Spam Snafu? Here’s What To Do In The Aftermath of Accidental Spam

The Australian Communications and Media Authority (ACMA) recently announced its 2024-2025 enforcement priorities and plans to target misleading spam messages. It notes that spam directly harms Australians by intruding on their privacy and creating an unlawful competitive advantage, amongst other harms. While there’s plenty you can do to prevent spam communications from being sent, you may still find yourself in a position where your processes failed and spam was sent out. Here’s what to do next:

First, read our downloadable guide to Privacy Considerations For Marketing Teams for a primer on spam laws in Australia.

ACMA To Target Spam Communications

Here’s what the ACMA said of its compliance priority relating to spam communications in 2024-2025:

“Our priority is to enforce spam rules to stop commercial messages being misleadingly sent as ‘service’ or non-commercial messages. This especially applies to messages from businesses where there may be a high risk of harm to consumers, like interactive wagering or financial services.

We will also focus on compliance in the online retail sector by educating businesses about spam rules and taking formal action where serious and systemic matters are found.” 

The ACMA’s Statement of Expectations

As part of its compliance focus on spam, the ACMA plans to release educational materials to guide businesses. Its Statement of Expectations on the use of consumer consent is intended to guide businesses that undertake email, SMS, and telephone marketing. It’s a helpful document that outlines some dos and don’ts when it comes to marketing consents.

Here’s a quick overview: 

The examples below are practices that will generally meet obligations under the rules and are consumer-friendly (categorised and summarised using generative AI):

Obtaining and Managing Consent

Express Consent

Do

  • Use clear, readily accessible terms and conditions when obtaining consent.
  • Avoid burying information in fine print or requiring multiple clicks.
  • Clearly state what the consent covers (types of products, channels, duration, etc.).

Don’t

  • Don’t add contacts to marketing lists without their consent.
  • Don’t use outdated consent (over three months old unless agreed otherwise).

Double Opt-In (Recommended)

  • Implement email confirmation for consent.
  • Provide a link or reference to a preferences management page.

Inferred Consent (Use Cautiously)

Do

  • Only use where there’s a clear, current relationship with the individual.
  • Limit marketing to goods/services directly related to that relationship.

Don’t

  • Don’t infer consent if the relationship is unclear or the message is irrelevant.
  • Don’t infer consent from purchases (even if contact info is given).
  • Published contact info doesn’t equal consent (other conditions apply).
  • Unsubscribe Process:
    • Don’t require logins or personal info (except for email/phone used).

Respecting Preferences and Unsubscribes

Do

  • Telemarketing:
    • End calls immediately if the recipient indicates they want to stop.
    • Remove individuals from call lists upon request.
  • Email Marketing:
    • Include easy-to-use unsubscribe options in all messages.
    • Act on unsubscribe requests quickly (within five business days maximum).
    • Provide a clear option to unsubscribe from all marketing messages.

Consent Mechanisms and Unsubscribing

  • Avoid:
    • Pre-checked tick boxes.
    • Bundled consent (one request for multiple purposes).
    • “Refer a friend” arrangements (consent must be individual).
  • Unsubscribe Process:
    • Don’t charge for unsubscribing (beyond standard message cost).
    • Provide clear unsubscribe options (universal or clearly defined).
    • Don’t continue sending messages after unsubscribing, even if someone else uses the contact.
  • Resubscription:
    • Don’t re-contact unsubscribed individuals to encourage resubscribing unless they’ve expressly consented to this beforehand.

The Aftermath of Accidental Spam

Whether your team accidentally deleted the unsubscribe functionality from an email it sent out or someone dropped the email list into the CC field instead of BCC, it’s important to act quickly once a spam communication has been sent out:

Retract or stop sending, if possible

Depending on the platform and mechanism you’ve used to send the communication, it may be possible to stop sending the message. 

In many cases, it’s possible to set up delayed sending, which can be a good practice to prevent spam messages from being sent in haste. If your email platform doesn’t have this functionality, it’s often a good idea to require marketing communications to be scheduled in advance, with a view to preventing hasty communications from becoming spam communications.

If you’re unable to stop sending, retracting the email may be an option. This is possible within some email platforms, but only within an extremely limited window and only if the recipient has not received it. 

Acknowledge The Breach

Honesty is often a good policy when it comes to individual privacy. Once you’ve sent the spam communication, you have already breached Australia’s Spam Act.

Acknowledging the breach and self-reporting it to the ACMA may help fix the issue quickly. The ACMA may take your self-reporting into consideration and may resolve the breach without further action. 

You may also opt to send a follow-up communication to those who received the spam to provide an overview of what happened, why it happened, acknowledge the breach, and rectify the issue. This might mean that you add an unsubscribe link if it was omitted or, for more complex issues, share information about an internal review and commitment to improvement. 

Internal Review & Improved Processes 

On that note, it’s important that your organisation conducts an internal review to reveal what happened and why. 

With that information in hand, you should consider what measures could be adopted to prevent the issue from arising again. Often, this will be minor process adaptations or technological interventions – such as using email platforms instead of manually managing email lists.

Legal and Privacy Considerations

You should also loop in your legal counsel as there may be legal ramifications for the spam communication, including ACMA complaints and potentially data breach notification obligations. 

Your legal counsel will consider your exposure, as well as likely remediation requirements. They will also be well placed to document the incident and subsequent actions in case of a regulatory investigation. 

With more than $15 million in ACMA fines for spam communications over the past 18 months, it’s critical to loop in a privacy lawyer as early as possible to keep costs down. 

Privacy Compliance with Privacy 108 

The Privacy 108 team regularly consults organisations on the application of spam and privacy laws.

Contact us if you have any questions or need advice on compliance with Australia’s spam and privacy laws or in the aftermath of sending spam.

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.