The Australian Communications and Media Authority (ACMA) is continuing to focus on businesses that breach the Spam Act 2003 (Cth) (the Spam Act), including the Commonwealth Bank of Australia (CBA), which incurred one of the largest penalties to date.
It is important for businesses to understand what these prosecutions mean, how to ensure they do not breach the Spam Act, and how to avoid the penalties that can result.
Under the Spam Act, a commercial electronic message (CEM) that contains only factual information (and satisfies several other technical requirements) is classified as a 'designated commercial electronic message', and is exempt from the requirements that it be sent only with consent and that it include an unsubscribe facility.
One of ACMA's key compliance priorities for the 2024-25 financial year is targeting businesses that miscategorise CEMs as designated commercial electronic messages and do not include unsubscribe facilities.
This new priority may have been triggered after Luxottica Retail Australia Pty Ltd (Luxottica) breached the Spam Act by sending over 45,000 messages over a one-year period without unsubscribe facilities on the basis that such messages were designated commercial electronic messages. Luxottica was fined $1,512,500 for these and other breaches of the Spam Act in April 2024.
It's expensive to get wrong: Commonwealth Bank's $7.5 million mistake
After incurring a $3.5 million penalty in May 2023 for sending 65 million emails without functional unsubscribe facilities, the CBA was back in the spotlight in 2024, this time for a combination of absent unsubscribe facilities and for messages sent without consent.
In its investigations, ACMA assessed almost 1,000 unique templates provided by CBA used to send emails between November 2022 and April 2024. According to ACMA, these messages were commercial in nature either on the basis of the content itself, or from the commercial content that could be accessed from the email, either by link, telephone number, or contact information.
In CBA's submissions, it admitted sending up to almost 35 million CEMs without consent and up to 170 million CEMs without an unsubscribe facility because it had 'incorrectly classified some of the messages as service non-commercial or compliance messages'. As such messages were incorrectly classified, they were sent to consumers regardless of whether they had opted-out from marketing, and some messages included a statement that the recipient could not unsubscribe.
As a result of its breaches of the Spam Act, CBA was issued a $7.5 million penalty (in addition to the $3.5 million issued the year before), as well as a three-year court-enforceable undertaking to address its non-compliance. CBA must conduct a comprehensive independent review of its practices, and introduce appropriate resources and governance processes to ensure compliance.
PointsBet's misclassified CEMs
PointsBet Australia Pty Ltd (PointsBet) also has not escaped Spam Act prosecution. In May 2025 ACMA issued a media release regarding its recent investigation against PointsBet for misclassifying emails as designated CEMs and not including an unsubscribe option.
Between September and November 2023, PointsBet sent 705 emails which it claimed were designated CEMs 'due to their content being of a claimed service nature'. However, ACMA determined that despite the content of the message, because the PointsBet logo was hyperlinked to its website where a customer could obtain PointsBet's gambling services, it was enough for the message to be categorised as promoting goods or services.
Prior to the decision on PointsBet, the strictest application of the commercial test was in ACMA's findings that Luxottica breached the Spam Act. In that case, emails sent to clients that their order had been shipped or with instructions to reset their password were found to be commercial in nature because they included an offer for free shipping on all orders and various hyperlinks.
Comparatively, in PointsBet's communications, there was no offer evident in the emails as the purpose was service related, for example to inform the customer about a billing issue that had been fixed. However, according to the findings, communications can have multiple purposes, and even if an ancillary purpose is to promote goods and services via a hyperlinked logo, this is sufficient for it to be commercial.
This strict application may have been a reflection of heightened sensitivity regarding gambling exclusion, as individuals who had registered under the National Self Exclusion Register (NSER) received communications from PointsBet.
However, not all of the recipients of the 705 emails were on the NSER. Applying this decision practically, it is difficult to see how any communication between a business and its customer would not have a secondary commercial purpose.
Further, it is unclear to what extent a hyperlink can demonstrate a secondary purpose for promotion of goods and services. If, for example, a business sends an email confirming that an item has been shipped, and such email includes a link to a page on their website where orders can be tracked and that website includes advertising material, is this sufficient for the message to have a commercial secondary purpose?
Ultimately, until further clarification is made, we recommend businesses err on the side of caution and remove hyperlinks from service messages, or receive consent and include an unsubscribe facility.
For this and other breaches of the Spam Act, PointsBet was fined $500,800. It was also required to sign an enforceable undertaking in which it agreed to appoint an independent consultant, develop an implementation plan following receipt of the consultant's report, provide six-monthly compliance reports to ACMA, and provide training to its key personnel.
Are these prosecutions a sign of things to come?
ACMA publishes quarterly reports on its enforcement of the Spam Act and other areas of compliance. Its latest report covering January to March 2025 indicates ACMA is increasing its investigations, as the number of finalised investigations for this financial year is already at the level for the entire 2023-2024 financial year. It also provided over 2,000 Spam Act compliance alerts to businesses - a formal written warning following a customer complaint.
As more significant penalties are awarded to businesses, greater awareness and public attention are also brought to consumers' rights under the Spam Act. In January to March 2025 alone, ACMA received more than 5,700 consumer complaints about alleged breaches of telemarketing and spam laws. The most complained about industries were retail, solar and financial services.
What do these prosecutions mean for you?
Businesses should be aware that compliance with the Spam Act is taken very seriously, and even breaches caused by mistake or human error will not escape prosecution.
When emailing customers, we encourage clients to stop and think about the content and true purpose of the message. Even though the original purpose of the correspondence may be purely factual (i.e. that their order has been shipped), if it includes any commercial material, or commercial material can be accessed from the correspondence, it is highly unlikely to be classified as a designated commercial electronic message.
If you are unsure about whether your business is compliant with the Spam Act, please reach out to our team for advice.
Authors
Andrew Chalet | Partner | +61 3 8080 3542 | achalet@tglaw.com.au
Emma Halliday | Associate | +61 3 8080 3543 | ehalliday@tglaw.com.au