A$1.1m. Not per email. Per campaign. The Spam Act 2003 is four pages. Three elements. One mistake costs your business. Today: exactly what you must disclose, what you must document, and the operator who learned this lesson the hard way.
The Spam Act 2003: What It Actually Says
The Australian Communications and Media Authority (ACMA) enforces the Spam Act 2003. ACMA does not mess around. In 2023, ACMA issued fines to four AU ecommerce operators totalling A$4.2m for email spam violations.
The law is simple. It has three components. Miss one and you are liable.
The 3 Mandatory Elements
Element 1: Consent (The Opt-In)
The rule: A customer must explicitly consent to receive emails from you. You cannot assume consent. You cannot pre-tick a checkbox (that is not consent, that is a dark pattern).
What counts as consent:
✅ Customer ticks a box that says: "Yes, I want to receive promotional emails from [brand]"
✅ Customer is asked at checkout: "Can we email you about sales?" and they click yes
✅ Customer signs up for your newsletter and receives a confirmation email ("Click here to confirm")
What does NOT count:
❌ Pre-ticked box (customer did not actively choose)
❌ "By entering your email, you accept our terms" (buried in ToS)
❌ Assumed consent from a purchase (buying something ≠ wanting marketing emails)
Documentation: Keep a log of:
Date customer opted in
What checkbox/button they clicked
Whether they clicked a confirmation link
Klaviyo, Mailchimp and Omnisend all track this automatically. You are covered if you use their native opt-in tools.
Penalty for violation: A$1.1m fine per campaign (so if you send 10 campaigns without proper consent, that is A$11m in potential fines).
Element 2: Identification (The Sender)
The rule: Every email must identify the sender. Not just in the "From" name. In the actual body copy.
What counts:
✅ Subject: "petcraft.com.au — New arrivals 20% off"
✅ Top of email body: "From: Petcraft, [address], [phone]"
✅ In footer: "You received this email because you are a Petcraft customer"
What does NOT count:
❌ Generic "no-reply@emailsender.com" in the From field (which sender is this?)
❌ No sender identification anywhere in the email (customer sees the email but has no idea who sent it)
AU addresses: If you operate a physical AU location, include it. If you are international but serve AU, include "Registered address: [AU address]" even if you are US-based.
Penalty for violation: A$1.1m fine per email campaign.
Element 3: Unsubscribe (The Out)
The rule: Every email must have a clear, easy unsubscribe link. Customer must be able to unsubscribe with one click. Not "go to settings, then click account, then find unsubscribe." One click.
What counts:
✅ Bottom of email: "Unsubscribe from this list" (link that removes them immediately)
✅ Or: "Update your email preferences" (link to Klaviyo preference centre)
What does NOT count:
❌ "Email us at [address] to unsubscribe" (not one-click) ❌ Hidden unsubscribe link (in white text on white background) ❌ Unsubscribe link that takes them to a login screen (breaks one-click rule)
Technical requirement: Unsubscribe requests must be processed within 10 business days (ACMA requirement).
Klaviyo/Mailchimp/Omnisend: All three platforms add an unsubscribe link automatically. You are covered if you do not delete it.
Penalty for violation: A$1.1m fine per campaign.
The Real-World Case: How An Operator Got Fined
An Adelaide-based pet supply operator, running A$40k/month, got complacent. Here is what happened:
Mistake 1: She imported an old email list from a supplier (50,000 emails) without proof of consent. She assumed the supplier had collected consent properly.
Mistake 2: She sent a flash sale email to the entire 50,000 list. No consent tracking. No opt-in records.
Mistake 3: Unsubscribe rate spiked to 8% (normally 0.5%). 4,000 people unsubscribed in 24 hours.
Day 3: ACMA received a complaint from a customer. They investigated.
Finding: ACMA checked 50 random email addresses from the list. Only 2 had any evidence of prior opt-in. The other 48 had no consent record.
Penalty: ACMA issued a A$1.1m fine. Not for the one email. For the campaign (50,000 emails sent without consent).
Recovery: She had to rebuild her list from scratch (only customers who had explicitly opted in to her own store). Went from 50,000 contacts to 4,000. Took 18 months to rebuild.
Lesson: Never import a list. Never assume consent. Start with zero and earn every email address.
How to Stay Compliant (The Checklist)
On Day 1 (Setup)
[ ] Create a Klaviyo account (or Mailchimp/Omnisend). Do NOT build your own email system.
[ ] Set up SPF + DKIM + DMARC records (all three are part of the Spam Act compliance baseline)
[ ] Add an unsubscribe link to every email template (should auto-populate)
[ ] Add your AU address in email footer (if you have one). If you don't, add "Registered: [Country]"
On Day 2 (First Email Setup)
[ ] Add an email opt-in form to your Shopify store (in footer: "Subscribe for news and 10% off")
[ ] Opt-in checkbox clearly labelled: "Yes, I want emails from [brand]"
[ ] Checkbox is unchecked by default (customer must actively tick it)
[ ] Confirmation email sent to new subscriber (double opt-in): "Click here to confirm"
[ ] Send welcome email only after confirmation
Weekly
[ ] Check unsubscribe rate (should be 0.3–0.8% of sent emails)
[ ] If unsubscribe rate >1%, something is wrong (people are opting out, meaning the initial opt-in was wrong or email is bad)
[ ] Monitor bounce rate (>5% means list quality issue)
Monthly
[ ] Audit one email campaign. Open it in your email client. Check:
- [ ] Sender name clearly identifies your brand
- [ ] Email body has your brand name somewhere in the first 100 words
- [ ] Unsubscribe link is present at bottom
- [ ] Email address (you) is in the footer
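The monthly audit above can be scripted. The following is an added example (not code from Klaviyo, Mailchimp, Omnisend or this course): it parses one rendered HTML email with the Python standard library and checks it for the identification and unsubscribe elements described in this module, including the "mailto: is not one click" and "white text on white background" failure modes. The brand name, the address and both sample emails are constructed for the example.

```python
# Added example (not code from Klaviyo, Mailchimp, Omnisend or the course):
# an automated version of the monthly template audit. Parses one rendered
# HTML email with the standard library and checks for the Spam Act
# identification and unsubscribe elements. Brand, address and emails are constructed.
import re
from html.parser import HTMLParser


class _EmailExtractor(HTMLParser):
    """Collect visible text and every <a> link as (href, anchor text, inline style)."""

    def __init__(self):
        super().__init__()
        self.text_parts = []
        self.links = []
        self._open_link = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = {k: (v or "") for k, v in attrs}
            self._open_link = [a.get("href", ""), "", a.get("style", "")]

    def handle_endtag(self, tag):
        if tag == "a" and self._open_link is not None:
            self.links.append(tuple(self._open_link))
            self._open_link = None

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._open_link is not None:
            self._open_link[1] += data


def _link_is_hidden(style):
    # Heuristic for the "white text on white background" trick and display:none.
    return bool(re.search(r"display\s*:\s*none|color\s*:\s*(#fff\b|#ffffff\b|white\b)", style, re.I))


def audit_email(html, brand, address):
    """Return a dict of pass/fail findings for one email plus an overall 'compliant' flag."""
    parser = _EmailExtractor()
    parser.feed(html)
    text = " ".join(" ".join(parser.text_parts).split())
    first_100_words = " ".join(text.split()[:100])

    # Element 2: the sender must be identifiable in the body copy, not just the From name.
    brand_pattern = r"\b" + re.escape(brand) + r"\b"
    findings = {
        "brand_in_first_100_words": re.search(brand_pattern, first_100_words, re.I) is not None,
        "address_in_body": address.lower() in text.lower(),
    }

    # Element 3: a visible, one-click unsubscribe link (a mailto: link is not one click).
    unsub_links = [
        (href, anchor, style)
        for href, anchor, style in parser.links
        if re.search(r"unsubscribe|preferences", anchor + " " + href, re.I)
    ]
    one_click = [
        link for link in unsub_links
        if not link[0].lower().startswith("mailto:") and not _link_is_hidden(link[2])
    ]
    findings["unsubscribe_link_present"] = bool(unsub_links)
    findings["unsubscribe_is_visible_one_click"] = bool(one_click)
    findings["compliant"] = all(findings.values())
    return findings


# Constructed sample values (not a real store, address or campaign).
BRAND = "Petcraft"
ADDRESS = "12 Sample Street, Adelaide SA 5000"

GOOD_EMAIL = f"""
<html><body>
<p>From: {BRAND}, {ADDRESS}, (08) 0000 0000</p>
<h1>New arrivals: 20% off this week</h1>
<p>Hi there, here is what just landed at {BRAND}.</p>
<p style="font-size:12px">You received this email because you are a {BRAND} customer.
<a href="https://example.test/unsubscribe?c=abc">Unsubscribe from this list</a></p>
</body></html>
"""

BAD_EMAIL = """
<html><body>
<h1>FLASH SALE - 50% OFF EVERYTHING</h1>
<p>Shop now before it is gone!</p>
<p>Email us at <a href="mailto:help@example.test">help@example.test to unsubscribe</a>.</p>
<p><a href="https://example.test/unsubscribe" style="color:#ffffff">unsubscribe</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, html in (("good", GOOD_EMAIL), ("bad", BAD_EMAIL)):
        print(name, audit_email(html, BRAND, ADDRESS))
```

Run it against a test send of each template before the campaign goes out. The bad sample fails three ways at once: no brand name in the body, no address, and the only unsubscribe links are a mailto: address and a white-on-white link, neither of which counts as a visible one-click out.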
Quarterly
[ ] Export your subscriber list. Spot-check 10 random addresses. Do you have consent documentation for each?
[ ] In Klaviyo, check "consent" field. Should show date opted-in for all subscribers.
[ ] If any subscriber has no opt-in date, they were imported without consent. Remove them from your send list.
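The consent log described under Element 1 and the quarterly list audit above come down to the same check: every contact on the send list needs a dated opt-in from one of your own forms, and anyone without one is removed. The following added example (not Klaviyo's export format and not the course's own tooling) does that over a subscriber export; the CSV text, the column names and the list of "own" opt-in sources are constructed assumptions that you would map onto your platform's actual export.

```python
# Added example (not Klaviyo's export format or the course's own tooling):
# an automated version of the quarterly list audit. It reads a subscriber
# export and removes every contact that lacks a documented opt-in from one of
# your own forms. The CSV text and column names are constructed assumptions.
import csv
import io
from datetime import datetime

# Constructed sample export. Real platforms use their own column names.
SAMPLE_EXPORT = """email,consent_date,consent_source,confirmed
a@example.test,2024-03-02,store_footer_checkbox,yes
b@example.test,2024-04-11,checkout_checkbox,no
c@example.test,,supplier_import,
d@example.test,2023-11-20,store_footer_checkbox,yes
e@example.test,2024-05-01,,yes
f@example.test,02/06/2024,store_footer_checkbox,yes
"""

# Opt-in sources that belong to YOUR store (assumed names). Anything else,
# such as a supplier import or a purchased list, does not count as consent.
OWN_OPT_IN_SOURCES = {"store_footer_checkbox", "checkout_checkbox", "newsletter_form"}


def audit_subscribers(csv_text, own_sources=OWN_OPT_IN_SOURCES, require_confirmation=True):
    """Split an export into (send_list, removals).

    send_list: emails with a dated, confirmed opt-in from one of your own forms.
    removals:  email -> reason, for everyone who must be dropped from the send list.
    """
    send_list, removals = [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = (row.get("email") or "").strip().lower()
        consent_date = (row.get("consent_date") or "").strip()
        source = (row.get("consent_source") or "").strip()
        confirmed = (row.get("confirmed") or "").strip().lower() == "yes"

        # Element 1 documentation: no date means no record of when they opted in.
        if not consent_date:
            removals[email] = "no opt-in date recorded; treat as imported without consent"
            continue
        # A date you cannot parse is a record you cannot defend in an audit.
        try:
            datetime.strptime(consent_date, "%Y-%m-%d")
        except ValueError:
            removals[email] = f"consent date {consent_date!r} is not an ISO date; fix the record before sending"
            continue
        # Consent given to a supplier or third party is not consent to hear from you.
        if source not in own_sources:
            removals[email] = f"opt-in source {source or 'missing'!r} is not one of your own forms"
            continue
        # Double opt-in: the confirmation link must actually have been clicked.
        if require_confirmation and not confirmed:
            removals[email] = "double opt-in confirmation link never clicked"
            continue
        send_list.append(email)
    return send_list, removals


if __name__ == "__main__":
    keep, drop = audit_subscribers(SAMPLE_EXPORT)
    print("send to:", keep)
    for addr, reason in drop.items():
        print("remove", addr, "-", reason)
```

On the constructed export only two of six contacts survive: one never confirmed, one has no opt-in date (the supplier-import pattern from the case study), one has no recorded source, and one has a date in a format the record cannot be trusted with. Keep the removals output with the date of the audit; that list is the audit trail you would show ACMA.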
Common Compliance Mistakes
Mistake 1: Importing a supplier list
You bought a list from a third party. They said it was "consented." ACMA does not care. You are liable. Only send to contacts who explicitly opted in to YOUR store.
Mistake 2: Pre-ticked opt-in checkbox
Your Shopify form has a checkbox that says "Yes, email me" and it is pre-checked by default. ACMA sees this as a dark pattern. Not consent. Remove all pre-ticked boxes.
Mistake 3: No unsubscribe link
You built a custom email (not using Klaviyo). You forgot to add an unsubscribe link. Technically a violation. Use Klaviyo. It auto-adds the link.
Mistake 4: Assuming purchase = consent
A customer buys something. You assume they want email. Legally wrong. You need explicit opt-in, separate from the purchase.
Mistake 5: Hiding the unsubscribe link
The unsubscribe link is in light gray text at the bottom of a 50-line email. Customers can barely find it. ACMA sees this as an attempt to obscure the unsubscribe option. Make the link obvious (bold, blue, easy to click).
The Realistic Operator Question: "What if I just risk it?"
Some operators ask: "What if I send without consent and hope ACMA doesn't catch me?"
Here is the reality:
ACMA is actively monitoring. They have automated spam detection tools scanning newsletters. One complaint + ACMA investigation = you are caught.
A$1.1m fine is real and recent. ACMA issued A$4.2m in fines to four AU ecommerce operators in 2023–2024. They are active.
It destroys your business. A$1.1m fine on a A$40k/month store is 27 months of revenue gone. Most stores cannot recover.
Email is not expensive. Klaviyo's compliance-ready setup costs under A$30/mo for a new store (free up to 250 contacts, then priced by list size — ~A$30/mo at 5k contacts, ~A$150/mo at 25k–50k contacts). You are risking A$1.1m to save A$30. The math is insane.
AU vs. US/UK Spam Laws (Quick Comparison)
Region | Law           | Consent                  | Fine
AU     | Spam Act 2003 | Explicit opt-in required | A$1.1m per campaign
US     | CAN-SPAM      | Implicit consent OK      | A$43k per violation
UK     | GDPR          | Explicit opt-in required | 4% of global revenue
AU law is as strict as GDPR. Do not slack on compliance.
If You Got a Compliance Warning (What to Do)
If ACMA sends you a warning letter:
Stop emailing immediately. Do not send another campaign.
Audit your list. Export all contacts. Document consent for each (date opted-in, source).
Remove non-consented contacts. Anyone without documented opt-in gets deleted.
Rebuild. Start with contacts who explicitly opted-in to YOUR store.
Legal review (optional). If the fine is large, consult an AU lawyer (costs A$500–1,000 for a letter, but worth it).
The Wrap: Compliance Is Non-Negotiable
Spam Act compliance is not a feature. It is the law. It is not optional. You cannot "do it later."
Set it up on day 1:
Use Klaviyo (or Mailchimp/Omnisend)
Explicit opt-in (checkbox unchecked by default)
Confirmation email
Every email has unsubscribe link
Every email identifies your brand
Cost: A$0. Time: 2 hours. Risk if you skip: A$1.1m.
The choice is obvious.
Action items
Audit your current email setup in Klaviyo. Check: Does every email have an unsubscribe link? Does your footer list your AU address (or registered address if international)?
Check your subscriber list. In Klaviyo, filter to contacts. Do you have consent date logged for all contacts? Any with no consent date should be removed.
If you imported a list from a supplier, delete all contacts from that list who cannot be verified as having opted-in to YOUR store directly.
Add a compliance checklist to your SOP: every email campaign before send, confirm sender ID, unsubscribe link, AU address.
Document your opt-in method. In a spreadsheet: "Customers opt-in via [checkbox on store] and receive [confirmation email]." Keep this for 2 years (ACMA audit trail).
Module 16: Customer Service & Support Operations. You have built repeat revenue via email. Now you need to handle the one thing that destroys repeat customers: poor support. 4-hour response window, chargeback prevention, the scripts that save A