Reputation
Is It Legal to Email Customers Asking for a Google Review?
Yes — but the Spam Act 2003 sets real rules for how, and review-request emails aren't automatically exempt just because you're not selling anything. Here's what actually applies, in plain English.
Updated 10 July 2026 · 6 min read
Why this question comes up
It's a reasonable thing to worry about. Most business owners know they can't email people out of nowhere selling a product, but a message asking a genuine past customer for an honest review doesn't feel like marketing in the usual sense — there's nothing being sold, no discount attached, just a request for feedback. The uncertainty is understandable, and it's worth clearing up properly rather than guessing.
The short answer: emailing existing customers to ask for a review is common practice and generally lawful, but it's still governed by the Spam Act 2003 (Cth) because the Act's definition of a commercial electronic message is broad. A message that promotes your business — including one that simply asks people to talk about it publicly — is treated the same way a marketing email would be, so the same three requirements apply.
The three things the Spam Act actually requires
Strip away the legal language and the Act comes down to three practical requirements for any commercial electronic message — email, SMS, or similar — sent to someone in Australia:
- Consent — you need the recipient's express consent, or consent that can reasonably be inferred from an existing relationship with them (more on this below).
- Identify — the message must clearly show who sent it: your business name and a way to contact you, not a vague or disguised sender.
- Unsubscribe — every message needs a functioning way to opt out, and any unsubscribe request has to be honoured within a reasonable time (the Act specifies within five business days).
What counts as consent for a review request
This is where most legitimate review-request campaigns sit comfortably: if someone gave you their email address as part of doing business with you — booking an appointment, making a purchase, signing up at the till — that existing relationship generally supports 'inferred consent' for a follow-up message reasonably connected to that transaction, sent within a reasonable time afterwards. Asking a customer you served last week for a review of that visit fits squarely within what they'd reasonably expect.
Inferred consent has limits. It doesn't extend indefinitely — emailing someone who bought from you three years ago and never engaged with you since is a weaker case than someone from last month. It also doesn't extend to contacts you didn't get directly: a list bought from a third party, scraped from a directory or social media, or inherited from a business you acquired without the contacts' knowledge, generally lacks a lawful basis regardless of how the email is worded.
Getting the practical details right
Most of the compliance work is mechanical, not judgement-based, once you know what to check for:
- Say clearly who the message is from — your business name, not just a generic or automated-looking sender address.
- Include a working unsubscribe link or instruction in every message, not just the first one in a sequence.
- Action unsubscribe requests promptly — don't let someone who's opted out receive a follow-up campaign weeks later because the list wasn't updated.
- Keep a basic record of where each contact came from and roughly when — if a complaint is ever raised, being able to show the contact was a genuine, recent customer is the difference between a five-minute conversation and a real problem.
What not to do
- Don't buy or scrape contact lists. Consent needs to come from your own relationship with the person, not from a source you've never interacted with.
- Don't disguise who the message is from, or make the sender name misleading.
- Don't ignore or delay unsubscribe requests — this is one of the more commonly enforced elements of the Act.
- Don't frame the request as conditional on a positive review, and don't send only to customers you expect to be happy while excluding the rest — that's review gating, a separate issue under Google's policies and Australian Consumer Law, but it compounds badly with a Spam Act complaint if the same campaign triggers both.
What happens if you get it wrong
The Australian Communications and Media Authority (ACMA) regulates the Spam Act and can act on complaints — from a formal warning through to infringement notices or court action for serious or repeated breaches. Most small businesses never come close to that outcome, because most non-compliance is unintentional: a missing unsubscribe link, a stale contact list, an unsubscribe request that fell through the cracks rather than deliberate spamming.
The practical takeaway is the same regardless of enforcement risk: treat review-request emails with the same care as any other commercial message, because under the Act, that's what they are.
Where this leaves review-request campaigns
None of this means email-based review requests are risky or best avoided — they're a genuinely effective, low-friction way to reach customers at the right moment, and the compliance bar is entirely achievable for a small business managing its own contact list responsibly. Tools built for this, including Cedric's campaign feature, build the unsubscribe link and opt-out handling into every send by default. What a tool can't do for you is establish that you had a lawful basis to email the contact in the first place — that responsibility for the contact list itself sits with the business sending it, not the software sending it on their behalf.