In the world of email marketing, laws and regulations exist to make sure you use email for good, not evil. You’ve heard of email marketing laws like the CAN-SPAM Act, GDPR, CASL and the UK’s Data Protection Act 1998, right?
All these email marketing laws outline a number of conditions email marketers are required to follow to avoid not only damage to their sender reputation but also being slapped with hefty fines. As intimidating as this sounds, if you are using professional email marketing software to send your email campaigns, you are most likely already in compliance with most email marketing legislation.
“If you think compliance with email marketing laws is expensive, try non-compliance.” – EmailOut
Spam continues to be a massive issue on a global scale. All around the world, governments have worked hard to put laws and regulations in place to protect people from malicious unsolicited emails. Many email marketers are aware of local email marketing laws; when it comes to international regulations, however, their knowledge is somewhat lacking. Since email marketers are required to comply with so many email marketing laws, it’s inevitable for things to get a bit overwhelming and confusing.
In this article, we’ll cover the following email marketing laws:
- The U.S.
  - Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) Act of 2003
  - the California Consumer Privacy Act (CCPA)
- The EU’s General Data Protection Regulation (GDPR)
- Canada’s Anti-Spam Legislation (CASL)
- Australia’s Spam Act of 2003
- The UK
  - Privacy and Electronic Communications Regulations (PECR) (EC Directive) 2003
  - Data Protection Act (DPA) 2018
- China
  - Consumer Rights Protection Law 2013
  - Measures of the Administration of Internet Email Services 2006
- Singapore’s Personal Data Protection Act 2012 (PDPA)
- Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD)
Ready to dive in?
You’ve organically built a high-quality email list. Your email template is unique and overall, amazing. The email campaign’s copy is well written, engaging and relevant. It appears you have everything you need to unleash your email into the world. But… are you sure you’re compliant with all email marketing laws?
If you are sending emails across borders, then you most certainly have to be very familiar with, and 100% compliant with, international email marketing legislation. After all, regulations differ from country to country; what makes you compliant in one country could be completely off-limits in another, and you might be subject to hefty fines with lots of zeros.
Statistics show that 62% of people keep receiving emails from brands even after they’ve unsubscribed; moreover, 66% of people receive emails from companies they’ve never even heard of. This goes against all email marketing laws, data privacy regulations and consumer demands.
People want more regulations. 80% feel there should be more laws protecting their personal data. Furthermore, 35% of customers often exercise their privacy rights with email providers.
With email marketing laws like the following already in place –
- the GDPR (implemented May 2018)
- the CCPA (effective as of January 1, 2020)
- the PDPA (in effect since May 2020)
- the LGPD (implemented August 2020)
- the DPA 2018 (into effect since May 25, 2018)
- the CASL (effective since July 1, 2014)
- the CAN-SPAM Act (implemented January 1, 2004), and
- the PECR (effective since December 11, 2003)
If only email senders took note and implemented the above, I’d say people’s desire for more rules and regulations would be fully satisfied.
Whether a particular country’s email marketing laws apply to you depends on three main things –
1) whether you are based in that country
2) if your ESP is based in that country
3) whether your recipients are based in that country
Now, to make sure none of you will be slapped with fines that have lots of zeros, it’s imperative to be aware of all email marketing laws and, of course, comply with them.
Email Marketing Laws in the U.S.
The CAN-SPAM Act
When emailing subscribers in the U.S., the primary legislation you must fully understand and be 100% compliant with is the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003. The CAN-SPAM Act is one of the longest-running email marketing laws in the world. Compared to legislation in Europe or Canada, it is far more relaxed.
To comply with the CAN-SPAM Act, you need to follow these guidelines –
- avoid the use of deceptive email addresses, names, domain names or subject lines that will mislead the recipient
- identify the message as an ad if a recipient has not given you explicit consent
- specify any adult content or graphic imagery in your copy clearly in the subject line
- include a physical address
- provide an obvious and straightforward way for users to unsubscribe and fulfil requests within 10 days
- monitor what others are doing on your behalf (if your email marketing is done by another company, you must ensure it is compliant)
Non-compliance with the CAN-SPAM Act can be costly. Each email in violation of the legislation is subject to penalties of up to $43,280.
For more information on the CAN-SPAM Act of 2003, click here.
The CCPA
The California Consumer Privacy Act of 2018 (CCPA) is legislation allowing any California-based consumer to demand to see all their personal information obtained and stored by businesses, as well as a full list of all third parties their personal data has been shared with. Additionally, this law also allows consumers to sue businesses if there is a violation of the privacy guidelines without an actual data breach occurring. Essentially, the law’s intent is to enhance privacy rights and consumer protection for California-based consumers.
