Database Reactivation in Australia: How to Win Back Customers Without Breaking the Law

Database reactivation campaigns can deliver strong ROI, but Australian businesses face strict legal obligations under the Spam Act 2003 and Privacy Act. With ACMA penalties now exceeding $16 million in 18 months, compliance is not optional.

Ben Sabic - Chartered Marketer · January 12, 2026 · 8 min read

Database reactivation campaigns can be one of the most cost-effective marketing strategies available to Australian businesses, but they come with serious legal obligations. Before you send that "we miss you" email to your dormant contacts, you need to understand your responsibilities under the Spam Act 2003 and the Australian Privacy Principles. Get it wrong, and you could face penalties in the millions.

The Australian Communications and Media Authority (ACMA) issued over $16 million in spam penalties in the 18 months leading up to mid-2025, with the Commonwealth Bank of Australia receiving a $7.5 million fine for sending more than 170 million non-compliant marketing messages. The message is clear: compliance is not optional.

This guide covers what Australian businesses need to know about running compliant database reactivation campaigns, including consent requirements, the regulatory framework, and practical steps you can take today.

What is Database Reactivation?

Database reactivation is a marketing strategy designed to re-engage inactive customers or contacts who have stopped interacting with your business. These might be people who made a purchase years ago, signed up for your newsletter but never opened an email, or lapsed subscribers who used to be regular buyers.

The business case is compelling. Acquiring a new customer typically costs five to six times more than retaining or reactivating an existing one. Your database of past customers represents a valuable asset, as these people already know your brand and have shown interest in what you offer. A well-executed reactivation campaign can deliver strong returns with lower acquisition costs than prospecting for entirely new leads.

However, the fact that someone once gave you their email address does not mean you can contact them indefinitely. Australian law places strict limits on when, how, and under what conditions you can send commercial electronic messages.

  • 5-6x: Cost to acquire new vs reactivate
  • $16M+: ACMA penalties (18 months)
  • 5 days: Max time to process opt-outs

The Regulatory Framework: Two Laws You Need to Know

Two pieces of legislation govern how Australian businesses can contact customers for marketing purposes: the Spam Act 2003 and the Privacy Act 1988 (which includes the Australian Privacy Principles). Understanding how these interact is essential for any reactivation campaign.

The Spam Act 2003

The Spam Act regulates the sending of commercial electronic messages (CEMs), which includes marketing emails, SMS, MMS, and instant messages. It applies to any message that has an "Australian link", meaning it originates in Australia, was commissioned in Australia, or is sent to an address accessed in Australia.

The Act establishes three core requirements for every commercial message:

  1. Consent: You must have the recipient's consent before sending the message. Consent can be express (explicitly given) or inferred (reasonably expected based on an existing relationship).
  2. Identification: Every message must clearly identify who sent it, using your legal business name or your name and Australian Business Number. This information must remain accurate for at least 30 days after sending.
  3. Unsubscribe facility: Every commercial message must include a functional way for recipients to opt out. The unsubscribe must be easy to use, free of charge, and must not require the recipient to log in or provide additional personal information.

Penalties under the Spam Act are substantial. A business sending more than 50 CEMs without consent on a single day could face fines of $313,000 or more. For systematic breaches across multiple days, penalties can escalate into the millions.

Australian Privacy Principles (APP 7)

APP 7 specifically addresses the use of personal information for direct marketing. It applies to organisations with annual turnover exceeding $3 million, as well as health service providers and businesses that buy or sell personal information.

Under APP 7, you can only use personal information for direct marketing if you collected it directly from the individual and they would reasonably expect you to use it for that purpose. If you collected information indirectly (such as from a third-party list), stricter rules apply and you will generally need explicit consent.

Sensitive information, including health data, religious beliefs, and political opinions, can only be used for direct marketing with the individual's express consent. This has implications for businesses in sectors like healthcare, fitness, and financial services.

