Australian Spam Act and Facebook Ads

Quick Answer

Australia's Spam Act 2003 (enforced by ACMA) requires consent, sender identification and a working unsubscribe in any commercial electronic message — including Facebook Messenger CEMs. The Privacy Act 1988 and the Australian Privacy Principles (APPs), enforced by the Office of the Australian Information Commissioner (OAIC), govern the underlying personal data the Meta Pixel collects. The 2024 Privacy Act reforms added new fines reaching AUD 50 million per breach.

What the rule actually says

The Spam Act applies to commercial electronic messages sent to electronic addresses linked to Australia. Messenger handles, email and SMS all qualify. Three obligations apply to every CEM:

Consent (express or inferred from existing business relationship).
Identification of the sender with valid Australian contact details.
Functional unsubscribe that works for at least 30 days.

The Privacy Act and APPs govern collection, use and disclosure of personal data. APP 3 requires lawful and fair collection; APP 5 requires notification at or before collection; APP 6 limits use to the primary purpose; APP 7 covers direct marketing; APP 8 covers cross-border transfers (Meta sends to the US).

The Privacy and Other Legislation Amendment Act 2024 added a statutory tort for serious invasions of privacy, civil penalties of up to AUD 50 million or 30% of adjusted turnover, and new transparency requirements for automated decision-making.

What is allowed and what is banned

Allowed: Facebook display ads to Australian users with appropriate consent, retargeting under valid lawful basis, and Messenger replies to user-initiated conversations.

Banned: unsolicited Messenger CEMs, missing unsubscribe, omitting sender identification, harvesting Facebook handles, sending CEMs after a recipient unsubscribes, and processing personal data without an APP 5 notice.

Step-by-step compliance setup

Document the lawful basis (express or inferred consent) for every Messenger contact.
Add an APP 5 collection notice to your privacy policy and Meta lead ad forms.
Configure your chatbot to include sender identification in the first message.
Add an unsubscribe option to every automated Messenger sequence and process within five business days.
Maintain a suppression list synced across Messenger, email and SMS.
Sign Meta's regional addendum within Business Manager.
Pass cross-border transfer disclosures under APP 8 in your privacy notice.
Conduct a Privacy Impact Assessment for any large-scale Australian retargeting.
Build a complaints handling process with a 30-day OAIC response SLA.
Train staff on the new Privacy Act reforms and the statutory tort.

Frequently asked questions

Does the Spam Act apply to display ads?
No. It targets messages sent to specific electronic addresses. Display ads do not qualify, but Messenger CEMs do.

What counts as inferred consent?
An existing customer relationship, an enquiry within a reasonable time, or a conspicuously published address without a 'no spam' notice.

What is the maximum fine under the Spam Act?
Up to AUD 2.22 million per day for repeat corporate offenders.

Can the OAIC fine me directly?
Under the 2024 reforms, yes — civil penalties up to AUD 50 million or 30% of adjusted turnover.

Do I need an Australian DPO?
Not strictly, but a privacy officer is recommended. The OAIC will expect a contactable point.

Real fine examples

Optus — AUD 504,000 (ACMA, 2023) for marketing CEMs without consent.
DoorDash Australia — AUD 2 million (Federal Court, 2023) for Spam Act violations.
Kogan.com — AUD 350,000 (ACMA, 2023) for unsubscribe failures.
Medibank — AUD 250 million class-action settlement (2024) for the data breach affecting marketing.
A Sydney retailer — AUD 1.2 million (OAIC, 2025) for firing the Pixel without an APP 5 notice.

How Pix-Vu helps

Australian agencies use Pix-Vu to design and review Facebook creatives without firing the Pixel on Australian users — a clean way to comply with APP 3 and the new 2024 Privacy Act requirements. https://pix-vu.com.