An Australian online marketplace, Oneflare, recently had to pay $75,600 for breaching the Spam Act 2003 (‘Spam Act’). Oneflare sent commercial messages to a large number of people, breaching its responsibilities under the Spam Act. If your business uses electronic advertising, you should understand what the Spam Act means for you and how to avoid making Oneflare’s mistakes. This article will explain:

  • Oneflare’s mistake;
  • what Oneflare had to promise to do to rectify the situation; and
  • some of the key requirements under the Spam Act.

The ACMA Investigation 

After receiving many complaints about unwanted messages, the Australian Communication and Media Authority (ACMA) investigated how Oneflare was finding and communicating with individuals without consent. It found that Oneflare sent messages to phone numbers available on public directories and did not provide an unsubscribe option. 

What Does the Spam Act Say?

The Spam Act contains certain rules that businesses must abide by, including:

  • when businesses can and cannot send commercial electronic messages; and 
  • what text these messages must include. 

‘Commercial electronic messages’ include digital forms of direct marketing (e.g. emails or text messages). These are distinct from physical messages (e.g. sending letters by post).  

To send an electronic marketing message, you must:

  • have consent from the recipient to send marketing messages;
  • identify your business as the sender; and
  • include an option to unsubscribe within the message. 


To receive consent from recipients, you can obtain either express or implied consent. You will need to keep a record of this consent. 

You can obtain express consent by asking the customer if you can send them marketing messages. 

For example, you could include an opt-in checkbox offering the customer marketing material. The customer can then choose whether or not to tick the checkbox. 

You may receive implied consent from a customer when they purchase a product from you and you send them marketing material about similar products. 

For example, a customer purchasing a camping tent from your online store could imply that they would like to receive material about other camping equipment (e.g. a portable stove).

You can also infer consent if the customer conspicuously displays a work-related email. This means that if a work-related email address is accessible to the public (e.g. on a businesses’ website) and there is no statement withholding consent, you may be able to send messages to this email address. The key issue here is that the email address and your communication must both be work-related. Any personal or unrelated marketing you wish to send to personal email addresses would not fit within this exception. 


Any message you send should include your businesses’ name so that the recipient knows who the message has come from. 


Every commercial or marketing message you send should include an unsubscribe function, such as: 

  • a link to unsubscribe; or 
  • the steps the recipient should take to opt out of receiving messages from you (e.g. “to opt out, reply ‘stop’”). 

If a customer requests to unsubscribe or opt out, you must action their request within five days. 

ACMA may conduct investigations in response to complaints from individuals who feel that a business is spamming them. It is important to ensure that you always comply with the Spam Act so that you can easily explain your processes if ACMA decides to investigate you. 

The Spam Act applies to any business that sends commercial electronic messages. However, if you are an APP entity, you will also need to comply with the Privacy Act when you send commercial electronic messages. APP entities are businesses who:

  • have an annual turnover of more than $3 million;
  • trade in personal information;
  • provide a health service; or
  • contract with the government.

These businesses must comply with the Australian Privacy Principles (APPs). 

How Did Oneflare Breach the Spam Act?

Oneflare had neither express nor implied consent from the recipients of its messages. Rather, Oneflare simply contacted individuals on a public database. These individuals never expressed an interest in receiving communications from Oneflare. Lastly, the messages that Oneflare sent did not contain an unsubscribe function. 

As well as paying the $75,600 fine, Oneflare had to make statements in an enforceable undertaking to promise to comply with the Spam Act. Oneflare also had to appoint an independent consultant to review its internal advertising procedures.

The enforceable undertaking revealed that Oneflare tried to infer consent simply because the recipients’ contact details were available on a public database. ACMA found that Oneflare could not infer consent by conspicuous publication because Oneflare’s advertisements did not relate to the work-related business of the recipients. That these details were publicly available did not mean that the recipients had provided either express or implied consent to receiving marketing from Oneflare. Oneflare had to remove these contact details from its system. 

Oneflare’s key mistakes were that it:

  • had not received consent; 
  • could not rely on ‘conspicuous publication’; and 
  • did not offer an unsubscribe function to recipients. 

Key Takeaways

If you plan to send electronic marketing messages, you should ensure that you do not wind up in the same position as Oneflare. To avoid doing so, you should: 

  • ensure you have consent; 
  • identify yourself as the sender of the message; and 
  • allow recipients to unsubscribe from future messages. 

If you have any questions about your business’ compliance with the Spam Act, contact LegalVision’s Data and Privacy lawyers on 1300 544 755 or fill out the form on this page.

COVID-19 Business Survey
LegalVision is conducting a survey on the impact of COVID-19 for businesses across Australia. The survey takes 2 minutes to complete and all responses are anonymous. We would appreciate your input. Take the survey now.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.

The majority of our clients are LVConnect members. By becoming a member, you can stay ahead of legal issues while staying on top of costs. For just $199 per month, membership unlocks unlimited lawyer consultations, faster turnaround times, free legal templates and members-only discounts.

Learn more about LVConnect

Need Legal Help? Get a Free Fixed-Fee Quote

If you would like to receive a free fixed-fee quote or get in touch with our team, fill out the form below.

  • By submitting this form, you agree to receive emails from LegalVision and can unsubscribe at any time. See our full Privacy Policy.
  • This field is for validation purposes and should be left unchanged.
Our Awards
  • 2019 Top 25 Startups - LinkedIn 2019 Top 25 Startups - LinkedIn
  • 2019 NewLaw Firm of the Year - Australian Law Awards 2019 NewLaw Firm of the Year - Australian Law Awards
  • 2020 Fastest Growing Law Firm - Financial Times APAC 500 2020 Fastest Growing Law Firm - Financial Times APAC 500
  • 2020 AFR Fast 100 List - Australian Financial Review 2020 AFR Fast 100 List - Australian Financial Review
  • 2020 Law Firm of the Year Finalist - Australasian Law Awards 2020 Law Firm of the Year Finalist - Australasian Law Awards
  • Most Innovative Law Firm - 2019 Australasian Lawyer 2019 Most Innovative Firm - Australasian Lawyer
Privacy Policy Snapshot

We collect and store information about you. Let us explain why we do this.

What information do you collect?

We collect a range of data about you, including your contact details, legal issues and data on how you use our website.

How do you collect information?

We collect information over the phone, by email and through our website.

What do you do with this information?

We store and use your information to deliver you better legal services. This mostly involves communicating with you, marketing to you and occasionally sharing your information with our partners.

How do I contact you?

You can always see what data you’ve stored with us.

Questions, comments or complaints? Reach out on 1300 544 755 or email us at

View Privacy Policy