The Last 24 Months of ACMA Enforcement
The Australian Communications and Media Authority (ACMA) has updated its enforcement priorities and undertaken a host of investigations since we last published on key themes in its spam penalties. So, we decided it was time for an updated piece!
In this post, we explore the last 24 months of ACMA enforcement, as well as its current compliance priorities. The key takeaways are important for telcos, gambling service providers, and utilities companies in particular – but they apply to any organisation that sends marketing messages.
Read on to learn what the current enforcement priorities are, plus our analysis of the trends and takeaways from the recent penalties.
2025-2026 ACMA Compliance Priorities
The ACMA has listed two compliance priorities for 2025-2026, namely:
- Disrupting mobile number fraud, including monitoring telco compliance with rules directed at fraud prevention. It notes that mobile number fraud can result in financial losses and emotional distress for those impacted.
- Combating spam and telco scams, which is an enduring priority. In 2025–26, the focus is on persistent unwanted spam or telemarketing in particular.
The other enforcement and compliance priorities listed for 2026 include compliance with Triple Zero and public safety requirements, the provision of critical information to telco customers affected by domestic and family violence, minimising gambling harm, and combating spam and telco scams.
2025 ACMA Infringement Notices
Here’s a quick summary of the infringement notices from the ACMA in 2025, including the penalty amount and the reason for the penalty:
- Southern Phone ($2.5M, Sept): Failed identity checks during mobile number porting (anti-scam breach).
- Optus ($826K, Sept): Failed identity checks during mobile number porting (anti-scam breach).
- Exetel ($694K, June): Failed identity checks during mobile number porting (anti-scam breach).
- Betfair ($871K, June): Sent marketing via email/SMS without consent or a functional unsubscribe option.
- Opticomm ($150K, April): Failed to comply with infrastructure notification requirements under the Telecommunications Act.
- Tabcorp ($4M, April): Sent marketing via SMS/WhatsApp without sender info, consent, or unsubscribe options.
- Telstra ($18K, March): Breached emergency call service regulations following a service disruption.
- Unibet/Betchoice ($1M, Feb): Failed to close accounts for individuals registered on the BetStop self-exclusion list.
- Circles.Life ($413K, Jan): Failed identity checks during mobile number porting (anti-scam breach).
2024 ACMA Infringement Notices
Similarly, here’s the list for 2024:
- Telstra ($394K, Dec): Failed to comply with NBN service migration rules intended to protect residential customers.
- Optus ($12M, Nov): Breached emergency call (Triple Zero) obligations during a major nationwide network outage.
- Telstra ($3M, Nov): Failed to meet emergency call person requirements during a separate service disruption.
- PointsBet ($500K, Nov): Sent marketing material without consent or unsubscribe options, breaching spam and self-exclusion laws.
- Telstra ($626K, Oct): Sent marketing SMS messages that lacked a functional, easy-to-use unsubscribe facility.
- Commonwealth Bank ($7.5M, Aug): Sent millions of marketing emails and SMS without consumer consent or functional opt-outs.
- Pizza Hut ($2.5M, April): Sent over 10 million marketing emails without consent or valid unsubscribe facilities.
- Telstra ($1.5M, March): Failed to follow scam prevention rules regarding identity authentication for high-risk transactions.
- Southern Phone ($244K, March): Breached the industry standard for handling consumer complaints.
- Luxottica ($1.5M, Feb): Sent marketing emails without consent and without a functional unsubscribe facility.
- Outdoor Supacentre ($302K, Jan): Sent over 80,000 marketing SMS messages without customer consent.
Comparing the Penalties to ACMA’s Compliance Priorities
It’s interesting to compare the penalties to the ACMA’s published compliance priorities.
Looking across 2024 and 2025, you can see penalties geared towards disrupting mobile number fraud escalating, both in monetary terms and in frequency. There were 5 such penalties in total, accounting for around 18% of overall fine volumes in those two years.
The press releases for these penalties focused on the emotional distress the customers experienced during the technical breaches, as well as the fact that the telcos had ongoing vulnerabilities that were exploited by scammers (and not caught and/or remedied promptly).
The other focus point listed relates to persistent spam messages and telemarketing. The dollar value of fines in this category accounted for 36% of all the monetary penalties across this two-year period. We’d suspect that this trend will continue through 2026, too.
The largest fines went to telcos that were non-compliant with Triple Zero and public safety requirements, with the ACMA’s largest ever fine ($12 million, November 2024) going to Optus following a particularly egregious 000 failure in 2023. More on this below.
