11 April 2004: D-Day for email databases

Australia now has anti-spam legislation which regulates the sending of one or more unsolicited commercial electronic messages. Persons or businesses who send commercial electronic messages (such as email or SMS) to or from Australia now have until 11 April 2004 to ensure their procedures comply with the Spam Act or face hefty penalties.

Now is the time to review whether your organisation has the consent of all electronic addressees in your databases to send them commercial electronic messages and ensure the content of the messages complies with the Act. It is also the time to put in place quality control procedures for future additions to your databases. We look at some of those steps below. More detailed guidance is available in SpamCheck, our Spam Act compliance guide.

Preparing for 11 April - what you should do

Those organisations which send commercial electronic messages either to or from Australia (and this would include most Australian businesses who supply products or services) will need to undertake a compliance audit before 11 April this year. Key actions which a business should take include the following:

• review its business practices to identify communications made by that business which could amount to a commercial electronic message under the Spam Act;
• ensure the business has the consent of all addressees of such commercial electronic messages from 11 April 2004 to receive such messages. This will usually involve a review of how address lists have been compiled, whether express consent has been given by the addressee in the past or can be inferred from conduct or business and other relationships and whether express or inferred consent should be sought before 11 April 2004 (and if so how);
• review and amend the form and content of any commercial electronic messages sent by the business to ensure compliance with requirements as to sender information and a functional unsubscribe facility;
• ensure that addressees who send an unsubscribe message are removed from the address list and receive no more commercial electronic messages forthwith and in any event within the time frames required by the Act;
• review the businesses' electronic address lists and the process for adding addressees to ensure the consent of new addressees is obtained and to ensure that the business does not breach the prohibitions on the supply, acquisition or use of address-harvesting software or harvested-address lists;
• set up a complaints handling process and contingency plan should the Australian Communications Authority ("ACA") wish to investigate the company's compliance with the Spam Act; and
• if the business sends commercial emails to other countries, consider exposure to any anti-spam laws in those countries.

A business may wish to tie this process in with related compliance activity, for example in relation to compliance with Commonwealth, State and Territory privacy legislation, the SMS code, and telemarketing legislation.

The Spam Act 2003 (Cth)

The Spam Act reaches far beyond the typical notion of spam, which we tend to think of as bulk unsolicited email, often associated with scams promising instant wealth or physical enhancement. Rather, the Spam Act prohibits sending one or more "commercial electronic messages" unless certain exceptions apply. The Act also regulates the content of "commercial electronic messages" and the use of address harvesting software and harvested address lists.

What's a "commercial electronic message"?

An "electronic message" is an individual electronic message sent using an internet carriage service or other listed service, to an email account, telephone account, instant messaging account or any other account. Voice calls made using a standard telephone service are excluded from this definition (but may be regulated by telemarketing laws). An electronic message becomes a "commercial electronic message" when it would be concluded from the content of the message and its presentation and any information available through links or contacts in the message that one purpose of the message is also a listed purpose in the Spam Act. Listed purposes include an "offer to supply or sell goods or services", or "to advertise or promote goods or services" or "to advertise or promote a supplier or prospective supplier of goods or services".

Under the Spam Act an individual or a company must not send a "commercial electronic message" unless:

• the relevant electronic account holder to whom the message was sent consented. Consent may be express or reasonably inferred from the conduct and the business and other relationships of the addressee, individual or organisation. (Consent can be inferred in certain cases from the conspicuous publication of an electronic address, for example, where an email address is published on a website and certain other conditions are satisfied);
• there is a mistake by the sender; or
• the message is a "designated commercial electronic message" (discussed below).

An individual or a company which sends a commercial electronic message prohibited by the Spam Act will be liable to pay civil penalties and possibly damages.

Designated commercial electronic messages exempted

Electronic messages that consist of no more than factual information (including directly related comment) which by itself would not constitute a commercial electronic message, in conjunction with the details of the author and/or the company from which the message originated, are "designated commercial electronic messages" to which the spam prohibition does not apply. Care needs to be taken with this exception as it does not permit commercial promotion to be dressed up as factual information.

Also exempted as designated electronic messages are electronic messages authorised by a government body, registered political party, religious organisation or charitable institution, relating to goods or services supplied by that body. A similar but more limited exemption applies in relation to electronic messages authorised by educational institutions.

Sender information and functional unsubscribe facility

All commercial electronic messages (including designated commercial electronic messages) must include the sender's contact information. Commercial electronic messages must also contain a functional unsubscribe facility. This may simply be a statement in a message that the recipient may use an electronic address (also set out in the message) to reply to the sender requesting the sender to refrain from sending further messages to the recipient. Failure to include contact details or a functional unsubscribe facility attracts civil penalties.

Address-harvesting software and harvested-address lists

A person must not supply, offer to supply, acquire or use address-harvesting software or a harvested-address list. Exemptions are provided in situations where:

• the supplier had no reason to suspect that the address-harvesting software or harvested-address list would be used in connection with sending spam;
• the supplier could not have ascertained that the customer was present in Australia (if an individual) or carrying on business or an activity in Australia (if a corporation);
• the acquirer or user of address-harvesting software or a harvested-address list did not intend to use the address-harvesting software or harvested-address list in connection with sending spam.

Penalties, damages and injunctions

The civil penalties under the Spam Act are significant. For a corporation with no prior record, the maximum penalty for breaching the core "spam" penalty provision (through sending just one spam message) is $11,000. However, where a corporation sends spam and has a prior record of doing so, the maximum penalty rises to $55,000. If that corporation commits two or more contraventions in one day (e.g. by sending two or more messages), it could incur a maximum penalty of up to 10,000 penalty units, or $1.1 million.

The ACA can apply to the Federal Court for an injunction restraining a person from engaging in conduct that would contravene a civil penalty provision, or compelling a person to perform an act where failure to do the act would contravene a civil penalty provision.

Infringement notices

As an alternative to Federal Court enforcement, the ACA can issue infringement notices to an individual or a corporation setting out that person's contraventions of the civil penalty provisions and demanding payment of the corresponding penalties. Infringement notice penalties can range from $2,200 for a single contravention to $110,000 for 50 or more contraventions.

If an organisation pays the infringement notice amount, that extinguishes any liability for the civil penalty contraventions stated in the notice. If the organisation does not pay the penalty infringement notice amount, the ACA may still bring enforcement proceedings and if a contravention is established, the higher civil penalties may be imposed by the court.

Related amendments

The Spam legislation also amends the Telecommunications Act 1997 (Cth) to:

• regulate the activities of the e-marketing industry (companies who send commercial electronic messages that promote the goods or services of other companies), establishing a mechanism for the development of codes of conduct in that industry; and
• create significant powers of search and seizure in relation to investigations by the ACA of potential breaches of the Spam Act.

The US CAN-SPAM Act

Many countries are adopting anti-spam legislation. The EU Directive on Privacy and Electronic Communications is being implemented by member states. On 1 January this year, the US Act on "Controlling the Assault of Non-Solicited Pornography and Marketing" (or the "CAN-SPAM" Act) took effect. This Act has similar objectives to the Spam Act.

More information

We have prepared a spam compliance guide - SpamCheck - to help you comply with the new laws. SpamCheck contains practical steps towards compliance and provides suggested mechanisms for ensuring that an organisation can continue to communicate electronically with its contacts without breaching the Act. If you'd like more information about SpamCheck, contact its authors Mark Sneddon or Sven Bluemmel in our Melbourne office, or any of the contacts listed below.

If you would like more information on spam compliance generally, or any issues in this Alert, contact your nearest Clayton Utz partner listed below.