January 2004

New Anti-Spam Legislation - ensure your electronic messages don't break the law

We all know spam when we see it. It's annoying, time consuming and clogs up valuable computer memory resources. It ranges from financial advisers promoting debt consolidation measures for those with expanding credit card debts to absurdly transparent frauds, like the Nigerian emails that promise millions in return for a small payment to cover administrative and banking costs.

Spam is sent by marketing-driven companies and individuals who have either "harvested" email addresses from databases on some basis or who use random generators of email addresses that spew out millions of permutations - ultimately, some strike pay-dirt and hit a real email address.

Studies have put the commercial cost of spam in Australia at hundreds of millions of dollars. It is also perceived by many as an invasion of privacy and the Federal Government sees anti-spam legislation as an adjunct to its Privacy Act.

In a bid to reduce the impact of spam, the Federal Government passed the Spam Act 2003 in December. It will commence when it receives royal assent, expected early in 2004.

Amongst other things, the new Act imposes severe penalties on sending spam without the consent of the receiver.

What constitutes spam?

If the penalties are to be avoided, businesses need to know what constitutes spam as far as the Act is concerned. While we may all have an intuitive sense of what spam is, the legal definition may be somewhat wider.

The new Act applies to "commercial electronic messages", including emails, mobile phone SMS and MMS and instant messaging. So far it seems that voice-to-voice marketing and faxes are not caught - but regulations may later include these forms of marketing.

The message must have a commercial purpose, such as buying, selling or advertising a good or service or investment opportunity etc. This requirement of a commercial purpose will save some messages, such as purely factual content in a newsletter; but care is needed if the message contains more promotional material.

There must also be an Australian link - in constitutional terms the parliament can only legislate with respect to matters Australian. If a message is sent within Australia, if it is sent to Australia from overseas or if a message is sent to Australian addresses from a person commissioned by a person in Australia, the Act applies. The Act can't be circumvented simply by taking a spamming business offshore.

Sending a commercial electronic message will breach the Act unless the recipient has given express or inferred consent.

Inferred consent may be deduced from the conduct of the recipient and the existence of business and other relationships. This is a key point. When you consider the nature of the relationship with a client or business contact, would it be reasonable for that person to expect that you would send such a message? Clearly the content of the message must be appropriate and relevant to the relationship.

Penalties

Before prosecution for breach of the prohibitions, a formal warning would be given, followed by an infringement notice, under which penalties can be imposed.

The penalties for breach of this central prohibition are severe. An infringement notice can involve a fine of $440 per contravention (i.e. a single email) for an individual, and corporations can be fined $2,200 per contravention.

If a court prosecution follows, the penalties escalate to $2,200 (individuals) and $11,000 (corporations). For repeat offences, multiply the penalties by 5 - although there is a ceiling of $1.1 million per day for corporations.

In addition, the legislation prohibits the use of address harvesting software, its sale and acquisition for the purpose of sending spam. The penalties are also severe and similarly escalate from formal warnings through infringement notices and prosecutions for offences and repeat offences.

The Act also requires that a commercial electronic message clearly and accurately identify the organisation or individual that authorised the sending of the message and include a statement that the recipient can "unsubscribe" if desired. There must also be an electronic address capable of acting on requests from recipients who ask for their names to be removed.

Again, there are severe penalties for breach of this requirement with a similar escalation regime to that described above.

There are also provisions for civil actions to be taken for compensation by those injured as a result of spam - such persons can sue for damages and injunctions and the surrender of ill-gotten gains made from spamming.

There are some limited exceptions for educational institutions (messages to the households of their students), religious and charitable organisations.

What to do

  • Check your database to ensure that those receiving "commercial" electronic messages have either consented expressly to receiving the messages or that you are confident that there is inferred consent arising from the relationship;

  • Stop sending commercial messages where you are not sure that consent (express or inferred) exists;

  • Check that your commercial electronic messages have the required operational "unsubscribe" address and that the messages accurately identify your organisation.

Will the Act have any impact? The penalties are certainly severe enough. However, it is widely thought that it will not, since most spam seems to originate overseas. The Act is part of a package of initiatives that the Government has considered, including the Privacy Act (which is now, of course, in force) and an education program. It remains to be seen what its effect will be - let's hope that it at least has an impact on the more invidious and anonymous spamming that wastes so much of our time.