SMS Marketing SPAM Compliance Playbook

Telstra was fined $626,000 for breaching spam laws by sending over 10 million non-compliant text messages. Over the last 18 months, businesses have paid over $16 million in spam penalties, indicating that ACMA is actively enforcing compliance.

The goal of this guide is to give you the basics of SMS marketing compliance so you don't have to deal with legal headaches. This is not legal advice; check the ACMA website to confirm you are not in breach of the spam laws.

The Three Pillars Of SMS Compliance

To ensure compliance, your entire SMS strategy must be built on three foundational pillars. These are strict legal requirements, and a failure in any of these areas constitutes a breach of the Act.

Pillar 1: Consent

Under Australia’s opt-in system, you cannot send a commercial text message without the recipient’s prior permission. Sending an initial message to request consent is prohibited, as that message itself is considered unsolicited.

The law recognizes two types of consent, but for maximum compliance, one is strongly preferred.

Express Consent

Express consent is the recommended standard. It is established when a person actively and knowingly agrees to receive marketing messages from your business.

Methods for obtaining express consent include:

  • A person submitting their number via a form on your website.
  • A person ticking an unchecked box that clearly states they agree to receive marketing texts.
  • A person texting a keyword like “JOIN” to your number.
  • A person providing clear verbal consent.

ACMA strongly recommends express consent because it is clear and unambiguous. The burden of proof is on the sender, so you must maintain meticulous records of who consented, and when and how they did so. You could also consider a double opt-in process: after a user signs up, an automated confirmation text asks them to reply "YES" to confirm. This creates a clear, time-stamped audit trail, although single express consent, properly recorded, satisfies the Act.

Inferred Consent

The law also allows for “inferred” consent. However, this concept is narrowly defined and has been the source of many compliance failures. Relying on inferred consent carries a higher risk, as the definition is strictly interpreted by the regulator.

Inferred consent may arise from a strong, existing business relationship in which marketing messages are directly relevant and expected, such as with a member of a club or a subscriber to a service.

However, the following scenarios do not constitute inferred consent:

  • A customer making a one-off purchase.
  • A person providing their number for a non-marketing purpose, like a delivery update.
  • A phone number being publicly listed.
  • A person making an inquiry.

Given the risks, express consent is the recommended and safer approach.

Pillar 2: Clear Sender Identification

Every message you send must clearly state who you are. The message must include your business’s legal name (or your name and ABN) and your contact information. This information must remain accurate and functional for at least 30 days after the message is sent.

This rule builds trust and allows ACMA to trace messages. The regulator has launched an SMS Sender ID Register to combat impersonation scams, and using a verified, branded sender name is now a critical best practice.

For example: “20% off all dental cleanings this month! Book now at Smith Dental Clinic. Call (02) 9876 5432 or reply STOP to opt out.”

Pillar 3: A Functional Unsubscribe Facility

Every commercial message must provide a simple way for the recipient to opt out. This is a fundamental consumer right, and ACMA actively enforces this requirement.

A compliant unsubscribe process must be:

  • Clear: Use simple instructions like “Reply STOP to opt-out”.
  • Timely: Requests must be processed within five working days.
  • Low-cost: It must be free or cost no more than a standard text message.
  • Functional: The mechanism must work for at least 30 days after the message is sent.

The Spam Regulations 2021 further clarified that an unsubscribe process cannot require a person to:

  • Log in to an account.
  • Create a new account.
  • Provide any extra personal information.
  • Pay a fee.

The enforcement action against Telstra, which resulted in a $626,000 fine, highlights this risk. Their process required customers to call a number and provide a PIN or personal details. ACMA determined this process was non-compliant. The unsubscribe process must be frictionless and present no barriers to the user.

Transactional (Factual) Messages vs. Commercial Messages

This is a common area of non-compliance that has led to significant penalties for major companies. For example, misclassification was a key factor in the $7.5 million fine issued to Commonwealth Bank. It is essential to understand the difference between a commercial message and a purely factual one.

A message is legally defined as “commercial” if just one of its purposes is to promote a product, service, or business. The commercial intent does not need to be the primary purpose. If any promotional element exists, the entire message is classified as commercial and must follow all three rules: consent, identification, and unsubscribe.

Purely factual messages, often called “transactional” or “service” messages, are exempt from the consent and unsubscribe rules, though they must still identify the sender. These include communications like:

  • Password reset links.
  • Appointment reminders.
  • Shipping confirmations.

The compliance risk lies in mixing the two. Adding a promotional banner or a link to your website’s homepage in a transactional message can change its classification. ACMA has made it clear that a link to a webpage with any commercial content makes the entire message commercial. This practice converts an exempt message into a regulated commercial message.

The lesson from major enforcement actions is to maintain a strict firewall between your two communication streams. Factual, transactional messages must be free of all marketing content. Your marketing messages must be fully compliant, sent only to consented contacts with a clear unsubscribe option.

Record-Keeping and Data Management

In the event of an investigation, the regulator will require evidence of compliance, making thorough record-keeping essential. The Spam Act places the burden of proof on the sender. Maintaining detailed consent records is a legal requirement.

For every subscriber, you must be able to produce a log showing:

  • How they consented (e.g., website form, keyword text).
  • When they consented (the exact date and timestamp).
  • What they consented to (the exact disclosure language they saw).

This requirement intersects with your obligations under the Privacy Act 1988, which governs how you collect and handle personal information. You must collect data lawfully and for a specific purpose. A phone number collected for a delivery notification cannot be used for marketing without separate, specific consent.

Your data must also be kept secure, using systems that protect customer lists from breaches and limit access to authorized personnel.

Best Practices for Message Delivery

Beyond legal compliance, adopting best practices for message delivery can improve campaign effectiveness and reduce customer complaints. Customer complaints often trigger regulatory investigations, so minimizing recipient annoyance is a key risk mitigation strategy.

Timing and Frequency

Respect your customers’ time. It is a strong industry best practice to avoid sending marketing texts during “quiet hours.” Generally, this means refraining from sending messages before 9 a.m. or after 8 p.m. in the recipient’s local time zone.

Additionally, manage your sending frequency. Sending too many messages is a primary reason for unsubscribes. A reasonable cadence is one to two marketing messages per week, unless you have set different expectations at the point of sign-up.

Personalisation and Testing

Personalising messages with customer data can increase engagement. However, this data must be used in compliance with the Privacy Act, meaning it was collected lawfully for that purpose or with the user’s consent.

A/B testing is an effective method for optimizing campaigns. You can test different offers, calls to action, or send times to see what gets the best response. It is crucial that all message variants used in testing are fully compliant with the Spam Act.

Industry Standards: The ADMA Code

The Association for Data-driven Marketing & Advertising (ADMA) provides a Code of Practice that serves as an industry benchmark for ethical marketing. It is built on principles of fairness, honesty, and transparency, which reinforce legal obligations and help reduce the risk of consumer complaints.

Your SMS Compliance Checklist

Use this checklist to conduct a regular audit of your program. Any negative answers indicate a potential compliance gap that requires immediate attention.

  • Consent: Do you have explicit, express consent for every person on your marketing list?
  • Records: Can you produce a time-stamped record of that consent for every single subscriber?
  • Opt-in: Are all your online consent boxes unchecked by default?
  • Identification: Does every marketing text clearly state your business name and contact details?
  • Unsubscribe: Does every message have a simple “Reply STOP” (or similar) opt-out?
  • Unsubscribe Process: Is your opt-out process free, and does it work without requiring a login or any extra personal details?
  • Message Separation: Do you have a strict separation between purely factual messages and commercial messages?
  • Timing: Do you avoid sending marketing texts during quiet hours (before 9 a.m. and after 8 p.m. local time)?
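The checklist above (and the record-keeping requirements earlier on this page) describe gates that a sending system can enforce mechanically. The following is an added example written for this page, not code from ACMA or any SMS provider: it keeps an append-only consent log recording how, when and what each person consented to, treats a STOP reply as an immediate opt-out, refuses to send to a number collected only for a transactional purpose, checks that the message body carries the sender name, a contact number and an opt-out instruction, and blocks sends during quiet hours in the recipient's local time. The business name, phone numbers, field names and timestamps are all constructed assumptions.

```python
"""Added example: a send gate for marketing SMS. Illustrative code for this page;
the data model, keyword lists, sender details and sample numbers are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import re

try:
    from zoneinfo import ZoneInfo
    SYDNEY = ZoneInfo("Australia/Sydney")
except Exception:  # no tz database on this host: fall back to a fixed AEDT offset
    SYDNEY = timezone(timedelta(hours=11), "AEDT")

OPT_OUT_KEYWORDS = {"STOP", "UNSUBSCRIBE", "OPT OUT", "OPTOUT"}
OPT_IN_KEYWORDS = {"JOIN", "START", "YES"}
SENDER_NAME = "Smith Dental Clinic"                          # assumed business name
SENDER_CONTACT_RE = re.compile(r"\(\d{2}\)\s?\d{4}\s?\d{4}")  # e.g. (02) 9876 5432
STOP_RE = re.compile(r"\breply\s+STOP\b", re.IGNORECASE)


@dataclass(frozen=True)
class ConsentRecord:
    number: str             # recipient in E.164 form (assumed convention)
    method: str             # HOW consent was given: web_form, keyword, verbal, checkout
    consented_at: datetime  # WHEN: timezone-aware UTC timestamp
    disclosure: str         # WHAT they saw: the exact wording shown to the person
    purpose: str            # "marketing" or "transactional"


@dataclass
class ConsentStore:
    """Append-only evidence log: records are added, never edited or deleted."""
    consents: list = field(default_factory=list)
    optouts: dict = field(default_factory=dict)   # number -> time of latest opt-out

    def record_consent(self, rec: ConsentRecord) -> None:
        self.consents.append(rec)

    def record_optout(self, number: str, when: datetime) -> None:
        self.optouts[number] = when

    def marketing_consent(self, number: str):
        """Latest marketing consent for the number, unless a later opt-out revoked it."""
        hits = [c for c in self.consents if c.number == number and c.purpose == "marketing"]
        if not hits:
            return None
        latest = max(hits, key=lambda c: c.consented_at)
        revoked = self.optouts.get(number)
        return None if revoked is not None and revoked >= latest.consented_at else latest


def handle_inbound(store: ConsentStore, number: str, text: str, now: datetime, disclosure: str) -> str:
    """Classify a reply. Opt-outs take effect at once rather than using the five-day allowance."""
    word = " ".join(text.strip().upper().split())
    if word in OPT_OUT_KEYWORDS:
        store.record_optout(number, now)
        return "opted_out"
    if word in OPT_IN_KEYWORDS:
        store.record_consent(ConsentRecord(number, "keyword:" + word, now, disclosure, "marketing"))
        return "consented"
    return "ignored"


def message_problems(body: str) -> list:
    """Pillars 2 and 3: sender identification and a visible opt-out instruction."""
    problems = []
    if SENDER_NAME not in body:
        problems.append("missing sender name")
    if not SENDER_CONTACT_RE.search(body):
        problems.append("missing contact number")
    if not STOP_RE.search(body):
        problems.append("missing opt-out instruction")
    return problems


def in_quiet_hours(now_utc: datetime, tz, start_hour: int = 9, end_hour: int = 20) -> bool:
    """True outside 9 a.m. to 8 p.m. in the recipient's local time."""
    local = now_utc.astimezone(tz)
    return not (start_hour <= local.hour < end_hour)


def can_send_marketing(store: ConsentStore, number: str, body: str, now_utc: datetime, tz):
    """Returns (ok, reasons). Every reason is a checklist item that failed."""
    reasons = []
    if store.marketing_consent(number) is None:
        reasons.append("no unrevoked marketing consent on record")
    reasons.extend(message_problems(body))
    if in_quiet_hours(now_utc, tz):
        reasons.append("quiet hours in recipient's time zone")
    return (not reasons, reasons)


def demo() -> dict:
    """Constructed scenario: 2025-03-03 00:00 UTC is 11:00 AEDT in Sydney."""
    store = ConsentStore()
    t0 = datetime(2025, 3, 3, 0, 0, tzinfo=timezone.utc)
    store.record_consent(ConsentRecord("+61400000001", "web_form", t0,
                                       "Yes, send me Smith Dental Clinic offers by SMS", "marketing"))
    # Number collected only for a delivery update: not consent for marketing.
    store.record_consent(ConsentRecord("+61400000002", "checkout", t0,
                                       "We'll text you when your order ships", "transactional"))
    msg = ("20% off all dental cleanings this month! Book now at Smith Dental Clinic. "
           "Call (02) 9876 5432 or reply STOP to opt out.")
    out = {"consented": can_send_marketing(store, "+61400000001", msg, t0, SYDNEY),
           "transactional_only": can_send_marketing(store, "+61400000002", msg, t0, SYDNEY),
           "quiet": can_send_marketing(store, "+61400000001", msg, t0 + timedelta(hours=11), SYDNEY)}
    handle_inbound(store, "+61400000001", " stop ", t0 + timedelta(hours=1), "")
    out["after_stop"] = can_send_marketing(store, "+61400000001", msg, t0 + timedelta(hours=2), SYDNEY)
    return out


if __name__ == "__main__":
    for name, (ok, reasons) in demo().items():
        print(f"{name}: {'SEND' if ok else 'BLOCKED'} {reasons}")
```

The gate returns every failed check rather than the first one, so a blocked send produces the same list of gaps an auditor would ask about. In a real deployment the ConsentStore would be a write-once table (or an append-only log) with the disclosure text stored verbatim, because the "what they consented to" record is worthless if the form wording can be edited after the fact.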

SMS marketing in Australia is a highly effective channel, offering direct engagement with customers. However, this effectiveness is contingent on strict adherence to the regulatory framework. Compliance should be treated as a foundational component of your marketing strategy, not an afterthought. By building your program on the principles of consent, identification, and a functional unsubscribe facility, and by respecting customer data, you can build a trusted and successful communication channel. Failure to do so ex