Australian Spam Act and DNCR Compliance for AI Outbound - The 2026 Plain-English Guide
AI outbound is legal in Australia with the right setup. Here is the plain-English guide to the Spam Act 2003, the DNCR and the Privacy Act changes coming in December 2026.
Australian businesses paid more than $15 million in spam and telemarketing penalties in 2024-2025. Not one of those cases was about AI doing the sending. Every single one was about missing sender identification, broken unsubscribe links or calls made without checking the Do Not Call Register.
AI outbound is legal. Lazy implementation is not. The rules have not changed because AI is now doing the work. What has changed is that ACMA moved to active, audit-based enforcement in 2026.
What the Spam Act 2003 actually says about B2B cold email
The Spam Act does not ban cold email outreach to businesses. It requires three things: sender identification, a working unsubscribe mechanism and consent.
For B2B outreach, consent can be inferred. If a contact's email address is publicly listed for business purposes - on their website, LinkedIn profile or a public directory - you have inferred consent to contact them for relevant commercial purposes. That window lasts approximately 180 days without further engagement.
The three non-negotiable requirements
- Sender identification: Your business name and a physical or postal address must appear in every message. A reply-to email alone is not enough.
- Working unsubscribe: The opt-out link must function, and opt-out requests must be processed within five working days. A broken link is a breach regardless of how few people click it.
- Consent management: You must demonstrate consent - inferred or explicit - for every contact. Buying a list does not transfer consent to you.
The DNCR and AI voice outbound
Email and voice operate under different rules. The Do Not Call Register applies to phone-based outreach, including automated voice calls and AI voice agents making outbound calls.
Before any automated voice call to an Australian number, you must check that number against the DNCR. This is not optional. B2B service businesses are not exempt.
The right entry path for AI outbound in Australia
- Inbound response first. An AI agent answering inbound calls or web enquiries has zero compliance risk. The prospect initiated contact. This is where most AU businesses should start.
- Warm follow-up second. AI calls to leads who have already engaged carry minimal risk. Consent is clear and recent.
- Consented outbound last. Cold AI voice outbound requires a DNCR check, correct identification and a clear opt-out path.
See how Njin builds compliant AI voice workflows for AU businesses.
The Privacy Act ADM deadline: December 2026
The Privacy Act amendments introduce an Automated Decision Making (ADM) disclosure requirement. The deadline is December 2026.
If your AI system makes or materially contributes to a decision that affects a person - like scoring or filtering a lead - you need a disclosure mechanism. For most AU B2B businesses, this means a short addition to your privacy policy and the ability to describe your scoring logic at a high level.
How ACMA is enforcing in 2026
ACMA shifted to proactive, data-driven auditing in early 2026. They identify high-volume senders using network-level data and initiate investigations without waiting for complaints.
The highest-risk profile is a business running high-volume AI sequences with no visible unsubscribe or no sender address, or using a purchased list. ACMA calculates penalties per message sent, not per campaign.
The practical fix is simple. Audit your sequences now. Check sender ID and unsubscribe in every template. Remove anyone who has not engaged in 180 days unless you have explicit consent. Read more about AU-compliant AI outreach systems.
For context on why response speed matters for inbound, see our speed to lead guide.