Understanding Australia's anti-spam legislation

Last updated at:

You will learn

Learn about Australia's anti-spam legislation, and message requirements to help you remain compliant.

In Australia, the sending of SMS and email marketing messages is regulated by the Spam Act 2003 (Spam Act) and the Spam Regulations 2021. The Spam Act was designed to protect people from receiving spam, or “unsolicited commercial electronic messages.” It applies to the sending of commercial electronic messages (CEMs) and governs who you can send to and what your messages need to include. 

This information is not legal advice. Klaviyo recommends that you consult with your legal counsel to make sure that you comply with the Spam Act and all other applicable laws in connection with your marketing program.

About Australia’s Spam Act and regulations

The Spam Act regulates the sending of any CEMs, including: 

  • Email
  • SMS and MMS 
  • Instant messages

The three main requirements under the Spam Act for sending messages are: 

  • Obtain proper consent
  • Provide identification information and contact details
  • Include a method to unsubscribe/opt out of messaging

Violations of the Spam Act are enforced by the Australian Communications and Media Authority (ACMA) and can result in fines of up to $220,000 for a single breach, and as much as $2.1 million for subsequent breaches. 

What is consent under the Spam Act 2003?

There are two types of consent: express and inferred. The Spam Act requires express consent in most cases, which means someone must explicity opt in to receiving marketing messages from your organization.

As a best practice, you should keep records of when you get consent, including the:

  • Type of consent
  • Consent method
  • Date/time an individual consented

When someone signs up via a form, Klaviyo records all of this information automatically on the profile. Further, you can import this information from another provider, and Klaviyo will save it. 

Express consent

Express consent means someone directly gives you permission to send them marketing messages via a certain channel. This means that you cannot send someone a CEM before they expressly tell you to do so — even if the message you want to send will ask for their permission. 

When someone consents to receive one type of electronic marketing messages, this does not count as permission to send them any other type of CEM. For instance, if you have someone’s consent for email, you can only send them emails — it does not count as permission to send SMS, MMS, or instant messages.

There are several ways someone can give you their express consent, including: 

  • Signing up via a form
  • Checking a box on a website
  • Telling you over the phone

Note that someone simply giving you their information (email, phone number, etc.) does not count as them granting permission to message them. 

Some types of CEMs (such as SMS) always require express consent when using Klaviyo. However, others (such as email) allow inferred consent in certain circumstances. Always follow the most stringent laws for the area you’re sending to, whether that’s the Spam Act or Klaviyo’s terms of service. 

Inferred consent

Inferred, also called implied, consent is permissible in only a few scenarios. It is also typically a gray area, so express consent is preferred and recommended in all cases. 

This type of consent may apply when someone has knowingly and directly given you their information, and it is reasonable to believe they would expect to receive marketing messages from your business. This does not give you permission to message them for anything; inferred consent is limited to something specific.

Inferred consent typically comes into play when you have an existing relationship (a “provable, ongoing relationship”) with the recipient, and the marketing you want to send them is directly related to that relationship. You may have a business relationship with someone who provided their contact information when they subscribed to a service, has an account, or is a member. If the marketing is relevant to that relationship, you may have the person’s inferred consent to send messages relevant to your business relationship with them. 

Inferred consent does not apply when someone has only bought something from your business. Inferred consent also likely does not apply when someone has only abandoned their shopping cart. If you plan to send abandoned cart messages on the basis of inferred consent, we strongly recommend you consult with your legal team to confirm they are compliant with applicable law.

Message requirements under the Spam Act

In addition to obtaining the proper consent, the Spam Act requires that you include the following information in every CEM: 

  • Your legal business name, or your company name and Australian business number
    • If someone else sends messages on your behalf, the CEM must still identify you as the business that authorized the message
    • This information must remain correct for at least 30 days after you send your message
  • Contact details for your business or a link to your business’s contact details
    • Your contact information must remain correct for at least 30 days after you send your message
  • An opt-out mechanism (e.g., an unsubscribe link) that:
    • Presents unsubscribe instructions clearly
    • Honors the request to unsubscribe within five working days
    • Does not require the payment of a fee
    • Does not cost more than the usual amount for using the address (such as a standard text charge)
    • Is functional for at least 30 days after you sent the message
    • Does not force recipients to provide extra personal information or create or log into an account to unsubscribe

In emails, the typical approach is to add contact details and opt-out instructions to the footer, and let the sender email address indicate your business. In Klaviyo, every email you send will include your company's contact details and an unsubscribe link by default.

For SMS and MMS messages, you can use the branded sender ID to indicate who’s sending the message. In Klaviyo, every text message going to an Australian recipient will show the branded sender ID and include an unsubscribe link by default.

Best practices

While not explicitly required by the Spam Act, the following are best practices for sending CEMs in Australia:

  • Include at least one link to your website
  • Send messages between 9 am and 8 pm in the recipients’ local time (for SMS and direct messages); use quiet hours for flows to automatically prevent sending SMS outside of these times
  • Do not use common spam-related phrases in your messages or email subject lines; e.g., “free money”
  • Provide value — every CEM should be helpful to the recipient; if not, subscribers will likely opt out
  • Avoid sending a lot of emojis and using acronyms unless you know your audience understands or responds positively to them
  • Do not overload recipients with too many messages; for instance, use Smart Sending to limit how often someone can receive messages via a certain channel

Sending to Australian recipients using Klaviyo

When sending to Australian recipients using Klaviyo, it’s important that you also comply with Klaviyo’s Terms of Service and Acceptable Use Policy, which, in certain cases, may be more strict than Spam Act requirements. 

Additional resources

Was this article helpful?
20 out of 23 found this helpful