An Analysis of The Top 5 Largest Penalties
Optus — $12 Million (November 2024)
The Breach: A massive failure of the Triple Zero (000) emergency call system during a nationwide network outage. This penalty remains the largest ever levied by the ACMA.
The Fact Matrix: This penalty was so large because the failure was preventable and Optus failed to follow up with wellbeing checks once the outage was resolved. The takeaway here is that while the failure prompts the investigation and fine, your actions in the aftermath can be used to calculate the price tag. It’s important to do the right thing by your customers in the event of a breach.
Commonwealth Bank — $7.5 Million (August 2024)
The Breach: Sending 170 million marketing emails and SMS without consent or a functional unsubscribe option.
The Fact Matrix: The CBA sent more than 170 million non-compliant emails that did not include a method for recipients to unsubscribe. Around 35 million of these messages were sent to people who had not consented or who had withdrawn their consent. The CBA had classified these emails as non-commercial, despite the emails promoting products and services or the CBA itself.
The penalty was so large in part because the ACMA had already penalised the CBA in 2023 for sending 65 million emails without compliant unsubscribe functionality.
The takeaway from this penalty?
“The rules are clear, if a message includes marketing content or direct links to marketing content, it is a commercial message and must give people the option to unsubscribe. We have seen several companies get this wrong and businesses are on notice to check how they are classifying messages as commercial or non-commercial.” – ACMA Chair Nerida O’Loughlin.
Tabcorp — $4 Million (April 2025)
The Breach: TAB sent more than 5,700 marketing messages to customers of its “VIP program” without adequate sender info or opt-out functions.
The Facts: The ACMA expressed concern that these programs often involve customers experiencing significant gambling losses, making the lack of an “unsubscribe” button particularly predatory. The press release noted that gambling safeguards and spam rules are current priorities, and the size of the penalty in this case (compared to the volume of messages sent) is designed to send a message about the ACMA’s approach to gambling marketing compliance.
Telstra — $3 Million (November 2024)
The Breach: A software glitch caused a 90-minute disruption to Telstra’s Triple Zero service, forcing staff to use a manual backup list to transfer emergency calls. The $3 million penalty was primarily driven by the fact that Telstra had neglected to update its backup data, which contained incorrect phone numbers and caused 127 calls to fail.
Pizza Hut Australia — $2.5 Million (April 2024)
The Breach: Pizza Hut sent more than 10 million non-compliant marketing messages across four months. Texts and emails were sent to customers who had either not consented or had withdrawn their consent. There were also 4.3 million messages sent without an option to unsubscribe.
This press release really focused on the frustration experienced by people who receive these messages. The reality is that organisations that send spam messages do risk significant reputational harm, in addition to the compliance risk.
Key Trends in Enforcement by the ACMA
Outside of just the largest penalties, these are some of the trends that stood out to us as we analysed the ACMA’s activities over the past two years:
“Service Messages” are a High-Risk Area
The Commonwealth Bank ($7.5M) and Telstra ($626K) cases highlight a major trap: organisations should not misclassify marketing as “service” or “factual” messages to bypass the need for an unsubscribe button.
If your message contains any promotional element (e.g., a link to a website with deals, or a suggestion to “check out our other services”), the ACMA may very well classify it as commercial. You must include a functional unsubscribe in these messages. If it were us, we’d err on the side of caution when sending out these high-risk messages and just include the unsubscribe function if there’s even a question about the commerciality of the message.
Vulnerability is a “multiplier” for penalties
The scale of the Tabcorp ($4M) and Unibet ($1M) fines shows that the ACMA is most aggressive when the breach impacts vulnerable people.
This means that compliance systems must be “harm-aware.” If your organisation holds a list of vulnerable customers (financial hardship, health issues, or self-exclusion), any marketing non-compliance targeting that group will likely trigger a higher penalty.
Ignoring compliance alerts isn’t a good idea
The Outdoor Supacentre release stood out to us because it specifically called out the organisation for ignoring 5 spam compliance alerts in 11 months. In this instance, the business sent 83,000 marketing messages that were non-compliant. These messages went to people who had not provided consent or had previously unsubscribed.
The lesson here is that Outdoor Supacentre could potentially have avoided the $300k penalty had it acted earlier on the ACMA’s compliance alerts. Knowing that it is an ongoing enforcement priority for the ACMA, we’d urge organisations receiving any compliance alert to treat it seriously.