What is spam?
Spam refers to the sending of unsolicited commercial electronic messages whether via through SMS, email, MMS or instant messages and is the online equivalent of junk mail. The content of spam messages vary, with some promoting the sale of products and/or services. Other spam messages are sent with the specific objective of deceiving users into providing sensitive financial personal details such as bank or credit card details. These are also known as phishing scams.
Other issues associated with spam include the promotion of pornography, offensive content, fraudulent material, illegal online gambling services, pyramid selling, get rich quick schemes, scams and other misleading and deceptive business practices.
A lot of spam typically contain get-rich-quick cons, bogus lottery wins, Nigerian scams, miracle cures, offers of restricted drugs and loans. Other spam messages contain malicious computer viruses which damage computers. It is important not to follow any links in spam emails. You could become a victim of spyware or malware resulting in your sensitive banking information being sent out to scammers or your computer could be zombied and used to send out more spam.
Governments all over the world have enacted anti-spam legislation. Whenever you consider the use of an email marketing program, ensure that it is compliance with relevant spam and other associated laws. These laws vary from jurisdiction to jurisdiction.
The United States enacted the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act 2003). In the European Union there are several Directives which regulate the use of spam and other associated practices. Each piece of legislation operates with slight variations.
In the United States the legislation is enforced by the Federal Trade Commission, or action can, in some instances, also be initiated by nominated state officials, internet service providers and others.
There are severe penalties which attach for each violation of the Act, which carries an $11,000 penalty per violation in respect of each recipient. In the last couple of years several US states have also enacted anti-spam legislation, which create private causes of action for individuals, including in some cases class actions and companies affected by spam. A case in 2008 resulted in the largest damages award ever being awarded under the Act in MySpace, Inc. v. Wallace in 2008, with a judgment of over $230 million in damages against the defendants.
There are several pieces of legislation in Australia which may apply to spam:
There are also several industry codes of Practice:
The codes have been crafted to supply relevant and achievable standards and procedures, by groups representing industry sectors for their member organisations.
There is also criminal legislation which deals with relay spam, and prosecutions have occurred pursuant to criminal laws prior to the enactment of the Spam Act.
In the United States there have been several actions brought under other legal doctrines including trade mark law, unfair competition law, arising from the use of spam. One of the more interesting claims which have arisen from the actions brought in the US in relation to spam relate to the action for the tort of trespass to chattels. For instance in Hotmail v VanMoneyPie, the Plaintiffs Microsoft argued that the defendants, in creating millions of spam email accounts, had trespassed on the property in their email servers and computer networks, requiring them to incur damages as a result of this unauthorised misuse. See also CompuServe Inc v Cyber Promotions .
In the Compuserve case, the Plaintiff had informed the defendant that their spam emails were unwelcome and had taken steps to block their transmission. However the Defendant merely bypassed their spam blocking mechanisms by simply using a new originating address. The critical question was whether the sending of spam to the plaintiff’s systems amounted to a sufficient interference with their computers, whether they sustained damage, and whether there was consent for the interference. The defendant unsuccessfully argued that having an internet presence with an email address configured to accept email constituted implied presence to send the email. The Court avoided dealing with this aspect of the case, by regarding the notice given by the Plaintiff to the Defendant to desist from sending emails as a withdrawal of any such consent.
The Court in the Compuserve decision referred to an earlier case being Thrifty-Tel Inc v Bezenek (1996) which held that electronic signals were a sufficient interference to support an action in trespass.
For a contrary decision see Intel Corp v Hamidi (2003) where the defendant, a former Intel Engineer sent six mass emails to employees’ email addresses on Intel’s email system which were critical of Intel’s employment and personnel practices over a 21 month period. Distinguishing the case from previous case law the Court held that previous decisions finding electronic contact to be a trespass to computer systems had involved some actual or threatened interference with the computers’ functioning.
Therefore, whilst in the US, the traditional tort of trespass appears to require the interference to be a physical interference which causes damage to property, the Courts seem to be recognising that trespass to chattels can occur in the absence of such direct interference. (See also Ebay Inc v Bidder’s Edge Inc  where it was held that data trawling or scraping was held to constitute physical interference with the defendant’s server. The electronic signals sent by the defendant to retrieve information from eBay’s computer system were held to be sufficiently tangible to support a viable case of trespass upon an application for a preliminary injunction) Under Australian law there is no such requirement for the interference to the chattel to be physical. The use of the tortious action for trespass to goods is therefore of interest due to it’s potential applicability in all common law jurisdictions.
