NZ Anti-Spam Act â?? Steps To Ensure Compliance

July 26th, 2007


The â??Unsolicited Electronic Messages Act 2007â?? comes into effect on 5th September 07 for New Zealand. The search and online marketing team at Netconcepts would like to arm you with information to ensure your business complies with this new law.

As an email marketer you are responsible to ensure that any â??electronic messagesâ?? sent are not considered spam. According to the act, failure to comply could mean a fine of up to $500,000 plus additional compensation and damages costs!

So, what is considered to be an electronic message?

Any commercial message either sent in single or bulk, promoting goods, services, land and commercial website links in the following media types:

  • Emails
  • Instant Messaging
  • SMS
  • Multimedia Message Services
  • Other Mobile Phone Messaging

Even if your company website link is present in an email signature of a personal message it would be deemed as a commercial message.

3 Steps To Comply

Step 1: Consent

You are only able to send messages when you have obtained at least one of three following consent types:

  • Expressed Consent: a direct indication from a person stating that it is okay for you to send messages through filling in a paper form, ticking a box on a website form or phone or face-to-face conversation. It is advised that a record of such consent received is recorded in all instances. This is called â??provable permission”.
  • Inferred Consent: is limited in its application. It is when a person has not directly instructed you to send them a message, but there is a clear expectation that you will. E.g. a subscriber has provided their electronic address when purchasing goods and services and expects â??highly relevantâ?? follow-up communication.
    This does not mean however consent is inferred if a person has been on an existing address list and has not physically unsubscribed themselves. If you are unsure of the type of consent received, it is recommended to undertake a â??re-permissioning” campaign.
  • Deemed Consent: is when a person makes their work-related electronic address public such as on a website, brochure or magazine. You can only send messages if there is a strong relationship between the message and the recipientâ??s business. However, consent is not deemed if the publication states that the person does not wish to receive unsolicited commercial electronic messages at that address.

Step 2: Identify

Your business must be clearly identified within the message. Both the name and contact details must be provided so that recipients know how to contact you.

Step 3: Unsubscribe

A clearly presented and easy to use functioning unsubscribe facility must be made available from all commercial messages. As part of a â??provable permission” practice, it is recommended that unsubscribes are also recorded.


What is considered spam?

A message is considered to be spam if it is electronic, commercial in nature and unsolicited (meaning you have not gained any form of consent from the recipient you send messages to).

What media is affected by the Unsolicited Electronic Messages Act 2007?

Media such as emails, instant messaging, SMS, multimedia message services and other mobile phone messaging are affected by this act. The act does not include however voice or fax.

What does a commercial message actually mean?

A commercial message is one that is marketing or promoting goods, services or land or directing people to a destination where a commercial transaction can take place. Even if you display a website link in a personal email, the message can still be classified as commercial.

Which messages are not deemed to be commercial?

  • Responses to a request for a quote or estimate
  • Messages that facilitate, complete or confirm a commercial transaction that the recipient previously agreed to
  • Warranty information, product recalls and safety and security information about goods or services uses or purchased by the recipient
  • Factual information about a subscription, membership, account, loan or similar ongoing relationship
  • Information directly related to employment or a related benefit plan in which the recipient is currently involved.
  • Messages delivering goods and services, including product or upgrades that the recipient is entitled to receive under the terms of a previous transaction.

Am I able to insert promotional messages into transactional type messages?

If the main purpose of the message is transactional in nature, small relevant commercial messages can be displayed without requiring additional consent.

What do unsolicited messages mean?

These are messages that are sent without the expressed, inferred or deemed consent from individuals.

Do I need to ask for permission from all my subscribers again?

If you are unsure of the type of permission that you have received from your subscribers and the consent has not been recorded you will need to undertake a â??re-permission campaign”, unless one of other forms of consent apply.

What are the penalties for not complying with the act?

There are a number of options available to enforce the legislation including formal warnings, infringement notices and court actions. If a business is to be found in breach of the act, it may have to pay a penalty of up to $500,000 plus and additional victim compensation and/or damages up to the value of the profit generated as a result of sending spam.

What are the 3 levels of consent?

Consent is categorized into 3 levels: Express, Inferred and Deemed.

What is Express Consent?

Express Consent is granted when a person directly indicates that you are able to send them commercial messages such as filling in a paper form, ticking a box on a website or a phone or face-to-face conversation.

Do I need to record consent received?

It is advised to record granted consent either electronically or in paper form. Under the act, it is up to the sender that consent has been received. It is quite easy for people to forget that they have granted permission, therefore it is necessary to record when, how and what people have given consent to receive.

What is provable permission?

Provable permission is where you have electronically recorded consent received. Details recorded can include:

  • Date and time of permission granted
  • Place of where permission was granted (a website form check box, trade show, call centre, etc)
  • Type of information that permission was granted for

What is Inferred Consent?

Even though a person has not directly provided consent for you to send them messages, there is a reasonable expectation that messages will be sent. Inferred Consent is granted if you swap business cards with people or if you provided an email address when purchasing goods and services with an expectation that there will be follow-up communication.

Even if a person has been on your existing address list and has not unsubscribed, it does not mean that consent can be inferred.

