CBA cops $3.5m fine for Spam Act breaches


The Commonwealth Bank of Australia (CBA) has paid a record $3.55 million fine to the Australian Communications and Media Authority (ACMA) after it was found to have sent more than 65 million emails that breached Australia’s anti-spam laws.

The fine is the largest penalty imposed by ACMA for breaches of Australia’s Spam Act 2003.

ACMA chair Nerida O’Loughlin said she was alarmed at the “scale and duration of the breaches”, which occurred over a nine-month period between 2021 and 2022.

She expressed particular disappointment considering “ACMA gave [CBA] early warnings it might have some issues and the steps it took were ineffective”.

“The failure to fix the issues shows a complete disregard for the spam rules and the rights of its customers,” O’Loughlin said.

CBA stressed that it self-identified and reported the potential Spam Act contraventions to ACMA before the regulator commenced its investigations.

ACMA found that CBA had sent more than 61 million marketing emails to customers, between November 2021 and August 2022, that required them to log in to unsubscribe (the law states that marketing email senders are prohibited from requiring recipients to log in or provide extra personal information to unsubscribe from these messages).

CBA also sent a further four million marketing emails that did not have a functioning unsubscribe facility.

The bank blamed the vast majority of the breaches on a November 2021 update to its electronic banking customer terms and conditions.

Additionally, CBA said, “the way the unsubscribe link was populated into 13 message templates meant that the unsubscribe link did not work” for another four million messages that were sent by the bank between May and August 2022.

This “broken link” issue resulted in 5,000 customers receiving messages even after they had asked to unsubscribe.

CBA said that it has since addressed these issues, including by unsubscribing those customers who were not able to unsubscribe via the broken links.

The Spam Act 2003 requires marketing messages to contain working unsubscribe facilities. The Act also states that it is illegal to send further marketing messages to a recipient once they have unsubscribed.
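Each of the three failures described above (an unsubscribe link that was never populated into a message template, an unsubscribe link that lands the recipient on a login page, and messages still going to people who have already unsubscribed) can be caught by a pre-send gate on the marketing platform rather than by a regulator. The following is an added illustration, not CBA's or ACMA's code: the `{unsubscribe_url}` placeholder syntax, the login-path heuristic and the sample templates are assumptions made for the example, and a real deployment would also fetch each link and confirm that it works without authentication.

```python
"""Pre-send compliance gate for marketing email templates.

Added illustration, not CBA's or ACMA's code.  It checks the failure modes
described in the article: an unsubscribe link whose placeholder was never
populated, an unsubscribe link that sends the recipient to a login page,
a message with no unsubscribe link at all, and a send list that still
contains people who have unsubscribed.  The placeholder syntax
``{unsubscribe_url}``, the login-path heuristic and the sample templates
are assumptions made for the example.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Anchor whose visible text mentions "unsubscribe"; captures its href.
_UNSUB_ANCHOR = re.compile(
    r'<a\s+[^>]*href="([^"]*)"[^>]*>[^<]*unsubscribe[^<]*</a>', re.IGNORECASE)
# A leftover placeholder such as {unsubscribe_link} that rendering did not replace.
_UNPOPULATED = re.compile(r"\{[A-Za-z_]+\}")
# Assumed heuristic: path segments that indicate an authentication gate.
_LOGIN_PATHS = ("login", "signin", "auth")

# Constructed sample templates (not real bank templates) covering the cases.
TEMPLATES = {
    "ok": '<p>Hi</p><a href="{unsubscribe_url}">Unsubscribe</a>',
    # Misspelt placeholder: the real value is never populated into the link.
    "misspelt_placeholder": '<p>Hi</p><a href="{unsubscribe_link}">Unsubscribe</a>',
    # Link exists but forces the recipient through a login page first.
    "login_gate": '<p>Hi</p><a href="https://example.test/login?next=/unsubscribe">Unsubscribe</a>',
    "no_link": '<p>Hi</p><p>Our terms and conditions have changed.</p>',
}
CONTEXT = {"unsubscribe_url": "https://example.test/unsubscribe?token=abc123"}


def render(template: str, context: dict) -> str:
    """Populate {name} placeholders; unknown placeholders are left untouched."""
    return re.sub(r"\{([A-Za-z_]+)\}",
                  lambda m: context.get(m.group(1), m.group(0)), template)


def unsubscribe_issues(rendered: str) -> list[str]:
    """Return the compliance problems with the unsubscribe facility (empty list = OK)."""
    hrefs = _UNSUB_ANCHOR.findall(rendered)
    if not hrefs:
        return ["no unsubscribe link in message"]
    issues = []
    for href in hrefs:
        if _UNPOPULATED.search(href):
            issues.append(f"unsubscribe link placeholder not populated: {href}")
            continue
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            issues.append(f"unsubscribe link is not an absolute URL: {href}")
            continue
        if any(seg in parsed.path.lower() for seg in _LOGIN_PATHS):
            issues.append(f"unsubscribe link requires login: {href}")
    return issues


def audit_templates(templates: dict, context: dict) -> dict:
    """Map template name -> list of issues, listing only templates that fail."""
    report = {}
    for name, tmpl in templates.items():
        issues = unsubscribe_issues(render(tmpl, context))
        if issues:
            report[name] = issues
    return report


def filter_recipients(recipients: list[str], suppression_list: list[str]) -> list[str]:
    """Drop anyone who has unsubscribed; addresses are compared case-insensitively."""
    suppressed = {a.strip().lower() for a in suppression_list}
    return [r for r in recipients if r.strip().lower() not in suppressed]


if __name__ == "__main__":
    for name, issues in audit_templates(TEMPLATES, CONTEXT).items():
        print(f"{name}: {'; '.join(issues)}")
    print(filter_recipients(["A@example.test", "b@example.test"], ["a@example.test"]))
```

Running the gate over every template before each campaign, and applying the suppression filter to the final send list rather than relying on the link alone, would have surfaced both the template population fault and the post-unsubscribe sends before any message left the platform.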

“Consumers are frustrated by marketing intrusions on their privacy, especially when there is no option, or it is difficult, to unsubscribe,” O’Loughlin said.

In addition to the record fine, ACMA has accepted a three-year court-enforceable undertaking from CBA committing it to an independent review of its e-marketing practices and to implement improvements to these systems.

CBA must also provide regular compliance reports to the ACMA and train its staff on Australia’s spam laws.

“We acknowledge and accept the findings of ACMA’s investigation into CBA’s compliance with certain provisions of the Spam Act,” said CBA Group Executive Marketing and Corporate Affairs, Monique Macleod, in a statement.

“We apologise to all customers impacted by these issues which should not have occurred. We’ve fixed the problem and are making changes to ensure it doesn’t happen in the future.”

ACMA states that, over the past 18 months, businesses have paid $11 million in penalties for breaching spam and telemarketing laws. The regulator has also accepted 12 court-enforceable undertakings and given one formal warning.