The Spam Act 2003
The Spam Act 2003 (Cth) prohibits the sending or causing ot be sent spam or unsolicited commercial email (UCE) that has an Australian link. A message has an Australian link if it originates or was commissioned in Australia regardless of the destination to which it was sent, or where it emanates from overseas but has been sent to an address accessed in Australia.
An email could violate the Act if it is either:
1. sent from Australia regardless of whether it is sent to an Australian or overseas address
2. commissioned by senders either physically situate in Australia or by organisations with their operations in Australia. Therefore even if either you or your business didn’t personally sent it but authoriesed it’s sending or despatch on behalf of your entity.
3. where it emanates from overseas but is sent to an address accessed in Australia. ie to computers in Australia (including the recipient’s personal computer) or to recipients who read the message when the are physically present in Australia or are organisations carrying on business in Australia.
The legislation is drafted very broadly and covers both email that originates in Australia and email that is sent to addresses located in Australia.
To be covered by the Spam Act, the message must be commercial in it’s character or it must refer the recipient to a location where a commercial transaction may be conducted. It is also a legislative requirement under the Act to include an opt out or functional unsubscribe facility in all commercial email, even where the email was specifically requested.
The coverage of the legislation is broad in that it includes commercial electronic messages sent using applications like email, instant messaging, SMS (short message service) and MMS (multimedia message service; image-based mobile phone messaging)
There have been recent actions taken against SMS spammers for contravening both the Spam Act 2003 (Cth) and the former S52 of the Trade Practices Act 1974 (Cth). In Australian Communications and Media Authority v Mobilegate Ltd the defendants, comprising of two companies and three individuals involved in dating sates created fake dating profiles and engaged in an elaborate text messaging spamming scheme.
By their actions they encouraged users to reply to the messages using premium rate mobile numbers. Not only did the spammers derive the profit from the scam but in the process harvested the contact details of the recipients for the purpose of perpetrating future scams. The scam involved obtaining mobile numbers from members of dating websites, setting up fictitious member profiles on the sites and sending unsolicited SMSs to genuine members of those sites. The members were charged an exorbitant $5 on each occasion they replied to these messages. The scam was estimated to have cost users over $2.5 million in total.
Mobile phone users receiving spam or phish, are arguably more vulnerable to spam, given that they do not yet have all the tools desktop users can employ to effectively judge which messages can be trusted, due to the mobile interface and it’s limited functionality.
What kinds of communications are excluded from the scope of the Spam Act?
What are the penalties for violating the Act?
The Act sets out a number of possible options available to enforce the legislation, and are tailored to the circumstances of the infringement. These include formal warnings, infringement notices and court actions. Penalties and investigations are arranged by the ACMA and may involve the issuing of infringement notices carrying a penalty of $440 per contravention for an individual and $2,200 for a body corporate. The issue of warning notices in lieu of infringement notices or initiating court proceedings with respect to a breach of the Act would typically be seen as the appropriate course of action where the ACMA was satisfied that the breach was not deliberate and unlikely to recur.
A person who is issued with an infringement notice may object to paying it, but may be penalised more heavily if court action ensues and the breach was established.
The penalties can be very onerous for violating the legislation; the maximum daily penalty is $1.1million for companies, $220,000 for individuals. This figure is in relation to breaches relating to activities occuring over a single day. Any person who is knowingly concerned (seen to be aiding and abetting) in a violation can be exposed to liability under the Act
How to ensure your email marketing campaign is in compliance with the Spam Act?
To ensure your email marketing activities are compliant with Australian anti-spam legislation there are three critical factors to consider.
Firstly ensure that the person you are sending it to has given their consent to email being transmitted to them. Consent can either be explicit, ie a direct affirmative indication by a user that they consent to you sending messages of the type you propose to send to them. Examples of explicit consent may include where the recipient has subscribed to your advertising mailing list, or checked a box consenting to receive messages of advertisements from you. Alternatively the recipient may have specifically requested such material be sent to you over the phone, by mail, surface mail or during some other communication eg market surveys and previews. It does not matter when the contact list was gathered, or how it has been used, as long as you can scan your addresses on your contact list and be able to authoritatively establish that you have obtained the consent of each user on the list.
