The spam email lurking in your junk folder could be more dangerous than you think. Every day, a substantial proportion of all emails and SMS messages sent across the globe are spam messages. With the risk of spam messages ranging from mere annoyance to large-scale cyber-attacks, regulators worldwide are cracking down on the bad actors who send these messages. As enforcement efforts ramp up in Australia and abroad, businesses that send marketing messages must pay careful attention to anti-spam regulation to make sure their messages are not classified as spam and to avoid significant financial and reputational damage. This article will explore the dangers of spam, Australia’s anti-spam regime and shifting enforcement attitudes.

What is Spam?

Spam refers to the use of messaging systems to send unsolicited messages to unwilling recipients. These unsolicited messages can be received in a variety of ways including via email, social media and text.

Common examples of spam messages include:

  • emails offering promotional material to recipients who have not consented to receiving marketing material;
  • text messages from unknown senders; and
  • email spoofing, where an unknown sender using a forged email address falsely purports to have access to your email account.

Unsolicited messages regarding legitimate appointments, payment reminders and product fault notices are not considered spam.

Dangers of Spam

While spam is largely perceived as harmless and merely annoying, some forms of spam can pose a serious threat to a recipient’s security. Spam messages can contain graphic content, misleading information, or may be a phishing attempt. Phishing occurs when a sender fraudulently pretends to be a reputable company for the purposes of inducing a recipient to send sensitive information including banking details and passwords.

A report published by the Australian Competition and Consumer Commission (ACCC) in April 2023 revealed that unsolicited messages are the most common delivery method for scams. In 2022, 33% of reported scams in Australia were sent via text message, 22% were sent via email, and 6% were sent via social networking forums. Last year, spam cost Australians around $182 million with social networking scams being the most costly, at $80 million for Australian victims.

Spam can pose a threat to businesses in two ways:

  1. Businesses can fall victim to spam and consequently expose sensitive information such as private customer details and banking information. In 2022, small Australian businesses lost $13.7 million to scams which were predominately targeted through messaging services.
  2. Businesses that accidentally or intentionally send marketing material without appropriate consent from recipients can suffer substantial reputational and financial harm.

Global Movement

Spam’s use of electronic messaging systems gives it a wide-ranging ability to reach its victims. Using online messaging systems allows spammers to bypass international borders. This is particularly challenging for local enforcement bodies who may be unable to take action against bad actors located in a foreign jurisdiction. For this reason, spam is an inherently global issue that requires strategic international cooperation from various regulatory bodies.

Recently there has been a global push for international cooperation for the purpose of strategically targeting and punishing international spam networks. Earlier this year, the Australian Communications and Media Authority (ACMA) entered into a renewed memorandum of understanding with the Unsolicited Communications Enforcement Network (UCENet). With signatories from Canada, Korea and the United Kingdom (UK), the UCENet has been instrumental in promoting information sharing between international bodies.

International Anti-Spam Regimes

It is important to recognise that anti-spam regulations differ widely between jurisdictions. This regulatory variety can impact international cooperation and present difficulties for businesses that send marketing communications internationally. Below are some of the key differences in the regulatory frameworks enforced in the UK, United States of America (USA) and Canada.

United Kingdom

In 2003, the UK introduced the Privacy and Electronic Communications Regulations (PECR). PECR covers electronic marketing messages, use of cookies and telephone marketing. Before sending marketing messages to individuals, businesses must obtain positive consent. In limited cases, businesses can use a soft opt-in to prove consent from previous customers who did not opt-out of receiving marketing messages. Businesses must obtain consent from sole traders and certain types of partnerships before sending any electronic marketing messages. However, consent is not required when communicating with larger corporations. Failure to comply with PECR can result in fines up to GB£500,000 (approximately AU$951,000).

United States of America

The USA governs spam through the CAN-SPAM Act, which prohibits the transmission of false and deceptive information through electronic marketing messages. Marketing messages must contain a clear ad disclosure and valid physical postal address. The USA has an opt-out regime, meaning that unsolicited spam is not illegal, but each marketing message must contain an unsubscribe option. Each message that breaches the CAN-SPAM Act is subject to penalties up to US$50,120 (approximately AU$78,800).

Canada

In 2014, Canada’s anti-spam legislation (CASL) was introduced. Widely considered one of the toughest anti-spam regulations, CASL requires any person sending commercial electronic messages to obtain prior consent before sending the message. Under CASL, these electronic messages include emails, SMS, instant messages, and messages sent through social media. Consent can be express or implied; however, individuals who send commercial electronic messages must prove that they have received consent. Serious violations of CASL will result in substantial fines, with individuals receiving a fine of up to CA$1 million (approximately AU$1,148,000) and businesses subject to a fine of over CA$10 million (approximately AU$11,482,000).

