Reading time: 5 minutes

An Australian online marketplace, Oneflare, recently had to pay $75,600 for breaching the Spam Act 2003 (‘Spam Act’). Oneflare sent commercial messages to a large number of people, breaching its responsibilities under the Spam Act. If your business uses electronic advertising, you should understand what the Spam Act means for you and how to avoid making Oneflare’s mistakes. This article will explain:

  • Oneflare’s mistake;
  • what Oneflare had to promise to do to rectify the situation; and
  • some of the key requirements under the Spam Act.

The ACMA Investigation 

After receiving many complaints about unwanted messages, the Australian Communication and Media Authority (ACMA) investigated how Oneflare was finding and communicating with individuals without consent. It found that Oneflare sent messages to phone numbers available on public directories and did not provide an unsubscribe option. 

What Does the Spam Act Say?

The Spam Act contains certain rules that businesses must abide by, including:

  • when businesses can and cannot send commercial electronic messages; and 
  • what text these messages must include. 

‘Commercial electronic messages’ include digital forms of direct marketing (e.g. emails or text messages). These are distinct from physical messages (e.g. sending letters by post).  

To send an electronic marketing message, you must:

  • have consent from the recipient to send marketing messages;
  • identify your business as the sender; and
  • include an option to unsubscribe within the message. 


To receive consent from recipients, you can obtain either express or implied consent. You will need to keep a record of this consent. 

You can obtain express consent by asking the customer if you can send them marketing messages. 

For example, you could include an opt-in checkbox offering the customer marketing material. The customer can then choose whether or not to tick the checkbox. 

You may receive implied consent from a customer when they purchase a product from you and you send them marketing material about similar products. 

For example, a customer purchasing a camping tent from your online store could imply that they would like to receive material about other camping equipment (e.g. a portable stove).

You can also infer consent if the customer conspicuously displays a work-related email. This means that if a work-related email address is accessible to the public (e.g. on a businesses’ website) and there is no statement withholding consent, you may be able to send messages to this email address. The key issue here is that the email address and your communication must both be work-related. Any personal or unrelated marketing you wish to send to personal email addresses would not fit within this exception. 


Any message you send should include your businesses’ name so that the recipient knows who the message has come from. 


Every commercial or marketing message you send should include an unsubscribe function, such as: 

  • a link to unsubscribe; or 
  • the steps the recipient should take to opt out of receiving messages from you (e.g. “to opt out, reply ‘stop’”). 

If a customer requests to unsubscribe or opt out, you must action their request within five days. 

ACMA may conduct investigations in response to complaints from individuals who feel that a business is spamming them. It is important to ensure that you always comply with the Spam Act so that you can easily explain your processes if ACMA decides to investigate you. 

The Spam Act applies to any business that sends commercial electronic messages. However, if you are an APP entity, you will also need to comply with the Privacy Act when you send commercial electronic messages. APP entities are businesses who:

  • have an annual turnover of more than $3 million;
  • trade in personal information;
  • provide a health service; or
  • contract with the government.

These businesses must comply with the Australian Privacy Principles (APPs). 

How Did Oneflare Breach the Spam Act?

Oneflare had neither express nor implied consent from the recipients of its messages. Rather, Oneflare simply contacted individuals on a public database. These individuals never expressed an interest in receiving communications from Oneflare. Lastly, the messages that Oneflare sent did not contain an unsubscribe function. 

As well as paying the $75,600 fine, Oneflare had to make statements in an enforceable undertaking to promise to comply with the Spam Act. Oneflare also had to appoint an independent consultant to review its internal advertising procedures.

The enforceable undertaking revealed that Oneflare tried to infer consent simply because the recipients’ contact details were available on a public database. ACMA found that Oneflare could not infer consent by conspicuous publication because Oneflare’s advertisements did not relate to the work-related business of the recipients. That these details were publicly available did not mean that the recipients had provided either express or implied consent to receiving marketing from Oneflare. Oneflare had to remove these contact details from its system. 

Oneflare’s key mistakes were that it:

  • had not received consent; 
  • could not rely on ‘conspicuous publication’; and 
  • did not offer an unsubscribe function to recipients. 

Key Takeaways

If you plan to send electronic marketing messages, you should ensure that you do not wind up in the same position as Oneflare. To avoid doing so, you should: 

  • ensure you have consent; 
  • identify yourself as the sender of the message; and 
  • allow recipients to unsubscribe from future messages. 

If you have any questions about your business’ compliance with the Spam Act, contact LegalVision’s Data and Privacy lawyers on 1300 544 755 or fill out the form on this page.


Key Considerations When Buying a Business

Thursday 11 November | 11:00 - 11:45am

Learn which questions to ask when buying a business to avoid legal and operational pitfalls, so you can hit the ground running. Join our free webinar.
Register Now

Innovation Nation: How to Make the Most of Australia’s Business Innovation and Investor Visas

Thursday 18 November | 11:00 - 11:45am

Want to expand your business into Australia? You need the right visa. Register for our free webinar to learn more.
Register Now

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.

The majority of our clients are LVConnect members. By becoming a member, you can stay ahead of legal issues while staying on top of costs. From just $119 per week, get all your contracts sorted, trade marks registered and questions answered by experienced business lawyers.

Learn more about LVConnect

Need Legal Help? Get a Free Fixed-Fee Quote

If you would like to receive a free fixed-fee quote or get in touch with our team, fill out the form below.

Our Awards

  • 2020 Excellence in Technology & Innovation Finalist – Australasian Law Awards
  • 2020 Employer of Choice Winner – Australasian Lawyer
  • 2021 Fastest Growing Law Firm - Financial Times APAC 500
  • 2020 AFR Fast 100 List - Australian Financial Review
  • 2021 Law Firm of the Year - Australasian Law Awards
  • 2019 Most Innovative Firm - Australasian Lawyer