Going back to basics on privacy and SPAM management in the wake of the latest high-profile breaches

Once again, a string of high-profile SPAM and privacy breaches has reinforced that Australian brands are ill-equipped to deal with the impending privacy changes and are not focused enough on ensuring compliance, let alone contemplating what is ethically right to do by the customer.


Whilst brands are investing heavily in data-driven marketing, they must ensure that compliance considerations are embedded at the centre of their strategy, alongside delivering the best experience for the customer, which includes protecting and respecting their privacy and wishes.


In this article, we break down some of the misdemeanours of major brands, the cost of getting it wrong and what brands can learn from it. We also take a look at the cultural changes that brands need to face in order to mitigate future risks.


Case study one: Kmart – a string of system and procedural failures and a $1.3m fine


In November of 2023, Kmart was fined $1,303,500 after sending more than 200,000 marketing emails in breach of Australian Spam Laws.


Between July 2022 and May 2023, 212,471 emails were sent to people who had previously unsubscribed, a problem Kmart puts down to technology and system failures alongside failures in procedures. The investigation followed a series of customer complaints.

But according to the ACMA, prior to the investigation the media watchdog had already alerted Kmart on a number of occasions that it might have issues with its consumer marketing.


So what can we learn from the Kmart SPAM case?


  • The ACMA has little sympathy for brands citing technology and system issues.

  • With SPAM regulation being in force for 20 years, brands have little ability to argue they are not in a position to effectively manage compliance in line with the law.

  • In the case of Kmart, the issues continued over a nine-month period and the brand had been alerted to potential inadequacies. The pace at which organisations act to rectify the issue matters, and so does the leadership's approach to ensuring these issues are dealt with as the highest-order priority, given the impact they have on customers' trust in the brand.


CBA and the case of the missing unsubscribe button


In June 2023, CBA was fined more than $3.5m for sending more than 61m marketing emails that unlawfully required customers to log in to unsubscribe, a further 4 million that did not have a working unsubscribe function, and emails to 5,000 customers who had asked to be unsubscribed.

So, what can we learn from the CBA SPAM case?


  • The CBA fine was the largest of its kind, but given the severity of the breaches you would expect it to be much bigger. CBA in part disclosed the issues to the ACMA itself, which helps to explain why the fine may not have been larger. Whilst some brands that identify major breaches may seek to cover them up, disclosure may mitigate the consequences if the ACMA is looking in your direction.

  • What is very clear within the SPAM Act is that brands need to make it simple and easy for consumers to opt out. Hiding opt-outs behind a logged-in state and putting intentional barriers in the way of opting out is a one-way ticket to significant fines.

  • What is also very clear within the SPAM Act is that brands must keep a working unsubscribe function in place for at least 30 days after a message is sent. Many brands get caught out thinking this is all managed because they have a marketing automation platform in place. In practice, communications are often also sent from a raft of other systems, including legacy platforms and technology, and it is these that can put brands in the most precarious positions.


Luxottica, a high-end eyewear retailer, took their eye off compliance


Most recently, Luxottica, the owner of the OPSM, Oakley and Sunglass Hut brands, paid a $1,512,500 penalty for sending more than 200,000 marketing messages in breach of Australian spam laws.


As was the case with the Commonwealth Bank, Luxottica sent customers 91,231 marketing emails without a functional unsubscribe facility. During the same period, Luxottica also sent 112,348 texts and emails to customers who had unsubscribed from such messages.

For Luxottica, one of the key issues behind its downfall was that the brand opted to send order confirmations that included, and linked to, commercial content, such as how to view and purchase Oakley products and a free shipping promotion.


So, what can we learn from the Luxottica SPAM case?


  • One of the most significant issues in the Luxottica case was that the brand had embedded commercial marketing messages into operational communications. A purely operational message does not require an opt-out facility, but Luxottica's communications blurred the line between operational and promotional once they embedded content and links of a promotional nature.

  • In the Luxottica case, email was not the only channel at fault; SMS played a role too. The SPAM Act covers both email and SMS, and the same rules apply to both channels.



Addressing the culture within organisations to heighten the importance of privacy and SPAM compliance


Whilst many of the cases outlined are SPAM-related rather than broader privacy breaches, we are yet to see the fallout from the Medibank, Optus and Latitude breaches that are under investigation. With the OAIC increasing fines for non-compliance with the Privacy Act to a maximum of $50m or three times the value of the benefit gained directly or indirectly, the stakes are high for brands to get this right.

In Europe, GDPR has fundamentally changed the culture within many businesses, because the change was so significant and the stakes so high that brands had no choice but to change. In Australia, we are yet to feel the full force of the change coming, which in part is why we don't see brands owning the need to change and evolve.


The buck must stop with the executive: to drive real cultural change, compliance must not be viewed as a job for the legal department, a single legal team member, or the responsibility of IT. Whilst legal provides direction and helps guide decision making, it is not the team running campaigns and leveraging data on a daily basis, and IT can't control what communications are being triggered. Organisations that treat their customers' privacy with respect and are buttoned up on compliance are usually those where the executive understands its importance and sees it as their responsibility to ensure the organisation is adhering to its obligations on the privacy and SPAM front.


Data charter or ethics framework: to drive material change, brands need the right policies and frameworks to guide decision making, but not the kind that are developed and then sit on a drive never to be reviewed again. Data charters and ethics frameworks can help teams guide decision making and ensure the organisation has clarity over how it wants to treat and manage customer data ethically.


Privacy forum: we have seen some organisations adopt a cross-functional privacy forum that provides an avenue for teams across the organisation to engage in major decisions around privacy and SPAM. The cross-functional nature of it ensures there is a diverse set of voices at the table, and it also enables consistent decision making for the organisation, as opposed to decisions made in silos as and when they arise.


Employee education and training: whilst this is an obvious one, unfortunately it is often addressed through a one-and-done approach rather than continuous learning and knowledge sharing. As this space is evolving, and particularly during a very important time of change, brands need to rethink how they remain abreast of changes and educate teams on what is coming. This is where the privacy forum can also play a role, owning and leading continuous development and knowledge sharing.


Get external advice: we often see brands marking their own homework in the SPAM and privacy compliance space, but doing so with significant blind spots in their knowledge of what it takes to be compliant. Having a seasoned expert undertake a review and share the findings, and the ramifications of non-compliance, with leaders can help drive buy-in and investment and heighten the importance of compliance within the organisation.
