This module takes you through anti-spam laws and legal requirements. Make sure your business is not in breach.
Key learning outcomes:
Please note that the information presented in this section is general information only and not to be acted on. If you have a particular problem to your circumstances, please seek professional advice.
Hello, my name is Jeanette Jifkins and I'm from Onyx legal. Today we're talking about anti-spam compliance and what you can and can't do with email lists.
Before we get onto that, though, a little bit about Onyx legal. We're a local boutique commercial law firm based in North lakes. And we look after people who do business online mainly. We're a small team and all of the senior members of the team have run their own businesses in the past. So we understand what it's like for you in a small business to face the day to day challenges you do. We've also all studied lots. So we've got lots of letters after our name, and I've also written a book called Cover Your Arse Online to help you protect yourself in doing business online. We aim to be plain English, straightforward and easy to deal with and to make all the legal issues that you have to manage easy for your business.
So today looking at anti-spam compliance and what you can and can't do with your email lists. We're going to cover what spam actually is; What your anti-spam compliance obligations are; we're going to talk specifically about unsubscribed facilitie;s and how you can use lists.
Now, this information is general information only. Please don't act on this information. If you have a particular problem to your circumstances. You'd need to get specific advice. And on the basis of this information, please don't try and advise other people. It's about raising your awareness and alerting them to the fact that they might have a problem and suggesting they get advice too, don't try and tell them what they need to do or not do by yourself.
So the first thing is what is spam? So spam is an electronic commercial message. So it's got a few components. The electronic part is that it can be sent via the internet or a telecommunication service. So that can be email, phone, messaging, so, wechat. It covers Facebook messenger, all of those sorts of different facilities can fall within, spam compliance.
It is sent to a type of electronic address. So all of those things have electronic addresses, whether it's an email or it happens to be your identification on Messenger, any of those sorts of things that's designated an address. It doesn't have to look like an email address. And it does include social media accounts like LinkedIn.
Commercial means that you are offering goods or services in the message or your advertising or promoting goods or services, or you're offering a business investment opportunity. But the other aspect of it, that's not exactly commercial, but falls within this categorisation, is any sort of commercial, any sort of message for dishonest means. So all of the, you know, Nigerian scam emails, those sorts of emails, they fall within spam as well.
So what is spam as an electronic commercial message? The message can be text. It can be data. It can be speech or music or other sounds. It can be visual images, including animations. Any sort of form of commercial messaging, or promotion, or, dishonest means, anything that can be conveyed electronically can be considered a commercial message. It can be a combination of any of those things as well.
But a voice communications. If you ring somebody's phone and you leave a message in their message bank, that's not spam. So that's the only sort of exclusion there.
One message to one person is enough to breach the spam act. Anti-spam compliance is managed or regulated by the Australian communications and media authority, which is ACMA and their website is acma.gov.au.
In order to be compliant with the spam act, you need to get permission from people to send them communications and permission can be expressed, or it can be inferred. So express permission is where you ask someone and they give it to you. So that might be filling a form on your website, you know, give you us your name and email address, and we will send you this newsletter. That is getting their permission specifically.
Ticking a box. So, competition terms do this on purpose often. You've got to tick all of the boxes in order to submit your entry, and one of those boxes is you agree to accept commercial messaging or marketing emails from us. That's getting permission, even though that's slightly coercive.
Getting someone to agree over the phone. So, if you get one of those random phone calls from, you know, fundraising, I got one from the guide dogs the other day. You get that phone call and they ask you during that phone call, can we add you to our newsletter list or something along those lines? And you say yes. Then that's getting your permission and agreeing face to face.
Now, agreeing face-to-face actually means people know that what they're agreeing to. So handing over a business card is not agreeing face-to-face. If you get someone's business card and you say to them, would it be okay if I add you to my newsletter list? The answer is likely to be no, but that's getting permission, asking specifically if you can do that, instead of just adding them, which really annoys me.
Inferred permission is where someone, you can guess that they probably won't object to receiving information from you. So that's current customers. You have inferred permission from them to add them to your newsletter list. You might tick them off, but you have inferred permission.
