Unsolicited Electronic Messages Act (NZ): Marketing Email And Text Rules

If you're running a small business, chances are you rely on quick, low-cost marketing like email newsletters, promo texts, and DM-style campaigns to keep customers coming back.

But in New Zealand, you can't just message anyone, anytime, with whatever content you like. The Unsolicited Electronic Messages Act 2007 (often called New Zealand's anti-spam law) sets the rules for sending commercial electronic messages like marketing emails and SMS.

Getting it right isn't just about avoiding complaints. It's also about protecting your brand, improving deliverability, and building trust with your audience from day one.

What Is The Unsolicited Electronic Messages Act (And Who Does It Apply To)?

The Unsolicited Electronic Messages Act 2007 is New Zealand's core anti-spam law. In simple terms, it aims to stop businesses and individuals from sending spam (unwanted marketing messages) to people without appropriate permission.

It applies to commercial electronic messages sent to or from New Zealand, including messages that:

• offer, advertise, or promote goods or services
• promote a business opportunity or investment opportunity
• help a person dishonestly obtain a financial advantage (for example, scam-style spam)

For most SMEs, the practical takeaway is this: if you're sending marketing emails or texts that promote your business, the law likely applies.

What Counts As An "Electronic Message" Under The Act?

The Act catches common marketing channels, including:

• Email (newsletters, promo campaigns, follow-ups)
• SMS/text messages (flash sales, booking reminders that include promotions)
• Instant messaging (depending on the platform and context)

The exact boundaries can get technical (especially as platforms change), so a good rule of thumb is: if it's a message sent electronically and it promotes your business, treat it as covered.

Does It Apply To Small Businesses And Startups?

Yes. The law isn't just aimed at big companies. If you're a sole trader, a growing startup, or a local service business building a mailing list, you still need to comply.

This is why it's worth setting up your marketing processes properly early on. The systems you put in place now (how you collect consent, how you store contact details, and how you handle opt-outs) can save you a lot of stress later.

When Is A Marketing Email Or Text "Unsolicited" (And When Can You Send It)?

The core concept behind the Unsolicited Electronic Messages Act is consent. Generally, you should only send commercial electronic messages when the recipient has agreed to receive them, or you have a clear basis to rely on another form of consent recognised by the Act.

In practical terms, there are three main consent pathways you'll see in small business marketing:

• Express consent (they clearly opted in)
• Inferred consent (based on an existing relationship and the context, it's reasonable to believe they want the message)
• Deemed consent (where an address is conspicuously published and certain conditions are met)

Express Consent (The Safest Option)

Express consent is what most businesses aim for because it's clear and easy to evidence. Examples include when someone:

• ticks a box on your website that says they want to receive marketing emails
• signs up to a newsletter at checkout
• texts a keyword to your number to subscribe to offers
• fills in a form at an event agreeing to receive promotions

If you're collecting customer details online, it's also a good moment to think about your wider privacy compliance. Having a clear Privacy Policy (and following it) helps you set expectations about how you use personal information like email addresses and phone numbers.

Inferred Consent (Useful, But Easier To Get Wrong)

Inferred consent can exist where:

• you have an existing business relationship with the person, and
• the message relates to products/services relevant to that relationship, and
• it's reasonable to assume they would expect to receive that message

For example, if someone has recently bought a product from you, it might be reasonable to email them about related accessories or a follow-up service, depending on how you collected their details and what you told them at the time.

Where businesses get into trouble is treating "inferred consent" as a blanket permission to market indefinitely. It's not.

Deemed Consent (Conspicuously Published Addresses)

In some cases, the Act can treat consent as "deemed" where an electronic address is conspicuously published (for example, on a website or in a professional directory) and:

• there is no statement that the person doesn't want unsolicited commercial electronic messages, and
• your message is relevant to the person's business, role, or official capacity

This is commonly raised in B2B marketing contexts, but it's easy to misapply. If you're planning to rely on deemed consent, it's worth being careful about relevance and making sure you still include all required message content (including an unsubscribe option).

