What is spam?

Spam refers to the use of messaging systems to send unsolicited messages to unwilling recipients. These unsolicited messages can be received in a variety of ways including via email, social media, and text.

Common examples of spam messages include:

• emails offering promotional material to recipients who have not consented to receiving marketing material;
• text messages from unknown senders; and
• email spoofing, where an unknown sender using a forged email address falsely purports to have access to an email account.

Unsolicited messages regarding legitimate appointments, payment reminders, and product fault notices are not considered spam.

Dangers of spam

While spam is largely perceived as harmless and merely annoying, some forms of spam can pose a serious threat to a recipient's security. Spam messages can contain graphic content, misleading information, or may be a phishing attempt. Phishing occurs when a sender fraudulently pretends to be a reputable company for the purposes of inducing a recipient to send sensitive information including banking details and passwords.

A report published by the Australian Competition and Consumer Commission (ACCC) in April 2023 revealed that unsolicited messages are the most common delivery method for scams. In 2022, 33% of reported scams in Australia were sent via text message, 22% were sent via email, and 6% were sent via social networking forums. In 2022, spam cost Australians around $182 million with social networking scams being the costliest, at $80 million for Australian victims.

Spam can pose a threat to businesses in two ways:

• Businesses can fall victim to spam and consequently expose sensitive information, such as private customer details and banking information. In 2022, small Australian businesses lost $13.7 million to scams which were predominately targeted through messaging services.
• Businesses can accidentally or intentionally send marketing material without appropriate consent from recipients and can suffer substantial reputational and financial harm.

Global movement

Spam's use of electronic messaging systems gives it a wide-ranging ability to reach its victims. Using online messaging systems allows spammers to bypass international borders. This is particularly challenging for local enforcement bodies who may be unable to take action against bad actors located in a foreign jurisdiction. For this reason, spam is an inherently global issue that requires strategic international cooperation from various regulatory bodies.

Recently there has been a global push for international cooperation for the purpose of strategically targeting and punishing international spam networks. Earlier this year, the Australian Communications and Media Authority (ACMA) entered into a renewed Memorandum of Understanding with the Unsolicited Communications Enforcement Network (UCENet). With signatories from Canada, South Korea, and the UK, the UCENet has been instrumental in promoting information sharing between international bodies.

International anti-spam regimes

It is important to recognize that anti-spam regulations differ widely between jurisdictions. This regulatory variety can impact international cooperation and present difficulties for businesses that send marketing communications internationally. Below are some of the key differences in the regulatory frameworks enforced in the UK, the US, and Canada.

UK

In 2003, the UK introduced the Privacy and Electronic Communications Regulations (PECR). PECR covers electronic marketing messages, the use of cookies, and telephone marketing. Before sending marketing messages to individuals, businesses must obtain positive consent. In limited cases, businesses can use a soft opt-in to prove consent from previous customers who did not opt out of receiving marketing messages. Businesses must obtain consent from sole traders and certain types of partnerships before sending any electronic marketing messages. However, consent is not required when communicating with larger corporations. Failure to comply with PECR can result in fines up to £500,000 (approx. $631,500).

US

The US governs spam through the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act), which prohibits the transmission of false and deceptive information through electronic marketing messages. Marketing messages must contain a clear ad disclosure and a valid physical postal address. The US has an opt-out regime, meaning that unsolicited spam is not illegal, but each marketing message must contain an unsubscribe option. Each message that breaches the CAN-SPAM Act is subject to penalties of up to $50,120.

Canada

In 2014, Canada's anti-spam legislation (CASL) was introduced. Widely considered as one of the toughest anti-spam regulations, CASL requires any person sending commercial electronic messages to obtain prior consent before sending the message. Under CASL, these electronic messages include emails, SMS, instant messages, and messages sent through social media. Consent can be express or implied, however, individuals who send commercial electronic messages must prove that they have received consent. Serious violations of CASL will result in substantial fines with individuals receiving a fine of up to CAD 1 million (approx. $750,000) and businesses subject to fines over CAD 10 million (approx. $7,500,000).