If contact details are published and where those contact details are published, it doesn't say no junk mail or we don't accept commercial messaging or something like that. Then there's inferred consent to receive your email marketing.
Where the subject relates to the individuals role or function. So for example, if you're searching through LinkedIn and you want to speak to somebody who happens to be the marketing manager of a company or the business development manager of a company. If that business development manager or marketing manager or someone, the kind of products or services you are offering are directly relevant to their role and make sense to their role. Then there's inferred consent to connect with them and offer them that information.
And if there is a connection between some sort of promotion and the recipient. So if you go to, for example, the home show at the convention center and you know, when you buy the ticket, if you ever read the terms and conditions, you normally get added to a list, and that list is distributed to all of the exhibitors at the home show and you consent to receiving information from all of those exhibitors. That's what happens in a lot of those sort of conventions and centers like that.
When, in order to be compliant. It's not just getting permission. You then really need to tell them who you actually are. So I don't know about you. But I connect with a lot of people on LinkedIn. I have a lot of connections on LinkedIn and I get added to two email lists without my consent on a daily basis. So randomly these emails pop up in my email list, from somebody and they don't always tell me what company they're from. Or else they send an email where the company identification data is all in the images. Now my email system blocks images unless I accept them. And a lot of email systems, particularly in business, a lot of people set up their email systems to do that, because otherwise you just download a whole lot of data you don't need. So, I don't know who they are in the text of the email, because all of that information has been confined to the images.
So that's not spam compliant. It has to be the text of the email that's visible without those blockings or, you know, with those blockings in place, needs to tell them who you are. And it needs to identify your business properly, so, the name of your business, an ABN or ACN is appropriate, an address, at least a postal address, PO box if not a street address. And some contact details, so website, an email address, or phone number, anything like that. A combination of that data to substantiate who you are, that needs to be in the body of the email, or, you know. It can be in the footer, the signature at the bottom, or it can be an introduction at the top, but it has to be there.
You need to tell people where you got their details. If you got their details from a convention or you got their details from your website, something like that, let them know where the information has come from.
Invite them to opt into a list if you're building a list rather than just subscribing them to a list. So it's called a double opt in. So you're sending them and effectively a communication. And then inviting them to subscribe to that communication. A double opt-ins are not the requirement under Australian law. You can do a single optin where you get their permission, either express or inferred, and you add them to a list provided that they have the opportunity to unsubscribe.
And we'll talk more about unsubscribe in a minute. You've got to tell them how to unsubscribe. So I've seen emails recently where the unsubscribe information is there, but the background of the emails white, and they've made the text white. So you can't actually see it. So that's, that's not a legitimate unsubscribed facility. I'm sorry.
Recently, actually we will go on and speak about unsubscribe facilities. Woolworths recently. So in the last month or so, got fined at least a hundred thousand dollars, if not more, because they didn't have a functioning unsubscribed facility.
So what that means is, people would try to unsubscribe and it didn't work. So they were still getting messaging. So that's not a functioning unsubscribe facility.
The unsubscribe, you really should make it automated. If you're using any automated email system like MailChimp or active campaign or Ontraport or infusion soft or any of those. They all have unsubscribe facilities built into their systems. You just activate them in the backend and they're fairly straightforward.
The best ones I have seen. And I know as a business owner, this may be confronting to you, but the ones that I appreciate the most are the ones that now come up next to your email address. So when you received the email, the next to the title of the email or your email address, right at the very top of the email, it's got an unsubscribe link. Brilliant. It makes it very easy. It stops people getting annoyed at your marketing if they never wanted to receive it in the first place. And it makes it less likely that people are going to add your email to ‘I never signed up to this email list’ or my flag your email is spam. Cause you want to avoid that happening if you can.
