The Commonwealth Bank of Australia (CBA) has been slapped with a $7.5 million penalty for sending over 170 million emails that contravened Australia’s spam laws, marking the bank’s second major breach of spam rules.

An investigation from the Australian Communications and Media Authority (ACMA) found that between November 2022 and April 2024, CBA contravened spam laws by sending its customers marketing messages without any method to unsubscribe.

The media watchdog observed that the Big Four bank failed to comply with spam rules across more than 170 million junk emails.

A further 34.8 million of the messages were sent to Australians who either hadn’t consented to the messages, or had explicitly withdrawn their consent from CBA’s email chain.

ACMA chair Nerida O’Loughlin said the “vast scale” of the bank’s non-compliance was “unacceptable”.

“Australians are sick and tired of this kind of spam intruding on their privacy and it’s clear CBA did not have its systems in order,” said O’Loughlin.

As noted by ACMA, the Spam Act 2003 allows for purely non-commercial ‘service’ messages to be sent without recipient consent and without providing an avenue to unsubscribe.

CBA appears to have taken some liberties with its interpretation of these rules, as the watchdog found its multi-year campaign either promoted products and services – such as insurance, credit and loan offerings – or directly promoted CBA itself.

According to ACMA’s investigation report, CBA said it sent these messages without consent because it had “incorrectly classified some of the messages as ‘service non-commercial’ or ‘compliance’ messages”.

“The rules are clear, if a message includes marketing content or direct links to marketing content, it is a commercial message and must give people the option to unsubscribe,” said O’Loughlin.

She added ACMA has seen “several companies” get their spam obligations wrong.

“Businesses are on notice to check how they are classifying messages as commercial or non-commercial,” she said.


CBA has paid a $7.5 million penalty for its breach, while ACMA has accepted an extension of a previously arranged “three-year court-enforceable undertaking” which commits CBA to a “comprehensive independent review and implementation of improvements”.

“We will continue to closely monitor compliance with its commitments and with the spam laws,” O’Loughlin said.

Responding to its compliance failures, CBA said it is “continuing to review and strengthen its systems, processes, and controls to support ongoing compliance with the Spam Act”.

“We apologise for sending non-compliant messages to customers,” said CBA group executive of marketing and corporate affairs, Monique Macleod.

CBA posted a net profit of $9.5 billion for the 2024 financial year.

Repeat offender

This isn’t the first time CBA has been pulled up for its questionable email practices.

Last year, the bank paid a smaller $3.55 million penalty for sending 65 million emails without functional unsubscribe arrangements.

At the time, CBA similarly sent junk to 5,000 people who had already unsubscribed from marketing messages.

In June 2023, O’Loughlin warned ACMA would be “closely monitoring” CBA’s compliance and the commitments it had made to review its questionable practices.

“If we find future non-compliance, we will not hesitate to take further action,” she said.

The maximum penalty a court can give non-compliant companies is $626,000 per day where a company doesn’t have a prior record.

In the case of repeat offenders, those penalties can rise to a whopping $3,130,000 per day.

ACMA notes over the last 18 months, businesses have paid over $20 million in spam penalties.

In a statement of expectations released in July, the authority told businesses to consider using a “double opt-in” when obtaining consent – such as email confirmation that consent has been given – before stressing the importance of “easy to use” unsubscribe facilities and urging companies to remove people from calls and marketing lists when asked to do so.