Information on the Spam Act 2003
Introduction
The Spam
Act 2003 (Cth) is in force as of 10th April
2004. As of that date it is illegal to send even one
unsolicited commercial electronic message (not including telephone
calls or faxed messages) that meets any one of the
categories below. That is, the message is sent:
- from Australia; or
- by senders who:
  - are physically present in Australia; or
  - are organisations with central management and
    control (board meetings) in Australia; or
- to computers in Australia (including the
  recipient’s personal computer); or
- to recipients who read the message when they:
  - are physically present in Australia; or
  - are organisations carrying on business in
    Australia;
There are also requirements for an “opt-out”
facility in all commercial email – even if the commercial
email was requested.
Note: the maximum daily penalty is
$1.1 million for companies, and $220,000 for
individuals, and anybody knowingly concerned in a violation
is liable.
Disclaimer
The discussion here is intended to be a brief, non-technical
overview of key points of the new law, and not an exhaustive
examination of it. You should not rely on this discussion for
legal advice.
The meaning of “spam”
The Act does not define “spam”. Spam in the context
of electronic mail still means “Unsolicited Bulk Email”
(and even if the Act defined “spam”, that would only
affect its structural meaning in the Act, not its ordinary
meaning). The Act covers “Unsolicited Commercial Electronic
Messages”. The overlap between these and spam is large,
especially when the provisions on consent and some of the
exceptions are properly understood.
So if somebody claims that because of the Spam
Act, spam only means “Unsolicited Commercial
Electronic Messages”, you can confidently tell them that
they’re wrong.
The meaning of “unsolicited”
“Unsolicited” means that you did not have the
consent of the recipient to send the email. Consent can be either
express or inferred.
Express consent
“Express consent” means that the recipient has told
you that they agree to receive the email. To be express, the
consent must have been given by the recipient in circumstances
where they must have known that this is what they were doing. For
example, a pre-checked “send me newsletters” box will
not constitute express consent, nor will the fact that the
person gave their email address to the business when the
business’s unrevealed or implied purpose in collecting that
address was for sending commercial email constitute express
consent.
Inferred consent
“Inferred consent” means either that:
- The sender can infer consent after considering both
  the relationship between the sender and the recipient (if any)
  and the conduct of the recipient; or
- The business function rule applies.
Inferring consent through relationship and conduct
There does not need to be a prior relationship to infer consent
if the conduct of the recipient is sufficiently clear. But if
there is a prior relationship, it must be taken into account no
matter how clear the recipient’s conduct would be without
that prior relationship. For example, a relationship importing
antagonism may negate an inference you could otherwise draw from
conduct. Note: some organisations disagree with our view on
this point, and believe that there must be a prior relationship to
infer consent. The position is arguable, however we remain of the
view that our interpretation is correct.
Where there is a relationship, you need to take into account
both the relationship and the conduct of the recipient to infer
consent. If the recipient has told you they do not want commercial
email, or if they have reacted adversely when you have sent it to
them before, you will not be able to infer consent based on
conduct. If the recipient has withheld their email address from
you, then you cannot infer consent (this means that the practice
of e-pending is now illegal unless the recipient has given consent
for the e-pending).
The concept of “relationship” means that there is
some element of an ongoing, two-way interaction. A one-off
transaction will only constitute a relationship until a short time
after the transaction is completed. On the other hand, there may
be a transaction which, by its nature, imports an ongoing
relationship – for example, a software support or
maintenance contract imports an ongoing relationship, but a sale
of software without support will only constitute a relationship
for a short time after the software has been delivered and payment
has been taken.
To infer consent, the conduct of the recipient in the context
of any relationship between the sender and the recipient must be
such that it is reasonable to infer consent. It must be possible
to infer that the recipient would, more likely than not, in fact be
happy to receive the messages.
Pre-Spam Act spammers and inferred consent
Update: the rule we state below has been
confirmed by the Federal Court in ACMA
v Clarity1 [2006] FCA 410, for reasons including the ones
we give here.
One spammer sent out a number of spams prior to the 10th
of April 2004 claiming that they can infer consent based on the
fact that they have spammed you before 10th of April
2004 and you have not opted out. There are many, many reasons why
this claim is not even remotely viable, but it is sufficient to
point out that:
- Unless you have purchased something from the spammer,
  there is no relationship, because it is all one-way. This means
  that the conduct must be very clear and compelling for there to
  be any inference of consent.
- A failure to opt-out is more likely a result of the
  recipient not wanting to confirm to the sender that their email
  address is valid. The commonly held belief that opting out merely
  results in more spam means that there is a more probable explanation
  for the conduct that has nothing to do with consent at all. It
  does not matter whether the belief is valid, either generally or
  in the specific case.
- Where the spammer uses multiple, changing addresses to
  send their spam, this is a fairly conclusive indication that the
  spammer does not believe in, or even care about, consent, since
  the purpose of this is clearly to avoid filters, and filters are
  themselves fairly conclusive of the lack of existence of consent.
- An interpretation of the Act that took such a thing to be
  inferred consent would be entirely inconsistent with the purpose
  of the Act. Even if the Act were thought to be ambiguous on this
  point (it is clearly not), the
  rule that the Act should be interpreted in a way that supports its
  purpose would kick in, to ensure that the spammer’s
  interpretation would not prevail.
In short, a spammer making this claim is either bluffing, or is
announcing their intention to violate the Act. Given the
“knowingly concerned in” issue (see below), people who
are employed by, provide services to, or have received money or
property from such a spammer should immediately take steps to
sever any relationship with the spammer and put an end to any
circumstances that might make them “knowingly concerned in”
the future conduct of the spammer.
The business function rule
The business function rule applies when the recipient or a
suitably authorised person has:
- Conspicuously published (that is, published to a wide
  audience, but not incidentally such as in a mailing list archive)
  their email address in circumstances where it is clear that the
  publication was with authorisation of the recipient; and
- The email address relates to a business function that is
  relevant to the commercial message, or relates to an individual
  whose role or business function is relevant to the commercial
  message; and
- An appropriate person has not expressed a desire not to
  receive the commercial messages.
The easiest way for a recipient to avoid this is to include a
statement with the publication indicating a desire not to receive
commercial email, such as “(No spam)”.
Closed-loop confirmation (also known, misleadingly, as “double opt-in”)
The Act provides specific protection for businesses using a
closed-loop confirmation process that ensures that only the
legitimate recipient is physically capable of giving consent to
the sending of the message. Closed-loop confirmation involves the
sender of the commercial email sending an initial email message to
the recipient that contains a code that the recipient can use to
confirm that they were the one who requested the relevant
messages. The request is ignored if the recipient does not
correctly use that code to confirm the request.
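The closed-loop confirmation flow described above, as an added sketch
that is not code from CAUBE.AU or from the Act. The class name, the
48-hour expiry and storing a keyed digest instead of the code itself
are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

CONFIRM_TTL = 48 * 3600  # assumption: a mailed code is valid for 48 hours


def _norm(address):
    return address.strip().lower()


class ClosedLoopList:
    """Hypothetical list that activates an address only after the code
    mailed to that address is presented back."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self.pending = {}       # address -> (keyed digest of code, issue time)
        self.confirmed = set()  # addresses whose owner completed the loop

    def _digest(self, address, code):
        msg = f"{address}\n{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def request(self, address, now=None):
        """Record a request; return the code to mail to that address only."""
        address = _norm(address)
        code = secrets.token_urlsafe(16)  # 128 random bits, not guessable
        issued = time.time() if now is None else now
        self.pending[address] = (self._digest(address, code), issued)
        return code

    def confirm(self, address, code, now=None):
        """Activate the address if the code matches and has not expired."""
        address = _norm(address)
        entry = self.pending.get(address)
        if entry is None:
            return False  # no request on file: ignore
        digest, issued = entry
        if (time.time() if now is None else now) - issued > CONFIRM_TTL:
            del self.pending[address]
            return False  # stale request: ignore and forget it
        if not hmac.compare_digest(digest, self._digest(address, code)):
            return False  # wrong code: the request stays unconfirmed
        del self.pending[address]  # codes are single use
        self.confirmed.add(address)
        return True
```

Binding the digest to the address means a code issued for one mailbox
cannot confirm a request made in another mailbox's name.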
The meaning of “knowingly concerned in”
“Knowingly concerned in” means that you knew about
the conduct and had some kind of involvement in it. It does not
take much involvement to bring a person into the “knowingly
concerned” category. It includes the concepts of “aiding,
abetting, counselling, procuring, inducing and conspiring” –
which are also mentioned in the Act – but goes further.
The following people are obviously knowingly concerned:
- A person who instructs that the messages be sent;
- A person who sends the messages;
- A person who has the authority to instruct that the
  messages not be sent, but who does not give such instructions.
- A person involved in setting up, managing or investing in
  a company (wherever the company is located), where a purpose of
  setting up that company is to facilitate a breach of the Act.
More subtly, the following people are also knowingly concerned:
- A person who provides supporting facilities, knowing that
  they will be used for this purpose. This would include:
  - Potentially anybody employed in a business in which a
    significant activity of that business is the sending of messages
    in breach of the Act;
  - An accountant who pays the bill for a service used for
    breaching the Act, or sends the invoice for services sold as a
    result of a breach of the Act;
  - A secretary who types up a letter facilitating services
    to be used for a violation, or even handles a telephone call
    knowing that the purpose of the telephone call is to facilitate
    a breach; or
  - A person taking an order arising from a breach;
- A person who does something knowing that it enables
  another person to breach the Act. This would include:
  - Accepting money or property from a person knowing that
    they are trying to get their assets out of reach of enforcement
    of the Act. So, for example, if you are married to a spammer,
    and the spammer gives you their assets for the purpose of
    avoiding the enforcement of the Act, you facilitate their breach
    and can be liable for the fines yourself.
  - A conference venue provider who provides facilities for a
    seminar that the venue provider knows is being advertised by a
    breach of the Act.
  - An Internet Service Provider who provides service knowing
    that it will be used to breach the Act.
    Note that an ISP is protected where they merely provide the
    service that was used for sending the message (s9),
    but this protection will not apply where the ISP has knowledge
    of the breach in advance.
There are no shelters here. The spammer cannot move operations
offshore. They cannot hide behind the corporate veil. They cannot
give away property to avoid the property being taken in an
enforcement action. All of these approaches just result in more
people being liable.
The meaning of “knowingly”
Knowingly means that the person concerned either:
- Had actual knowledge of the facts constituting the
  violation; or
- Suspected the facts constituting the violation, but did
  not inquire any further, which includes:
  - actual suspicion; or
  - knowledge of circumstances that should have “put
    the person on inquiry”. For example, you know the person
    has a history of being a spammer, and did not take steps to
    investigate further. It will not normally be sufficient further
    inquiry to ask the spammer.
Summary
It is obviously a very bad idea to work for, do business with,
or accept money or property from a known spammer. If you do, you
expose yourself to the same liability as the spammer.
The unsubscribe facility
All commercial electronic messages covered by the Act must have
a facility that allows the recipient to say they don’t want
to receive commercial electronic messages from the sender. This
includes even single commercial electronic messages, and solicited
electronic messages.
In practice this means that every email sent by a business
should include an unsubscribe facility.
As of the 10th of April 2004, all businesses should
include in the signature portion of email messages, a clearly
labelled electronic address that the recipient can use to request
that the business send them no more commercial email. The address
could be an email address, or a URL of a web page that can be used
to initiate such a request.
The safest way for businesses to ensure they comply with such a
request is to ensure that all of their email is sent through an
email server they control, and to configure that email server to
refuse to accept email for addresses which have taken advantage of
the unsubscribe facility. This may require many businesses to seek
specialist assistance.
A business may also find it helpful to ensure that employees
only use their business related electronic mail address to send
email for business purposes. This measure can reduce the potential
for exposure. This may be coupled with the provision of an
alternative email address to employees that is unrelated to the
business address, if the business still wishes to allow email for
non-business purposes.
The unsubscribe facility must not involve the user making
payments beyond that normally associated with the service on which
they received the commercial electronic message.
The Privacy Act still applies
The obligations of a business under the Privacy Act
still apply. In particular, if email is being sent for direct
marketing purposes, the business must take steps to obtain consent
in advance of that use unless it is impracticable to obtain that
consent. Note that the word is impracticable,
not impractical. To be impracticable (“not capable of
being put into practice”), it must be so difficult or
unlikely to succeed that there is no point in even making the
attempt. Notably it will not be impracticable if the business
collected the email address from the individual knowing that one
of the uses of the email address would be or may become, direct
marketing.
In particular, messages will still normally be prohibited under
the Privacy Act, even if they would not be prohibited under the
Spam Act, if:
- you collect email addresses on a web page without
  obtaining consent for the purpose of direct marketing at the time
  of collection;
- you collect email addresses verbally without obtaining
  consent for the purpose of direct marketing at the time of
  collection; or
- you collect email addresses on a form without obtaining
  consent for the purpose of direct marketing at the time of
  collection.
For More Information