Basic email messages. If you don't use an auto-responder system and you do want to send out commercial messaging. Now, remember I said, one email to one person is sufficient. So one email to one person still has to have an unsubscribe opportunity on it. And you can do that by saying, ‘to stop receiving messages from us simply reply to this email with unsubscribe in the subject line’. But then you have to activate that when you receive them, which means you need to check your junk mail folder because you might be receiving emails from people not properly in your system yet. And then you have to actually remove them from the lists that you're sending to. Or if you no longer wish to receive these messages, please click the unsubscribe button.
Now this applies to text messaging as well. And the way you can do it on text messages is ‘reply’, ‘stop’ to and then put the message or, ’unsubscribe’, and then give them a phone number or something like that. That makes it easy to remove someone from a list, and then you have to apply it, make sure you apply it. And it does work.
So, what do you do with lists and what can you, and can you not do with lists? So when you create your own list, using a website, you know, through your website, you've got, please add your name and email it here. And, you know, we’ll keep you updated. You've got express permission from those people. You can add them to your list, not a problem. You still have to have identify your business in your email, and you still have to have a functioning unsubscribe facility.
What if you've purchased a list? So I've had this come up and there are places where you can buy a list of data. For example, you might be in the cafe industry and you want to be able to market to a bunch of cafes in a certain geographical area. You can buy those lists. And get that communication details. You want to communicate to all of the secondary schools in Queensland. You can buy those lists and get those contact details.
When you purchase those lists, you need to be very clear that the person who compiled the list had the permission from all of the people on that list first, for the purpose that they're selling that list to you. Now often people don't check that point. But it is your responsibility. If you're going to use that list to make that check.
For example, the Australia post survey, they issue a survey every year. A whole bunch of people participate in that survey Australia post make it a condition of that survey, that they will be sharing that data with businesses relevant to the survey questions. So there's often questions about travel, the size of your household, whether you've got a mortgage, all of those sorts of things. And then randomly throughout the year, you get phone calls around lunchtime or six o'clock in the evening from people you never heard of before saying we're doing a survey to see if you're eligible for Oh, blah, blah, blah, blah, blah. That's cause you done one of those surveys and you've consented to being put on one of those lists with the knowledge that those lists are going to be sold or distributed to other providers. See, this is why I would read terms and conditions.
You can use the list, even if the recipients, if you're given a list from someone. So for example, you go into a business relationship with an allied provider, for example, an accountant and a financial advisor. If one party in that relationship has permission from their list to share that information with, for example, an accountant has permission to share it with a financial advisor, then it's okay because they got specific permission in the first place, but you've still got to check that.
If lists are harvested. So I used to get complaints. I worked with the Australian psychological society is their in house counsel at one point. And The Australian psychological society offers a service called find a psychologist service, and you can fill in some data and you can get details about the psychologist in your local area. It's a fantastic service, but we used to get complaints from the psychologists on that service that their data was harvested and they would get marketing emails and they said, it's your fault. You've shared our personal information with people without our permission. So we had to put a notice on that database or that, that find a psychologist service that says the people listed in this service do not consent to receiving commercial messages.
Now, if you then send, you know, collect that data and send those people commercial messaging, then you're in breach of anti-spam compliance. You're breaching the spam act. So you can't use it in that circumstance. But also the spam act specifically says you must not use address harvesting software and you must not use data collected by address harvesting software.
So any sort of software that goes onto whatever website or all over the internet, however, they do it, where they scrape the data and they use it for, you know, give it to you or sell it to you for then direct marketing. That is a breach of the spam act. So try and be aware of, and don't do that.
How can we help you? Anti-spam compliance is actually remarkably easy and I am surprised at the number of businesses who still don't get it. Think about how you react when you receive spam from people you don't know, and consider whether you want to do that to your clients or not.
Simple compliance are: Have a functioning unsubscribed facility; Get permission to send the information or at least have inferred permission; let people know where you got their data and what you're going to do with it.
And, make sure your company is identified in the email, in the body of the email and not just images that might be attached to it. Pretty simple. And try not to upset people and have them flag your emails as spam. So if you think we can be of help, please come and check out our website onyx.legal, or give us a call and have a quick chat to find out how we can help you.
Thank you for today.