Commonwealth Bank cops another fine for breaching spam laws
The Commonwealth Bank of Australia (CBA) has been fined $7.5 million for sending more than 170 million emails to customers that did not include the necessary option to unsubscribe.
This is CBA’s second major breach of the spam rules in less than 18 months after it paid a $3.55 million fine in May 2023 for sending 65 million emails without working unsubscribe options.
The Australian Communications and Media Authority (ACMA) investigation found the latest infringement took place between November 2022 and April 2024 and included 34.8 million messages sent to people who either had not consented or had withdrawn their consent to receive the messages.
Under the 2003 Spam Act, commercial marketing messages must contain an unsubscribe option. The law allows for “service” messages that are not commercial to be sent without consent or an unsubscribe option.
The ACMA investigation found that CBA’s messages promoted products and services, including insurance, credit and loan offers, or CBA itself.
ACMA chair Nerida O’Loughlin said the further breaches and the vast scale of CBA’s noncompliance were unacceptable.
“The ACMA took action against CBA just last year for not delivering on their customers’ rights to unsubscribe from marketing messages. We had to take further action after this new investigation found that CBA had incorrectly classified millions of messages as non-commercial,” she said.
“Australians are sick and tired of this kind of spam intruding on their privacy, and it’s clear CBA did not have its systems in order.”
O’Loughlin said businesses were on notice to check how they classified messages as commercial or non-commercial.
“The rules are clear; if a message includes marketing content or direct links to marketing content, it is a commercial message and must give people the option to unsubscribe,” she said.
ACMA has accepted an expanded three-year court-enforceable undertaking from CBA to address the most recent issues. The undertaking commits the bank to a comprehensive independent review and implementation of improvements, as well as providing appropriate resources and governance to ensure its compliance.
The maximum fine a court can impose on a company that does not comply with spam rules is $626,000 per day when the company has no prior record. The penalty rises to $3,130,000 per day for companies with a prior record.
Over the last 18 months, businesses have paid more than $20 million in fines for breaching Australia’s spam laws.
A CBA spokesperson said the bank acknowledged and accepted ACMA’s findings and apologised for sending the non-compliant messages.
“Timely and relevant information for our customers is incredibly important, and the way we classify that information to meet our regulatory requirements and customer expectations is an absolute priority. We are committed to meeting our obligations, and we’re dedicating significant time and resources to this,” the spokesperson said.