The Online Fix
Market your way to success

You, Spam and Privacy

Spam and privacy legislation Australia

How the Spam Act and Privacy legislation in Australia impact small business owners

The aim of this article is to be a quick 5-minute read to help you understand, in plain language, how to keep on the right side of the law when it comes to emailing and dealing with your customer data - and you never know - it may end up saving you a lot of grief down the track.

The rules on how you can use digital marketing messages safely, without being in breach of these laws in Australia, are laid out below. However, this is not legal advice. You should familiarise yourself with the legislation to ensure your own circumstances have been considered :)

The Australian Spam Act 2003

The Spam Act was put into place to stop unscrupulous businesses from relentlessly spamming people with digital communications and messages, regardless of whether it was email, text or any other direct form of messaging.

The Spam Act applies to all businesses regardless of size. It covers:

  • all messages coming out of Australia even if the broadcast service you’re using is outside of Australia - such as Mailchimp.

  • all messages originating overseas sent to an Australian address.

  • all digital messages and communications that offer, advertise or promote a product or service.

The basic rules of the Act are:

  1. You must have permission to send a promotion-type email/message to anyone.
    This is the opt-in model at play in Australia, and it rules out buying lists of email addresses - a big no-no. The important thing here is that when you collect an email address from someone, you are clear about what you’re using it for.

    Here’s an example. As part of your sales process, you collect their email address to email the receipt and delivery information. This does not give you permission to now start emailing them in the future with promotional deals. What you need to do is include an opt-in button where people opt in to receive future emails about your services/products. Yes, it makes it hard - but that’s the law.

  2. Within your message (eg an email), you must include a complete and accurate set of contact details for you - the sender.

  3. You must always provide a way to ‘unsubscribe’ from any list.

  4. You must complete a request to ‘unsubscribe’ a person within 5 working days.

There are exceptions.

Certain messages from the following types of organisations are exempt:

  • government bodies

  • registered charities

  • registered political parties

  • educational institutions (for messages sent to current and former students).

The above are likely to be completely unhelpful to you as a small biz operator; luckily, there is a however. IF you have an existing relationship with someone and you are emailing them about something to do with that relationship - eg. they are a member of your website and you need to tell them about upcoming changes, outages or new features - then you can contact them without express ‘opt-in’ permission.

The penalties for breaching the Spam Act are steep - up to $220,000 per day in breach and up to $1.1 million for a repeated breach.

Australian Privacy legislation

Under the law in Australia, the legislation applies to you if you’ve got a turnover of more than $3 million, or, regardless of the size or type of your organisation, if you deal with personal health information.

It applies to personal information such as name, address, date of birth and rare or unique characteristic(s).

There are some other conditions that apply to small business and a comprehensive list is available here.

The basic rules for digital are:

  1. you must have a privacy policy on your website

  2. you must have a link to your privacy policy at any point that you collect data

  3. your privacy policy must clearly state:

    • what you will use the data for

    • how and where you will store it

    • who you will disclose it to including if they will be outside of Australia

    • what information you will collect as part of browsing the website

    • how people can view their personal data and lodge a privacy complaint

    • how you’ll communicate any changes to the policy.

  4. You must ensure that any personal information is reasonably protected and secured from misuse or unauthorised access, modification or disclosure.

  5. Once you no longer need that personal information then you must have a process to destroy or de-identify the information.

Now, while this only relates to certain businesses, it’s good practice to follow the basic principles of the Privacy Act. Why? This law is about protecting customers from people misusing their private information, including on-selling it to other organisations. By adhering to it you lend credibility and respect to your business, so that your customers can trust you.

A serious or repeated breach of privacy carries a maximum penalty of $340,000 for an individual or $1.7 million for a corporation.

Further information:

Further information is available at the not-so-helpful government websites, written not so much in English as in some form of legalese.

Avoid sending spam | ACMA

Important note: I am not a lawyer, just a digital specialist who has had to work within these laws for many years. You must seek proper legal advice relating to your own unique circumstances. The following is just an outline of key points, so it's not complete. I still hope that you’ll find it useful and that it points you in the right direction.
