Commonwealth Bank has incurred a second spam-related fine in as many years, this time for sending over 170 million messages with no way to unsubscribe.
The bank was penalised $7.5 million for this latest contravention of Australian anti-spam laws, adding to a $3.55 million fine last year.
The previous breach related to marketing emails sent between November 2021 and November 2022.
Its latest breaches occurred between November 2022 and April 2024.
Of the over 170 million marketing messages sent in the 18 months to April this year, 34.8 million were “sent to people who either had not consented or had withdrawn their consent to receive these messages”, the Australian Communications and Media Authority (ACMA) said in a statement.
ACMA chair Nerida O’Loughlin said the “vast scale of CBA’s non-compliance was unacceptable.”
O’Loughlin said that ACMA “found that CBA had incorrectly classified millions of messages as non-commercial”, a classification under which messages can be sent without consent and without an unsubscribe option.
However, this applies to “service messages” only.
“The rules are clear: if a message includes marketing content or direct links to marketing content, it is a commercial message and must give people the option to unsubscribe,” O’Loughlin said.
“We have seen several companies get this wrong and businesses are on notice to check how they are classifying messages as commercial or non-commercial.”
On top of the latest penalty, an “expanded” three-year court-enforceable undertaking is in place requiring the bank “to address the most recent issues.”
“These commit CBA to a comprehensive independent review and implementation of improvements, as well as providing appropriate resources and governance to ensure its compliance,” the ACMA said.