As a business owner you need to be careful of what â??reasonable expectation” means. If a person purchases a product from you and provides their email address, does not necessarily mean that you can send a message 2 years after the purchase date for example. Permission does eventually expire if after an amount of time, it is no longer reasonably expected that communication will be sent.

If I have received â??inferred consent”, can I send any information that I want?

No, you are only able to send messages that are highly relevant to the relationship in which you have with the recipient.

What is Deemed Consent?

Deemed Consent is where a person makes their â??work related” electronic address publicly available in a website, brochure or magazine for example. However, consent cannot be deemed if there is a statement within the publication requesting that the person does not want to receive unsolicited electronic messages at that address.

Deemed Consent can only be granted if the message you intend to send is highly relevant to the recipientâ??s business.

Do only messages sent in bulk apply to the act?

No, both bulk and single commercial messages are covered by the act.

Do we need to identify who is sending the message?

Yes, you must always identify your business as the organisation responsible for sending commercial messages along with details of how you can be contacted.

We use GravityMail or another 3rd party system to send our commercial messages, so who is legally responsible for sending these messages?

Even when you use a third party system such as Netconceptâ??s GravityMail, your business is the legal sender of your commercial messages. Netconcepts must work with you to ensure that your business name and contact details are displayed within the message. Your contact details must be accurate for at least 30 days after the send date.

How do we fit all of our information onto a text message?

Even text messages need to include your business name and a way for people to contact you whether this is a phone number, email address, website address, etc.

What methods of â??unsubscription” are allowed for within the act?

Recipients of commercial messages must be able to unsubscribe from your mailing list when they choose to at no cost to them. Both automated and manual unsubscribe functions are allowed for within the act, but they must be reliable. These include:

  • An automated unsubscribe link â?? a one-step-click link that can be clicked upon that automatically unsubscribes the recipient from receiving further communications. No further action is required.
  • An automated unsubscribe reply â?? a person can reply to the message with the word â??UNSUBSCRIBE” written in the subject line. Your system automatically unsubscribes that user.
  • A manual unsubscribe reply â?? a person can reply to the message with the word â??UNSUBSCRIBE” written in the subject line or within the body of the message stating they wish to be unsubscribed. You must honour this request within 5 working days or subsequent messages will be regarded as unsolicited.

Can I hide the unsubscribe function at the bottom of my commercial message?

No, the unsubscribe function must be clearly presented and easy to use within the commercial message.

What other laws are connected with sending commercial electronic messages?

In addition to the â??Unsolicited Electronic Messages Act 2007″, you must also comply with the Privacy Act 1993 which covers 12 Privacy Principals. Passing on personal electronic addresses to another organisation or business, without permission, may breach the Privacy Act.

The Privacy Act also states that you must allow individuals on your database to be able to review and modify their information upon request without any cost to them.

What are the 12 Privacy Principals?

  1. You can only collect personal information that is relevant to your business.
  2. Personal information can only be collected directly from the individual except when the information is publicly available or you are authorised by the individual to collect it.
  3. You must make the individual aware of the following:
    • That information is being collected
    • The purpose in which the information is being collected
    • Who is going to receive the information
    • Name and Address of the organization collecting and holding the information
    • The individualâ??s right to access and correct any information
  4. Information shall not be collected by unlawful or unfair means and shall not intrude to an unreasonable extent upon the personal affairs of the individual.
  5. Information must be protected against loss, unauthorised access, misuse and modification. Every organisation who holds personal information must appoint a Privacy Officer who will be responsible for compliance.
  6. Individuals are entitled to obtain from organizations confirmation of whether or not personal information is held and to access the information about themselves. You should establish, document and implement procedures to handle enquiries from individuals and to provide information requested.
  7. Individuals have the right to request correction of their personal information.
  8. The agency holding personal information must not use that information without taking steps to ensure it is accurate, up-to-date, complete, relevant and not misleading.
  9. Personal information shall not be kept for longer than required for its lawful use.
  10. Personal information shall not be used for any purpose to that for which it was obtained unless the source of the information is a publicly available publication or the use of the information for another purpose was authorised by the individual concerned.
  11. Personal information shall not be disclosed unless the disclosure is directly related to the reason for which the information was originally collected, or the source of the information is a publicly available document, or the disclosure is authorised by the individual concerned.
  12. You should not assign a unique identifier to an individual unless it is necessary to carry out the lawful functions of your business.

More information about the privacy act can be found at


  • I have received either expressed, inferred or deemed consent from my subscriber database
  • I have included accurate information about our company (the sender) within the message
  • I have included clear details of how recipients can contact our company
  • I have included a functional way for people to unsubscribe from our communications (e.g. an unsubscribe link)
  • I have included the reason why the recipient is receiving the message. (a reminder that they have provided consent)
  • I have included a method for recipients to be able to access and modify their personal information.
  • I am recording all instances of permission granted by subscribers, unsubscriptions and history of messages sent to individuals.
  • I have an electronic process in place to confirm verbally granted consent
  • I do not use electronic address harvesting software to create mailing lists
  • I do not purchase or use mailing lists that have been generated from harvesting software

For more information on complying with the â??Unsolicited Electronic Messages Act 2007â?? go to:$file/BusinessGuide.pdf

Jacqui Jones is the Lead Consultant and Search and Online Marketing Specialist of search engine optimization agency Netconcepts and e-mail service provider GravityMail.