These are the guidelines you need to follow to comply with the CCPA –
- conducting a personal information audit to determine –
- the type of personal information collected
- the source(s) of personal information
- if you sell personal information
- if you share personal information
- setting up a process to facilitate “the right to know” and “the right to delete”
- setting up a “Do Not Sell My Personal Information” page if you are selling personal data
The Right To Know: Any consumer has the right to know what, how and for what purpose their personal information has been collected. If your business receives a verifiable request, you are obliged to make the information available within 45 days without charging the consumer for it, and you are not required to provide personal information to a consumer more than twice in twelve months.
The Right To Delete: Any consumer has the right to invoke their right to delete. If you receive a verifiable request to erase, you are obliged to delete the consumer’s personal information from all your records as well as request all third parties you shared it with to do the same. However, there are certain exceptions to “the right to delete”. You will not be obligated to comply with deletion requests if the personal information collected is necessary for one of the following reasons –
- to perform a contract
- to ensure security
- for debugging purposes
- exercising free speech
- to comply with the California Electronic Communications Privacy Act (CalECPA)
- to conduct specific research
- for solely internal and plausible uses
- to comply with a legal obligation
The CCPA applies not only to California-based businesses: any business, operating from anywhere in the world, that processes the personal information of consumers based in California has to adhere to the CCPA’s requirements.
Email Marketing Laws in Europe: The GDPR
If you’re emailing European subscribers, the General Data Protection Regulation (GDPR) is what you will need to ensure that you are compliant with. This law’s purpose is to protect the data privacy of all European citizens. Even though the GDPR is an EU regulation, it applies to, and will be enforced against, all global businesses that collect and email EU-based subscribers.
Since its implementation, the GDPR has confused email marketers, and it still does at times. Whilst it does address permissions, it’s primarily focused on the processing of personal data. For example, the GDPR explicitly permits email marketing when the personal data is processed correctly, but PECR is the email marketing law that outlines permissions.
To ensure compliance with the GDPR, you will need to –
- obtain the consumers’ valid explicit consent to receive marketing emails (soft opt-ins and pre-checked boxes are not allowed)
- keep clear records of each consumer’s verified consent
- allow consumers to revoke their consent just as easily as they’ve given it
- only use the collected emails for the purposes you said you would
- provide access to their data if the users request it
N.B. Buying or renting email lists might seem like the most brilliant approach for business growth, however, it is not. It will be harmful to your brand and email deliverability, lead to poor results and, most of all, this practice is in direct violation of the spirit of email marketing laws.
Despite the fact the UK withdrew from the EU on January 21, 2020, it will remain subject to EU laws including the GDPR until the end of the transition period – December 31, 2020.
Violation of the GDPR can result in fines of up to 4% of the annual global turnover of the preceding fiscal year or €20 million (about £18 million) – whichever is greater.
You can find more information about GDPR here.
Email Marketing Laws in Canada: CASL
Canada’s Anti-Spam Legislation (CASL) does not apply exclusively to Canadian businesses. If you are sending marketing emails to Canadian citizens, you will be subject to CASL. This regulation’s purpose is to protect Canadians from spam, personal data leaks and other types of digital tech misuse.
To make sure you comply with CASL, you need to –
- always obtain explicit consent from each person
- ensure the consent form is plainspoken and has your business’s identification and contact information
- make clear people can revoke consent anytime they want
- always keep records of consent
- include the name of the business, contact info and instruction to unsubscribe in all marketing emails
- process unsubscribe requests within 10 days
CASL defines two types of consent – implied and express. Consent is considered to be implied when –
- a person has purchased a product/service from your business in the last 24 months
- you’re a registered charity or political organisation to which the person has made a donation, volunteered or attended an organised meeting
According to CASL, implied permissions expire – for purchase, it’s valid for 2 years; for an enquiry about a product or service, it’s valid for 6 months. Overall, if a user has not renewed their implied permission, it’ll expire.
Consent is considered to be express and valid when the following information is included –
- a clearly stated, concise description of the purpose for which you want to obtain the consent
- a brief description of the emails you’ll be sending
- the business’s name and contact info
- a clear message about revoking consent at any time
Essentially, if people have opted in to your marketing communications, they have given you their express consent. The most common examples of express consent are filling in a signup form, clicking on a link to confirm the subscription, checking a box during a purchase process or giving consent over the phone. Also, express permission does not expire.
If you violate any of the regulations in CASL, the penalty can reach up to CAD 1 million for individuals (USD 770,630/£586,930) and up to CAD 10 million for businesses (USD 7.7 million /£5.8 million).
To find out more about CASL, click here.
