INSIGHT

Push notifications, links and compliance: lessons for all businesses from ACMA’s recent investigations

By Valeska Bloch, William Coote, James Kelly
Data & Privacy Risk & Compliance

Why businesses must rethink digital marketing under the Spam Act 5 min read

The Australian Communications and Media Authority (ACMA) recently investigated wagering providers PointsBet (IGA investigation; Spam Act investigation), Buddybet and Tabcorp, for potential breaches relating to the sending of 'electronic messages' under the Interactive Gambling Act 2001 (Cth) (IGA) and Spam Act 2003 (Cth) (Spam Act).

Although these investigations all relate to the gambling industry, the analysis and reasoning of the ACMA has significant implications for businesses across sectors. In particular, organisations will need to carefully consider how they approach the use of push notifications, links and hyperlinks in messages, and tailored/personalised marketing practices.

In light of the ACMA's recent restatement of Spam Act compliance being one of its 'three enduring compliance and enforcement priorities',1 organisations should review and, where appropriate, uplift their Spam Act compliance guidelines and policies to align with the ACMA's interpretation of key issues.

Key takeaways 

The ACMA's investigations progress the interpretation of the Spam Act in a number of respects. Most significantly:

  • The ACMA has concluded that push notifications on Apple and Android devices constitute ‘electronic messages’ under the IGA. While it has not yet formally issued a position under the Spam Act, it is likely to adopt a similar interpretation. Many organisations have previously assumed push notifications were outside the scope of the Spam Act, but this may no longer hold true. Businesses using push notifications for marketing should review their practices promptly to ensure compliance with Spam Act obligations.
  • The ACMA has evidenced its continued regulatory focus on messages 'misleadingly' being sent as 'service messages', finding that even links (or hyperlinks) to a general website homepage (including hyperlinks embedded in logos) can give an otherwise 'transactional' or 'service' message a commercial purpose. Accordingly, businesses should carefully review the use of links contained in their service messages and templates.
  • The ACMA has confirmed its position that tailored or bespoke electronic messages can enliven Spam Act obligations in the same way as broader, widely distributed marketing campaigns.

Who in your organisation needs to know about this?

Legal and compliance, marketing teams and IT teams involved in sign-off, preparation and configuration of marketing materials (including push notifications), and the design of internal email / service message templates.


Push notifications now in the spotlight as regulated electronic messages

The Spam Act was introduced prior to modern marketing communication methods and, accordingly, differing views have been historically taken as to whether push notifications would satisfy the essential elements of an 'electronic message'. ACMA Spam Act determinations have primarily involved emails, SMS text messages and, more recently, WhatsApp messages.

To date, the ACMA has not publicly pursued organisations for their delivery of push notifications under the Spam Act.

However, in recent investigations into PointsBet and BuddyBet's compliance with the IGA obligations relating to the National Self-Exclusion Register, the ACMA provided a detailed analysis of the operation of push notifications on Apple and Android/Google devices and ultimately concluded that push notifications were regulated electronic messages (an analogous concept to commercial electronic messages under the Spam Act), for the following reasons:

  • Electronic message service delivery: the IGA defines an electronic message as a message sent using an internet carriage service or any other listed carriage services to an electronic address. Push notifications were sent using internet carriage services via Apple’s push notification services (APNs) or Google’s Firebase Cloud Messaging services (FCMs).
  • 'Push tokens' as electronic addresses: the ACMA determined that 'push tokens' generated by Apple or Google services qualify as electronic addresses because they enable the sending of 'a specific message to a specific user of an app on a device' by identifying the user device to receive the notification, similar to email addresses or phone numbers.
  • Similar account: the ACMA also considered that a similar account 'need not use the same underlying technology deployed by email, telephone or instant messaging accounts; nor does it need to function in a manner identical to those accounts'. Apple and Google accounts are similar to an email, instant messaging or telephone account as, amongst other features, they allow targeting and communications to an account holder.

