Technology and Telecommunications

No sweat marketing? Not so fast

April 7, 2026
Lululemon’s $702,900 fine and how not to over-extend your marketing

In March 2026, the Australian Communications and Media Authority (ACMA) announced that Lululemon Athletica Australia Pty Ltd (Lululemon) had paid a $702,900 penalty for breaches of the Spam Act 2003 (Cth) (Spam Act).  While the conduct occurred in a retail context, the implications extend well beyond consumer marketing.

ACMA’s action reinforces that spam compliance is a systems and governance issue, not just a marketing one.  Regulators increasingly expect large, sophisticated businesses to get this right.

In an era of AI-driven marketing, automation tools and global CRM platforms amplify risk.  Mixed-purpose messaging templates, inherited contact lists, and platform-configured unsubscribe logic can produce non-compliant messages at scale.  From ACMA’s perspective, reliance on third-party tools does not mitigate liability.

Following on from our 2025 article, this update explains ACMA’s latest decision, why it matters across industries, and the practical steps businesses can take to reduce regulatory risk.

Why Lululemon’s mixed messages stretched the Spam Act too far

ACMA found that between 1 December 2024 and 5 January 2025, Lululemon sent 370,289 electronic messages to Australian customers that did not contain a functional unsubscribe facility.

Although the emails were presented as ‘service’ or ‘transactional’ messages (eg order confirmations and delivery updates), the messages also included promotional content and links to sales offers.  This meant they were commercial electronic messages (CEM) under the Spam Act.

The conduct breached section 18(1) which requires that:

  • every commercial message must include a functional and easy to use unsubscribe facility; and
  • any message containing promotional content is treated as commercial, regardless of any service purpose.

ACMA’s enforcement in this case focused squarely on Lululemon’s failure to treat mixed-purpose messages as commercial and to include unsubscribe functionality.

Although ACMA enforces the Spam Act, sending mixed-purpose messages can create parallel risks under the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs), where:

  • personal information is used inconsistently with a customer’s stated opt-out preferences (APP 6);
  • customers are not clearly informed that service emails could contain marketing content (APPs 3 and 5); and
  • opt‑out requests are not implemented promptly and consistently across systems (APP 7).

ACMA flexes its enforcement muscles

ACMA described the breach as ‘easily avoidable’, but nonetheless serious given its scale and systemic nature.  The volume of affected messages pointed to deficiencies in system design and governance, rather than human error.

This was the fifth enforcement action by ACMA in 18 months against various traders involving misclassified marketing messages, underscoring a broader compliance concern ACMA is actively targeting.

The message from the regulator is clear: internal labels, intentions or customer expectations do not determine classification.  If marketing content appears anywhere in the message, the full suite of Spam Act obligations applies.

Regulatory endurance not slowing down

Recent enforcement activity reflects a sustained focus on systemic issues, rather than isolated incidents.  Since mid-2024, businesses in Australia (including Lululemon, Telstra, Commonwealth Bank, and Tabcorp) have paid more than $6.7 million in spam penalties.

Notably, ACMA has emphasised that size and sophistication increase regulatory expectations.  Well-resourced organisations are expected to have robust governance, testing and monitoring in place.  Brand strength and reliance on third-party marketing systems do not soften enforcement outcomes.

Spam risk is not one-size-fits-all

Similar risks arise across sectors.  For example:

  • SaaS and technology businesses: feature promotions embedded into maintenance notices or renewal reminders;
  • Healthcare and education: informational messages combined with fundraising or promotional content; and
  • Financial services: transactional alerts containing product upgrade or cross-sell links.

In each case, businesses often assume a message’s primary purpose determines its legal treatment.  ACMA has repeatedly rejected this assumption.  

Peak performance requires a tailored regime

Lululemon’s case illustrates several recurring marketing myths:

  • ‘It’s a service email/SMS/push notification, so the Spam Act doesn’t apply’ – incorrect if any promotional content is included;
  • ‘Customers expect to receive these messages’ – consumer expectations do not override statutory requirements; and
  • ‘Our global templates are compliant’ – Australian spam rules are stricter than many overseas regimes.

For multinational organisations, the decision underscores the risks of deploying global marketing practices without adequate localisation.  Systems compliant overseas may fall short under Australian law, particularly around message classification and unsubscribe functionality.

In our experience, separating transactional communications from marketing content is often the simplest path to compliance.

Our top tips for maintaining good marketing form

Drawing on ACMA’s findings and our experience advising clients on digital regulatory risk, businesses should focus on:

  • Subscription and unsubscribe management: Separating transactional and marketing messages where possible, and testing unsubscribe links across devices and platforms;
  • Minimal friction for customers to unsubscribe: Making it as easy to unsubscribe as it was to subscribe (eg best practice is to not require a login, or multiple steps/screens);
  • Governance and accountability: Assigning clear ownership across legal, marketing and IT, with board and executive visibility of spam compliance risks;
  • Consent capture and records: Maintaining auditable consent records, and regularly reviewing legacy databases and inherited customer lists;
  • System testing and monitoring: Auditing automated templates and workflows, and monitoring send volumes and error rates for early warning signs;
  • Vendor and platform oversight: Understanding how third-party platforms classify messages and manage opt-outs, supported by contractual protections (eg liability for breaches of the Spam Act caused by vendors, audit and remediation rights, and associated indemnities); and
  • Staff training: Equipping customer-facing teams with Spam Act fundamentals, before campaigns launch.

No skipping the warm up

ACMA’s action against Lululemon is a timely reminder that spam compliance is a core element of digital governance.  Businesses should take this opportunity to review their messaging frameworks and embed compliance by design.  Keep your messages fit for purpose by remembering:

  • Any communication with promotional content is a marketing message under Australian law.
  • Global marketing practices must be adapted for Australian requirements.
  • AI and automation tools magnify both risk and regulatory consequences.

We regularly assist clients across industries with Spam Act compliance and broader digital regulatory risk. Contact our Technology team for assistance.

Authors

Briar Francis | Special Counsel | +61 7 3338 7508 | bfrancis@tglaw.com.au

Hannah Fas | Senior Associate | +61 7 3338 7507 | hfas@tglaw.com.au