Email Marketing Laws in Australia: The Spam Act 2003
The purpose of the Australian Spam Act 2003 is to protect Aussie subscribers and prevent Aussie senders from sending spam and misusing users’ personal data. Essentially, the Act forbids sending unsolicited commercial emails (a.k.a. spam) with an Australian link. According to the Act, “a message has an Australian link if it originates or was commissioned in Australia, or originates overseas but was sent to an address accessed in Australia.”
To ensure you are compliant with the Spam Act 2003, you must –
- always include your company name and contact info in every email
- provide a clear opt-out and process unsubscribe requests within 5 days
- never use email harvesting or buy/rent email lists
Emails from government bodies, registered charities, registered political parties and educational institutions can be sent without consent to Australian recipients.
The penalties for noncompliance with the Spam Act 2003 can reach up to AUD 2.1 million ($1.5 million/£1.1 million).
For more details about Australia’s Spam Act 2003, click here.
Email Marketing Laws in the UK
Privacy and Electronic Communications Regulations (PECR) (EC Directive) 2003
The Privacy and Electronic Communications Regulations 2003, also referred to as PECR or the EC Directive, is legislation under which email recipients located in the United Kingdom must have consented, either by express or implied permission, to receive marketing communications from you. This regulation is pretty similar to the Australian Spam Act and CASL; the main difference concerns the number of days you have to process unsubscribe requests and clean up your email lists.
To comply with PECR, you must –
- obtain explicit consent to receive marketing emails from each of your subscribers
- never hide your identity
- always introduce yourself and provide detailed contact information in every email
- give users a clear and simple way to unsubscribe or request to be deleted and ensure the request is processed within 28 days
For individuals, UK anti-spam law has something known as a soft opt-in. Essentially, it means that in certain cases you can email subscribers as if they’ve consented even though they have not explicitly done so.
To comply with the soft opt-in rule, you must follow a certain set of guidelines –
- prove you’ve obtained the person’s email address “in the course of the sale or negotiations for the sale of a product or service”. Simply put, if the recipient is already a customer then they’ve softly opted in
- only directly market to existing customers in respect of similar products/services
- always give the recipients a method to refuse the use of their contact details at the same time they’ve initially provided them
- as with all international email marketing laws, users must be given a visible clear way to unsubscribe from your email list in every email
Remember, legal opt-in and opt-out regulations are only applicable to individuals. If you want to contact a corporate body, you can do so without them having to explicitly opt-in.
If you violate the EC Directive, you can be subject to penalties as high as £500,000.
More detailed information about the EC Directive can be found here.
Data Protection Act (DPA) 2018
The Data Protection Act 2018 (DPA) is legislation aimed at protecting the privacy of personal data. The DPA was first composed in 1984, updated in 1998 and enforceable until May 25, 2018, when it was superseded by the Data Protection Act 2018. The DPA applies to any business or individual who holds or uses personal data of others within the EU and the UK.
The purpose of the DPA 2018 is to –
- facilitate the secure transfer of data within the EU
- prevent businesses and individuals from using and holding inaccurate consumers’ data
- assure people how their personal data is and will be used
- provide people whose personal data is stored (a.k.a. data subjects) with the legal right to check the information businesses hold about them
- offer data subjects more control over how data controllers handle their data
- ensure there is accountability regarding how businesses securely handle data
- make sure organisations keep individuals’ personal data safe and secure
- command data users or data holders to register with the Information Commissioner
The eight key principles of the DPA 2018 (and GDPR) are –
1) fair and lawful processing of personal data
2) the personal data must be processed for specific lawful purposes
3) adequate, relevant and non-excessive personal data
4) accurate and up-to-date personal data
5) not keeping personal data longer than necessary
6) processing personal data per the rights and freedoms of data subjects
7) personal data must be kept safe and secure at all times
8) transferring personal data outside the EEA (European Economic Area) without adequate provisions in place for its protection is prohibited
If at any point you receive a request for access or deletion, you must respond within a month.
Remember the Facebook/Cambridge Analytica Scandal? The data protection violation which happened in 2015 resulted in the maximum possible penalty – £500,000. In a very lucky turn of events for Facebook, this data violation became public (early 2018) before the implementation of the GDPR. Otherwise, the ICO would’ve slapped the social media conglomerate with a fine of 4% of Facebook’s 2018 global revenue – around £1.7 billion.
Email Marketing Laws in China: Consumer Rights Protection Law 2013 and Measures of the Administration of Internet Email Services 2006
If you are email marketing in China there are two very important email marketing laws you need to abide by – the Consumer Rights Protection Law 2013 (CRPL) and Measures of the Administration of Internet Email Services 2006 (MAIES).
The CRPL 2013 forbids the distribution of commercial information and materials to consumers unless you have obtained their consent or they have requested the information; it also forbids sending such information/materials to a consumer who has explicitly rejected them.
