Let’s talk about spam (baby): All the good things and the bad
As part of the intellectual property (IP) and information technology (IT) team, we often work with privacy policies and Data Breach Recovery Plans (DBRP). While many businesses have clued in that privacy and data are big-ticket issues, both in Australia and overseas, what they might miss are their communication compliance obligations.
Communications compliance (anti-spam) is actually a part of the privacy and data law framework with which businesses have a legal obligation to comply. Why is this an often-overlooked component of privacy and data compliance? It’s possible many businesses just don’t think their communications would be considered spam and so assume these laws aren’t relevant to them – but the reality is they’d be wrong. These laws can be breached without intending to scam anyone – so, let’s break it down.
Communications law compliance
Recently Binance, a large corporation, was fined $2 million by the Australian Communications and Media Authority (ACMA) for breach of communications laws. This was based on Binance’s conduct in:
- sending emails to persons without acquiring the proper legal permissions (implied or actual);
- having insufficient opt-out options for communications; and
- requiring recipients of communications to log into their accounts to change their preferences.
In addition to issuing fines, ACMA may also seek court-enforceable undertakings from businesses which breach communications laws. This can be an onerous penalty requiring you to allow ACMA to audit your business and mandate staff training. ACMA also publishes regular articles on its enforcement of communications laws, naming and shaming infringers.
It can be costly, embarrassing and an unnecessary interruption if your business is fined, named or required to undertake audits/training for breach of communications laws. Thankfully, compliance can be addressed by having suitable policies and practices in place.
Commercial risks
Aside from strict compliance, there are other commercial downsides to improper communications practices too.
One issue is that recipients may mark the email as spam if the opt-out options aren’t clear and intuitive. Email spam filters use algorithms (including AI learning algorithms) to automatically classify whether an email is spam, and a key factor in these algorithms is the proportion of the emails sent from a site that are marked as spam by recipients.
Accordingly, if recipients mark your emails as spam (in order to stop receiving or block them), this may cause all your emails from particular addresses to be classified as spam, even when sent for legitimate reasons and to new recipients. Once the algorithm decides your email is spam, it can be very difficult to reverse that decision. Usually it means that from then on each recipient must manually find the emails from your addresses and mark them as not-spam / trusted sender.
Another issue is the use of inadequate disclaimers in email correspondence / signature blocks. Each industry is different and may need to display licenses or contain specific disclaimers to limit liability for miscommunications or misstatements by its employees. In addition to disclaimers, you can also share company initiatives by including positive messages about recycling or cultural awareness.
Sending an email to an incorrect recipient is a form of data breach (“Communication Data Leaks”), though not necessarily a reportable one. However, should a reportable data breach occur and your data practices be reviewed, you’ll want to demonstrate you’re employing best practices to avoid being fined.
Having disclaimers with proper notices for miscommunications in emails and letters is a factor that helps demonstrate you’re using best practices to manage data leaks, in addition to having a DBRP.
How we help
Data protection law is a fast-evolving compliance area for businesses with major ramifications if not done right (just ask Binance!). Accordingly, if you would like assistance with keeping your IT law on track, whether it be with drafting and reviewing communications policies and practices, ensuring your privacy and data breach policy and practices are compliant (including yearly reviews) or addressing any other data or web3 issues, please contact one of our experts in our Information, Communications and Technology team.
The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.