Email Marketing Laws in Australia That Direct Marketers Need to Know About


Email marketing is remarkably effective. In its 2021 Email Marketing ROI Statistics report, Barilliance cites the average return-on-investment (ROI) for email marketing as being about $38 for every $1 invested, or 3800%. But it’s not a matter of simply purchasing a mailing list or compiling all your contacts and watching your ROI roll in. Direct marketers do need to be aware of the email marketing laws in Australia.

What is the Spam Act? 

The Spam Act 2003 (Cth) and the Spam Regulations aim to reduce unsolicited electronic marketing material (also known as SPAM) being sent by email, SMS, MMS or via instant messaging.  

What is SPAM? 

Spam is a commercial message sent without permission. Interestingly, the name comes from the canned pork product. The link was drawn after a Monty Python sketch referred to the food product SPAM as something that is ubiquitous, unavoidable and repetitive.

Defining Spam: Email Marketing Laws in Australia

To be a commercial email, it must contain one or more of the following: 

  • an offer;
  • an advertisement; or
  • a promotion. 

Emails that are purely transactional or functional in nature are not considered to be spam emails. Direct marketers can send emails or electronic messages confirming client appointment details, advising of updates to customer policies, or similar, without fear of any repercussions.  

The Spam Act also prohibits the purchase and use of address harvesting software. That is, software that’s designed to search the internet for email addresses to be added to a database. The Spam Act specifically prohibits the use of lists produced using harvesting software, even if that list is purchased from a third party, where it is intended to be used to send unsolicited spam.  

Complying with Email Marketing Laws in Australia 

There are several steps you can take to promote compliance with Australia’s email and electronic marketing laws: 

1.  Get permission before sending any direct marketing emails.  

There are two types of permission (commonly referred to as ‘consent’) that direct marketers can rely on to send direct marketing communications: express and inferred.  

Express permission in direct marketing communications. 

Express permission is given whenever a person knows and accepts that they will receive marketing emails or messages from you. Usually, a person gives express permission by completing a form, ticking a box or toggling a bar on a website, or by agreeing over the phone, or face-to-face.  

It is important to note that you can’t gain consent by sending a person an email to ask for permission. This is because the email asking for permission is considered a marketing message, which you are not permitted to send.  

Inferred permission in direct email marketing. 

Inferred permission is where a person has knowingly and directly given you their address and it is reasonable to believe they would expect to receive marketing materials (including emails) from your business. This requires you to infer that the person has a provable, ongoing relationship with your business, and that the marketing is directly related to that relationship. For instance, anyone who subscribes to a loyalty account is usually considered to have given inferred permission.

It is not acceptable to infer consent if a person has simply purchased something from your business and provided their email as part of that transaction. Nor is it okay to send marketing emails to customers who provided their phone number or email address to you for contact-tracing purposes.  

Take care and be cautious when considering purchasing any marketing lists from third parties. It is difficult to know for sure that recipients provided permission to use their information for this purpose, and whether permission was obtained legitimately.

2.  Clearly identify the sender.  

In your marketing email, you need to: 

  • Ensure your name or business name are accurate and identifiable, and 
  • Include correct contact details for you or your business.  

If someone else sends messages on your behalf, the message must still identify you as the business that authorised the message. Use the correct legal name of your business, or your name and ABN. In either event, the business information supplied must remain correct for at least 30 days after you send the message.

5.  Make it easy to unsubscribe.  

Many websites have historically used design features to make it more difficult for users to control their data or take certain actions. These features are called ‘dark patterns’ – and they’ve just been prohibited in California.  

The future of online communications is clear, concise, and straightforward. You should ensure that any privacy functionality on your site is user-friendly to future-proof your organisation’s digital presence.  

To do so, here’s what the Australian Communications and Media Authority (ACMA) recommends:  

“…every commercial message must contain an ‘unsubscribe’ option that: 

    • presents unsubscribe instructions clearly. 
    • honours a request to unsubscribe within 5 working days. 
    • does not require the payment of a fee. 
    • does not cost more than the usual amount for using the address (such as a standard text charge). 
    • is functional for at least 30 days after you sent the message.” 

Two examples of compliant unsubscribe options are:  

To stop receiving messages from us, simply reply to this email with ‘unsubscribe’ in the subject line. 

If you no longer wish to receive these messages, please click the ‘unsubscribe’ button below. 

[Source: ACMA] 

Lessons Learned From Email Marketing Law Breaches in Australia 

The ACMA has the power under the Spam Act to bring court proceedings and issue penalty notices against businesses that have breached their obligations. There have been a number of significant penalties for companies which have breached email marketing laws in Australia, including:  

Spam Act Breach by Woolworths  

Woolworths paid a penalty of more than $1 million for continuing to send marketing emails to customers who had previously unsubscribed from the supermarket giant’s mailing list. More than 5 million non-compliant marketing emails were sent between October 2018 and July 2019.  

The amount is the largest ACMA infringement notice to date.  

Key takeaway from the Woolworths breach: Ensure you have robust and reliable systems in place to ensure that any withdrawal of consent is swiftly actioned.

You can read more about the Woolworths breach here. 

Kogan Breaches the Spam Act 

In January 2021, Kogan was penalised by the ACMA for forwarding more than 42 million marketing emails without an easily accessible unsubscribe mechanism. Consumers were required to first set a password and/or log into a Kogan account to unsubscribe successfully.  

The electronics company was issued a $310,800 infringement notice for the breaches.  

Key takeaway from the Kogan breach: Don’t make it difficult for consumers to access privacy settings at any point. We imagine that privacy setting accessibility is going to be championed into the future, so it’s worth making it easy for your users to control their privacy.  

You can read more about the Kogan breach here. 

Develop Strong Privacy Practices with Privacy108 

Privacy108 works with organisations to uplift their privacy maturity levels. If you’re uncertain about your compliance with email and electronic marketing laws in Australia or have any other privacy-related concerns, reach out. We’d love to assist! 


Privacy, software design and technology. Ian is a privacy, IT and software contracts lawyer with over 30 years of experience as a lawyer and over 20 years of experience advising on the legal aspects of data management and processing.