What About Purchased Lists Or Scraped Contacts?

This is a big risk area.

If you buy a list or scrape email addresses from websites/social media, you're often missing the key thing you need under the Unsolicited Electronic Messages Act: consent that's specific to you sending your marketing messages.

Even if the list seller claims "consent was obtained", you still need to be comfortable that the consent is valid, properly recorded, and covers the type of marketing you're sending.

As a practical business move, building your own opt-in list is usually the safest legal and commercial strategy (better engagement, fewer spam complaints, and better deliverability).

What You Must Include In Marketing Messages (So You're Compliant)

Consent is only one part of the compliance picture. Even if you have consent, your marketing emails and texts generally need to include key information so recipients can identify you and opt out easily.

While the Act's requirements can be technical, the compliance checklist is straightforward for most businesses.

1. Identify Your Business Clearly

Your message should clearly state who the sender is. That means the person receiving the email or text should be able to tell:

• the business name (and ideally trading name if different)
• how to contact you (for example, an email address, phone number, or website)

This might sound obvious, but it matters in practice. Vague sender names and "no-reply" setups can create confusion and increase spam complaints.

2. Include A Functional Unsubscribe Option

You generally need to give recipients a way to unsubscribe (opt out), and it needs to be:

• clear (not hidden in tiny text or confusing wording)
• functional (it actually works)
• easy to use (ideally one step, not a multi-page process)

For emails, this is usually an "unsubscribe" link in the footer. For SMS, it might be "Reply STOP to unsubscribe".

Operationally, it's important that your unsubscribe facility remains working for long enough after the message is sent, and that unsubscribe requests are actioned within the required timeframe. Once someone unsubscribes, you need to stop sending them marketing messages.

If your systems don't properly record opt-outs, you can accidentally keep messaging people and create risk very quickly.

3. Be Honest About What You're Sending

Even if a message isn't "spam" under the Unsolicited Electronic Messages Act, your marketing still needs to be truthful and not misleading.

This is where New Zealand's general consumer law comes in, including the Fair Trading Act 1986. Your promotions, pricing claims, "limited time" offers, and testimonials should be accurate and supportable.

It's also why your broader customer-facing terms matter. If you sell online, having clear E-Commerce Terms And Conditions can help set expectations around orders, refunds, subscriptions, and promotions you reference in your messages.

Common Marketing Scenarios Where Small Businesses Slip Up

Most businesses don't set out to break the rules. The issues usually come from moving fast, using third-party tools, or assuming "everyone does it".

Here are a few real-world situations where it's worth slowing down and checking your approach.

Sending "Cold" Outreach Emails To Other Businesses

B2B marketing can still be caught by the Unsolicited Electronic Messages Act.

Even if you're emailing a generic business address, if the email is a commercial electronic message (i.e. it promotes your services), you still need to consider consent and compliance requirements, including unsubscribe options.

Cold outreach is one of those areas where tailored legal advice is worth it, because the details matter (how you obtained the address, what the message says, whether it's truly "commercial", and whether any exceptions apply).

SMS Marketing After A One-Off Job Or Booking

If you're a service business (for example, trades, clinics, beauty, fitness, or consulting), you might collect phone numbers for bookings or invoices.

A booking confirmation or appointment reminder is usually fine when it's genuinely about the service. But if you add promotions ("20% off your next session") you're starting to move into marketing territory.

That doesn't mean you can't do it. It just means you should be confident you have consent (and that your message includes the right information and opt-out steps).

Using Referral Campaigns Or "Tell A Friend" Promotions

Referral campaigns are great for growth, but they can create spam risk if you encourage customers to submit other people's contact details without proper permission.

If your customer gives you their friend's email address and you then send marketing to that friend, you may not have the friend's consent.

A safer approach is often to give the customer a shareable link or code, so the friend can choose to opt in themselves.

