MCMC seeks feedback on proposed regulatory framework for unsolicited commercial electronic messages: Rahmat Lim & Partners

18 August 2025

On 13 August 2025, the Malaysian Communications and Multimedia Commission (“MCMC”) launched a public consultation to gather feedback on the development of a proposed regulatory framework for unsolicited commercial electronic messages (“UCEM”), commonly known as “spam”. The consultation aims to develop a practical mechanism for implementing section 233A of the Communications and Multimedia Act 1998 (“CMA”). Section 233A, introduced by the Communications and Multimedia (Amendment) Act 2025, prohibits any person from sending, causing to be sent, or authorising the sending of UCEM. Section 233A will come into force at a date to be appointed by the Minister of Communications.

This article discusses the key proposals set out in the public consultation, which closes on 27 August 2025.

Rationale for regulating UCEM

The MCMC recognises the alarming rise in cases relating to unsolicited electronic messages and the regulatory gap in managing growing risks posed through this occurrence. UCEM, in particular, expose consumers to, among other things, privacy violations, scams, phishing attempts, fraudulent schemes, and cyber threats.

Key definitions and concepts

The MCMC defines key concepts such as (a) “unsolicited commercial electronic messages”, “electronic messages”, and “commercial electronic message”; (b) “sender” and “recipient”; and (c) “address harvesting” and “dictionary attack”.

To establish the MCMC’s jurisdiction, a commercial electronic message is considered as having a nexus to Malaysia if:

the sender or recipient are based, present, or incorporated in Malaysia;
the message is sent through a computer, server, device, or telecommunications network infrastructure located in Malaysia; or
there is evidence that the message is targeted at Malaysian users, even if it fails to be delivered due to a non-existent or incorrect address. For example, the electronic address has a domain ending with “.my”, or the content of the message suggests a reasonable intent to reach Malaysian users through factors such as language or currency.

The MCMC seeks to prohibit, among other things:

the acquisition, distribution, or usage of certain tools or software designed to extract electronic addresses from online sources, or mechanisms that generate addresses through automated or pattern-based guessing (commonly known as “dictionary attacks”); and
the sending of unsolicited messages to electronic addresses obtained from address harvesting software or through dictionary attacks.

Commercial electronic messages may only be sent with the recipient’s consent. For this purpose, consent is proposed to be defined as a voluntary, specific, informed, and unambiguous indication of agreement, which may be given expressly or impliedly.

The MCMC also proposes that all commercial messages should include mandatory information, such as clear sender identification details, a functional and no-cost mechanism for recipients to withdraw consent, and accurate message labelling.

Moving forward

The MCMC invites stakeholders to review the proposals set out in the consultation paper and provide feedback by 27 August 2025.

Following the introduction of section 233A of the CMA, businesses should closely monitor their digital marketing processes. In light of the proposed regulatory framework and forthcoming enforcement of section 233A, they should also assess whether existing processes, such as consent management, opt-out functions and labelling standards require enhancement.

Further information

This article has been prepared with the assistance of Associates Siah An Gel and Mohamad Syafiq bin Mohamad Tazri.