Resources / Compliance
Australia's Spam Act 2003 for senders
Australia's Spam Act 2003 is an opt-in law built on three rules - consent, identify, unsubscribe. Consent is express or (narrowly) inferred, the burden of proving it sits on the sender, and an unsubscribe must work and be honored within 5 working days. ACMA enforces; we describe its role without a penalty figure because the current amounts were not confirmed from a primary source.
Last checked: June 21, 2026
Australia’s Spam Act 2003 (Cth) is an opt-in law that the regulator boils down to three obligations: consent, identify, and unsubscribe. It is enforced by the Australian Communications and Media Authority (ACMA), and one of its defining features is that the burden of proving consent sits on the sender - including for any address you obtained from someone else.
This is general information, not legal advice. Consult Australian counsel for your situation. The obligations below come from ACMA’s guidance and the Spam Act 2003.
The 60-second version
- Opt-in. You must have consent before sending a commercial electronic message.
- Consent is express or inferred; ACMA calls express consent best practice and inferred “not as reliable.”
- You cannot send a message to ask for consent - that message is itself marketing.
- The sender must keep records of who consented, when, and how. Bought lists do not shift that burden.
- Identify yourself accurately (name/business + correct contact details), and keep that info correct for at least 30 days.
- Every commercial message needs a functional unsubscribe, honored within 5 working days, kept live for at least 30 days, free and low-friction.
- Address-harvesting software and harvested lists are prohibited.
- ACMA enforces. We do not print a penalty figure - see the enforcement note.
Consent: express vs inferred
| Type | What it requires |
|---|---|
| Express consent | The person actively consents - via a form, tick-box, phone, or face-to-face. ACMA characterises this as best practice. |
| Inferred consent | The recipient knowingly gave their address in the context of a provable, ongoing relationship with your business, and the marketing is directly related to that relationship. ACMA notes inferred consent “is not as reliable.” |
Two rules constrain both:
- You cannot seek consent by electronic message. Emailing someone to ask whether you may market to them is itself a marketing message.
- The burden of proof is on you. You must be able to show consent for every address used - including addresses from purchased or third-party lists.
When inferred consent actually applies
| Condition | Detail |
|---|---|
| Ongoing relationship | The person has a subscription, account, or membership with your business. |
| Relevance | The marketing must be directly related to that relationship (e.g., a bank marketing a savings account to a savings customer) - it does not extend to unrelated products. |
| Not a one-off purchase | A single past purchase does not, by itself, establish inferred consent for ongoing marketing. |
Sender identification
| Requirement | Detail |
|---|---|
| Name | Accurately identify your name or business name in the message. |
| Contact details | Include correct contact details for you or your business. |
| Authorised sends | If someone sends on your behalf, the message must still identify you as the authorising business - using your correct legal name, or name plus ABN. |
| Duration | Identification information must stay correct for at least 30 days after sending. |
Note that, unlike US CAN-SPAM, the Spam Act does not require a physical postal address - it requires that you be accurately identified and contactable.
Unsubscribe
| Requirement | Detail |
|---|---|
| Option | Every commercial message must contain an unsubscribe option. |
| Clarity | Instructions must be clearly worded. |
| Timeframe | Honor an unsubscribe within 5 working days. |
| No fee | It must not require payment. |
| No extra steps | It must not require extra personal information or creating a login/account. |
| Availability | It must stay functional for at least 30 days after the message is sent. |
| Cost | It must not cost more than the usual amount of using the return address (e.g., a standard SMS charge). |
The 5-working-day window is the tightest of the English-speaking regimes on this page (US and Canada both allow 10 business days).
Prohibited practices
- You cannot use or supply address lists created with address-harvesting software, nor the harvesting software itself.
- You cannot help, guide, or knowingly facilitate another person’s violation of the Act.
Enforcement: ACMA’s role (no figure printed)
ACMA administers and enforces the Spam Act and takes enforcement action against violations.
We do not print a penalty figure on this page. The current penalty-unit amounts were not confirmed from a primary source at author time, and penalty-unit values change over time. Rather than state a number we could not verify, we point you to the Spam Act 2003 and the current Commonwealth penalty-unit value for the applicable amounts.
Common confusion
- “A purchase means I have consent.” A one-off purchase does not create inferred consent for ongoing marketing.
- “I’ll just ask by email.” That request is itself a commercial message and is not allowed without a basis.
- “My list vendor proved consent.” The burden is on you for every address, bought lists included.
- “10 days like the US.” Australia is 5 working days.
What Egressif does, and what stays with you
Egressif provides the operational layer the Spam Act measures: authenticated, accurately identified sending (SPF/DKIM/DMARC so your name and contact stand behind a domain you control), a functional unsubscribe, suppression on receipt so an opt-out is honored well inside the 5-working-day window and stays live past 30 days, and durable records of consent capture, sends, and unsubscribes - directly relevant because the Act puts the burden of proof on the sender. What stays with you is the consent itself: holding valid express or genuinely inferred consent, vetting any acquired list, and keeping the evidence. We make your handling provable; the legal call is yours and your counsel’s.
Related references
- Email marketing laws by country (2026) Anti-spam laws look alike until you sort them by consent. The US (and, for B2B, Turkey) let you mail first and honor opt-outs; Canada, the UK, the EU, and Australia want permission before the first message. This page lines all six up on consent, sender identity, unsubscribe timeframe, who enforces, and the penalties we could verify.
- CAN-SPAM Act: what US email law requires CAN-SPAM is an opt-out law: you may email someone who never asked, as long as the message is honest, names you, carries a physical address, and offers an unsubscribe you honor within 10 business days. There is no B2B exemption, and each non-compliant email is a separate violation.
- CASL: Canada's anti-spam law for senders CASL is an express opt-in law with a narrow, time-limited implied-consent exception. Every commercial electronic message must identify you and carry a working unsubscribe honored within 10 business days, and the burden of proving consent is on the sender. Penalties reach CAD $1M for individuals and CAD $10M for businesses per violation.
- UK PECR and UK GDPR for email marketing UK email marketing runs on two laws at once - PECR for the consent rules and UK GDPR for the data underneath. Marketing to individuals is opt-in (with a narrow soft opt-in for existing customers), while corporate bodies can be emailed without prior consent. We describe the ICO's enforcement powers qualitatively because the specific PECR penalty ceiling is not confirmed from a primary source.
- EU email marketing: GDPR and ePrivacy In the EU, marketing email is governed by the ePrivacy Directive (the consent rule) layered over the GDPR (the data rule). ePrivacy Article 13 generally requires prior opt-in for individuals; GDPR supplies the lawful basis, the right to object, and the accountability that turns consent into something you must be able to prove. Because the directive is transposed by each member state, the specifics vary by country.
- Turkey's ETK, KVKK and IYS for email Turkey requires prior consent (onay) to send commercial electronic messages to consumers, allows B2B sends to merchants and traders without consent, and routes consent and opt-outs through a central government registry, the IYS. Unsubscribe must be honored within 3 business days. The ETK obligations below come from the official law text; the KVKK data-protection layer is flagged where we could not verify it.
Tell us what you run today.
Domains, rough volume, current providers, and what hurts. You will get a straight answer on fit, and a real number, in one conversation.