Gazette
4notify Australia · Commonwealth Gazette
OFFICIAL · OAIC · ACMA
Gazette No
GAZ-AU-005
Date
2026-05-27
Status
In force
Category
Privacy

Privacy Act, Spam Act 2003 and consent: the framework for transactional and commercial delivery to Australian consumers

The Office of the Australian Information Commissioner (OAIC) administers the Privacy Act 1988 and its Australian Privacy Principles. Commercial electronic messages require consent under the Spam Act 2003, and the Notifiable Data Breaches scheme sets reporting duties. 4notify records the lawful basis and consent state on every delivery envelope at the API edge.

EmailSMSWebhook
Preamble

Section 1 — Pursuant to the Privacy Act 1988 (Cth), the Australian Privacy Principles and the Spam Act 2003 (Cth), this Gazette is issued in respect of consent management for electronic delivery.

Legislative basis
Privacy Act 1988 (Cth)

Australian Privacy Principles; lawful collection, use and disclosure of personal information.

Spam Act 2003 (Cth)

Consent, identification and a functional unsubscribe for every commercial electronic message.

Notifiable Data Breaches scheme

Notification to the OAIC and affected individuals for an eligible data breach likely to cause serious harm.

Implementation
01

Lawful-basis record per delivery

Every envelope carries a Privacy Act basis (express consent, inferred consent, or transactional necessity); set in the template record.

02

Spam Act consent check

Commercial messages carry verified consent at envelope level; sends without consent are blocked at the API edge. Transactional messages are exempt.

03

Access and correction within 30 days

Privacy Act access and correction requests propagate through 4notify within 24 hours; the suppression list updates across three carriers and the email gateway.

04

Eligible-breach notification webhook

Any envelope-level incident raises a webhook to the entity's privacy officer within one hour, supporting NDB scheme timelines.

Delivery envelope
json
{
  "event": "delivery.consent_envelope",
  "entity_id": "AU-CTRL-12345",
  "lawful_basis": "express_consent",
  "spam_act_consent": {
    "consent_id": "SA-2026-001234",
    "captured_at": "2025-09-14",
    "unsubscribe_present": true
  },
  "delivery": { "channel": "email", "template": "promo_v2" },
  "suppression_check": "passed"
}
Sample message
EmailSubject: Your marketing preferences have been updated

Hello, Your consent for marketing messages has been withdrawn as of today. You will no longer receive marketing email, but transactional notices (order confirmations, delivery alerts) will continue. For your other rights under the Privacy Act 1988: [email protected]

Compliance checklist
  • APP Privacy Policy and collection notice current
  • Privacy officer configured for NDB notifications
  • Spam Act consent stored for every commercial delivery
  • Eligible-breach notification webhook reachable
The 4notify difference

4notify is the only A2P provider that stores Spam Act consent and the Privacy Act lawful basis on every envelope, propagates suppression across three carriers in under 24 hours, and raises a one-hour eligible-breach webhook for the NDB scheme.

Frequently asked questions
Does Spam Act consent apply to SMS as well as email?

Yes — the Spam Act 2003 covers all commercial electronic messages: SMS, email and instant messaging. Each requires consent, sender identification and a functional unsubscribe.

What happens if an entity has no valid consent record?

4notify blocks commercial delivery at the API edge until valid consent is supplied; transactional delivery (e.g. order confirmations) remains available.

Gazetted by
4notify Operations Office
2026-05-27 · GAZ-AU-005

Start for free

14 days, no card required. Support across Australian business hours.

Other notices in this edition