Recent reforms to the Privacy Act have made some breaches of APP 7 subject to infringement notices, meaning the Office of the Australian Information Commissioner (OAIC) can issue fines of up to $66,000 without court proceedings.

Key Takeaway

The Spam Act governs electronic messages (email, SMS), while APP 7 governs the use of personal information for marketing across all channels. Both require consent, and both demand an easy opt-out mechanism.

The critical question for any reactivation campaign is whether you still have valid consent to contact the people in your database. The ACMA's Statement of Expectations, released in July 2024, provides guidance on this point.

Express consent is the gold standard. This occurs when someone explicitly agrees to receive marketing communications from you, such as by ticking a checkbox, signing up through a form, or verbally agreeing during a phone call. The ACMA strongly recommends businesses rely on express consent wherever possible, as it provides clear evidence of permission and reduces compliance risk.

Inferred consent is permitted in limited circumstances, but should be approached with caution. You may infer consent where someone has knowingly given you their contact details and it is reasonable to believe they would expect marketing from your business. This typically requires a clear, current, and ongoing relationship with the individual, and the marketing must be directly related to that relationship.

For example, a bank could infer consent to tell an existing savings account customer about a new savings product with better interest rates. However, it could not infer consent to market insurance products, as this falls outside the scope of the existing relationship.

Here is where many reactivation campaigns fall into trouble. The ACMA takes the view that consent has an effective expiry date. In its Statement of Expectations, the regulator warns businesses not to rely on "consent that is old, where a consumer would not expect it to still apply."

The ACMA gives a specific example: telemarketing consent becomes "stale" after three months unless the consumer has agreed to a longer period in terms and conditions. While this guidance relates specifically to telemarketing, it signals a broader regulatory expectation that consent does not last forever.

For database reactivation, this creates a significant challenge. If someone last engaged with your business two years ago, can you reasonably claim they would still expect to hear from you? The answer depends on the nature of your relationship, what consent they originally gave, and whether you have maintained any contact in the interim.

ACMA's Consent Expectations

The ACMA recommends businesses use express consent based on clear terms and conditions that are readily accessible to consumers at the point consent is obtained. Consent should not be hidden in fine print, lengthy privacy policies, or require multiple click-throughs to find.

Running a Compliant Reactivation Campaign

Given these constraints, how can you reactivate dormant contacts legally? The following framework will help you stay on the right side of the law.

  1. Audit Your Database: For each contact, verify when they consented, what type of consent they gave, the terms of that consent, when they last engaged, and whether they have previously unsubscribed. If you cannot demonstrate valid consent, exclude them from your campaign.
  2. Segment by Consent Status: Group contacts into low, medium, and high risk based on consent type and recency of engagement. Tailor your approach accordingly, with more caution for weaker consent.
  3. Clean Your Data: Validate email addresses to remove bounces, and screen against deceased estate databases and suppression lists. Up to 30% of contact data degrades annually.
  4. Ensure Compliant Message Content: Include your legal business name or ABN, accurate contact details valid for 30 days, and a functional unsubscribe that does not require login or additional personal information.
  5. Honour Opt-Outs Immediately: Process unsubscribe requests within five business days maximum. Never re-contact people who have unsubscribed to ask if they want to resubscribe.

Segmenting by Risk Level

When auditing your database, categorise contacts based on their consent status and recency of engagement:

| Risk Level | Consent Type | Recommended Approach |
|---|---|---|
| Low Risk | Express consent, engaged within 12 months | Standard reactivation messaging |
| Medium Risk | Express or inferred, no engagement 12-24 months | Cautious approach with relationship reminder |
| High Risk | Inferred only, no engagement 24+ months | Consider postal mail or exclude entirely |

What Happens If You Get It Wrong

The consequences of non-compliance have never been more severe. ACMA enforcement has escalated significantly, with a growing number of investigations and higher penalties. Here are some notable cases:

| Company | Breach | Penalty |
|---|---|---|
| CBA | 170+ million non-compliant messages | $7.5 million |
| Tabcorp | 5,757 messages without unsubscribe | $4 million |
| Telstra | 10.5 million SMS with non-compliant unsubscribe | $626,000 |
| PointsBet | Misclassified promotional messages | $500,800 |

Beyond financial penalties, the ACMA can accept court-enforceable undertakings that require businesses to implement independent compliance reviews, regular reporting, and remediation programs. The reputational damage from being named in an ACMA media release can also be significant.

