Getting SMS compliance wrong can cost your business up to $2.1 million per day. Here's everything you need to know to stay legal.
You must have express or inferred consent before sending commercial SMS. Express consent = they explicitly opted in (form, checkbox, text keyword). Inferred consent = existing business relationship (bought from you in last 2 years). Keep records of when and how consent was obtained. If challenged, burden of proof is on you.
Every commercial SMS must clearly identify who sent it. Use a registered sender ID (your business name, up to 11 characters) or a reply-enabled number. Anonymous or misleading sender IDs breach the Spam Act 2003. Include your business name in the message body as backup.
Every commercial SMS must include a functioning opt-out mechanism. "Reply STOP to unsubscribe" is standard. Process opt-outs within 5 business days (best practice: instantly). Sending to someone who's opted out is a breach, even accidentally.
ACMA can issue infringement notices of $2,220 per message (individuals) or $13,320 per message (businesses). Court-ordered penalties reach $2.1 million per contravention per day. These are real: ACMA actively enforces. Tiger Airways was fined $110,000. Optus paid $1.5M.
The DNCR applies to voice calls and fax, not SMS, but the Spam Act covers SMS separately. Don't confuse the two. DNCR registration costs $220/year and must be checked before telemarketing calls. SMS consent is managed separately under the Spam Act.
Mobile numbers are personal information under the Privacy Act 1988. Store securely, don't share with third parties without consent, and have a clear privacy policy. Breaches reported to the OAIC can compound SMS non-compliance issues.