The purpose of the MAIES 2006 is to regulate and safeguard the legitimate rights of consumers using email services via the internet in the territory of the People’s Republic of China.
Overall, both email marketing laws aim to protect Chinese residents and people who at the time of receiving marketing emails are on Chinese territory.
To comply with both pieces of legislation, you must –
- state your emails are sent for commercial purposes at the opt-in stage
- obtain verifiable explicit consent to send marketing emails for every user
- clearly state your business information and sender name
- ensure you’ve clearly outlined that any links to third-party services have nothing to do with spyware and in no way can facilitate hackers
- give people an easy way to unsubscribe from your mailing list and process opt-out requests within 30 days
- avoid any political or other sensitive topics in your email copy
- identify any advertisement by using the English words for “advertisement” or “ad” or their equivalent in Chinese in your email subject line
Violation of MAIES 2006 can result in fines of up to CNY 30,000 ($4,525/£3,446); whilst non-compliance with the CRPL 2013 can result in a maximum fine of CNY 500,000 ($75,419 /£57,393).
Email Marketing Laws in Singapore: The PDPA
The purpose of the PDPA is “to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.”
If you breach the PDPA, you will be subject to fines of up to 10,000 Singapore dollars (USD 7,417/£5,643) and you could also be imprisoned for up to 3 years.
To ensure compliance with the PDPA, you must –
- obtain the individuals’ consent to collect, use and disclose their personal data
- clearly outline the purpose of collecting, using and disclosing the individuals’ personal data – you cannot collect personal data simply because you have access to it, there must be an explicit purpose
- make sure the personal data collected is accurate and complete
- never transfer personal data outside Singapore if the jurisdiction to which the data is transferred does not provide legal protection
- ensure that you’ll retain the personal data ONLY for as long as there is a business or legal reason to do so
- always offer people a way to opt-out from your email lists
- check the Do Not Call (DNC) Registry (three separate registers covering telephone calls, text messages and faxes of businesses who do not want to be contacted for marketing purposes)
Non-compliance with the PDPA can result in fines of up to 10% of the company’s annual turnover or $1 million – whichever is higher. Stiffer fines will be imposed only on businesses with an annual turnover above $10 million.
For further information regarding Singapore’s PDPA, click here.
Email Marketing Laws in Brazil: The LGPD
Brazil’s LGPD is the first legislation to provide a comprehensive framework that establishes rules for collecting, handling, storing and sharing personal data of Brazilian citizens. Essentially, if your business has subscribers/customers from Brazil, this legislation applies to you and you must comply.
To comply with the LGPD, you need to –
- outline the purpose of the consent request
- only process personal data necessary for the fulfilment of your stated purposes
- maintain records of the data processing activity
- allow people free and easy access to information about the processing of their data
- ensure the accuracy of the collected data and keep it up-to-date
- be transparent about how you process users’ data
- safeguard the collected personal data from unauthorised access, accidental and unlawful destruction, alteration and unsolicited communication
- offer a clear and easy way for people to unsubscribe from your marketing emails and delete subscribers’ data if they’ve requested it
- appoint a Data Protection Officer (DPO) (this is also required under GDPR)
The maximum fine for violating the LGPD is 2% of the total revenue for the prior fiscal year (excluding taxes) and up to a total of BRL 50 million ($9.3 million/£7.1 million) per violation.
More on the LGPD can be found here.
Unlike all the other email marketing laws, where consent must be given before sending marketing emails, the U.S. CAN-SPAM Act does not require consent before emailing as long as you’ve included an option for recipients to unsubscribe. Furthermore, to ensure 100% compliance, it is your responsibility as the sender to keep a record of obtained consents, e.g. the subscriber’s IP address and the opt-in date and time. Remember, with the exception of the CAN-SPAM Act, all other email marketing laws require you to obtain the users’ consent.
If subscribers no longer wish to receive marketing emails from you, all email marketing laws agree that you must give them the opportunity to opt out. While there are different opt-out methods (e.g. via a call to support or an email reply), including an unsubscribe link in every email is a must and a legal requirement.
The most important things to remember in terms of unsubscribe requests are –
a) never charge the person who wants to opt-out, and
b) never ask for more info
Offering an easy and clear way for your subscribers to opt-out is a legal requirement under all email marketing laws. The only difference concerns the time allowed to process an unsubscribe request. While legislation may give you up to 30 days to do so, subscribers certainly won’t. Not to mention the hefty fines you’ll be subject to.
Bottom line: always obtain explicit consent, collect, handle, process and use personal data with care, never transfer data outside of your country without ensuring the recipient country has proper data security legislation in place, be honest and clear about your intention for the data and, most of all, always provide an option for people to unsubscribe.
Remember, understanding email marketing laws is not just about avoiding massive fines. It’s about mutual respect between your business and its subscribers.