Inferred consent may be based on a business or other relationship with the person, and a past pattern of conduct. Whilst there are no direct instructions you can rely upon, it seems clear that it will be safe to send messages if it is clear, from all the circumstances, that the recipient would have a reasonable expectation that messages will be sent to them.
Another instance of inferred consent is said to arise when a person has conspicuously published their electronic address, in which case it would be permissible to send email to them. One scenario which is given is where the recipient’s published employment role has been advertised including their email address. It has been deemed to be reasonable to contact the addressee with either offers of work or for the purpose of offering to sell them supplies where they publish their contact details including their email address.
However it isn’t permissible to send them commercial offers for services or products whichsuch offers are not related to their primary function advertised.
Furthermore, if the published email address is accompanied by a statement by the publisher requesting it not be used for the purpose of sending messages, it cannot be used as a basis for inferring consent to receive email messages. By extension, when a user provides a business card including their email address it would be a reasonable expectation that they consent to receive communications, provided they are confined to the purposes of their business activities.
What is an existing relationship for the purpose of establishing inferred consent?
Above it is stated that it is reasonable to infer consent based on a prior existing relationship, and NPP2 should be consulted to give further guidance on the ambit of permitted communications. There are different types of communications an existing business may have had with a user from which you could reasonably infer consent.
For instance, a relationship may arise out of ongoing service or warranty obligations from the purchase of a product, companies have relationships with shareholders, as do subscribers to a service, employers and employees, club members and loyalty card holders.
If in doubt it is recommended that you seek legal advice as to whether it is safe to assume you would be able to establish inferred consent.
Ensure your email message contains accurate information regarding identity
You must ensure your email communications contain accurate and up to date information identifying the person or organisation which has sent or authorised the sending of the email. The information must be reasonably likely to remain correct for up to 30 days after despatch of the message. Because there are constraints in the amount of information you may be able to include in messages sent by particular applications eg SMS, ensure that you at least include your business and contact number and possibly a link to more information about your business.
Ensure you include an unsubscribe facility
Your email messages must incorporate a functional unsubscribe facility or link, a means which allows the recipient to opt out of receiving future email correspondence. For SMS, the facility might include a number or addressees can SMS their request to
unsubscribe, or alternatively, provide an email address for the person to contact with their opt out request
That facility must be reasonably likely to be able to receive and enable action to unsubscribe messages for a period of 30 days after the sending of the message. This is an important consideration if your business is contemplating changing addresses. It is suggested that if you are doing so you include postal information and phone contacts for both addresses, and the date when the transfer will occur, or, alternatively, make prior arrangements for communications that go to the old premises to be re-directed to
your new premises for a period of time.
A request to opt out must be honoured within five working days to avoid future breaches of the legislation. The Act provides that acceptable examples of the unsubscribe facility will be specified by regulation and may vary between technologies. The Spam Regulations 2004 (Cth) have set down conditions regarding this. Any commercial electronic message sent after this five day period contrary to an unsubscribe request may be considered to be in breach of the legislation.
In a recent investigation by the ACMA, a division of MYOB Australia was found to be sending commercial emails to addressees who had requested to be removed from their list. The ACMA accepted an enforceable undertaking from the company not to repeat the offending behaviour. The emails in question were sent by the company’s website design data hosting and domain name registry company SmartyHost.
Avoid using address harvesting software or harvested address lists
Address harvesting software refers to computer programs designed to automatically collect electronic addresses from the Internet. The software searches public areas such as from web pages,newsgroups, chat rooms and other online directories to compile or ‘harvest’ lists of addresses.
The Actprohibits the supply, acquisition or use of software that ‘harvests’ electronic addresses from the internet for the purpose of sending spam. By the same logic the provision, acquisition or use of address lists to send spam using email lists which have been generated via the use of such software is also prohibited. Great caution should be exercised when using harvested lists as this has been the subject of enforcement action by the ACMA against companies.
Whilst such software and lists may be used for completely for the primary purpsoe of undertaking legitimate activities like collecting information for research or marketing purposes you must exercise caution. As long as you can be sure that the permission to obtain the information is predicated upon informed consent, this will be acceptable. However the software or lists may have been used to create distribution lists for sending spam.
If you decide that you want to collect email addresses for marketiting activities, ensure you retain adequate records of where and when you procured the addresses for your future reference. It is also important to ensure that your website isn’t being linked to or reference from an email which could be characterised as spam. This practise is illegal and is known as ‘spamvertising’.
