)
Fines for Australia's largest bank for breaching spam rules have now surpassed $11 million after Commonwealth Bank (ASX: CBA) was found to have sent more than 170 million that lacked an option to unsubscribe.
An investigation by the Australian Communications and Media Authority (ACMA) found that of the emails sent between November 2022 and April 2024, 34.8 million were sent to people who either had not consented or had withdrawn their consent to receive such messages.
The latest $7.5 million penalty follows a $3.55 millionfine last year for sending more than 61 million marketing emails to customers unlawfully requiring them to log-in to unsubscribe.
The further breaches and vast scale of CBA's non-compliance has been described by ACMA chair Nerida O’Loughlin as unacceptable.
"The ACMA took action against CBA just last year for not delivering on their customers’ rights to unsubscribe from marketing messages," she said.
"We have now had to take further action after this new investigation found that CBA had incorrectly classified millions of messages as non-commercial."
ACMA notes that the Spam Act 2003 permits purely ‘service’ messages that are not commercial to be sent without consent or an unsubscribe facility. However, the regulator found the bank's messages either promoted products and services like insurance, credit and loan offerings, or CBA itself.
"The rules are clear, if a message includes marketing content or direct links to marketing content, it is a commercial message and must give people the option to unsubscribe," O'Loughlin said.
"We have seen several companies get this wrong and businesses are on notice to check how they are classifying messages as commercial or non-commercial."
In addition to the financial penalty, the ACMA has also accepted an expanded three-year court-enforceable undertaking to address the most recent issues, committing CBA to a comprehensive independent review and implementation of improvements.
The court undertaking will also commit the bank to providing appropriate resources and governance to ensure its compliance.
“We will continue to closely monitor compliance with its commitments and with the spam laws,” O’Loughlin said.
The maximum penalty a court can give to companies not complying with spam rules is $626,000 per day where a company doesn’t have a prior record. Maximum court penalties rise to $3,130,000 per day for companies with a prior record.
Over the last 18 months businesses have paid over $20 million in spam penalties.
)
