Woolworths fined over $1M for contravention of the SPAM Act

Woolworths, one of the largest supermarket chains in Australia, has been fined $1,003,800 for its repeated breaches (more than 5 million) of the SPAM Act 2003 (Cth) (Act) between October 2018 and July 2019.

This is the largest fine ever issued by the Australian Communications and Media Authority (ACMA).

Additionally, in a 3-year court-enforceable undertaking, Woolworths agreed to:

  • appointing an independent consultant to review its systems, processes and procedures, make improvements, and report to ACMA
  • conducting training and reporting all non-compliance it identifies to ACMA for the term of the undertaking.

Background

The infringement notice issued by ACMA stated that ACMA had reasonable grounds to believe that Woolworths, in contravention of the Act, had sent a significant number of commercial electronic messages to electronic addresses more than 5 business days after the relevant recipients withdrew their consent.

In particular, from 30 May 2020 to 3 June 2020, Woolworths sent 798 such messages, which were purported to offer to supply or advertise or promote goods sold by Woolworths.

Woolworths alleged that these contraventions occurred due to a system failure.

Spam Act

The Act prohibits a person or a body corporate from sending, or causing to be sent, a commercial electronic message, which has an Australian link (e.g. the message originates in Australia, the recipient is physically in Australia when the message is accessed and etc.) or is not a designated commercial electronic message (i.e. a message that contains no more than facts and some other information as prescribed by the Act), unless the person can prove that:

  • the relevant recipient consented to receiving such a message
  • the person did not know and could not, with reasonable diligence, have ascertained that the message had an Australian link
  • the person sent out the message by mistake.

Contraventions of the above prohibition may result in the relevant person or body corporate being ordered to pay a civil penalty and, in the case of a penalty imposed under an infringement notice from ACMA, the amount depends on the number of contraventions (i.e. the number of messages that have been sent).

For example, in the case of a body corporate:

  • if the notice is in relation to more than 1 but fewer than 50 contraventions, $4,200 multiplied by the number of contraventions is imposed
  • if the notice is in relation to 50 or more alleged contraventions, $210,000 is imposed.

Repeat corporate offenders may face penalties of up to $2.22 million a day.

As noted above, Woolworths contravened the Act across multiple days and, for each day, ACMA has applied the above calculation based on the number of contraventions occurred during that day. Accordingly, ACMA imposed $163,800 for a day where there have been 39 contraventions and $210,000 for each of the other 4 days where there have been more than 50 contraventions.

Key takeaways

In order to avoid such heavy penalties, businesses should:

  • have the necessary systems, processes and procedures in place to ensure that requests from consumers to unsubscribe are recorded and enacted
  • run frequent tests to ensure that their systems do not send advertising materials to those consumers who have unsubscribed
  • implement a plan and mechanism to immediately detect and respond to any failure in complying with the Act.

In addition, businesses should also note that the Australian Privacy Principles expressly prohibit an organisation from using personal information it holds for direct marketing except for limited circumstances. Accordingly, a business in contravention of the Act may also find itself in breach of the Privacy Act 1988 (Cth).

If you would like more information about the Act, please contact our specialists at Wrays.

Wrays Industry Insights, Insights