Case Study

Telstra Unsubscribe Breach (2025)

Telstra received a $626,000 penalty specifically because its unsubscribe facility required recipients to enter a PIN or provide their full name and date of birth. The ACMA found this breached the rules requiring unsubscribe facilities to be easy to use without requiring login or additional personal information.

  • 10.5M: Non-compliant SMS
  • 21: Months of breaches
  • $626K: Penalty issued

Frequently Asked Questions

Can I send a reactivation email to someone who bought from me once, three years ago?
Probably not without significant risk. A single purchase three years ago is unlikely to constitute a clear, ongoing relationship. The ACMA's guidance suggests that inferred consent should only be relied upon where there is a current relationship. If you did not obtain express consent at the time of purchase and have not maintained regular contact since, you should exercise caution. Consider whether you have documented evidence of consent that would withstand regulatory scrutiny.

Does the Spam Act apply to transactional emails?
Purely factual messages, such as order confirmations and shipping notifications, may qualify as "designated commercial electronic messages" and are exempt from some Spam Act requirements. However, the moment you add any promotional content, including a banner ad, a link to your website's shop, or a "you might also like" section, the message becomes a full commercial electronic message and all rules apply. The ACMA has taken enforcement action against businesses that misclassified promotional messages as transactional to avoid compliance obligations.

Can I use a third-party database for reactivation?
Using purchased or rented email lists is extremely risky. You remain legally responsible for having consent, even if you acquired the list from someone else. The people on that list did not consent to receive marketing from you, and you have no evidence of any relationship with them. Many businesses have faced penalties after relying on third-party lists where consent was inadequate or non-existent.

What records should I keep about consent?
You should maintain records that include the method by which consent was obtained (such as a form, checkbox, or verbal agreement), the date and time consent was given, the specific terms and conditions that applied, and the scope of what the person consented to receive. The ACMA expects businesses to be able to demonstrate valid consent, so your records need to be detailed enough to prove compliance if challenged.

Can I reactivate old contacts using direct mail instead of email?
Yes. The Spam Act specifically applies to electronic messages. Traditional postal mail is not covered. However, you still need to comply with the Australian Privacy Principles regarding the use of personal information for direct marketing. APP 7 applies regardless of the channel, so you must ensure you have a lawful basis to use someone's address for marketing purposes and provide a way for them to opt out.

Compliance Checklist

  • Audit database for valid, documented consent
  • Segment contacts by risk level based on consent recency
  • Include legal business name or ABN in every message
  • Add functional unsubscribe (no login required)
  • Process opt-outs within 5 business days
  • Never re-contact unsubscribed recipients

Key Takeaways

Database reactivation can deliver excellent returns, but only when done right. The regulatory environment is getting tougher. With ACMA penalties now reaching into the millions and Privacy Act reforms strengthening enforcement powers, the cost of getting it wrong far exceeds the effort of getting it right.

Before launching any campaign, audit your database to verify valid consent, recognise that consent can become stale, ensure every message includes proper identification and a functional unsubscribe, honour opt-outs promptly, and keep detailed records to demonstrate compliance if challenged.

This article is provided for general informational purposes only and does not constitute professional, financial, or legal advice. No guarantees are made regarding the accuracy, completeness, or suitability of the information. Results may vary based on your circumstances, the quality of any data used, and how campaigns or strategies are executed. The authors and publisher disclaim any liability for any direct or indirect losses arising from its use.

Ben Sabic is a Chartered Marketer with over a decade of experience in marketing and communications.
