“We acknowledge and accept the findings of ACMA’s investigation into CBA’s compliance with certain provisions of the Spam Act. We apologise to all customers impacted by these issues which should not have occurred. We’ve fixed the problem and are making changes to ensure it doesn’t happen in the future,” said CBA Group Executive Marketing and Corporate Affairs, Monique Macleod.
“The issues resulted in some customers receiving communications from us after they had unsubscribed, and others receiving communications without a functioning unsubscribe mechanism.
“Since reporting this matter to ACMA, we’ve fixed the issues that were the subject of ACMA’s investigation, and strengthened our systems, processes and controls to support ongoing compliance.”
The vast majority of the breaches arose when updating our electronic banking customer terms and conditions in November 2021. The update inadvertently removed language which was introduced to provide a temporary exemption to the requirement to include direct unsubscribe links in messages. This error meant that more than 61 million messages sent between November 2021 and August 2022 required customers to log in to unsubscribe, which did not comply with requirements of the Spam Act.
In addition, the way the unsubscribe link was populated into 13 message templates meant that the unsubscribe link did not work in around 4 million messages sent between May and August 2022. This also resulted in more than 5,000 messages being sent to customers after they had tried to unsubscribe. CBA has addressed these issues, including by unsubscribing the customers who were not able to unsubscribe via the broken links.
“CBA takes its Spam Act obligations very seriously and is prioritising its compliance with the EU,” Ms Macleod said.