Woolworths Group Limited sent 5 million spam emails in a major breach of the Spam Act 2003. Woolworths blamed ‘technical and systems issues’ for its failure to process unsubscribe requests, which meant those marketing emails were sent as spam.
The Australian Communications and Media Authority (ACMA) issued an Infringement Notice and imposed a fine of $1,003,800.
Woolworths paid the fine and gave an Enforceable Undertaking to: appoint an Independent Consultant, develop and comply with an Independent Plan, undertake Audit and Reporting.
This is a legal analysis followed by a marketing analysis.
The email fail
ACMA found that between 1 October 2018 and 17 July 2019:
“Woolworths Group Limited sent out more than five million spam marketing emails to email addresses which had unsubscribed more than 5 days previously, in contravention of subsection 16(1) of the Spam Act 2003”.
In total, 798 emails [commercial electronic messages - CEMs] were sent to email [electronic] addresses that had an Australian link. They were spam emails because they contained more than factual information. They were sent without the consent of the electronic account-holders because the recipients had sent Woolworths an unsubscribe request to opt-out of receiving emails more than 5 days previously.
After ACMA’s investigation, Woolworths issued a statement that it “acknowledges that its systems, processes and practices were not, in some instances, adequate to ensure that some customers could unsubscribe from CEMs [spam emails] sent by or on behalf of Woolworths”.
Woolworths explained that the problem arose where more than one customer shared the one email address, and where only one customer had sent a request to unsubscribe.
The penalty of $1,003,800 was calculated at 4,780 times $210 for the 798 contraventions.
The legal consequence
Woolworths gave an undertaking to ACMA that for 39 months:
“Woolworths Group Limited undertakes to appoint an Independent Consultant to:
Review the relevant business units’ current procedures, policies, training and systems relating to its compliance with the Spam Act and identify any deficiencies and/or improvements to ensure that:
a. all CEMs are sent, or caused to be sent, by the relevant business units with the consent of the relevant account holder:
b. all unsubscribe requests are actioned within the periods specified in Schedule 2 of the Spam Act¹ for when withdrawal of consent takes effect;
c. all CEMS sent, or caused to be sent, by the relevant business units contain the information required by sections 17(1)(a) and (b) of the Spam Act²; and
d. all CEMs sent, or caused to be sent, by the relevant business units contain a functional unsubscribe facility as required by section 18 of the Spam Act³.
¹ 5 business days from the day on which the request was sent
² Commercial electronic messages must include accurate sender information, namely
(a) the message clearly and accurately identifies the individual or organisation who authorised the sending of the message; and
(b) the message includes accurate information about how the recipient can readily contact that individual or organisation;
³ the electronic address is reasonably likely to be capable of receiving:
(i) the recipient’s unsubscribe message (if any); and
(ii) a reasonable number of similar unsubscribe messages sent by other recipients (if any) of the same message;
at all times during a period of at least 30 days after the message is sent;
“The $1,003,800 fine is the largest ever issued by the ACMA.”
“The spam rules have been in place for 17 years and Woolworths is a large and sophisticated organisation,” ACMA chair Nerida O’Loughlin said.
“The scale and prolonged nature of the non-compliance is inexcusable.”
“Woolworths failed to act even after the ACMA had warned it of potential compliance issues after receiving consumer complaints.”
A normal marketing email will become an illegal spam email if an unsubscribe request is not actioned promptly, within 5 days of receipt.
Headline: The Grocer That Spammed
This is a staggering oversight for an organisation the size and scale of the Woolworths Group. By comparison, most small and medium businesses in Australia who use email marketing or electronic direct mail (EDM) as part of their marketing strategy take reasonable measures to ensure that they understand and comply with the current legislation of both the Privacy Act and the Spam Act 2003.
The most embarrassing part of this episode is that the undertakings that Woolworths have agreed to would be considered as minimum policy and procedural requirements in any organisation that uses email marketing. The fact that ‘Woolworths failed to act even after the ACMA had warned it of potential compliance issues after receiving consumer complaints’, is beyond comprehension.
Any business that either encouraged or allowed their digital marketing team to continue to operate campaigns that did not comply with the Spam Act 2003 is deserving of the penalty.
The lesson for all business owners, regardless of the size of the business is to obtain independent, expert advice about the Spam Act 2003, ensure the obligations are understood and implemented into policy and procedure documents, including scheduled audits to ensure compliance.