Spam Act 2003
The Spam Act 2003 is Australia's primary legislation governing commercial electronic messages, including SMS. Understanding and complying with this act is essential for any business sending marketing messages to Australian mobile numbers.
Three Core Rules
1. Consent Required
You must have consent before sending commercial electronic messages. Consent can be:
- Express consent: Explicit opt-in (checkbox, reply YES, verbal agreement)
- Inferred consent: From an existing business relationship, or from a number the person has conspicuously published. The published-number route is narrow: the message must be relevant to the person's work, business or role, and the publication must not carry a statement that unsolicited commercial messages are unwanted.
⚠️ Best Practice
Always obtain express consent. While inferred consent is legally valid in some circumstances, it's riskier and harder to prove during audits.
2. Identify Yourself
Messages must clearly identify who sent them. Include:
- Your business or organization name
- Contact information (phone number or email)
✓ Good Example
"Your order #123 has shipped! - AcmeCorp. Reply STOP to unsubscribe."
✗ Bad Example
"Your order has shipped! Track here: [link]"
Missing: Business name (required even for purely factual messages) and, if the message carries any promotional content, an unsubscribe instruction.
3. Unsubscribe Mechanism
Provide a simple, free way to opt out. Requirements:
- Unsubscribe method must be free and easy to use
- Most common: "Reply STOP to unsubscribe"
- Must honor requests within 5 business days
- Keep records of all unsubscribe requests
💡 Implementation Tip
Automate opt-out processing to ensure immediate compliance. Maintain a central suppression list checked before every campaign send.
What Messages Are Exempt?
Factual messages (no consent needed):
- Order confirmations and receipts
- Delivery notifications and tracking updates
- Appointment reminders
- Account security alerts (password resets, suspicious activity)
- Two-factor authentication codes
- Service disruption notifications
Note: Even exempt messages must identify the sender and avoid marketing content.
Penalties
- Individuals: Up to $555,000 per day of violation
- Corporations: Up to $2.5 million per day of violation
- These maxima are set in penalty units and indexed over time, so the dollar figures move; the highest per-day tier applies to repeat contraventions
- ACMA can issue infringement notices without court proceedings
- Reputational damage and loss of customer trust
ACMA Regulations
The Australian Communications and Media Authority (ACMA) enforces SMS compliance and sets industry standards. Key requirements include:
Do Not Call Register
The Do Not Call Register allows individuals to opt out of unsolicited marketing calls and SMS. Rules:
- Check numbers against register before cold marketing (not required if you have consent)
- Existing customers can receive marketing for 30 days after relationship ends
- Register doesn't prevent all contact - consent, inquiries, and factual messages are still permitted
Access Required
Register for access at donotcall.gov.au. Annual subscription fee applies for businesses.
Industry Codes
ACMA oversees industry codes of practice. Key standards:
- Telecommunications Consumer Protections (TCP) Code
- Mobile Premium Services Code (for paid SMS services)
- Short Message Service (SMS) Aggregator Code
ACMA Enforcement Powers
- Investigate complaints from consumers
- Issue formal warnings and infringement notices
- Impose fines without court proceedings
- Require businesses to implement compliance programs
- Publish names of non-compliant businesses
Privacy Act 1988
The Privacy Act governs how businesses collect, use, and store personal information, including phone numbers used for SMS marketing.
Australian Privacy Principles (APPs)
APP 1: Privacy Policy
Maintain an up-to-date privacy policy explaining how you collect and use phone numbers. Make it easily accessible on your website.
APP 3: Collection of Personal Information
Only collect phone numbers when necessary. Inform individuals why you're collecting their number and how it will be used.
APP 6: Use and Disclosure
Only use phone numbers for the purpose you collected them. Don't share with third parties without consent.
APP 11: Security of Personal Information
Protect phone number databases with appropriate security measures. Use encryption, access controls, and regular security audits.
APP 12: Access and Correction
Allow individuals to access and correct their personal information. Provide a process for updating or removing phone numbers from your database.
Data Breach Notification
If phone numbers are exposed in a data breach that is likely to result in serious harm to any affected individual (an "eligible data breach" under the Notifiable Data Breaches scheme), you must:
- Assess a suspected breach promptly; the assessment should be completed within 30 days of becoming aware of grounds to suspect one
- Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable once you believe an eligible data breach has occurred
- Notify affected individuals, or publish a statement where direct notification is not practicable
- Take steps to contain the breach and prevent further unauthorised access; remedial action that removes the likelihood of serious harm can mean notification is no longer required
Obtaining Valid Consent
Express Consent Methods
✓ Online Forms
Clear, unchecked checkbox (opt-in):
□ I agree to receive marketing SMS from AcmeCorp
(You can unsubscribe at any time)
✓ SMS Opt-In
User texts keyword to subscribe:
User: "JOIN" to 12345
Reply: "Welcome! You'll receive offers from AcmeCorp. Reply STOP to unsubscribe. Msg&data rates may apply."
✓ Point of Sale
Written or verbal consent at checkout:
"Would you like to receive SMS updates about your order and exclusive offers?"
Document: Date, time, staff member, consent given
Consent Record Keeping
Keep records including:
- Date and time consent was obtained
- Method of consent (web form, SMS, verbal, etc.)
- What the person consented to receive
- IP address (for online consent)
- Wording of consent request shown to user
- Any subsequent consent withdrawals
Retention period: Minimum 5 years after consent obtained or withdrawn
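The Implementation Tip and the record-keeping list above describe a small piece of machinery: a canonical phone-number key, consent records with the fields listed, STOP replies applied to a suppression list immediately, and a filter run over every campaign list before sending. The following Python module is an added example that is not part of the original page; the class and function names are its own, the store is in-memory (a deployment would use a database), and the sample numbers are constructed. It also includes a check that a marketing body names the sender and carries an unsubscribe instruction, covering rules 2 and 3 from the top of the page.

```python
"""Consent and opt-out bookkeeping for SMS campaigns (added example, not the page's own code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Keywords treated as an opt-out when they are the first word of an inbound reply.
STOP_WORDS = {"STOP", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}


def normalize_au_number(raw: str) -> str:
    """Canonicalise an Australian mobile number to E.164 (+614xxxxxxxx).

    Suppression only works if '0412 345 678', '61412345678' and '+61412345678'
    all map to the same key; otherwise an opted-out number sneaks back in.
    """
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("61"):
        digits = digits[2:]
    if digits.startswith("0"):
        digits = digits[1:]
    if len(digits) != 9 or not digits.startswith("4"):
        raise ValueError(f"not an Australian mobile number: {raw!r}")
    return "+61" + digits


@dataclass
class ConsentRecord:
    """One consent event with the fields the record-keeping list asks for."""
    number: str
    obtained_at: datetime
    method: str                    # e.g. "web_form", "sms_keyword", "pos_verbal"
    scope: str                     # what the person agreed to receive
    wording: str                   # exact consent text shown to the person
    ip_address: Optional[str] = None
    withdrawn_at: Optional[datetime] = None


class ConsentStore:
    # Hypothetical in-memory store; back it with a database in a real deployment.
    def __init__(self) -> None:
        self._consents: dict[str, list[ConsentRecord]] = {}
        self._suppressed: dict[str, datetime] = {}   # number -> time of opt-out

    def record_consent(self, raw_number: str, method: str, scope: str, wording: str,
                       ip_address: Optional[str] = None,
                       at: Optional[datetime] = None) -> ConsentRecord:
        number = normalize_au_number(raw_number)
        rec = ConsentRecord(number, at or datetime.now(timezone.utc),
                            method, scope, wording, ip_address)
        self._consents.setdefault(number, []).append(rec)
        self._suppressed.pop(number, None)   # a fresh opt-in lifts an earlier opt-out
        return rec

    def handle_inbound(self, raw_number: str, body: str,
                       at: Optional[datetime] = None) -> bool:
        """Process a reply from a handset; returns True if it was an opt-out.

        The suppression is applied immediately and every open consent record is
        marked withdrawn, so the withdrawal itself is kept, not just the block.
        """
        words = body.strip().upper().split()
        first = words[0].rstrip(".!,") if words else ""
        if first not in STOP_WORDS:
            return False
        number = normalize_au_number(raw_number)
        ts = at or datetime.now(timezone.utc)
        self._suppressed[number] = ts
        for rec in self._consents.get(number, []):
            if rec.withdrawn_at is None:
                rec.withdrawn_at = ts
        return True

    def has_active_consent(self, raw_number: str) -> bool:
        number = normalize_au_number(raw_number)
        if number in self._suppressed:
            return False
        return any(r.withdrawn_at is None for r in self._consents.get(number, []))

    def filter_recipients(self, raw_numbers: list[str]) -> tuple[list[str], list[str]]:
        """Split a campaign list into (allowed, blocked); run this before every send."""
        allowed: list[str] = []
        blocked: list[str] = []
        for raw in raw_numbers:
            try:
                number = normalize_au_number(raw)
            except ValueError:
                blocked.append(raw)          # malformed: never guess, never send
                continue
            (allowed if self.has_active_consent(number) else blocked).append(number)
        return allowed, blocked


def check_marketing_message(text: str, sender_name: str) -> list[str]:
    """Return the Spam Act problems found in a marketing body (empty list means OK)."""
    problems = []
    if sender_name.lower() not in text.lower():
        problems.append("sender not identified")
    if not re.search(r"\bSTOP\b", text, re.IGNORECASE):
        problems.append("no unsubscribe instruction")
    return problems
```

Two design points matter more than the rest: opt-outs are applied at the moment the reply arrives, not on a batch job, so the five-business-day window is never at risk; and the number is normalised on every path in, because a suppression list keyed on raw strings lets the same handset through under a different formatting.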
What NOT to Do
- ✗ Pre-checked consent boxes (must be unchecked by default)
- ✗ Bundled consent ("I agree to Terms AND marketing messages")
- ✗ Purchasing phone number lists
- ✗ Assuming consent from public directories
- ✗ Using old consent for new purposes without re-confirmation
Compliance Checklist
□ Obtain express consent before sending marketing SMS
□ Clearly identify your business in every message
□ Include unsubscribe instructions (e.g., "Reply STOP")
□ Honor unsubscribe requests within 5 business days
□ Maintain consent records for 5+ years
□ Check Do Not Call Register for cold contacts
□ Publish accessible privacy policy
□ Implement secure data storage
□ Train staff on compliance requirements
□ Regular compliance audits
Frequently Asked Questions
What is the Spam Act 2003 and how does it apply to SMS?
The Spam Act 2003 regulates commercial electronic messages in Australia, including SMS. It requires businesses to obtain consent before sending marketing messages, identify who sent the message, and provide an easy way to unsubscribe. Violations can result in fines up to $2.5 million.
Do I need consent for every SMS I send?
Not every SMS requires consent. Purely factual messages (order confirmations, delivery notifications, password resets) are exempt, although they must still identify the sender. Marketing and promotional SMS always require consent; the Spam Act accepts inferred consent in limited circumstances, but express opt-in is the safe default and the standard this guide recommends.
What's the difference between express and inferred consent?
Express consent is explicit opt-in (e.g., ticking a checkbox, sending 'YES' to subscribe). Inferred consent comes from business relationships or publicly available numbers. For SMS marketing, express consent is strongly recommended and safer legally than relying on inferred consent.
Does the Do Not Call Register apply to SMS?
Yes, but with exceptions. You can send SMS to numbers on the Do Not Call Register if you have consent or an existing business relationship. However, you must have your own do-not-contact list and respect unsubscribe requests within 5 business days.
What information must be included in marketing SMS?
Every marketing SMS must clearly identify your business name, include a functional unsubscribe method (e.g., 'Reply STOP to unsubscribe'), and be sent from an identifiable source. Messages must not mislead or deceive recipients about the sender or purpose.
How long must I keep consent records?
Keep consent records for at least 5 years after the consent was given or withdrawn. Records should include when consent was obtained, how it was obtained, what it covers, and any subsequent withdrawals. This protects you in case of compliance audits or complaints.
Continue Learning
SMS Provider Buying Guide →
Understand what compliance features to look for when choosing an SMS provider, including opt-out management and consent tracking.
For Developers: SMS API Integration Guide →
Learn how to implement compliant SMS sending with proper opt-out handling and consent validation in your code.
Comparison Tool: Find Compliant Providers →
Compare SMS providers with built-in compliance features including automated opt-out management and ACMA reporting.
About Us: View Methodology →
Learn about our provider evaluation criteria including compliance features and regulatory adherence.
Official Resources
- ACMA Spam Resources - Official guidance on Spam Act compliance
- Do Not Call Register - Register and check numbers
- OAIC Privacy Resources - Privacy Act guidance and APPs