One single unsolicited commercial email is sufficient to constitute spam
Remember that in Australia spam doesn’t necessarily mean you have to be sending bulk unsolicited commercial email. Sending out one single targeted email without consent can breach the legislation.
Are there any exclusions under the Spam Act?
There are exclusions enshrined in the legislation for messages from government agencies, political parties, charities, and educational institutions whose messages are targed at current or former students.
Use a double opt in process
Although it is not mandated by the legislation it is prudent to implement what is known as a double opt in method, known by various other terms. eg “Closed Loop Opt in“, “Confirmed Opt-in“, or “Verified Opt-in“.
Whether using automated or manual systems, you may find it difficult to validate whether the potential recipient on a list has actually provided their consent. Using this method will provide you with the requisite evidence you require to shield you accusations of breaching the Act.
Where you recieve a message to the effect that an address should be added to your contact list for commercial messages, your business transmits a message to that address, requesting confirmation that messages should be sent there in future. The message also contains a notification that they will only be added to your contact list if they send a positive confirmation within a certain number of days.
Upon the expiration of that period, if you have received positive confirmation you can safely add the address, a negative response will result in the address not being added, whereas a failure to respond should be construed as an indication not to add that contact to your list.
Double opt in processes may be useful when dealing with online subscriptions, requests from third parties and other occasions where consent has not been given at the time of a personal communication or transaction. It requires a recipient to manually confirm their request for information by clicking a unique link and entering a code or identifier to confirm that the owner of the receipient email address has in fact requested the information be sent to them.
This is considered responsible email marketing by email marketing and autoresponder companies to confirm each request before any information is sent out. This has become standard practice for responsible internet mailing lists, and ensures that users are adequately verified and subscribed on a consensual basis.
Ways of safely building customer lists
One way to acquire email addresses for the purposes of orchestrating an email campaign is to ask interested customers to register with your website and specify whether or not they wish to receive future emails with additional information, advertisements, feature articles, product reviews or releases, industry news or other useful tips.
Businesses like to use list building as a popular effective technique to grow their businesses, but there are perils in doing so if it isn’t done in a way which is compliant with the legislation. You may think that because a client has provided you with their email address in the course of a business transaction that you can merely add them to your mailing list and send them unsolicited commercial email of any type.
It is important to be wary of this at all points where you are collecting email addresses and provide the user specific information as to how their email address may be used by you. For example, when using online forms if you are intending to use email addresses collected in this manner ensure you always inform the user of this fact, and explicitly request opt-in permission for your intended use.
For practical purposes, if you are planning to collect email addresses on forms on your website, you can implement a number of steps to assist the end user to make informed choices which will ensure the legality of your email activities. For instance if your immediate intention is not to use their information for the purpose of a mailing list or to send out regular emails, make sure you state clearly on the form how you propose to use the email address. If you don’t do this the end user will be forced to wade through your policies and terms and conditions to locate this information before deciding to make a choice.
Validation data tests to confirm the integrity of email lists
Some marketers will often send out validation data tests to ensure the integrity of data obtained from any lists acquired by them. Be cautious when purchasing email lists as permission to send email lists to specific addresses is arguably not transferable in many cases. If someone represents themselves to be selling opt in mailing lists, be cautious and ask them to show you the permissions form by which they acquired the recipient addresses in addition to a clause that grants them the right to transfer the information.
If you scrutinise privacy policies you will often note that companies reserve to themselves the rights to assign and sell data with third parties. Given the number of overly permissive privacy policies, you should bear in mind the list represents unvalidated data. Many users don’t see the connection between you emailing them and their earlier action of signing up to an unrelated website unless you inform them of this upfront.
Even if you do inform users on such a list that you have purchased the list from another website or business users generally perceive this as an invasion of their privacy, and you run the risk of alienating them. You may get a different type of bargain than you planned on by simply buying a list rather than building your own.
It is not uncommon for address collectors to covertly harvest e-mail addresses from the Internet, as users visit certain sites, and buy and sell them in bulk without the knowledge or consent of the owner.
Valuable information on proper mailing list management can be found at Spamhaus
Can a third party subscribe on another person’s behalf?
The request from a person to receive commercial electronic messages must come from the address owner to constitute valid consent. Therefore your only recourse is to contact the addressee and seek confirmation to ensure that such a request has been made on their behalf and they consent to the sending of the relevant information. Make a notation as to who initiated the first request and the mode by which the request was made, once again for future reference.
