The Commonwealth Bank of Australia (CBA), the country’s largest bank, has been slammed with a A$7.5 million fine for sending 170 million emails that did not comply with spam laws.
An Australian Communications and Media Authority (ACMA) investigation found that between November 2022 and April 2024, CBA contravened Australia’s spam laws by sending over 170 million marketing messages to Australians that did not include a way to unsubscribe.
ACMA noted that CBA sent 34.8 million of these messages to people who either had not consented or had withdrawn their consent to receive these messages.
This is CBA’s second major breach of the spam rules after it paid a A$3.55 million penalty in May 2023 for sending 65 million emails without working unsubscribe arrangements.
ACMA Chair Nerida O’Loughlin issued a strongly worded statement saying that CBA “did not have its systems in order.”
“The ACMA took action against CBA just last year for not delivering on their customers’ rights to unsubscribe from marketing messages. We have now had to take further action after this new investigation found that CBA had incorrectly classified millions of messages as non-commercial,” said O’Loughlin.
“Australians are sick and tired of this kind of spam intruding on their privacy and it’s clear CBA did not have its systems in order.”
The Spam Act 2003 permits purely ‘service’ messages that are not commercial to be sent without consent or an unsubscribe facility.
However, ACMA noted that it found CBA’s messages either promoted products and services (including for insurance, credit and loan offerings) or promoted CBA itself.
“The rules are clear, if a message includes marketing content or direct links to marketing content, it is a commercial message and must give people the option to unsubscribe,” added O’Loughlin.
“We have seen several companies get this wrong and businesses are on notice to check how they are classifying messages as commercial or non-commercial.”
In addition to the financial penalty, ACMA has also accepted an expanded three-year court-enforceable undertaking to address the most recent issues.
This undertaking commits CBA to a comprehensive independent review and implementation of improvements, as well as to providing appropriate resources and governance to ensure its compliance.
“We will continue to closely monitor compliance with its commitments and with the spam laws,” said O’Loughlin.
CBA has now issued an apology. “We apologise for sending non-compliant messages to customers,” said Monique Macleod, group executive marketing and corporate affairs.
ACMA said that over the last 18 months, businesses have paid over A$20 million in spam penalties.
In 2023, ACMA issued fines to major companies in Australia including Kmart (A$1.3 million) and DoorDash (A$2 million).
The maximum penalty a court can give to companies not complying with spam rules is A$626,000 per day where a company doesn’t have a prior record.
Maximum court penalties can rise to a steep $3,130,000 per day for companies with a prior record.