Commonwealth Bank of Australia Fined $7.5 Million for Spam Law Violations

The Commonwealth Bank of Australia (CBA) has been slapped with a $7.5 million fine for violating Australia’s spam laws by sending over 170 million marketing emails without proper unsubscribe options.

This marks the bank's second major breach of spam regulations.

An investigation by the Australian Communications and Media Authority (ACMA) revealed that between November 2022 and April 2024, CBA sent marketing emails without offering recipients a way to opt out, as required under the Spam Act 2003. 

A further 34.8 million emails were sent to customers who had either not consented or had previously withdrawn their consent.

ACMA Chair Nerida O’Loughlin criticized the "vast scale" of CBA's non-compliance, calling it "unacceptable" and a violation of customer privacy. She emphasized that any message containing marketing content must include an option to unsubscribe.

CBA acknowledged the breach, attributing it to misclassifying some emails as non-commercial service messages. The bank has committed to reviewing and strengthening its systems to prevent future violations. This penalty follows a $3.55 million fine last year for similar infractions.

ACMA has extended CBA's three-year court-enforceable undertaking, which requires the bank to undergo a comprehensive review and make improvements to ensure compliance with spam laws.