Consent Management in Your CRM: APPs Compliance for Marketing and Sales

Every time your CRM sends an email, triggers an SMS, or queues a phone call, it is making a consent decision — whether your team realises it or not. Under the Australian Privacy Principles (APPs), the rules governing how you collect, use and disclose personal information apply to every customer interaction your CRM facilitates. APP 7 specifically governs direct marketing, requiring that individuals can opt out easily and that their preferences are respected across every channel. The Spam Act 2003 adds further requirements for electronic messages. And the Do Not Call Register Act creates obligations for telemarketing. Your CRM sits at the intersection of all three frameworks, making consent management one of the most operationally important compliance disciplines you will configure.
The problem is that most CRMs treat consent as a single toggle — "subscribed" or "unsubscribed" — when the legal reality is far more nuanced. A customer may have consented to receive product updates by email but not marketing SMS. They may have given consent for one purpose that does not extend to a different campaign. They may have opted out through one channel while your CRM continues reaching them through another. These gaps are not edge cases — they are the most common compliance failures the OAIC and ACMA encounter, and they originate in CRM configuration, not in marketing strategy.
What the APPs require for marketing and sales consent
Three frameworks converge on your CRM's outbound communication:
APP 7 — Direct marketing
You may use personal information for direct marketing only in specific circumstances. For non-sensitive information, you can rely on "reasonable expectation" — the individual would reasonably expect you to use their information for direct marketing — but you must always provide a simple opt-out mechanism. For sensitive information, explicit consent is required. The critical operational requirement: you must give effect to any opt-out request "within a reasonable period" and ensure it applies across all direct marketing, not just the channel they used to opt out.
The Spam Act 2003
Electronic commercial messages — email, SMS, instant messaging — must include the sender's identity, accurate contact information, and a functional unsubscribe mechanism. The message must be sent with consent (express or inferred), and the unsubscribe must be honoured within five business days. Penalties for non-compliance can reach $2.22 million per contravention for companies.
The Do Not Call Register Act
If your CRM triggers outbound phone calls or SMS for marketing purposes, you must check the Do Not Call Register and suppress listed numbers. Calling a registered number without an exemption can attract penalties of up to $313,000 per contravention for companies.
Why a single opt-in/opt-out toggle is not enough
The typical CRM stores consent as a boolean: subscribed or not. This fails in several predictable ways:
- Channel blindness. A customer unsubscribes from email. Your CRM keeps sending them SMS because the opt-out only toggled the email flag. Under APP 7, a request to stop direct marketing applies to all marketing, not just one channel.
- Purpose creep. A customer gave their email to receive a quote. Your CRM adds them to a marketing automation sequence for a completely different product line. APP 6 restricts use to the purpose for which information was collected — secondary use requires fresh consent.
- Consent decay. Consent given three years ago for a specific campaign is not perpetual permission for all future marketing. Without tracking when consent was given and for what purpose, you are relying on stale permissions that may no longer be valid.
- Team fragmentation. Sales sends emails from the CRM. Marketing runs campaigns from a separate tool. Customer success sends check-in messages from a third. None share a suppression list. The customer opts out of marketing emails but keeps getting sales sequences and success check-ins — a compliance failure that feels, to the customer, like their request was ignored.
Configuring consent management that actually works
Proper consent management in a CRM requires treating consent as a structured, multi-dimensional field — not a toggle. Here is how to configure it:
Track consent per channel and per purpose
For each contact, record: which channels they have consented to (email, SMS, phone, LinkedIn), what purposes the consent covers (product updates, promotional offers, event invitations, sales outreach), when consent was given, and how (web form, verbal, written). This turns consent from a guess into an auditable record.
Implement a single, cross-channel suppression list
When a contact opts out, the suppression must propagate to every channel and every tool that touches outbound communication. If your sales team, marketing automation and customer success all operate within the same CRM — rather than across three disconnected tools — this is a single update to a single record. If they operate across separate systems, you need integration logic to sync suppressions, and that integration is itself a compliance dependency.
Automate suppression enforcement
Do not rely on individual team members to check consent before sending. The CRM should enforce suppression automatically: if a contact has opted out, no outbound sequence, no campaign, no one-off message should be able to override that status. Manual overrides should require explicit justification and be logged.
Honour the Do Not Call Register
If your CRM triggers phone calls or SMS for marketing, integrate DNCR checking into your outbound workflow. This is not optional for telemarketing — it is a legal requirement with per-contravention penalties.
Set consent expiry and renewal
Consent is not permanent. Define a reasonable validity period and trigger re-consent workflows before expiry. This is especially important under the Privacy Act reforms, which are moving toward stronger consent requirements. A CRM that tracks consent timestamps makes this workflow straightforward; one that stores a bare boolean makes it impossible.
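The five steps above describe one data model and one gate. The following Python is an added illustration, not code from this page and not Fulcrum's product: it stores consent per channel and per purpose with a timestamp and a source, keeps one cross-channel opt-out field, checks phone and SMS against a register extract, and flags consents that are about to expire. The 365-day validity period, the field names, the sample contacts and the register entries are all constructed assumptions. One design choice is also an assumption: opt-out and register hits are hard blocks, while a missing or expired purpose consent may be overridden only with a non-empty justification that is written to an audit log.

```python
"""Consent gate for CRM outbound messaging (added example; assumptions labelled)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Channel(str, Enum):
    EMAIL = "email"
    SMS = "sms"
    PHONE = "phone"


class Purpose(str, Enum):
    PRODUCT_UPDATES = "product_updates"
    PROMOTIONS = "promotions"
    SALES_OUTREACH = "sales_outreach"


# Assumed policy value: how long a consent stays valid before re-consent is needed.
CONSENT_VALIDITY = timedelta(days=365)


@dataclass
class Consent:
    channel: Channel
    purpose: Purpose
    given_at: datetime            # when consent was given (timestamped, auditable)
    source: str                   # how it was given: "web_form", "verbal", "written"
    withdrawn_at: Optional[datetime] = None

    def expires_at(self) -> datetime:
        return self.given_at + CONSENT_VALIDITY

    def is_valid(self, now: datetime) -> bool:
        if self.withdrawn_at is not None and self.withdrawn_at <= now:
            return False
        return now < self.expires_at()


@dataclass
class Contact:
    contact_id: str
    phone: Optional[str] = None
    consents: list = field(default_factory=list)
    # One field, not one flag per channel: an opt-out here suppresses every channel.
    marketing_opt_out_at: Optional[datetime] = None


@dataclass
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG: list = []   # every manual override is recorded here


def normalise_number(number: str) -> str:
    """Keep digits and a leading '+' so register lookups do not miss formatting variants."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return ("+" + digits) if number.strip().startswith("+") else digits


def opt_out(contact: Contact, now: datetime) -> None:
    """A single update: an opt-out applies to all direct marketing on every channel."""
    contact.marketing_opt_out_at = now


def check_send(contact, channel, purpose, now, dncr, override_justification=None) -> Decision:
    """Gate every outbound message. Opt-out and register hits are hard blocks (assumed);
    a missing or expired purpose consent may be overridden only with a logged justification."""
    if contact.marketing_opt_out_at is not None and contact.marketing_opt_out_at <= now:
        return Decision(False, "contact has opted out of all direct marketing")
    if channel in (Channel.SMS, Channel.PHONE):
        if not contact.phone:
            return Decision(False, "no phone number on record")
        if normalise_number(contact.phone) in dncr:
            return Decision(False, "number is listed on the Do Not Call Register")
    valid = [c for c in contact.consents
             if c.channel == channel and c.purpose == purpose and c.is_valid(now)]
    if valid:
        latest = max(valid, key=lambda c: c.given_at)
        return Decision(True, f"consent via {latest.source} on {latest.given_at.date()}")
    if override_justification and override_justification.strip():
        AUDIT_LOG.append({"contact_id": contact.contact_id, "channel": channel.value,
                          "purpose": purpose.value, "at": now.isoformat(),
                          "justification": override_justification})
        return Decision(True, "manual override (logged)")
    return Decision(False, f"no valid consent for {purpose.value} via {channel.value}")


def consents_expiring(contact, now, window=timedelta(days=30)) -> list:
    """Still-valid consents that expire within the window: input to a re-consent workflow."""
    return [c for c in contact.consents if c.is_valid(now) and c.expires_at() - now <= window]


def build_sample():
    """Constructed sample data for this example (not real contacts or register entries)."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    dncr = {normalise_number("+61 400 000 002")}      # constructed register extract
    alice = Contact("c-001", phone="+61 400 000 001", consents=[
        Consent(Channel.EMAIL, Purpose.PRODUCT_UPDATES, now - timedelta(days=400), "web_form"),
        Consent(Channel.SMS, Purpose.PROMOTIONS, now - timedelta(days=350), "web_form"),
    ])
    bob = Contact("c-002", phone="+61 400 000 002", consents=[
        Consent(Channel.SMS, Purpose.PROMOTIONS, now - timedelta(days=10), "verbal"),
    ])
    return now, dncr, alice, bob


if __name__ == "__main__":
    now, dncr, alice, bob = build_sample()
    for who, ch, pu in [(alice, Channel.EMAIL, Purpose.PRODUCT_UPDATES),
                        (alice, Channel.SMS, Purpose.PROMOTIONS),
                        (bob, Channel.SMS, Purpose.PROMOTIONS)]:
        d = check_send(who, ch, pu, now, dncr)
        print(who.contact_id, ch.value, pu.value, "->", d.allowed, d.reason)
    print("expiring soon:", [c.purpose.value for c in consents_expiring(alice, now)])
    opt_out(alice, now)
    print("after opt-out:", check_send(alice, Channel.SMS, Purpose.PROMOTIONS, now, dncr))
```

Run it and the three sample decisions show the failure modes from the list earlier on the page: the email consent given 400 days ago is stale and denied, the SMS consent given 350 days ago is still valid but surfaces in the re-consent list, and the register hit blocks the SMS to the second contact regardless of the consent on file. Every denial carries a reason string, which is what an auditor, or the customer, will ask for.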
AI and consent: the emerging frontier
AI features in modern CRMs create new consent questions that the original APPs did not contemplate. If your CRM uses AI to score leads, generate personalised outreach, or summarise customer interactions, those AI operations are using personal information — and the purpose for which that information was collected may not extend to AI processing.
The key question: does the AI operate inside your data boundary, or does it send customer data to an external provider? If the latter, that is a disclosure that requires either consent or a legitimate basis under APP 6. Fulcrum CRM's AI agents operate inside the platform boundary — finding prospects, updating deals, drafting follow-ups — without shipping personal information to third-party model providers. This is not just a security feature; it is a consent simplification, because data that never leaves your boundary for AI processing does not trigger a secondary-use or disclosure consent question.
The practical checklist
Run your CRM through this consent management audit:
- Can you identify, for any given contact, what they consented to, when, and through which channel?
- Does opting out through one channel suppress all marketing across all channels?
- Are consent records timestamped and auditable?
- Does the CRM enforce suppression automatically, preventing manual override without justification?
- Are DNCR-listed numbers suppressed from outbound phone and SMS workflows?
- Do AI features process customer data within your boundary, or disclose it to external providers?
- Is there a process for re-consent when existing consent approaches a reasonable expiry?
If the answer to any of these is "no" or "I'm not sure," you have a consent management gap. For a broader view of how the APPs apply to your CRM configuration, see our guide on CRM and the Privacy Act. For the security layer that underpins compliant data handling, our CRM security and data protection guide covers encryption, access controls and audit logging. And for a look at how Fulcrum handles these requirements compared to the alternatives, visit our comparison page.
Consent management is not a marketing operations problem dressed up as compliance. It is a legal obligation with per-contravention penalties, and the CRM is where it is either satisfied or violated. Getting it right protects your business from fines, preserves customer trust, and ensures that every outbound message your team sends has a defensible basis behind it.
Writing about AI-powered CRM, sales automation, and the future of revenue teams at Fulcrum CRM.