CBA hit with record fine for breaching spam laws

This penalty stands as the largest ever imposed by the regulatory body for such offences.

ACMA’s investigation revealed that the bank sent more than “61 million marketing emails to customers that unlawfully required them to log in to unsubscribe”.

Additionally, 4 million marketing emails lacked a functioning unsubscribe facility, while another 5,000 were sent to individuals who had already expressed their desire to unsubscribe.

ACMA chair Nerida O'Loughlin emphasised the need for companies to provide customers with viable options to opt out of unwanted messages.

“The scale and duration of the breaches by the CBA are alarming, especially when the ACMA gave it early warnings it might have some issues and the steps it took were ineffective,” she said.

“Consumers are frustrated by marketing intrusions on their privacy, especially when there is no option, or it is difficult, to unsubscribe.”

As part of a court-enforceable undertaking lasting three years, the Commonwealth Bank has agreed to undergo an independent review of its e-marketing practices.

The bank will also be required to give regular compliance reports to the ACMA.

CBA Group executive marketing and corporate affairs, Monique Macleod, acknowledged the findings of ACMA’s investigation and apologised to all customers impacted.

“We’ve fixed the problem and are making changes to ensure it doesn’t happen in the future,” Ms Macleod said.

“Since reporting this matter to ACMA, we’ve fixed the issues that were the subject of ACMA’s investigation, and strengthened our systems, processes and controls to support ongoing compliance.”

The CBA explained that the majority of the breaches occurred during the bank’s update of electronic banking customer terms and conditions in November 2021. Inadvertently, this update removed specific language that had previously provided a temporary exemption from including direct unsubscribe links in messages.

“The issues resulted in some customers receiving communications from us after they had unsubscribed, and others receiving communications without a functioning unsubscribe mechanism,” Ms Macleod said.

“CBA takes its Spam Act obligations very seriously and is prioritising its compliance with the EU.”

Under the Spam Act of 2003, marketing messages must include functional unsubscribe options and requiring recipients to log in or provide personal information to unsubscribe is generally prohibited.

Once an individual has unsubscribed, sending further marketing messages becomes unlawful.

Companies have been fined more than $11 million in the past 18 months for breaching spam laws.

“We continue to see large and well-known businesses who should know better than breaching the spam laws,” Ms O'Loughlin said.

“We will be closely monitoring the Commonwealth Bank’s compliance and the commitments it has made to review its practices. If we find future non-compliance, we will not hesitate to take further action.”