ACMA issues new guidance on expectations for telemarketing and email/SMS marketing

As set out in their FY23/24 Regulatory Priorities, the Australian Communications and Media Authority has been conducting a flurry of regulatory activity regarding Spam Act compliance over the last 12 months, resulting in enforcement action against a number of large Australian and multinational corporates.

Now, the ACMA has issued new guidance articulating its expectations for how corporates should be obtaining individual consent when seeking to conduct telemarketing and emarketing (email, SMS and instant messages).

What's the guidance say?

Some of the key takeaways include the following.

Alignment with the Privacy Act: The ACMA appears to be aligning with the definition of consent under the Privacy Act 1988. Under the Privacy Act, consent may be express or inferred, but the Australian Information Commissioner has taken the view that, to be valid, consent must meet the following four criteria:

1. the individual is adequately informed before giving consent
2. the individual gives consent voluntarily
3. the consent is current and specific
4. the individual has the capacity to understand and communicate their consent.

This approach to consent is articulated in Chapter B of the Australian Privacy Principle Guidelines, but it is likely to become part of the Privacy Act in amendments expected later this year (see Proposal 11.1 in the Government's Response to the Privacy Act Review) .

A preference for express consent: While the ACMA's various rules (including the Do Not Call Register Act and the Spam Act) permit inferred consent, the ACMA makes a strong recommendation that organisations use express consent as it involves a clear and unambiguous choice made by a consumer.

Consent must be demonstrable: The ACMA expects organisations to be able to demonstrate valid consent, including "the method by which the consent was obtained, the terms that applied and the date and time it was obtained."

Lines drawn on supplier risk: The ACMA does not consider that organisations can assume that using third party suppliers will enable compliance: "You need to have oversight and assurance processes in place to ensure that these records are reliably kept and maintained by those third parties or yourself". As such, contractual controls alone will not suffice - organisations need to be able to demonstrate sufficiently active and robust contract management.

A focus on transparency: Much like the Australian Information Commissioner, the ACMA is concerned that valid consent must be properly informed, which means information must be provided in a way that it can be understood and is likely to be seen. The ACMA recommends that organisations "[u]se express consent based on clear terms and conditions that are readily accessible to consumers at the point consent is obtained and not hidden away in fine print, lengthy privacy policies or that require multiple click-throughs to find".

Operational tips: The guidance provides detailed "do's and don'ts" that are a must read for any Australian marketing team.

So what?

Combatting misleading marketing and spam remains at the top of the ACMA's regulatory priorities for 2024/25, and changes to the Privacy Act later this year may further impact direct marketing compliance obligations.

There's never been a better time to review your marketing operations and get your house in order. If this is something your organisation needs help with, don't hesitate to reach out.