Latest ACMA data shows continuing regulator focus on Australian spam enforcement

The regulator’s latest quarterly report contains details of enforcement actions and compliance activities relating to scams, spam and telemarketing for the period of January to March 2025 and contains important information for businesses and organisations. 

Consumer protection initiatives in action

The report highlights that the ACMA’s broader consumer protection efforts have also seen strong results.

During the quarter, telecommunication (telco) companies reported blocking over 2.4 billion scam calls and nearly 900 million scam SMS messages. This massive effort reflects a sector-wide commitment to reducing fraud.

The ACMA also issued 945 compliance alerts based on consumer complaints to businesses during the quarter, helping organisations identify and correct potential breaches before enforcement action becomes necessary.

ACMA’s compliance priorities

The ACMA has set two main compliance focus areas for the coming year:
Firstly, the regulator will prioritise enforcement against businesses that disguise commercial messages as service or non-commercial communications to combat misleading spam.

Secondly, efforts to reduce the impact of impersonation scams will continue by enforcing telco obligations to detect and block scam SMS, and by sharing intelligence with domestic and international partners.

To assist businesses to comply with Spam Act requirements, ACMA has also issued a statement of expectations about the use of consent in telemarketing and e-marketing.

Major enforcement actions

In a significant ruling, the Federal Court imposed A$1.5 million in penalties on V Marketing Australia Pty Ltd, as well as a A$60,000 fine to its sole director. The company was found to have made over one million telemarketing calls to numbers listed on the Do Not Call Register between March 2017 and September 2018. The case highlights the serious consequences of ignoring telemarketing laws and the need for businesses to maintain up-to-date contact lists and consent records.

Telstra was issued an AU$626,000 infringement notice after self-reporting breaches of the Spam Act 2003 (Cth) (Spam Act). An ACMA investigation identified that over a 21-month period, the telco had sent more than 10 million non-compliant SMS messages. Many of these messages required recipients to provide personal information to unsubscribe, contrary to legal requirements. Some were sent without valid consent. The case illustrates the risks of inadequate consent mechanisms and the importance of user-friendly opt-out processes.

Following the release of its quarterly report, the ACMA has also more recently issued a penalty in excess of AU$4 million against Tabcorp Holdings Ltd for breaches of the Spam Act, including sending electronic marketing communications without an unsubscribe option, not including adequate sender information and sending messages without consent.

How businesses can ensure compliance

With enforcement actions on the rise and penalties reaching into the millions, businesses must take proactive steps to ensure their marketing and communications practices comply with the regulations. Here are four key areas to focus on:

Obtain and document clear, informed consent

Businesses must ensure that individuals have clearly agreed to receive marketing communications and that this consent is documented. While opt-out consent can be lawful, it is more difficult to record evidence of this type of consent. Being able to demonstrate consent includes:

• using opt-in mechanisms, not pre-ticked boxes;
• keeping records of when and how consent was obtained; and
• making it easy for individuals to withdraw consent at any time without the need to provide further personal information.

The ACMA’s statement of expectations makes it clear that, although the Spam Act permits businesses to rely on expressed or inferred consent, express consent is preferred. According to the ACMA, inferred consent should only be relied on where there is a clear, current or ongoing relationship with the individual and the goods or services being marketed are directly related to that relationship.

Regularly review and update systems and practices

Compliance is not a set and forget exercise. Businesses should:

• conduct regular audits of their marketing databases and systems;
• ensure unsubscribe mechanisms are functional, accessible, and do not require unnecessary steps. According to the ACMA, unsubscribe requests should be given effect to within a maximum of 5 business days; and
• review third-party marketing arrangements to ensure they also comply with the Spam Act and Do Not Call Register Act.
  Train staff on legal obligations.

Staff involved in marketing, customer service, or data handling should be trained on:

• the requirements of the Spam Act and the Do Not Call Register Act;
• how to recognise and respond to potential compliance issues;
• the importance of respecting consumer preferences and privacy;
• the ongoing obligations the organisation has event if they engage third partis to send direct marketing on their behalf;

Stay informed and responsive

The regulatory landscape is evolving, particularly with ongoing privacy reforms. Businesses should:

• monitor updates from the ACMA, subscribing to the ACMA newsletter, following their official social media pages;
• subscribe to compliance alerts or industry newsletters, such as the Office of the Australian Information Commissioner’s (OAIC) newsletters;
• seek legal or regulatory advice when launching new campaigns or technologies; and
• consider how they are using online technologies for targeted marketing – the OAIC has issued guidance about the use of pixels and expressed concerns about the collection and use of personal information, particularly sensitive information, for direct marketing activities using these technologies.

The recent reforms to the Privacy Act made breaches of some obligations in Australian Privacy Principle 7, which relates to the use and disclosure of personal information for direct marketing, penalty provisions. This empowers the OAIC to issue compliance and infringement notices without the need to take formal proceedings which can result in fines of up to A$66,000, based on the current value of a penalty unit.

Co-written by Gagan Singh of Pinsent Masons.