In brief
Malaysia currently lacks a dedicated legal framework to effectively address the increasing scale and sophistication of spam-related activities, which have seen a nearly 200% surge in reported complaints between 2021 and 2025. In response, the Malaysian Communications and Multimedia Commission (MCMC) is proposing a regulatory framework for Unsolicited Commercial Electronic Messages (UCEM), commonly referred to as spam (“Proposed Framework“). On 13 August 2025, MCMC issued a public consultation paper (PCP) inviting feedback on the Proposed Framework.
The Proposed Framework:
- Will eventually be developed into subsidiary legislation to complement Section 233A of the Communications and Multimedia Act 1998 (i.e., no person shall send, cause to be sent or authorise the sending of UCEM)
- Aims to provide a clear, enforceable set of rules to enhance consumer protection, while supporting responsible digital marketing in Malaysia’s growing digital economy
Set out below is a high level overview of the key proposals outlined in the PCP:
| Concepts | Summary of Proposed Framework | Key requirements and conditions |
| Definitions | Introduces UCEM | UCEM: any commercial electronic message sent through any communication mode (where there is no prior relationship between sender and recipient and no prior consent from the recipient).Electronic message: any message sent using a network service or applications service to an electronic address, endpoint or similar communication mode (regardless of whether the address exists or whether the message reaches the intended recipient).Commercial Electronic Message (CEM): any electronic message sent by electronic means for the purposes of promoting, offering, marketing or supplying (among others) products, services or a person who provides the aforementioned. Includes messages which contain indirect promotional consent or request to send future commercial content. |
| Malaysian link | The CEM must have a “Malaysian link”. | A CEM is considered to have a Malaysian link if it meets any of the following conditions:Sender-based connection: The sender is physically present in Malaysia, a Malaysian citizen or permanent resident (regardless of physical location), or an organization formed, incorporated, or carrying on business in Malaysia (regardless of where the message is sent or the infrastructure used).Recipient-based connection: The message is sent to an individual physically present in Malaysia, a Malaysian citizen or permanent resident, or an organization formed, incorporated, or operating in Malaysia.Infrastructure-based connection: The message is accessed via a computer, server, or network infrastructure located in Malaysia.Intent-based connection: An undeliverable message still has a Malaysian link if there’s evidence of intent to target Malaysian users, such as using a “.my” domain or content with local language and geographic references. |
| Consent Model | The Proposed Framework is based on a consent-based model, requiring voluntary, specific, informed, and unambiguous consent from the recipient before sending a CEM. This consent can be express or implied. | Express Consent: Requires a clear, affirmative act from the recipient, such as checking an unchecked box or submitting a form.It must be voluntary, specific to the purpose of receiving CEMs, and the sender’s identity, message purpose, and message types must be transparently disclosed.Recipients must have a free and accessible way to withdraw consent, with requests processed within 10 working days.Senders must also keep verifiable records of how and when consent was obtained.Implied Consent: Can be reasonably inferred from an existing or prior relationship, such as a commercial transaction, membership, or subscription.The content of the message must be directly related to that relationship.Implied consent is subject to time limitations: up to 24 months from the last transaction or six months from a last inquiry if no transaction occurred.Recipients must still be able to opt out.Senders must maintain records of the relationship from which consent was derived. |
| Mandatory Message Requirements | All CEM must include specific information to ensure transparency and responsible communication. | Clear Sender Identification: The message must clearly display the sender’s name or legally registered business identity and provide functional, responsive and accessible (e.g., no obscure navigation) contact details that can be easily used. This contact information must be accurate and functional for at least 30 calendar days.Functional Opt-Out Facility: Every message must contain a free, clear, and functional mechanism for recipients to unsubscribe. This mechanism must be user-friendly, easily accessible, and remain operational for at least 30 calendar days. All opt-out requests must be processed within five business days.Accurate Message Labelling: The subject line must accurately reflect the message’s content and not be false, misleading or deceptive.The letters  followed by a space must appear at the beginning of the subject line (or the first line of the message body if there’s no subject line) to identify the message as an advertisement.Header information (such as sender name, reply to address and routing data) must also be accurate, not misleading or deceptive. |
| Prohibition of Address Harvesting and Dictionary Attacks | The Proposed Framework includes a clear prohibition on the acquisition, distribution, or use of tools and practices related to address harvesting and dictionary attacks for the purpose of sending UCEM. | The Proposed Framework prevents any person from acquiring, distributing, making available, or using:Automated tools or software designed to extract electronic addresses from online sourcesSoftware that generates addresses through automated or pattern-based guessing, known as dictionary attacksAny databases or lists of electronic addresses obtained through these methodsThe rights to access, sell, or use such software or harvested lists, including those obtained indirectlyAdditionally, senders are explicitly prohibited from sending UCEM to any electronic address that was obtained using address-harvesting software or compiled through a harvested list, or generated via dictionary attacks or similar automated techniques. |
Conclusion
The MCMC is seeking feedback on the Proposed Framework by 5 pm on 27 August 2025. Once implemented, the Proposed Framework is expected to significantly reshape how organizations conduct digital marketing activities. In particular, businesses will need to determine whether their CEMs have a Malaysian link. If so, they must revise their data collection and acquisition strategies, as well as update their marketing materials to comply with the specific requirements of the Proposed Framework.
* * * * *
© 2025 Wong & Partners. All rights reserved. Wong & Partners, member of Baker & McKenzie International. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
