
CommBank fined $3.55m over millions of spam marketing emails

Commonwealth Bank has been fined $3.55 million for breaching spam laws related to some 65 million marketing emails the bank sent.

The Australian Communications and Media Authority (ACMA), which levied the fine, found in its investigation that customers were required by CommBank to log in to their accounts in order to unsubscribe. The bank had sent some 61 million marketing emails.

The bank was found to have sent a further four million emails that did not have a working unsubscribe facility at all, while also sending some 5000 emails to customers who had successfully unsubscribed.

In a statement published on the bank’s website, CommBank group executive marketing and corporate affairs Monique Macleod said:

“We acknowledge and accept the findings of ACMA’s investigation into CBA’s compliance with certain provisions of the Spam Act. We apologise to all customers impacted by these issues which should not have occurred. We’ve fixed the problem and are making changes to ensure it doesn’t happen in the future.”

“The issues resulted in some customers receiving communications from us after they had unsubscribed, and others receiving communications without a functioning unsubscribe mechanism.

“Since reporting this matter to ACMA, we’ve fixed the issues that were the subject of ACMA’s investigation, and strengthened our systems, processes and controls to support ongoing compliance.”

The agency said the $3.55 million fine was the largest penalty ever imposed for breaches of spam laws.

The Spam Act 2003 requires marketing messages to contain working unsubscribe facilities. Making customers log in or provide personal details to unsubscribe is also prohibited under the law.

Sending further emails to customers who have unsubscribed is also a breach.

CommBank explained the breaches happened after the company updated its electronic banking customer terms and conditions in November 2021, saying the change “inadvertently” removed language which was introduced to provide a temporary exemption to the requirement to include direct unsubscribe links in messages.

The company added that the way the unsubscribe link was populated into 13 message templates meant that the link did not work in the four million emails sent between May and August 2022. This also contributed to the 5000 emails sent to customers who had tried to unsubscribe.

“The scale and duration of the breaches by the CBA is alarming, especially when ACMA gave it early warnings it might have some issues and the steps it took were ineffective,” ACMA chair Nerida O’Loughlin said. “The failure to fix the issues shows a complete disregard for the spam rules and the rights of its customers.

“Consumers are frustrated by marketing intrusions on their privacy, especially when there is no option, or it is difficult, to unsubscribe.”

In addition to the fine, ACMA said it has accepted a three-year court-enforceable undertaking from CommBank, committing it to an independent review of its e-marketing practices and to implementing improvements. The bank is required to give regular compliance reports to the ACMA and train its staff on Australia’s spam laws.

O’Loughlin added: “We continue to see large and well-known businesses who should know better than breaching the spam laws. This action is a further warning to all businesses that non-compliance with Australia’s spam laws will not be tolerated.

“We will be closely monitoring the Commonwealth Bank’s compliance and the commitments it has made to review its practices. If we find future non-compliance, we will not hesitate to take further action.”

Mumbrella contacted CommBank for comment.
