Why SMS compliance in Australia matters
With open rates as high as 98%, SMS marketing is one of the most direct and effective channels available to Australian businesses. Every message you send must comply with the Spam Act 2003 and the Spam Regulations 2021, or your business risks fines, customer complaints, and reputational damage. SMS, like any direct marketing channel, comes with regulatory responsibility.
This comprehensive guide to SMS compliance in Australia combines essential legal insights with practical tools, examples, and best practices to ensure your messaging is customer-friendly and follows Australian regulations.
Whether your business sends SMS itself or through a marketing SMS partner, such as Kudosity, the legal obligations remain with your business. This isn’t just about avoiding penalties; it's about protecting your customer trust, maintaining data integrity, and sending with confidence.
Australian spam laws and data regulations outline how you can send SMS within these guidelines. Keep your customers happy and maintain a mutually beneficial and respectful relationship. We’ve done the hard work for you: here's a “get me up to speed on spam” summary.
If you want to go straight to the source, you can read the Spam Act 2003 and Spam Regulations instead.
Compliance Checklist for SMS and MMS Marketing
1. Obtain Explicit and Informed Consent
You cannot send SMS marketing without permission from the recipient. This applies to every message sent to individuals. When someone gives express permission, they agree to you sending them SMS marketing. In Australia, there are two types of legal consent, express and inferred:
Express consent – The recipient explicitly agrees to receive messages. This can be granted by filling out a web form, by ticking a box during a checkout process, or by giving consent over the phone or in person.
Inferred consent – This applies where there's an existing relationship, such as a customer account or subscription. However, one-off purchases or contact via transactional messages post-purchase do not count as inferred consent.
Important: You cannot send a message asking someone to give you permission. This is considered to be a marketing message and classified as spam.
Best Practice: Use a double opt-in process to make consent undeniable. After a customer enters their number, send a confirmation SMS requesting a reply (e.g., “Reply YES to confirm your subscription”). Only add the customer to your list after they confirm.
Keep detailed records of how, when, and where each person gave consent. Under the Spam Act, the burden of proof is on you.
2. Clearly identify your business
Every marketing SMS must identify the business responsible for the message. If a third party is sending SMS marketing messages on your behalf, they must still identify you as the authorising business with the correct legal name of your business, or your name and Australian Business Number (ABN).
Why it matters: Customers are more likely to engage with messages when they know who sent them. It's also a legal requirement.
What to do:
If your SMS service uses alpha-numeric sender IDs (like “Kudosity”), your business will need to be verified to receive this.
If your SMS service uses virtual numbers to send SMS so that customers can reply to the text, you need to include your business name in every message, either at the beginning or end.
Example: “Exclusive deals just for you. Shop now and save 20% – [Business Name]. Reply STOP to unsubscribe.”
3. Make opt-outs and unsubscribing easy
Every SMS marketing message must include a simple, functional way for the recipient to opt out. It can’t cost more than a standard text, and the number needs to be serviceable for at least 30 days after sending your SMS.
To comply, your opt-out must:
Use a clear instruction (e.g., “Reply STOP to unsubscribe”).
Be processed within five working days.
Cost no more than a standard SMS (or be free).
Remain active for 30 days after the message is sent.
Not require login, form submission, or account creation.
This is not optional.
At Kudosity, we simplify this by automatically adding opt-out instructions to every SMS template for your campaign and generating a unique unsubscribe link when alpha-numeric sender IDs are used. Our system tracks opt-outs in real time and ensures they’re excluded from future sends. There's no manual intervention required.
4. Protect customer data
Compliance isn’t only about the messages you send, it’s also about how you handle the data behind them.
Under the Australian Privacy Principles (APPs), personal data such as mobile numbers must be stored securely and accessed only by authorised personnel.
Best practices include:
Encrypting stored customer data using industry standards (e.g., AES-256).
Regularly updating access controls and system security.
Ensuring that data collected for one purpose (e.g., COVID check-ins) is not repurposed for marketing. Significant fines apply for the misuse of this data.
Limiting access to SMS data to necessary personnel only.
At Kudosity, your customer data is protected by industry-leading security. We are ISO 27001 and SOC 2 | Type II certified and guarantee 100% Australian data sovereignty. You’ll always know exactly where your data is stored and that it’s safe.
5. Conduct regular SMS compliance audits
Regulations evolve, and so should your SMS practices. Regular reviews of your compliance systems help protect your business and improve campaign effectiveness.
