Generative AI has quietly taken over a large share of marketing production. It drafts subject lines, personalises body copy to each recipient, and feeds automated systems that send at a volume no human team could match. The output looks polished and moves fast, which is exactly why it is easy to forget that none of it changes your legal position.
In Australia, every commercial electronic message you send is governed by the Spam Act 2003 (Cth), regulated by ACMA. The Act does not care whether a person or a model wrote the message. It applies the same three rules to each one, and it applies them per message. That last point is what makes AI a risk multiplier rather than a neutral tool.
What the Spam Act requires
The Spam Act 2003 (Cth), at sections 16 to 18, sets out three cumulative rules for every commercial electronic message, meaning any email, SMS, or instant message with a commercial purpose. Cumulative means all three must be satisfied at once. Getting two right does not excuse the third.
Consent before sending
Section 16 requires consent before a commercial electronic message is sent. Consent can be express, where the recipient has actively agreed to receive messages of that kind, or inferred, where it can reasonably be concluded from the recipient's conduct and the business relationship. Inferred consent is narrower than most marketers assume, and the sender carries the burden of showing a valid basis for every address on the list.
Accurate sender identification
Section 17 requires that the message clearly and accurately identifies the sender and includes a way to contact that sender. A recipient should be able to tell who sent the message and reach them. Copy that obscures the sender, uses a misleading "from" name, or omits contact details fails this rule even if consent exists.
A functional unsubscribe that is honoured
Section 18 requires a functional unsubscribe facility. The mechanism must work, must stay usable for a reasonable period, and, just as importantly, the opt-out must actually be actioned. An unsubscribe link that is present but not honoured on the back end is a breach, not a technicality.
Where AI trips it
AI does not create new obligations. It creates new ways to breach the existing ones at scale, and it does so faster than manual review can catch.
The template defect, multiplied
The core risk is simple. Generative AI writes a campaign template, an automated system sends it to a large list, and a single defect in that template repeats across every recipient. If the template lacks accurate sender identification, or omits a working unsubscribe, or is sent to addresses without a valid consent basis, that one flaw is not one breach. Under a per-message regime it is a breach for every message sent. AI scale turns a small authoring error into large penalty exposure.
Personalisation that outruns consent
AI personalisation encourages marketers to reach further into their data and to segment lists in new ways. The temptation is to treat a rich profile as if it were consent. It is not. A model can generate a highly relevant message for a recipient who never agreed to hear from you, and relevance is no defence under the Act. Every address in an AI-driven send still needs a consent basis you can stand behind.
Automated identity and opt-out drift
Automated sending pipelines can quietly break sender identification and unsubscribe handling. A "from" field populated by a system, a dynamically generated footer, or an opt-out request routed through automation that does not reliably suppress future sends: each can fail sections 17 or 18 without anyone noticing until volume exposes it. The faster and more automated the pipeline, the more important it is to verify these mechanics rather than assume them.
Why the exposure is real
This is not a dormant regime. Under ACMA, it is one of Australia's most actively enforced. Commonwealth Bank paid a substantial civil penalty in 2023, the largest under the Act to date, and seven-figure outcomes are now routine rather than exceptional. The enforcement pattern is consistent: large, established organisations with sophisticated marketing operations still get caught, often because a systemic process failure repeated across many messages. That is precisely the shape of an AI-scale defect.
What to have in place before a volume send
Audit the template for consent basis. Before any AI-generated campaign goes out at volume, confirm that every address on the target list has a valid express or inferred consent basis, and that you can evidence it. Do not rely on the richness of a profile as a substitute for consent.
Verify sender identification in the actual output. Check the rendered message, not the brief. Confirm the sender is accurately identified and reachable, and that no automated field has overwritten or obscured that identity.
Test the unsubscribe end to end. Confirm the facility is present, functional, and that an opt-out actually suppresses future sends across the whole pipeline, including AI-driven and automated flows.
Put a human gate before scale. Treat the moment before a volume send as a control point. One reviewer checking the template against sections 16 to 18 costs minutes; the same defect shipped to a full list does not.
AI marketing does not sit outside the Spam Act. It sits squarely inside it, at higher volume and higher speed. If you want a fast read on which obligations your current AI use actually triggers, running the free AIRA Health Check will show you where your marketing activity meets the Act and where the gaps are before ACMA finds them for you.