Marketing Messages Sent By Contractors Or Agencies

If you use a marketing contractor, a virtual assistant, or an agency to send campaigns, you're still the business benefiting from the marketing and you can still be exposed to risk if things are done incorrectly.

It's smart to have the relationship clearly documented, including who is responsible for compliance steps, data handling, and opt-out management. Depending on the arrangement, a Marketing Service Agreement can help set expectations and reduce disputes if something goes wrong.

And because marketing involves personal information, your privacy settings and data security processes should be aligned too.

How To Build A Compliant Email And Text Marketing Process (A Practical Checklist)

Compliance doesn't have to be complicated. The goal is to build a simple, repeatable process so your marketing is consistent, lawful, and scalable.

Here's a practical checklist many small businesses can use.

1. Map How You Collect Contact Details

List the places where you collect emails and phone numbers, such as:

• website forms
• checkout pages
• booking systems
• paper sign-up sheets
• business cards collected at events
• social media lead forms

For each method, ask: what exactly did the person agree to?

2. Capture Consent Properly (And Keep Records)

If someone opts in, keep a record of:

• when they subscribed
• how they subscribed (web form, in-store, SMS keyword, etc.)
• what they were told at the time (for example, "weekly offers" vs "monthly newsletter")

If you ever need to respond to a complaint, being able to show your consent process can make a huge difference.

3. Make Opt-Out Easy And Automate It Where Possible

Manual unsubscribe handling is where mistakes happen (especially when you're busy).

Try to use systems that automatically:

• apply unsubscribes immediately
• sync unsubscribes across lists
• prevent re-adding a contact without a fresh opt-in

4. Train Your Team (Even If It's Just Two Of You)

If you have staff who manage customer bookings, invoices, or social media, make sure everyone understands the basics:

• don't add people to marketing lists unless you have consent
• don't ignore unsubscribe requests
• don't use customer details for a new purpose that wasn't communicated

If you employ staff, it's also worth ensuring your internal expectations are properly documented, including confidentiality and data handling. Depending on your setup, your Staff Handbook and Employment Contract can help reinforce these obligations.

5. Align Your Spam Compliance With Your Privacy Compliance

Spam rules and privacy rules overlap in day-to-day operations. The Unsolicited Electronic Messages Act focuses on whether you can send a message, while the Privacy Act 2020 focuses on how you collect, use, store, and disclose personal information.

Even if you're "allowed" to send a message under spam rules, you still need to handle personal data lawfully and securely.

This is especially important if you:

• use overseas marketing platforms
• share lists with third parties
• run competitions and collect entrant details
• combine customer data from multiple sources

For many businesses, this is where getting your documents and processes reviewed can be a smart investment, particularly as your marketing becomes more sophisticated.

Key Takeaways

• The Unsolicited Electronic Messages Act 2007 applies to many everyday business marketing activities, including email newsletters and SMS promotions.
• To send marketing messages lawfully, you usually need express consent (best practice), a clear basis for inferred consent that's reasonable in the circumstances, or (in some B2B scenarios) deemed consent where an address is conspicuously published and your message is relevant.
• Your commercial messages should clearly identify your business and include a working, easy unsubscribe option, and you must respect opt-outs (including actioning them within the required timeframe and keeping the unsubscribe facility available).
• Purchased lists and scraped contacts can create serious compliance risks because you may not have valid consent for your business to send marketing.
• Spam compliance should sit alongside your wider legal foundations, including privacy compliance and accurate advertising, so you're protected as your business grows.
• Putting a simple, consistent process in place now (how you collect consent, record it, and manage unsubscribes) can prevent complaints and operational headaches later.

If you'd like help setting up compliant marketing processes, reviewing your customer-facing terms, or making sure your privacy and spam obligations are covered, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

This article is general information only and does not constitute legal advice. If you need advice about your specific circumstances, get in touch with a lawyer.