The Commonwealth Bank of Australia (CBA) has paid a $7.5 million penalty after it sent more than 170 million emails that did not comply with Australia’s spam laws. 

An Australian Communications and Media Authority (ACMA) investigation found that between November 2022 and April 2024 CBA contravened Australia’s spam laws by sending over 170 million marketing messages to Australians that did not include a way to unsubscribe. 34.8 million of these messages were also sent to people who either had not consented or had withdrawn their consent to receive these messages. 

This is CBA’s second major breach of the spam rules after it paid a $3.55 million penalty in May 2023 for sending 65 million emails without working unsubscribe arrangements.

ACMA Chair Nerida O’Loughlin said the further breaches and vast scale of CBA’s non-compliance were unacceptable.

“The ACMA took action against CBA just last year for not delivering on their customers’ rights to unsubscribe from marketing messages. We have now had to take further action after this new investigation found that CBA had incorrectly classified millions of messages as non-commercial. 

“Australians are sick and tired of this kind of spam intruding on their privacy and it’s clear CBA did not have its systems in order,” Ms O’Loughlin said.

The Spam Act 2003 permits purely ‘service’ messages that are not commercial to be sent without consent or an unsubscribe facility. However, the ACMA found CBA’s messages either promoted products and services (including for insurance, credit and loan offerings) or promoted CBA itself.

“The rules are clear, if a message includes marketing content or direct links to marketing content, it is a commercial message and must give people the option to unsubscribe,” Ms O’Loughlin said.

“We have seen several companies get this wrong and businesses are on notice to check how they are classifying messages as commercial or non-commercial.”

In addition to the financial penalty, the ACMA has accepted an expanded three-year court-enforceable undertaking to address the most recent issues. The undertaking commits CBA to a comprehensive independent review and implementation of improvements, as well as providing appropriate resources and governance to ensure its compliance.

“We will continue to closely monitor compliance with its commitments and with the spam laws,” Ms O’Loughlin said.

The maximum penalty a court can give to companies not complying with spam rules is $626,000 per day where a company doesn’t have a prior record. Maximum court penalties rise to $3,130,000 per day for companies with a prior record. 

Enforcing rules to stop commercial messages being misleadingly sent as ‘service’ or non-commercial messages is an ACMA compliance priority for 2024–25. The ACMA has released a statement of expectations about the use of consent in e-marketing to assist businesses to comply. 

Over the last 18 months businesses have paid over $20 million in spam penalties.