In considering whether the push messages were sent to an electronic address, the ACMA also found that an address does not need to be persistent or static and that 'the fact that this address is not "permanent" is not a defining characteristic of an address'.

In its PointsBet report, the ACMA references the Explanatory Memorandum to the IGA, which notes the key policy objective of ensuring 'that individuals experiencing harm from online wagering are not targeted with marketing material that may encourage them to gamble or deregister'. However, we consider it unlikely that the absence of this policy objective under the Spam Act would cause the ACMA to adopt a position in relation to push notifications under the Spam Act that is different to its position under the IGA.

The implications of this position are significant. The use of push notifications for marketing would require businesses to include accurate sender details and an unsubscribe statement and functionality in the push notification itself.

In light of these ACMA investigations, businesses that leverage push notifications to deliver marketing messages should undertake a review of their practices to ensure alignment with the Spam Act requirements.

Links to general website pages may give messages a 'commercial purpose'

The key Spam Act obligations (eg only sending messages with the recipient's consent and with a functional unsubscribe facility) apply to electronic messages that have a 'commercial purpose'. In assessing whether a message has a commercial purpose, the message is to be assessed as a whole, including having regard to any content that may be located using links contained in a message.

In May 2025, the ACMA found that PointsBet's sending of claimed 'service messages' relating to responsible gambling or account/transaction service updates had a commercial purpose by virtue of the fact that the messages included a hyperlink to PointsBet's website homepage (embedded in PointsBet's logo), and that the homepage advertised PointsBet's commercial services, including offers and promotions.

The inclusion of links and hyperlinks to website homepages is relatively common in service message templates. The ACMA has demonstrated now on a number of occasions that it is taking a very hardline approach to interpreting the Spam Act. Although the ACMA's investigation was conducted within the context of its ongoing enforcement priority as it relates to gambling harms, the implications from the determination apply across the economy more broadly. Businesses should accordingly review template communications for any links to website homepages and assess whether those homepages have a commercial purpose.

If links are to be included, businesses should ensure they are to pages that do not promote goods or services (eg to a standard 'contact us' webpage). While we have not seen the ACMA pursue businesses for content located via secondary links, given the approach of the ACMA to date, it would be prudent to ensure that secondary links also do not contain commercial content.

Tailored and personalised messages can still be subject to the Spam Act

The Spam Act has very broad application to any commercial electronic message. This means it may apply both to messages sent from business to business, and from business to individuals.

While Spam Act compliance has historically been viewed as more important in the context of regulating 'one to many' marketing messages, the ACMA's 2025 investigation into Tabcorp found that Tabcorp had contravened the Spam Act by virtue of the messages it sent to VIP customers, which comprised tailored messages offering bonus bets, deposit matches, rebates and offers of tickets to sporting and other events. The ACMA took the view that these messages were commercial and should have only been sent with consent, and with a functional unsubscribe facility.

Given the ACMA's attention on tailored marketing, all businesses—but particularly those involved in industries with a higher risk of consumer harm—should consider their marketing practices holistically, including as part of VIP programs and other more personal or exclusive arrangements, rather than only in the context of wider marketing campaigns.

We expect that, for many businesses, the application of the Spam Act to 'one to one' marketing communications has not historically been on the radar, and would require a change in processes to ensure the key requirements of consent and inclusion of a functional unsubscribe facility are satisfied.

Actions you can take now

In light of the ACMA’s recent focus, organisations should take proactive steps to mitigate compliance risk.

  • Undertake a review of all marketing and communication channels—including push notifications, email/SMS, service messages and tailored communications—for alignment with Spam Act requirements.
  • Ensure messages include accurate sender details and unsubscribe functionality or verify reliance on an appropriate exception.
  • Review templates for embedded links and assess whether linked pages contain include commercial content.
  • Finally, engage legal, marketing and IT teams to review and update internal policies and training materials to reflect the ACMA’s evolving interpretation of the Spam Act.