The Australian Spam Act 2003: A Plain-English Guide for E-Commerce Brands
The Australian Spam Act 2003 is the law that governs commercial electronic messaging in Australia. Every Australian e-commerce brand sending marketing emails, SMS messages, or other commercial electronic messages is subject to it — and the penalties for non-compliance are substantial.
Yet most Australian e-commerce brands couldn’t confidently answer basic questions about what the Act actually requires. They know vaguely that unsubscribes need to work, but they don’t know the five-business-day rule. They know they need consent, but they don’t understand the difference between express and inferred consent, or when inferred consent expires.
This guide is a plain-English explanation of what the Spam Act means for Australian e-commerce brands. It is not legal advice — if you have specific compliance questions, consult a lawyer. But it will give you the working knowledge to run a compliant email programme.
What the Spam Act Actually Covers
The Spam Act 2003 covers “commercial electronic messages” — which means any message sent electronically (email, SMS, MMS, instant messaging) that markets or promotes goods, services, land, or business opportunities.
This is broader than just marketing emails. It includes:
- Promotional emails
- Marketing SMS messages
- Newsletters with commercial content
- Messages promoting affiliate products or services
- Transactional emails with promotional content added
It does not cover:
- Purely transactional messages with no commercial content (order confirmations, shipping updates)
- Messages sent by government bodies for official purposes
- Messages to people who have clearly requested them (e.g., a customer asking you to email their receipt)
The Act applies to any commercial electronic message sent from Australia or to an Australian address. If you’re an Australian business emailing Australian consumers, you are fully subject to the Act.
The Three Core Requirements
The Spam Act has three core requirements. Every commercial electronic message must:
- Have the consent of the recipient
- Clearly identify who sent it
- Include a functional unsubscribe mechanism
If any one of these three requirements is not met, the message may breach the Act.
Requirement 1: Consent
Consent under the Spam Act comes in two forms: express consent and inferred consent.
Express consent is when someone explicitly agrees to receive commercial electronic messages from you. This happens when a subscriber:
- Ticks a checkbox on a sign-up form with clear language stating they consent to receive marketing emails
- Verbally agrees to receive email communications during a purchase or interaction
- Signs up to your email list via a dedicated subscription form with a clear stated purpose
Express consent has no time limit. As long as the subscriber has not withdrawn consent (by unsubscribing or explicitly asking to be removed), express consent remains valid indefinitely.
Best practice for express consent: Your sign-up form language should be specific and accurate. “Sign up to receive marketing emails from [Brand Name]” is ideal. Avoid vague language like “stay connected” or “join the community” that might not clearly convey that commercial emails will follow.
Inferred consent is implied consent that arises from an existing business or other relationship. Under the Act, consent can be inferred when:
- There is an existing business relationship (e.g., a customer who has purchased from you)
- The person has published or provided their electronic address in a way that suggests they want to receive business-related messages (e.g., a business owner who lists their email on their company website for business enquiries)
- The address was conspicuously published (e.g., on a public website) without a request not to receive commercial messages
Important limitations on inferred consent:
Inferred consent from a business relationship is not indefinite. While the Act doesn’t specify a fixed expiry period, the ACMA’s guidance indicates that inferred consent expires when the business relationship ends — for example, when a customer hasn’t purchased in a very long time and has shown no interest in ongoing communications.
Practically, most Australian compliance advisors recommend treating inferred consent as valid for approximately two years from the last purchase or business interaction, provided the subscriber has not indicated they don’t want to receive messages.
What does NOT constitute consent:
- Purchasing a list of email addresses (no consent of any kind has been given)
- Scraping email addresses from websites
- Collecting business cards at events without a clear agreement to receive marketing emails
- Pre-ticked consent checkboxes (the checkbox must be unticked by default)
- Including unsubscribe instructions but continuing to email after an unsubscribe request
Requirement 2: Sender Identification
Every commercial electronic message must clearly and accurately identify the sender.
Required elements in every commercial email:
- The name of the person or organisation that authorised the message to be sent
- The contact details of that person or organisation, including at minimum a physical or postal address
- This information must be present at the time the message is received (not just when it was sent)
For branded email marketing: Your from name should accurately represent your brand. Your footer must include your business name and a physical or postal address. A PO Box is acceptable.
For emails sent on behalf of a client: If you’re an agency sending emails on behalf of a brand, the identifying information must be the brand that authorised the send — not the agency’s information.
The sender identification requirement also prohibits misleading sender information. A from name or from address that misrepresents who is sending the email, even if technically accurate, can breach the Act.
Requirement 3: Functional Unsubscribe Mechanism
Every commercial electronic message must include a functional mechanism by which the recipient can unsubscribe from future messages. The mechanism must:
- Be clearly presented in the message
- Allow the recipient to request removal without cost (you cannot charge for unsubscribing)
- Remain functional for at least 30 days after the message is sent
- Result in the unsubscribe request being honoured within five business days of receipt
The five-business-day rule is the requirement that most brands misunderstand or fail to implement correctly. You have a maximum of five business days from when an unsubscribe request is received to stop sending commercial messages to that recipient.
