Unsubscribing from marketing emails should be easy. Yet, many businesses still delay or ignore unsubscribe requests – risking customer frustration and serious legal consequences.
Under Australia’s Spam Act 2003 (Cth), businesses must process unsubscribe requests within five business days. Failing to do so (even by accident) can lead to significant penalties.
If your business sends commercial electronic messages (via email or SMS), it’s essential to understand your legal obligations. In this article, our privacy and data lawyers explain your responsibilities under the Spam Act, how the Australian Communications and Media Authority (ACMA) enforces compliance, and practical steps to avoid fines and reputational damage.
Key Takeaways
- All commercial electronic messages must include a functional unsubscribe facility
- Unsubscribe requests must be processed within five business days
- Breaches are strict liability offences – intent doesn’t matter
- ACMA actively enforces compliance with penalties exceeding $2 million
- Technical issues or outsourcing don’t excuse non-compliance

What is a Commercial Electronic Message?
Under the Spam Act, a commercial electronic message includes any message sent by email, SMS, MMS, or instant message that promotes goods, services, or business opportunities.
This law applies to messages sent within, to, or from Australia, regardless of whether they’re managed by a local or overseas provider.
Your Legal Obligations Under the Spam Act
The Spam Act sets out the legal obligations for sending commercial electronic messages in Australia, including clear rules on how recipients must be able to opt out.
Understanding these legal requirements, especially the five-day unsubscribe rule, is critical for all businesses that engage in digital marketing.
These mandatory obligations for businesses include:
1. Include a Functional Unsubscribe Facility (30-Day Minimum)
Every commercial message must contain a clear, working unsubscribe link or reply instruction. This must remain operational for at least 30 days from when the message is sent.
Tip: One-click unsubscribe links or SMS replies like “STOP” are considered best practice.
2. Act on Unsubscribe Requests Within Five Business Days
Section 18(5) of the Spam Act requires businesses to remove a recipient’s electronic address from all relevant mailing lists within five business days of receiving the request. This timeline is strict, and the clock starts when the request is received—not when it’s viewed or processed.
Outsourcing to third-party platforms (e.g., Mailchimp, Campaign Monitor) does not remove your responsibility. Failure to meet this deadline constitutes a strict liability breach, even if it was due to human error or system failure.
ACMA Enforcement: What Businesses Need to Know
The ACMA is the federal regulatory body responsible for enforcing compliance with the Spam Act, including the unsubscribe provisions under section 18(5).
ACMA’s approach is risk-based, focusing on widespread or serious breaches. ACMA also names and shames violators, harming brand trust and reputation.
ACMA has a range of enforcement tools at its disposal, including:
Action | Used For |
---|---|
Infringement Notices | Quick financial penalties for clear-cut breaches |
Formal Warnings | First-time or low-impact violations |
Enforceable Undertakings | Legal agreements for future compliance improvements |
Federal Court Action | Major or repeated violations—can result in large fines |
Organisations are expected not only to implement technical systems that meet statutory requirements but also to conduct regular reviews and audits to ensure ongoing operational effectiveness. Ignorance of the law, technical malfunctions, or outsourcing to third-party providers will not shield a business from liability.
Best Practice Principles for Unsubscribe Compliance
Here’s what your unsubscribe process must include:
Principle | Requirement |
---|---|
Simplicity | Clear, one-step unsubscribe options (e.g., clickable links or SMS replies) |
No Cost | Users must not be charged to unsubscribe (except normal data/SMS rates) |
No Data Collection | Don’t ask for more personal information to complete an unsubscribe request |

Penalties for Non-Compliance
Businesses that fail to meet their unsubscribe obligations may face:
- Fines of up to $2 million+
- Legally binding enforceable undertakings
- Formal warnings and investigations
- Public listing on the ACMA enforcement register
Non-compliance not only leads to legal consequences – it damages consumer trust, undermines brand credibility, and may reduce email deliverability rates due to spam complaints.
Compliance Checklist: Are You Meeting the 5-Day Rule?
Use this quick checklist to audit your unsubscribe compliance process:
- Does every marketing email or SMS include a clear, working unsubscribe option?
- Is the unsubscribe function available for at least 30 days after sending?
- Are unsubscribe requests processed within five business days, regardless of method?
- Are unsubscribe logs stored with timestamps?
- Have your team and marketing platform provider been trained on compliance?
Case Study: ACMA v Woolworths Group (2020)
In 2020, ACMA fined Woolworths Group $1,003,800 for breaching the 5-day unsubscribe rule. Despite having unsubscribe links in their emails, Woolworths failed to consistently remove recipients from all marketing lists.
ACMA’s investigation revealed the failure was systemic—technical issues and operational oversights led to continued messages after unsubscribe requests.
Lesson: Even well-resourced businesses are at risk without proper internal controls, system testing, and regular audits.
If you’re unsure whether your email marketing process is fully compliant, we can help. Our team can audit your unsubscribe procedures, assist with compliance planning, and help protect your business from costly mistakes.

Frequently Asked Questions
What qualifies as a ‘functional’ unsubscribe facility?
A functional facility is one that works in practice, is easy to use, and processes requests without unnecessary delays or requirements.
Does each separate incident of failing to action an unsubscribe request count as a separate breach?
Each failure to comply with the five-day rule in relation to individual unsubscribe requests amounts to a separate contravention under the legislation, potentially resulting in multiple penalties or enforcement actions for a single campaign or system-wide failure.
What defences (if any) exist where an unsubscribe failure is due to a technical error or system malfunction?
As the Spam Act imposes strict liability for breaches, including failures due to technical errors or malfunctions, lack of intent is not a defence. However, robust compliance systems and rapid remediation efforts may be considered by ACMA when determining enforcement measures.
Are there exceptions under the Spam Act for certain types of organisations?
All commercial electronic messages are captured except those from government bodies, registered charities, or registered political parties (if the primary purpose is not commercial).
What records should businesses keep to show compliance?
Maintain timestamped records of each unsubscribe request and the date actioned, together with system logs of the removal from marketing lists.