Focus: Communications, Media & Technology – December 2003
Has spam been canned?
In brief: On Tuesday, 2 December, the Federal Government passed national anti-spam legislation in the form of the Spam Bill 2003 and the Spam (Consequential Amendments) Bill 2003. Lawyer Alyssa Caplan reports on the key features of the new anti-spam legislation and important compliance issues for clients.
- The Spam Bill in brief
- The Spam Bill in detail
- Key features of the Spam Bill
- What does it all mean? How will it affect your business?
'Spam' has become an Internet epidemic, accounting for more than half of the emails sent over the Internet every day and costing businesses worldwide more than $20 billion per year.
The anti-spam legislation is designed to tackle the proliferation of unsolicited emails and other electronic messages, such as SMS. While the legislation is unlikely to have much of an impact on the bulk of spam, which originates from overseas, it will have important implications for businesses operating in Australia and engaged in direct email and SMS marketing or who otherwise offer goods and services over the Internet.
The Spam Bill includes the following key features:
- an opt-in regime (based on consent) for commercial electronic messaging;
- a requirement that commercial electronic messages contain a functioning unsubscribe facility, as well as information about the person who authorised the sending of the messages;
- a prohibition on electronic address-harvesting software and address lists generated using such software; and
- a flexible range of civil sanctions, including warnings, infringement notices and court-ordered penalties.
The Spam (Consequential Amendments) Bill 2003 provides the regulatory framework for the administration of the anti-spam legislation by the Australian Communications Authority (ACA).
Despite the title of the bill, the term 'spam' is undefined. Instead, the Bill regulates unsolicited commercial electronic messages with an Australian link.
What are commercial electronic messages with an Australian link?
Electronic messages are messages sent using an Internet or other carriage service to an electronic address (and include emails, SMS and MMS, but exclude voice calls from a standard telephone service).
Commercial electronic messages are electronic messages sent for one of the commercial purposes set out in clause 6 of the Bill (such as offering to supply/provide/advertise or promote goods, services, land, business or investment opportunities).
Broadly stated, a commercial electronic message will be regarded as having an Australian link if the message originates in Australia or is received in Australia.
1. An opt-in regime (based on consent) for commercial electronic messaging
Clause 16, the main operative provision of the Bill, prohibits a person from sending, or causing to be sent, a commercial electronic message that has an Australian link unless:
- the relevant account-holder consented to the message;
- the sender did not know and could not, with reasonable diligence, have ascertained that the message had an Australian link (eg which may occur if the Australian recipient has an address that ends with '.com' rather than '.com.au');
- the message was sent by mistake (eg where a virus on the sender's computer results in the message being sent); or
- the message falls within the definition of a designated commercial electronic message.
For the purposes of the Bill, consent can be expressly given or can be reasonably inferred from the conduct, business and other relationships of the individual or organisation concerned. Consent is not to be inferred from the publication of the recipient's electronic address. It can, however, be inferred if the electronic address was conspicuously published and it would be reasonable to assume that that address was published with the addressee's consent and the publication does not specifically exclude consent.
The general prohibition in clause 16 does not apply to designated commercial electronic messages, which are defined in Schedule 1 of the Bill as:
- messages that contain no more than factual information and some form of information that identifies the source of the information (for instance, name, logo and contact details of the person who authorised the sending of the message); or
- messages sent, subject to certain conditions, by a government body, a registered political party, a religious organisation, a charity or an educational institution.
2. All commercial electronic messages must contain accurate sender information and a functional unsubscribe facility
Under clause 17 of the Bill, all commercial electronic messages (including designated commercial electronic messages), whether solicited or unsolicited, that have an Australian link, must:
- clearly and accurately identify the individual or organisation that authorised the sending of the message (eg by including a correct company name and ABN); and
- include accurate information about how the recipient can readily contact that individual or organisation.
Under clause 18 of the Bill, all commercial electronic messages (other than designated commercial electronic messages), whether solicited or unsolicited, that have an Australian link, must contain a 'functional unsubscribe facility'.
A functional unsubscribe facility is simply a clear and conspicuous statement to the effect that the recipient may use a particular electronic address to unsubscribe from, or opt-out of, receiving any further messages from the individual or organisation who authorised the sending of the message.
To mandate the inclusion of an unsubscribe facility is, however, of concern. Replying to spam can be dangerous, as it confirms the existence of your email address to the spammer and may result in more spam being sent to you.
3. A prohibition on electronic address-harvesting software and address lists generated using such software
Part 3 of the Bill imposes a strict prohibition on the supply, acquisition or use of address-harvesting software or harvested address lists.
Address-harvesting software means software that is specifically designed for searching the Internet for electronic addresses and for collecting and compiling those addresses. A harvested address list includes a list that was produced prior to the commencement of the Bill.
Again, to fall within the prohibition, there must be some link to Australia, so that either the supplier or the customer is physically present or carries on business in Australia.
The defences to the above prohibitions include:
- the supplier had no reason to suspect that the address harvesting-software or harvested-address list would be used in connection with sending unsolicited commercial electronic messages;
- the supplier did not know (and could not, with reasonable diligence, have ascertained) that the customer had a relevant Australian connection;
- the acquirer of the software or list did not intend to use them in connection with sending unsolicited commercial electronic messages; or
- the address harvesting-software or harvested-address list is not used in connection with sending unsolicited commercial electronic messages.
4. A flexible range of civil sanctions, including warnings, infringement notices and court-ordered penalties.
Enforcement of the legislation will be undertaken by the ACA under a multi-tiered scheme. The ACA will be able to issue formal warnings, seek injunctions and seek investigative and monitoring warrants from the courts. The financial penalties faced by spammers will be significant, with organisations liable to pay $220,000 (individuals up to $44,000) for the first contravention on a single day. Repeat offenders will be more severely penalised, with organisations liable to pay up to $1.1 million per day (individuals up to $220,000).
There will, however, be a 120-day grace period after the Bill receives the royal assent for businesses to bring their practices into line with the new requirements.
In isolation, the new legislation is unlikely to 'put spam back in the can', as promised by former Communications Minister, Senator Richard Alston. However the Spam Bill is not to be dismissed (as some have done) simply because less than 2 per cent of spam is sourced from within Australia. The new legislation should be seen as one step in a range of complementary strategies, including the development of Industry Codes, end-user empowerment and international cooperation.
Fortunately, there is a growing trend of adopting anti-spam legislation around the world. Last month, the former Governor of California, Gray Davis, signed anti-spam legislation based on similar principles as the Australian opt-in model. The Californian law is due to come into effect on 1 January 2004. President Bush is also expected to sign the federal 'CAN-SPAM Act' by mid-December 2003.
Similarly, the UK's Privacy and Electronic Communications Regulations implement a European Union Directive of last year, which will come into force on 11 December 2003. Other EU member states will follow in coming months.
While the efficacy of the Australian anti-spam legislation remains to be seen, it introduces further compliance issues for Australian business. Organisations will need to review their procedures to ensure that:
- either express or inferred consent exists for all commercial electronic messages. (This raises issues regarding what type of conduct or pre-existing relationship gives rise to an inference that consent has been given);
- messages contain accurate information identifying the organisation and a functional unsubscribe facility;
- harvested address lists (whether created before or after the implementation of the legislation) are not used; and
- employees are educated on the new legislative changes and adequate email policies are in place.
Businesses should start to seek advice as to the potential implications of the new legislation and develop appropriate strategies to ensure compliance with the new legislation.
- Niranjan ArasaratnamPartner, Sector Leader - Technology, Media & Telecommunications,
Ph: +61 3 9613 8324