Skip to content

Oneflare’s Breach of the Spam Act: Lessons for Business Owners

An Australian online marketplace, Oneflare, recently had to pay $75,600 for breaching the Spam Act 2003 (‘Spam Act’). Oneflare sent commercial messages to a large number of people, breaching its responsibilities under the Spam Act. If your business uses electronic advertising, you should understand what the Spam Act means for you and how to avoid making Oneflare’s mistakes. This article will explain:

  • Oneflare’s mistake;
  • what Oneflare had to promise to do to rectify the situation; and
  • some of the key requirements under the Spam Act.

The ACMA Investigation 

After receiving many complaints about unwanted messages, the Australian Communication and Media Authority (ACMA) investigated how Oneflare was finding and communicating with individuals without consent. It found that Oneflare sent messages to phone numbers available on public directories and did not provide an unsubscribe option. 

What Does the Spam Act Say?

The Spam Act contains certain rules that businesses must abide by, including:

  • when businesses can and cannot send commercial electronic messages; and 
  • what text these messages must include. 

‘Commercial electronic messages’ include digital forms of direct marketing (e.g. emails or text messages). These are distinct from physical messages (e.g. sending letters by post).  

To send an electronic marketing message, you must:

  • have consent from the recipient to send marketing messages;
  • identify your business as the sender; and
  • include an option to unsubscribe within the message. 

Consent

To receive consent from recipients, you can obtain either express or implied consent. You will need to keep a record of this consent. 

You can obtain express consent by asking the customer if you can send them marketing messages. 

For example, you could include an opt-in checkbox offering the customer marketing material. The customer can then choose whether or not to tick the checkbox. 

You may receive implied consent from a customer when they purchase a product from you and you send them marketing material about similar products. 

For example, a customer purchasing a camping tent from your online store could imply that they would like to receive material about other camping equipment (e.g. a portable stove).

You can also infer consent if the customer conspicuously displays a work-related email. This means that if a work-related email address is accessible to the public (e.g. on a businesses’ website) and there is no statement withholding consent, you may be able to send messages to this email address. The key issue here is that the email address and your communication must both be work-related. Any personal or unrelated marketing you wish to send to personal email addresses would not fit within this exception. 

Identification

Any message you send should include your businesses’ name so that the recipient knows who the message has come from. 

Unsubscribe

Every commercial or marketing message you send should include an unsubscribe function, such as: 

  • a link to unsubscribe; or 
  • the steps the recipient should take to opt out of receiving messages from you (e.g. “to opt out, reply ‘stop’”). 

If a customer requests to unsubscribe or opt out, you must action their request within five days. 

ACMA may conduct investigations in response to complaints from individuals who feel that a business is spamming them. It is important to ensure that you always comply with the Spam Act so that you can easily explain your processes if ACMA decides to investigate you. 

The Spam Act applies to any business that sends commercial electronic messages. However, if you are an APP entity, you will also need to comply with the Privacy Act when you send commercial electronic messages. APP entities are businesses who:

  • have an annual turnover of more than $3 million;
  • trade in personal information;
  • provide a health service; or
  • contract with the government.

These businesses must comply with the Australian Privacy Principles (APPs). 

Continue reading this article below the form
Loading form

How Did Oneflare Breach the Spam Act?

Oneflare had neither express nor implied consent from the recipients of its messages. Rather, Oneflare simply contacted individuals on a public database. These individuals never expressed an interest in receiving communications from Oneflare. Lastly, the messages that Oneflare sent did not contain an unsubscribe function. 

As well as paying the $75,600 fine, Oneflare had to make statements in an enforceable undertaking to promise to comply with the Spam Act. Oneflare also had to appoint an independent consultant to review its internal advertising procedures.

The enforceable undertaking revealed that Oneflare tried to infer consent simply because the recipients’ contact details were available on a public database. ACMA found that Oneflare could not infer consent by conspicuous publication because Oneflare’s advertisements did not relate to the work-related business of the recipients. That these details were publicly available did not mean that the recipients had provided either express or implied consent to receiving marketing from Oneflare. Oneflare had to remove these contact details from its system. 

Oneflare’s key mistakes were that it:

  • had not received consent; 
  • could not rely on ‘conspicuous publication’; and 
  • did not offer an unsubscribe function to recipients. 

Key Takeaways

If you plan to send electronic marketing messages, you should ensure that you do not wind up in the same position as Oneflare. To avoid doing so, you should: 

  • ensure you have consent; 
  • identify yourself as the sender of the message; and 
  • allow recipients to unsubscribe from future messages. 

If you have any questions about your business’ compliance with the Spam Act, contact LegalVision’s Data and Privacy lawyers on 1300 544 755 or fill out the form on this page.

Register for our free webinars

ACCC Merger Reforms: Key Takeaways for Executives and Legal Counsel

Online
Understand how the ACCC’s merger reforms impact your legal strategy. Register for our free webinar.
Register Now

Ask an Employment Lawyer: Contracts, Performance and Navigating Dismissals

Online
Ask an employment lawyer your contract, performance and dismissal questions in our free webinar. Register today.
Register Now

Stop Chasing Unpaid Invoices: Payment Terms That Actually Work

Online
Stop chasing late payments with stronger terms and protections. Register for our free webinar.
Register Now

Managing Psychosocial Risks: Employer and Legal Counsel Responsibilities

Online
Protect your business by managing workplace psychosocial risks. Register for our free webinar.
Register Now
See more webinars >
Jessica Anderson

Jessica Anderson

Senior Lawyer | View profile

Jessica is a Senior Lawyer in LegalVision’s Commercial Contracts team. From day to day, Jessica enjoys preparing contracts to suit her clients’ needs, and walking clients through key-risk issues whether within a contract or within the broader regulatory landscape, from privacy law, consumer law, or community gaming and charities law.

Qualifications: Bachelor of Laws, Graduate Diploma of Legal Practice, Macquarie University.

Read all articles by Jessica

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2025 Future of Legal Services Innovation Finalist - Legal Innovation Awards

  • Award

    2025 Employer of Choice - Australasian Lawyer

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2022 Law Firm of the Year - Australasian Law Awards