The Privacy Act and Spam
It is critical that businesses ensure their practices are also in compliance with the National Privacy Principles, available from the website of the Office of the Information And Privacy Commssioner, remembering that your activities will often involve you dealing with what is regarded as personally identifiable information of customers.
The Privacy Act 1988 generally requires organisations soliciting email addresses to obtain permission from the holder of the email address to use the address for the specific purpose of direct marketing. Businesses should review their current processes and procedures to ensure that they are complying not only with their obligations under the Spam Act but more broadly with the principles governing the handling of personally identifiable information.
Assess your current information collection and handling practices within the framework of the Privacy Act, to make sure that any collection of future addresses is based on informed consent. If they aren’t you may need to modify your practices, forms, letters and other documentation in a manner that they seek consent to send users commercial electronic messages.
Those involved in the use of spam can also be in breach of trade practices legislation, which prohibits the making of false and misleading claims. This type of conduct would be satisfied where for example false or misleading information is contained in forged headers with a view to circumventing spam filters.
Who handles complaints about spam?
The Australian Communications and Media Authoroity is responsible for enforcing the Act, receiving complaints and reports about unsolicited commercial electronic messages sent by either email, SMS/MMS or instant messages. Further information is available on the ACMA spam and e-Security pages. The ACMA have broad investigatory powers, and can make an application to institute court proceedings in respect of a violation.
Prosecutions under the Spam Act 2003
There have been prosecutions and actions taken by the ACMA against persons sending spam. In the case of Australian Communications and Media Authority v Clarity 1 Pty Ltd,  the Federal Court concluded that the defendant company and it’s Managing Director were in breach of the Act. From April 2004 the Australian company had sent unsolicited commercial email to addresses harvested from the internet using address harvesting software. It was also held that the company had purchased from lists of email addresses harvested from the internet. It was alleged the company had sent over 2 million emails, of which over 74 million were successfully sent to over 7 million unique email addresses.
The emails did contain an unsubscribe facilitiy and the evidence demonstrated that the 166,000 requests to be removed from the lists made were all honoured by the company.
The ACMA made an application to the Federal Court for orders under ss 24, 29 and 32 of the Act, seeking pecuniary penalties and a declaration.
The defendant company and it’s Managing Director raised several defences which the Court rejected. The respondents argued that the recipients of the emails had consented to the sending of the emails on a number of grounds.
The first line of argument was that their use of an unsubscribe factility allowed recipients to opt out of further messages. They argued the failure of the respondents to use this feature supported an inference of consent to their continued receipt. The defendants referred to and relied upon material which had been published in the Guidelines to the National Privacy Principles produced by the Office of the Privacy Commissioner to the following effect:
‘it may be possible to infer consent from the individual’s failure to opt out provided that the option to opt out was clearly and prominently presented and easy to take up’.
The Court rejected this contention, as he held that the guidelines were non-legislative in character, were not of assistance in interpreting the legislation. The Court further remarked that S8 of the Act required persons to include an unsubscribe facility as a matter of routine and this without more couldn’t be used to infer consent.
The defendants also argued that there was an existing business relationship between the company and recipients and also that the recipients had published their email addresses prominently on the net. In respect of the latter argument, the Judge noted that the Act explicitly provides that publication of addresses on the net doesn’t support an inference of consent: Clause 4(1) of Schedule 2 to the Act
The ACMA sought significant pecuniary penalties in relation to the conduct. The Court was required to consider the factors under S24 and S25 of the Act. These provisions consider the nature and extent of breaches, any loss or damage resulting from them, the circumstances surrounding the breaches, the ability of the Respondent to pay any damages, and the commercial reality of the circumstances.
The Court imposed a pecuniary penalty of $4.5 million against the defendant company and $1 million against it’s Managing Director, who was held personally liable as an accessory under ss 16(9) and 22(3) for the company’s breaches of ss 16(1) and 22(1) of the Act.
Disclaimer: This site is intended to operate purely as an informational resource, a general overview of intellectual property and other related legal issues arising online. It isn’t a substitute for professional legal advice from a lawyer certified to provide legal advice in your jurisdiction. Neither is it intended to create an attorney-client relationship. The law varies in each jurisdiction and we do not warrant the accuracy, completeness or usefulness of any material you read here.