This week the Australian Communications and Media Authority (ACMA), itself a little-known regulatory authority, handed down the largest fine in its history - a whopping AUD $1 million - against a retail supermarket giant for unlawfully spamming more than 1.2 million customers via email.

The ACMA found that the retailer was in breach of Australia's anti-spam laws when it "sent marketing emails to consumers after they had unsubscribed from previous messages" between October 2018 and July 2019. The record-breaking fine was in part due to the retailer's failure to act even after the ACMA had warned it of potential Spam Act compliance issues, and multiple customer complaints.

The Spam Act

The Spam Act is simple - if an organisation (or someone on behalf of an organisation) is sending out marketing messages or emails, it must first have permission from the person who receives them. Once an organisation has a person's permission, the message must:

  • identify the organisation as the sender;
  • contain the organisation's contact details; and
  • make it easy for the recipient to unsubscribe.

Permission can be express or inferred.

The ACMA's decision

The specificity of the ACMA's decision makes it clear that it expects all communications to an email address to stop where such a request has been made by an individual (even where the email address itself may be shared with others). This shows that companies must be vigilant when it comes to their user databases, and in particular which information belongs to which individuals. The retailer's defence of "technical and systems issues" also did not find favour with the ACMA.

The retailer has already paid its fine, and is now subject to a three-year enforceable undertaking which includes actions such as appointing an independent consultant to review and audit its current Spam Act compliance procedures, reporting regularly to the ACMA, and conducting comprehensive staff training on the nature of its communications.

This latest compliance blitz comes hot on the heels of the ACMA's penalty issued to Optus earlier this year; a clear sign that the Spam Act's unofficial 17-year grace period has well and truly ended. This naturally complements good practice in data governance, which is becoming increasingly important - beyond the confines of the Spam Act. In an age where consumer protection and privacy are more important than ever, the price of unauthorised spamming is one that organisations cannot ignore.

How can we help?

Clyde & Co has the largest dedicated and rapidly expanding cyber incident response practice in Australia and New Zealand. Our experienced team have dealt with over 700 data breach and technology related disputes in recent times, including a number of the largest and most complex incidents in Asia Pacific to date.

From pre-incident readiness, breach response, through to defence of regulatory investigations and proceedings, as well as recovery actions against wrongdoers, we assist clients in Asia Pacific across the full cyber lifecycle. Our team is also highly regarded for their expertise and experience in managing all forms of disputes across sectors including advising on some of the most newsworthy class actions commenced in Australia.

Thanks to Alex Best for his contributions to this article.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.