The Australian Communications and Media Authority (ACMA) revealed on Wednesday it found Commonwealth Bank had sent more than 61 million marketing emails to customers that unlawfully required them to log in to unsubscribe.

The banking giant was found to have sent a further four million marketing emails that did not have a functioning unsubscribe option as well as more than 5000 marketing emails to customers who had asked to unsubscribe.

ACMA chair Nerida O’Loughlin said the scale and duration of the CBA breaches was “alarming”.

“ACMA gave (CBA) early warnings it might have some issues and the steps it took were ineffective,” Ms O’Loughlin said.

“The failure to fix the issues shows a complete disregard for the spam rules and the rights of its customers.

“Consumers are frustrated by marketing intrusions on their privacy, especially when there is no option, or it is difficult, to unsubscribe.”

The fine is the largest ever handed down by the regulator for spam law-related breaches.

Under Australian law, marketing messages must contain working “unsubscribe” options.

Making consumers log in or provide personal details to unsubscribe is also generally prohibited.

Once a message recipient has unsubscribed, sending further marketing messages is also not allowed.

Following the breach, CBA announced it would enter into an enforceable undertaking (EU) with ACMA.

The court-enforceable process will last three years and requires CBA to undertake an independent review of its e-marketing practices.

CBA is also required to give regular compliance reports to ACMA and train its staff on Australia’s spam laws.

CBA group executive of marketing and corporate Affairs Monique Macleod said the bank acknowledged ACMA’s findings.

“We apologise to all customers impacted by these issues which should not have occurred,” Ms Macleod said.

“We’ve fixed the problem and are making changes to ensure it doesn’t happen in the future.”

Ms Macleod said CBA had self-identified and reported the issues that became the subject of ACMA’s investigation.

She claimed the vast majority of the breaches arose when CBA updated its electronic banking customer terms in November 2021.

The update inadvertently removed language introduced to provide a temporary exemption to including direct unsubscribe links in messages.

The resulting error meant that as many as 61 million messages were sent with unlawful requirements up until August 2022.

During the same timeframe, broken links used in 13 message templates resulted in further breaches of the Spam Act 2003.

Ms Macleod said CBA had addressed the issue, including by unsubscribing customers who were not able to unsubscribe via the broken links.

The breaches by one of Australia’s big four banks comes at a time of heightened scrutiny of SMS and email spamming.

Over the past 18 months, ACMA has ordered businesses to pay about $11m in penalties.

In late-2022, Latitude Finance was ordered to pay $1.55m for breaching spam and telemarketing laws.

ACMA has also accepted 12 court-enforceable undertakings and given one formal warning since early 2022.

“We continue to see large and well-known businesses who should know better than breaching the spam laws,” Ms O’Loughlin said.

More Coverage

Final big bank announces hike

Eli Green

Popular bank hikes new mortgage rates

Hugo Timms

“This action is a further warning to all businesses that noncompliance with Australia’s spam laws will not be tolerated.

“We will be closely monitoring the Commonwealth Bank’s compliance and the commitments it has made to review its practices.

“If we find future noncompliance, we will not hesitate to take further action.”