E-Commerce Obligations Under the Spam Act 2003

In Short

• The Spam Act 2003 regulates unsolicited commercial electronic messages, including emails, SMS, MMS, and instant messages.

• Businesses must obtain consent and provide clear identification and an unsubscribe option in commercial messages.

• Penalties for non-compliance include fines, warnings, and legal action.

Tips for Businesses

Ensure you have express or inferred consent before sending commercial messages. Identify your business clearly in the message and provide a functional unsubscribe option. Avoid using address-harvesting software and be mindful of penalties for non-compliance. For assistance, consult a legal expert.

Summarise with: ChatGPT Perplexity Microsoft Copilot

---

Table of Contents

• Spam Act 2003 (Cth)
• Designated Commercial Electronic Messages 
• Consent to Receive Email Messages
• Email Address Harvesting
• Penalties
• Privacy Principles
• Key Takeaways 
• Frequently Asked Questions

Email marketing is a great tool to reach your clients or new leads. However, businesses that send unsolicited commercial electronic messages risk legal repercussions for breaching the Spam Act 2003 (Cth) (the Spam Act). This article details your business’s obligations regarding sending commercial electronic messages under the Act.

Spam Act 2003 (Cth)

The Spam Act prohibits businesses from sending unsolicited commercial electronic messages and provides them with rules for sending legitimate electronic communication to consumers.

The Spam Act covers those messages with a link to Australia. A message has a connection to Australia if it:

• originates in Australia and is sent to any destination; or
• originates overseas and is sent to an address accessed in Australia.

An electronic message is commercial when it is possible to conclude that its purpose, or one of its purposes, is to offer a commercial or business transaction or direct a person to a location where a commercial transaction can occur. Determining whether a message is commercial is a holistic process. The Act considers the following:

• the content of the message; 
• how the message is presented; and
• any links, telephone numbers or contact information provided in the message.

Accordingly, an electronic message is commercial if it offers to: 

• supply goods or services;
• provide a business or investment opportunity; or 
• advertises or promotes a business or investment opportunity. 

The Spam Act does not cover all kinds of commercial messages. It imposes no restrictions on other types of commercial messages, such as non-electronic messages and voice-to-voice telemarketing. It also does not prevent pop-up windows on a website because these form an intrinsic part of the site itself. 

Designated Commercial Electronic Messages 

An exception to the Spam Act’s prohibition on sending unsolicited commercial electronic messages is sending ‘designated’ commercial electronic messages. A designated commercial electronic message (DCEM) is a message that clearly and accurately identifies the sender and only consists of factual information. A DCEM can also include:

• the name, logo and contact details of the individual or organisation who authorised the sending of the DCEM; and
• the name and contact details of the author or the author’s employer, partnership, organisation or sponsor.

Therefore, the Act does not apply to designated commercial electronic messages. These types of messages do not require the recipient’s consent or a functional unsubscribe button. However, designated commercial messages must still include the sender’s details and contact information.

Under the Spam Act, Government bodies, Registered Political Parties and Registered Charities are considered to be sending a DCEM if the message sent from that body relates to goods and services and the body sending the message is the supplier or prospective supplier of such goods and services. 

Additionally, educational institutions are considered to send a DCEM when sending messages to current and former students about their goods and services. 

2025 Key Privacy and Data Developments

This fact sheet outlines the Australian Government’s strengthened consumer privacy laws in 2025 following major data breaches and their alignment with global standards.

Download Now

Businesses should be careful when determining whether their messages are considered designated commercial electronic messages. The content of these messages will determine whether the Act may still apply. Suppose these messages contain hyperlinks to the further supply of goods or services or have images or wording suggesting further advertisement, promotion or supply of goods or services. In that case, the message may be considered a commercial electronic message and thus be required to comply with the Act. 

Consent to Receive Email Messages

The Spam Act prohibits sending unsolicited commercial electronic messages with a link. The Act provides a framework for sending commercial electronic messages. In order to send a commercial electronic message, you must first have express or inferred consent from the recipient. Inferred consent derives from the conduct, business, and other relationships of the organisation or individual concerned.

Additionally, all commercial electronic messages sent under the Act must clearly and accurately identify the sender, the organisation responsible, rather than the individual who hit send. Further, the message must provide contact details that will remain valid for at least 30 days afterwards.

Further, these messages must include a functional unsubscribe facility allowing recipients to indicate they no longer wish to receive the emails. This facility must be accurate and remain operational for at least 30 days. Once a business receives notification of an individual’s wish to unsubscribe, they have five working days to action the request.

Email Address Harvesting

The Spam Act also strictly prohibits businesses from:

• supplying, acquiring or using address harvesting software; and
• supplying, acquiring or using an electronic address list produced using such software.

The Act prohibits this kind of software and its accompanying lists because they enable a business to send spam on a large scale.

Penalties

The Spam Act prescribes various penalties for businesses that breach its provisions. These penalties include:

• warnings;
• infringement notices;
• legal action; and
• pecuniary penalties.

Privacy Principles

All businesses need to be aware that observing their obligations under the Spam Act does not derogate from their responsibilities under the Privacy Act 1988 (Cth) (the Australian Privacy Principles).

Key Takeaways 

Email and electronic marketing messages are a legitimate way for e-commerce businesses to generate interest, increase their market presence and stay in touch with potential and existing customers. However, the Spam Act prohibits businesses from sending unsolicited commercial electronic messages and provides rules for sending electronic messages to consumers. 

If your e-commerce business needs help navigating these obligations, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions

What types of electronic messages are covered by the Spam Act?

The Spam Act covers messages sent via email, SMS, MMS, and instant messaging services that originate in or are accessed in Australia, with a focus on messages that offer goods, services, or business opportunities.

What is a designated commercial electronic message (DCEM)?

A DCEM is a message that contains only factual information and clearly identifies the sender. Examples include transactional or service-related messages like order confirmations or password resets. These messages do not require consent or an unsubscribe function, but they must identify the sender.