Australian Anti-Spam Regime

In Australia, the Spam Act 2003 (Cth) (Spam Act) prohibits the use of spam. The Spam Act sits alongside the Privacy Act 1988 (Cth) and grants ACMA a wide range of regulatory powers.

What is prohibited?

The Spam Act prohibits certain types of commercial electronic messages (CEMs). Prohibited CEMs are messages:

  • sent electronically, including those sent via email, text message or online networking services;
  • unsolicited and lacking the express or inferred consent of the recipient;
  • of a commercial nature and containing an offer, advertisement or promotion.

The Spam Act only governs CEMs with an Australian link which includes CEMs that:

  • originate in Australia;
  • are authorised or sent by individuals or businesses based in Australia;
  • are accessed or intended to be accessed in Australia; and
  • are sent to an organisation that carries on business in Australia.

Who does the Spam Act apply to?

The Spam Act applies to every business and individual that sends CEMs with an Australian link.

Some organisations are exempt from the Spam Act, including:

  • registered political parties;
  • registered charities;
  • government bodies; and
  • educational institutions, but only in relation to CEMs sent to current and past students.

What must businesses do?

  1. Obtain Consent

Businesses that send CEMs must obtain consent from recipients. Express consent occurs when a recipient knows and accepts that they will receive CEMs from a business. Express consent can be given when a recipient fills in a form or ticks a box on the business’s website. The Spam Act prohibits businesses from sending electronic messages requesting recipient consent.

Businesses can also infer consent where there is a provable, ongoing relationship between the recipient and the business. When consent is inferred, CEMs must be directly related to the existing relationship. An example of an indirectly related message is when a bank sends a customer who uses its savings account services an email advertising unrelated investment products. ACMA advises that businesses obtain express consent as a matter of best practice.

  2. Provide Accurate Identification

Businesses must provide clear identification when sending CEMs. This means businesses must identify their business name and include up-to-date contact information. Businesses must provide the legal name of the business and their Australian Business Number (ABN) when they authorise a third party to send CEMs on their behalf. The sender’s identification details cannot change for at least 30 days from when the CEM is sent.

  3. Allow Recipients to Unsubscribe

The Spam Act requires that every CEM provide recipients the opportunity to withdraw consent through an unsubscribe option. Unsubscribe options must be easy to access and functional for at least 30 days from when the CEM is sent. Businesses must honour any unsubscribe request within 5 working days and cannot charge recipients a fee for unsubscribing.

Enforcement Attitudes

In recent years, ACMA has ramped up efforts to enforce the Spam Act. From 2022 to 2023, spam deterrence was a key enforcement priority. In this period, ACMA finalised nine investigations, issued $8 million in infringements and court-enforceable undertakings, and sent compliance alerts to 2,000 businesses.

Case Study #1

In early August, ACMA issued an infringement notice of over $2 million to a large food delivery platform. In ACMA’s investigation it was discovered that the platform had sent CEMs to recipients who had withdrawn their consent. The platform sent over 560,000 promotional emails to recipients who had unsubscribed, and failed to provide an unsubscribe option in over 500,000 promotional SMS messages.

Case Study #2

In June, a large bank paid a record $3.55 million in penalties for breaching the Spam Act. ACMA’s investigations found that the bank made it difficult for recipients to unsubscribe from CEMs and that the bank failed to take proper action when given early warnings from ACMA. The bank sent 61 million marketing emails that required recipients to log in to their accounts to unsubscribe. Additionally, the bank sent 4 million marketing emails that lacked a functional unsubscribe option and sent a further 5,000 CEMs to recipients who had unsubscribed.

Next Steps

As enforcement ramps up, it is important for businesses to ensure that they are complying with relevant spam regulations.

Generally, any business that uses CEMs to communicate with customers must ensure:

  • it obtains express consent to send CEMs to a recipient;
  • every CEM it sends accurately identifies it as the sender;
  • opt-out options such as unsubscribe links are provided in every CEM and are functional;
  • recipients who have opted out of receiving CEMs are removed from mailing lists;
  • any changes to the business name, ABN or opt-out option are only enacted 30 days after the last CEM was sent; and
  • it complies with the specific legislation in the jurisdiction or jurisdictions in which it is conducting its activities.

If you require advice or have any questions, contact Sainty Law at lawyers@saintylaw.com.au.