Kmart Fined $1.3m for Spam Act Breach: How to Avoid the Same Fate

Published On: November 3, 2023

Kmart has joined the growing list of Aussie businesses facing a crackdown by the ACMA. Here’s how to stay compliant.

In the last 18 months, Australian businesses have been fined over $12.5 million in spam and telemarketing breach penalties. Kmart is the latest Australian business to be cracked down on by the ACMA as it polices breaches of the Spam Act as a compliance priority.

According to the Australian Communications and Media Authority (ACMA), the authority opened an investigation into Kmart’s consumer marketing practices following several consumer complaints. The investigation found that, between July 2022 and May 2023, Kmart sent 212,471 messages to customers who had previously unsubscribed, and that these breaches occurred due to a combination of technology, system and procedural failures. Kmart has been handed a $1.3 million fine.

“When a customer decides to opt out of a marketing mailing list, businesses are obliged to fulfil that request. The rules have been in place for nearly 20 years and there is simply no excuse,” ACMA Chair Nerida O’Loughlin stated.

The ACMA claims it alerted Kmart on multiple occasions that it may have issues with its consumer marketing. “Kmart’s case is particularly concerning as it went on for such a significant period,” O’Loughlin said. “Kmart was given more than enough notice it may have a compliance issue, and it should have done more to address its problems before we had to step in and investigate.”

The Spam Act, established in 2003, protects consumers from privacy breaches and protects their right to unsubscribe from marketing messages.

As laid out by the ACMA on its website, the following is the best practice to follow when sending marketing messages to avoid breaching the Spam Act.

Obtain consent

Many of the businesses fined by the ACMA this year failed to comply with this requirement, including DoorDash, which was fined over $2 million back in August for sending more than 566,000 promotional emails to customers who had previously unsubscribed from marketing messages.

Express consent, in which a person knows and accepts that they will receive marketing emails or messages from you, can be obtained, for example, through a tick box, a completed form, or a verbal confirmation.

Another, less reliable type is inferred consent, which is harder to prove if it is challenged. According to the ACMA, in some circumstances, you may infer that you have consent to send marketing messages if the recipient has knowingly and directly given their address and it is reasonable to believe they would expect to receive marketing from your business, such as where there is an ongoing business relationship. However, it does not cover sending messages after someone has just bought something from your business.

Under the Spam Act, it’s up to you to prove that you have a person’s consent, so you should keep a record of it.

Identify yourself as the sender

Accurately identify your name or business name, and include correct contact details. If a message is sent on your behalf, the message must still identify you as the business that authorised the message. Sports betting site BetDeluxe was hit with a $50k fine in February this year for failing to include contact details in its messaging. 

Make it easy to unsubscribe

This is where many businesses are getting tripped up and facing penalties. In June this year, Commonwealth Bank was handed the ACMA’s biggest-ever fine of $3.55 million after it was found the bank had sent more than 61 million marketing emails that required customers to log in to unsubscribe, a further four million emails without a working unsubscribe option, and an additional 5000+ emails disregarding customers’ requests to unsubscribe.

According to the ACMA, under the Spam Act, every commercial message must contain an ‘unsubscribe’ option that: presents unsubscribe instructions clearly, honours a request to unsubscribe within five working days, does not require the payment of a fee, does not cost more than the usual amount for using the address (such as a standard text charge), is functional for at least 30 days after you sent the message, and does not require the person to give extra personal information or log in to, or create, an account to unsubscribe from marketing messages. 

A more comprehensive guide to complying with the Spam Act, written by the ACMA, is available here.

About the Author: Rosalea Catterson

Rosalea is the Editor of Power Retail. With a keen interest in consumer behaviour and tech, she covers everything ecommerce and hosts the Power Retail Power Talks Podcast.