Audit your SMS program by reviewing:
Consent collection records and opt-in processes.
Message content for legal and brand alignment.
Opt-out functionality.
Third-party vendors and delivery systems.
Data access controls and storage policies.
Regular audits not only keep you compliant, they show customers that your business values transparency, security, and accountability.
The Spam Act 2003: What you need to know
Australia’s Spam Act 2003 governs all commercial electronic messages, including SMS and MMS. It is enforced by the Australian Communications and Media Authority (ACMA).
Under the Act, you must:
Have consent (express or inferred).
Identify yourself in every message.
Provide a functional unsubscribe option. Always allow people to unsubscribe, and make your unsubscribe function easy, obvious and accessible. You don’t want people to feel forced into staying on your SMS list, and besides – it’s illegal. Under the Spam Act, every marketing message your business sends must include an ‘unsubscribe’ option.
Never use address-harvesting software or harvested contact lists. This is the no-harvest clause. Don’t assist others in breaking the rules, either. If you do make a mistake and break a spam rule, own up to it. That way, you can try to remedy it, and when your case is reviewed, it may be resolved with no recourse.
Spam exemptions
Certain organisations are exempt from spam law in Australia. These include:
Government bodies
Registered charities
Registered political parties
Educational institutions (for messages sent to current and former students).
Purely factual messages
Exemptions: Some organisations, like government bodies, registered charities, and educational institutions, are exempt from certain aspects of the Spam Act but must still follow privacy and data security principles.
Violating the Spam Act can result in fines, investigations, and enforcement action. If your business does make a mistake, owning it quickly and addressing the issue can help resolve the matter without further penalty.
What does SMS compliance look like in practice?
Here are examples of SMS messages that comply with Australia’s laws and demonstrate responsible sending:
Example 1 – Promotion SMS "Enjoy 25% off sitewide at Kudosity this weekend only! Shop now: kudosity.com. Reply STOP to opt out"
Example 2 – Booking Reminder "Hi Sarah, your dental appointment is on Monday at 10:30am. Please reply CONFIRM or call 03 9000 0000 to reschedule. – ClearSmile Dental. Reply STOP to unsubscribe"
Example 3 – Loyalty Update "You’ve earned 100 points in your rewards account. Redeem now for exclusive perks. Reply STOP to opt out – Green & Co."
Each message:
Clearly identifies the sender
Offers value to the recipient
Includes a clear opt-out instruction
How Kudosity supports SMS compliance
At Kudosity, our platform is designed to support SMS compliance in Australia.
We support responsible sending
Our SMS service has features geared towards compliance, automated to lessen your load. The Kudosity platform is built to ensure your marketing messages are spam compliant.
Our online platform will auto-add ‘Opt-out reply STOP’ to your messages when you create a campaign. If the sender ID you’re messaging from contains a word (alpha-numeric), Kudosity adds an automatically-generated unique unsubscribe link.
Save more time with automatic management of all opt-out requests. Streamline your next campaign; Kudosity will automatically exclude opt-outs, so you can take that off your manual to-do list.
Here’s how we help you stay on the right side of the law, while still getting the results you want:
Automatic opt-out handling: Reply STOP and unique links should be added to every message you send.
Real-time unsubscribe tracking: Immediate suppression from future sends.
Consent tracking and audit logs: Keep a secure, searchable history.
Full Australian data sovereignty: ISO 27001 + SOC 2 | Type II certified.
Dedicated compliance support: Expert help when you need it.
SMS Marketing with confidence
Compliance isn’t a barrier to good marketing, it’s the foundation of it. By aligning with SMS legal requirements and the Spam Act 2003, your business not only avoids legal risk but also builds stronger, more respectful relationships with your customers.
With Kudosity’s platform, you don’t need to choose between compliance and performance - you get both. We also have an expert team on hand 24/7 to assist you with your SMS marketing campaigns and provide guidance on regulations.
Ready to simplify compliance and send smarter SMS campaigns? Explore Kudosity’s compliant messaging solutions today.
We are ISO 27001 and SOC 2 | Type I certified and have 100% Australian data sovereignty. Rest assured: when you gather information from your customers and prospects, their data is safe with us. We confirm the safety and whereabouts of your data and simplify data compliance requirements.
Spam regulations are serious. Kudosity makes it easy to send responsibly.