← Back to blog
complianceall
Privacy Act + Spam Act + DNCR cheatsheet for AU SMBs running AI calls

If you're thinking about adding an AI voice agent to your business, you've probably heard the compliance talk: "Check the DNCR." "Get consent." "Log everything." It sounds harder than it is, but the penalties for getting it wrong are real. Fines under the Spam Act can run to A$2.75 million per day for serious or repeated breaches. The good news is that most of the rules come down to three laws, and if you follow a handful of simple routines, you stay clean.

This is the plain-English summary you can print out, stick on the wall, and reference whenever you brief a new team member or configure a new campaign. It covers the Privacy Act 1988, the Spam Act 2003, the Do Not Call Register Act 2006, and what each one means for your AI-powered inbound reception, outbound dialling, and SMS follow-up.

Privacy Act 1988: what you collect, you must protect

The Privacy Act governs how you collect, store, use, and disclose personal information. Personal information is anything that identifies or could reasonably identify a person: name, phone number, email, address, appointment notes, payment details.

Your obligations are straightforward. First, tell people why you're collecting their data. A one-line script on the first call is enough: "We'll record this call and save your details to book your appointment." Second, only collect what you need. If you're booking a haircut, you don't need their driver's licence number. Third, keep the data secure. That means encrypted storage, role-based access controls, and a process to delete records when they're no longer needed. Fourth, let people access or correct their own data if they ask.

AI voice agents usually log call transcripts, timestamps, and any structured data they extract during the conversation. Make sure your platform stores these in Australia or at least complies with the Notifiable Data Breaches scheme. VoxReach stores all call logs and transcripts on Australian infrastructure, which keeps things simple for local businesses.

Spam Act 2003: consent before you send

The Spam Act covers commercial electronic messages: SMS, email, and some forms of instant messaging. Voice calls are not covered by the Spam Act, but if your AI agent sends an SMS confirmation, reminder, or follow-up, the Spam Act applies.

You need consent. That consent can be express ("Yes, text me a reminder") or inferred from an existing business relationship, like a client who booked last month. Every commercial SMS must include your business name or ABN, contact details, and a clear way to opt out. A reply with "STOP" is the standard, and your system must honour it immediately.

One detail that surprised a Newtown cafe owner we spoke to last week: even a "Your table is ready" SMS counts as a commercial message if it also says "Check out our new lunch menu." Keep confirmations transactional, or make sure the customer opted in to marketing.

Do Not Call Register Act 2006: the DNCR is a hard line

The Do Not Call Register is a national list of phone numbers whose owners have said "Don't cold-call me." If you're making unsolicited outbound calls to consumers, you must check every number against the DNCR before you dial. Business-to-business calls are exempt, and so are calls to existing customers, but the definition of "existing customer" is narrow: someone who bought from you, or inquired, in the past four months.

Outbound AI diallers need automated DNCR scrubbing. VoxReach checks every number in real time before placing the call, so you don't accidentally ring someone on the list. There's no grace period. If the number is on the DNCR and you don't have an exemption, don't dial it.

If you're running a cold outreach campaign, keep a suppression file of people who asked not to be contacted, even if they're not on the official DNCR. That file is your evidence of good faith if a complaint ever lands.

Consent: what it actually looks like

Consent is the word that ties all three laws together. Express consent is best: a tick-box on a web form, a verbal "Yes" on a recorded line, a reply to an SMS. Implied consent works in some situations, like an existing customer relationship, but it's always safer to ask.

When your AI agent takes an inbound call, consent is usually implicit: the person rang you. When the agent sends an SMS or makes an outbound call, you need a record of consent. That could be a note in your CRM ("Customer opted in to SMS reminders on 12 March 2025") or a timestamped call recording where they agreed.

One practical tip: script your AI to confirm consent at the start of any new relationship. "Can I send you an SMS confirmation?" takes three seconds and creates an audit trail.

Recordkeeping: your compliance insurance

Every consent you collect, every opt-out you honour, every DNCR check you run: log it. If a complaint reaches the ACMA, your logs are your defence. The ACMA expects you to show who consented, when, and how. A timestamped transcript or a CRM entry is enough.

Keep call recordings for at least two years if the call involved consent, a transaction, or a complaint. Keep SMS logs indefinitely if they document an opt-in or opt-out. Tag records so you can find them fast if you need to respond to a subject access request under the Privacy Act.

What to do right now

If you're launching an AI voice agent, put these three tasks on your setup checklist. First, write a short privacy notice for your website and train your agent to mention it on first contact. Second, integrate DNCR scrubbing into your outbound dialler and set up an opt-out keyword for SMS. Third, switch on call and transcript logging with retention rules that match your state's requirements.

Compliance isn't glamorous, but it's simple. Follow the rules, keep the receipts, and you'll sleep better.

Sign up at app.voxreach.com.au/signup to test an AI voice agent that checks the DNCR, logs every consent, and keeps your data onshore. Thirty minutes of calls to try it out.

Try VoxReach

Sign up in 2 minutes. One-off setup fee, then simple pay-as-you-go — no lock-in. Be live in 5 minutes.

Get started →