Key points on the five-business-day rule:
- Public holidays and weekends are not business days — they do not count towards the five days
- The clock starts when the request is received, not when you process it
- If your ESP processes unsubscribes in real time (as most modern platforms do), you’re automatically compliant on this point
- If you’re exporting lists from one platform and importing to another, you need to ensure suppression lists are transferred with every export
After an unsubscribe: Once someone has unsubscribed, you may not send them further commercial electronic messages — even to confirm the unsubscribe, even to send a special offer to win them back, even if they purchase from you again (unless they re-consent at checkout).
Penalties for Breaching the Spam Act
The ACMA (Australian Communications and Media Authority) enforces the Spam Act. Penalties include:
Civil penalties:
- For individuals: Up to AU$275,000 per day for a continuing breach
- For corporations: Up to AU$2,750,000 per day for a continuing breach (AU$2.2 million for a body corporate)
Enforceable undertakings: The ACMA can require a business to commit to specific remediation actions as an alternative to civil penalties.
Infringement notices: For less serious breaches, the ACMA can issue infringement notices with fixed penalties.
Real-world enforcement examples: The ACMA has pursued enforcement actions against Australian businesses in multiple industries for Spam Act breaches — including retail, real estate, financial services, and telemarketing companies. Penalties issued have ranged from thousands to millions of dollars.
Common Compliance Mistakes by Australian E-Commerce Brands
1. Using pre-ticked consent checkboxes
At checkout, some brands include a pre-ticked checkbox that reads “I’d like to receive marketing emails.” This is not valid express consent — the subscriber must actively choose to opt in. The checkbox must be unticked by default.
2. Importing purchased or third-party lists
Never import a purchased email list into your ESP and begin sending commercial messages. These recipients have not consented to receive emails from your brand, and mass sending to them constitutes a potential breach of the Act.
3. Continuing to email after unsubscribe
If a subscriber unsubscribes via your ESP but you also have them in another database (e.g., a CRM, a separate SMS platform, or a manually managed spreadsheet), you must ensure the unsubscribe is honoured across all channels within five business days.
4. Vague consent language
“Sign up to stay informed” doesn’t clearly communicate that the subscriber is agreeing to receive commercial promotional emails. The consent language needs to be clear enough that a reasonable person would understand they’re agreeing to receive marketing.
5. Not including a physical address
Many smaller Australian e-commerce brands omit their physical or postal address from email footers. This is a breach of the sender identification requirement. Include your registered business address or PO Box in every email footer.
6. Forgetting the five-business-day rule on manual processes
Brands that handle unsubscribes manually (via a “reply to unsubscribe” instruction) often process them in batches — weekly or fortnightly. This can easily breach the five-business-day requirement. Use an ESP with automated unsubscribe processing.
The Spam Act and Re-Engagement Campaigns
Win-back and re-engagement campaigns require special attention under the Spam Act.
If a subscriber’s inferred consent has potentially expired (e.g., they purchased from you three years ago and haven’t engaged since), sending a re-engagement email to seek express consent is a pragmatic compliance move — but it is itself a commercial message and therefore must comply with the Act.
If a subscriber has explicitly unsubscribed, you may not send them a re-engagement campaign. The unsubscribe is final. The only exception is if they re-subscribe of their own accord at a later date.
In practice: before sending any re-engagement or win-back campaign, audit the consent status of your target segment. Contacts who actively unsubscribed must be excluded. Contacts with expired inferred consent should be treated as a win-back opportunity that simultaneously seeks consent renewal.
Building a Spam Act-Compliant Email Programme From Scratch
If you’re building or rebuilding your email programme and want to ensure compliance from the ground up:
Step 1 — Audit your list: Review every segment of your subscriber list and document the consent basis for each group. Classify subscribers as: express consent (date acquired, source), inferred consent (date of last purchase or business interaction), or unknown/unverified.
Step 2 — Suppress the unknowns: Any contacts where you cannot document a consent basis should be suppressed from commercial communications unless you run a re-consent campaign to seek express consent.
Step 3 — Configure your ESP: Ensure your ESP’s unsubscribe mechanism is functional, processes in real time, and updates your suppression list immediately. Test it.
Step 4 — Fix your sign-up forms: Ensure all sign-up forms — pop-ups, checkout opt-in, landing pages — use explicit, accurate consent language and unticked checkboxes.
Step 5 — Update your email footers: Every email template must include your business name and physical/postal address. Check this across every template in your account.
Step 6 — Keep ongoing records: Keep records of how consent was obtained for new subscribers as you grow your list. If the ACMA ever investigates, you’ll need to be able to demonstrate consent for any subscriber in question.
How Excelohunt Manages Compliance for Australian Brands
Every Australian e-commerce brand Excelohunt manages gets a Spam Act compliance audit at onboarding. We review:
- Consent documentation for your existing list
- Sign-up form language across all touch points
- Email footer content and sender identification
- Unsubscribe handling and suppression list management
- Re-engagement and win-back sequence compliance
We then configure your ESP — whether it’s Klaviyo, ActiveCampaign, Campaign Monitor, HubSpot, Mailchimp, or Omnisend — to maintain compliance automatically as your programme runs.
Get your free email audit with Spam Act compliance review →
We’ll give you a clear picture of your current compliance posture and any issues that need addressing.