The Spam Act 2003 (Cth) is Australia's primary legislation governing unsolicited commercial electronic messages. Administered by the Australian Communications and Media Authority (ACMA), it applies to all commercial electronic messages sent to Australian accounts — regardless of where the sender is located. With maximum civil penalties of $2.782 million per day for serious or repeated violations, and a recent pattern of enforcement actions against businesses that thought their practices were compliant, every Australian business that sends marketing email needs a working understanding of the Act.
What Is a "Commercial Electronic Message"?
A commercial electronic message under the Spam Act is a message that: (a) has a commercial purpose, meaning it markets, advertises, or promotes goods or services, or discounts or opportunities involving goods or services; and (b) is sent to an electronic address: email addresses, mobile phone numbers (for SMS), and instant messaging addresses all qualify. Transactional messages (order confirmations, password resets, account statements, service notifications) are generally not commercial electronic messages even if they contain some promotional content, provided their primary purpose is transactional. The key is primary purpose: if an order confirmation email includes a large banner promoting unrelated products, the ACMA may regard the entire message as commercial.
The Three Requirements: Consent, Identification, Unsubscribe
Every commercial electronic message sent to an Australian account must satisfy three requirements simultaneously: (1) the sender must have the recipient's consent to receive commercial messages; (2) the message must accurately identify the sender; and (3) the message must contain a functional unsubscribe mechanism. Failure on any one of the three is a breach of the Spam Act, even if the other two are fully satisfied.
Consent: Express vs Inferred
- Express consent: The recipient has explicitly opted in to receive commercial messages, typically via a checkbox, web form, or verbal confirmation that is recorded. This is the gold standard.
- Inferred consent: The Spam Act allows consent to be inferred in specific circumstances — where there is an existing business relationship (the person has purchased from you within the last 2 years, or enquired recently), or where the email address was conspicuously published and the message is relevant to the recipient's role or business. Inferred consent has narrow limits and is not a licence to email anyone whose contact details you can find.
- Pre-ticked checkboxes: Consent obtained via a pre-ticked opt-in checkbox is not valid express consent under Australian law. The recipient must take a positive action to consent.
- Consent records: You must be able to demonstrate consent for every recipient on your list. If the ACMA investigates, lack of consent records is treated as evidence of non-consent.
- Withdrawal of consent: Once a recipient unsubscribes, they have withdrawn consent. You must honour unsubscribe requests within 5 business days and cannot send any further commercial messages to that address.
The Unsubscribe Mechanism: What the Spam Act Requires
Every commercial electronic message must include a functional unsubscribe mechanism that: (a) is clearly presented in the message body; (b) allows the recipient to elect to not receive further commercial messages from the sender; (c) remains functional for at least 30 days after the message is sent; and (d) results in the opt-out being processed within 5 business days. Common failures include: unsubscribe links that go to a broken page, unsubscribe requests that only remove the person from one list rather than all commercial communications, and "manage preferences" pages that require creating an account to unsubscribe.
ACMA enforcement focus areas in 2025: broken unsubscribe mechanisms (the most common violation), consent record deficiencies, and failure to honour unsubscribe requests within 5 business days. The ACMA has made clear it actively monitors marketing email and investigates complaints.
What ShieldBox Provides for Spam Act Compliance
- DMARC enforcement at p=reject: prevents your domain from being spoofed to send spam in your name, which can trigger ACMA complaints against your business even if you did not send the messages.
- Verified sender identification: all outbound email from your ShieldBox domain is authenticated with DKIM, satisfying the sender identification requirement of the Spam Act.
- Custom domain email: ensures all commercial messages correctly identify your business, not a shared sending domain that could obscure your identity.
- Australian data hosting: consent records are stored in Australia and are accessible to demonstrate compliance in any ACMA investigation.