Australian anti-spam regime

In Australia, the Spam Act 2003 (Cth) (the Spam Act) prohibits the use of spam. The Spam Act sits alongside the Privacy Act 1988 (Cth) and grants ACMA a wide range of regulatory powers.

What is prohibited?

The Spam Act prohibits certain types of commercial electronic messages (CEMs). Prohibited CEMs are messages:

• sent electronically, including those sent via email, text message, or online networking services;
• unsolicited and lacking the express or inferred consent of the recipient; and/or
• of a commercial nature and containing an offer, advertisement, or promotion.

The Spam Act only governs CEMs with an Australian link which includes CEMs that:

• originate in Australia;
• are authorized or sent by individuals or businesses based in Australia;
• are accessed or intended to be accessed in Australia; and
• are sent to an organization that carries on business in Australia.

Who does the Spam Act apply to?

The Spam Act applies to every business and individual that sends CEMs with an Australian link.

Some organizations are exempt from the Spam Act, including:

• registered political parties;
• registered charities;
• government bodies; and
• educational institutions, but only in relation to CEMs sent to current and past students.

What must businesses do?

Obtain consent

Businesses that send CEMs must obtain consent from recipients. Express consent occurs when a recipient knows and accepts that they will receive CEMs from a business. Express consent can be given when a recipient fills in a form or ticks a box on the business's website. The Spam Act prohibits businesses from sending electronic messages requesting recipient consent.

Businesses can also infer consent where there is a provable, ongoing relationship between the recipient and the business. When consent is inferred, CEMs must be directly related to the existing relationship. An example of an indirectly related message is when a bank sends an email to a customer using a savings account service's advertisements for unrelated investment products. ACMA advises that businesses attain express consent as a matter of best practice.

Provide accurate identification

Businesses must provide clear identification when sending CEMs. This means businesses must identify their business name and include up-to-date contact information. Businesses must provide the legal name of the business and their Australian Business Number (ABN) when they authorize a third party to send CEMs on their behalf. The sender's identification details cannot change for at least 30 days from when the CEM is sent.

Allow recipients to unsubscribe

The Spam Act requires that every CEM provide recipients the opportunity to withdraw consent through an unsubscribe option. Unsubscribe options must be easy to access and functional for at least 30 days from when the CEM is sent. Businesses must honor any unsubscribe request within five working days and cannot charge recipients a fee for unsubscribing.

Enforcement attitudes

In recent years, ACMA has ramped up efforts to enforce the Spam Act. From 2022 to 2023, spam deterrence was a key enforcement priority. In this period, ACMA finalized nine investigations, issued $8 million in infringements and court-enforceable undertakings, and sent compliance alerts to 2,000 businesses.

Case study #1

In early August 2023, ACMA issued an infringement notice of over $2 million to a large food delivery platform. In ACMA's investigation, it was discovered that the platform had sent CEMs to recipients who had withdrawn their consent. The platform sent over 560,000 promotional emails to recipients who had unsubscribed and failed to provide an unsubscribe option in over 500,000 promotional SMS messages.

Case study #2

In June 2023, a large bank paid a record $3.55 million in penalties for breaching the Spam Act. ACMA's investigations found that the bank made it difficult for recipients to unsubscribe from CEMs and that the bank failed to take proper action when given early warnings from ACMA. The bank sent 61 million marketing emails that required recipients to log in to their accounts to unsubscribe. Additionally, the bank sent four million marketing emails that lacked a function unsubscribe option and sent a further 5,000 CEMs to recipients who had unsubscribed.

Next steps

As enforcement ramps up, it is important for businesses to ensure that they are complying with relevant spam regulations.

Generally, any business that uses CEMs to communicate with customers must ensure:

• it obtains express consent to send CEMs to a recipient;
• every CEM it sends accurately identifies it as the sender;
• opt-out options such as unsubscribe links are provided in every CEM and are functional;
• recipients who have opted out of receiving CEMs are removed from mailing lists;
• any changes to the business name, ABN, or opt-out option are only enacted 30 days after the last CEM was sent; and
• it complies with the specific legislation in the jurisdiction or jurisdictions in which it is conducting its activities.

Katherine Sainty Director
[email protected]
Lily O Brien Senior Paralegal
[email protected]
Sainty Law, Sydney