Automating cold outreach is completely legitimate. Ignoring the rules that govern it is not — and in Australia those rules are set by the Spam Act 2003, enforced by ACMA. The good news: compliance and good outreach pull in the same direction. The messages that stay on the right side of the law are also the ones that land in the inbox and get replies. Here’s how to scale outreach without stepping on a rake. (This is general information, not legal advice — check your specifics with a professional.)
What the Spam Act actually requires
The Act governs “commercial electronic messages” — email, SMS and similar — sent to Australian addresses. It rests on three pillars, and you need all three:
- Consent. You must have the recipient’s consent to message them. That can be express (they opted in) or inferred (there’s an existing, relevant relationship, or their work contact details are conspicuously published and relevant to your message).
- Identification. Every message must clearly say who you are and how to contact you. No hiding behind a mystery “from” name.
- Unsubscribe. Every message must include a functional way to opt out, and you must action it — the standard is within five business days, and you can’t charge for it.
The consent question, in practice
For B2B outreach, inferred consent is where most of the nuance lives. Emailing a clearly published, role-relevant business address about something genuinely relevant to that role sits very differently from scraping personal Gmail addresses and blasting them. The safer your targeting, the safer your consent position — which is exactly why sourcing quality matters as much as message quality. An agent that sources conspicuously-published business contacts and checks each one before it ever sends is doing compliance work, not just prospecting. That’s a core job of our ICP Agent, which compliance-checks every match before it reaches the Cold Outreach Agent.
How automation makes compliance easier, not harder
Done well, automation is a compliance asset. It can enforce the rules consistently in a way a busy human never quite manages:
- Suppression lists. Anyone who unsubscribes, bounces, or asks to be left alone is added to a do-not-contact list automatically and never messaged again.
- Identification baked in. Your business name, contact details and an unsubscribe link are present on every send by default — not something a rep forgets on message four.
- Consent and relevance checks. Prospects can be screened against your ICP and compliance rules before a single email goes out.
- An audit trail. Automated systems log who was contacted, when, and why — which is the kind of record you want if a question is ever asked.
Compliance and deliverability are cousins
Staying legal and staying out of the spam folder aren’t the same thing, but they reward the same behaviour: relevance, restraint and clean data. Warm your sending domain, keep daily volume sensible, and message tightly-defined, relevant people. Blast a huge, loosely-qualified list and you’ll damage both your compliance position and your sender reputation at once. Less, but righter, wins on every axis.
Common mistakes to avoid
- Scraping personal addresses. Personal inboxes with no relationship are the fastest way into trouble. Stick to relevant, published business contacts.
- Broken or slow unsubscribes. An opt-out that doesn’t work — or that you don’t action promptly — is a breach, full stop.
- Hiding your identity. Vague sender names and no contact details fail the identification test and kill trust anyway.
- Chasing volume. “More sends” is not a strategy; it’s how you burn a domain and a reputation. Autonomy should let you be more precise, not more spammy — a point we make in AI SDRs explained.
A quick pre-send checklist
Before a campaign goes out, run it past these questions:
- Do I have a defensible basis for contacting each person — express opt-in, or a genuine, relevant business relationship?
- Are these conspicuously-published business contacts, not scraped personal addresses?
- Does every message clearly identify my business and how to reach us?
- Is there a working unsubscribe in every message, and a process to action it within five business days?
- Is my sending volume sensible and my domain warmed, so I’m protecting deliverability too?
- Am I keeping a record of who was contacted, when and why?
If you can answer yes to all six, you’re on solid ground. A good automated setup answers most of them for you by default — which is the point.
The bottom line
Automated cold outreach in Australia is entirely doable within the Spam Act — you need genuine consent, clear identification, and a working, promptly-actioned unsubscribe, applied consistently. Automation, used well, makes all three easier by enforcing them on every send and keeping a clean record. Target the right people, respect the opt-outs, and keep your volume honest, and compliance stops being a worry and becomes a competitive edge. See how sourcing and sending fit together with the ICP Agent and Cold Outreach Agent.