Failure to do so can result in massive penalties.
- Laws that Require Email Clauses in Privacy Policies and Govern Email Marketing
- Special Considerations for Email Newsletters
- Examples of Email Privacy Policies & Compliant Marketing Emails
Last updated [month day, year]
COLLECTION OF YOUR INFORMATION
We may collect information about you in a variety of ways. The information we may collect on the Site includes:
Personally identifiable information, such as your name, shipping address, email address, and telephone number, and demographic information, such as your age, gender, hometown, and interests, that you voluntarily give to us [when you register with the Site [or our mobile application,] or] when you choose to participate in various activities related to the Site [and our mobile application], such as online chat and message boards and subscription to newsletters and promotional emails. You are under no obligation to provide us with personal information of any kind; however, your refusal to do so may prevent you from using certain features of the Site [and our mobile application].
Information our servers automatically collect when you access the Site, such as your IP address, your browser type, your operating system, your access times, and the pages you have viewed directly before and after accessing the Site. [If you are using our mobile application, this information may also include your device name and type, your operating system, your phone number, your country, your likes and replies to a post, and other interactions with the application and other users via server log files, as well as any other information you choose to provide.]
The Site [and our mobile application] may by default access your Facebook basic account information, including your name, email, gender, birthday, current city, and profile picture URL, as well as other information that you choose to make public. We may also request access to other permissions related to your account, such as friends, check-ins, and likes, and you may choose to grant or deny us access to each individual permission. For more information regarding Facebook permissions, refer to the Facebook Permissions Reference page.
Data From Social Networks
User information from social networking sites, such as [Apple’s Game Center, Facebook, Google+, Instagram, Pinterest, Twitter], including your name, your social network username, location, gender, birth date, email address, profile picture, and public data for contacts, if you connect your account to such social networks. [If you are using our mobile application, this information may also include the contact information of anyone you invite to use and/or join our mobile application.]
Mobile Device Data
Device information, such as your mobile device ID, model, and manufacturer, and information about the location of your device, if you access the Site from a mobile device.
Information from third parties, such as personal information or network friends, if you connect your account to the third party and grant the Site permission to access this information.
Data From Contests, Giveaways, and Surveys
Personal and other information you may provide when entering contests or giveaways and/or responding to surveys.
Mobile Application Information
If you connect using our mobile application:
- Geo-Location Information. We may request access or permission to and track location-based information from your mobile device, either continuously or while you are using our mobile application, to provide location-based services. If you wish to change our access or permissions, you may do so in your device’s settings.
- Mobile Device Access. We may request access or permission to certain features from your mobile device, including your mobile device’s [bluetooth, calendar, camera, contacts, microphone, reminders, sensors, SMS messages, social media accounts, storage,] and other features. If you wish to change our access or permissions, you may do so in your device’s settings.
- Mobile Device Data. We may collect device information (such as your mobile device ID, model and manufacturer), operating system, version information and IP address.
- Push Notifications. We may request to send you push notifications regarding your account or the Application. If you wish to opt-out from receiving these types of communications, you may turn them off in your device’s settings.
USE OF YOUR INFORMATION
Having accurate information about you permits us to provide you with a smooth, efficient, and customized experience. Specifically, we may use information collected about you via the Site [or our mobile application] to:
- Administer sweepstakes, promotions, and contests.
- Assist law enforcement and respond to subpoenas.
- Compile anonymous statistical data and analysis for use internally or with third parties.
- Create and manage your account.
- Deliver targeted advertising, coupons, newsletters, and other information regarding promotions and the Site [and our mobile application] to you.
- Email you regarding your account or order.
- Enable user-to-user communications.
- Fulfill and manage purchases, orders, payments, and other transactions related to the Site [and our mobile application].
- Generate a personal profile about you to make future visits to the Site [and our mobile application] more personalized.
- Increase the efficiency and operation of the Site [and our mobile application].
- Monitor and analyze usage and trends to improve your experience with the Site [and our mobile application].
- Notify you of updates to the Site [and our mobile application].
- Offer new products, services, [mobile applications,] and/or recommendations to you.
- Perform other business activities as needed.
- Prevent fraudulent transactions, monitor against theft, and protect against criminal activity.
- Process payments and refunds.
- Request feedback and contact you about your use of the Site [and our mobile application].
- Resolve disputes and troubleshoot problems.
- Respond to product and customer service requests.
- Send you a newsletter.
- Solicit support for the Site [and our mobile application].
DISCLOSURE OF YOUR INFORMATION
We may share information we have collected about you in certain situations. Your information may be disclosed as follows:
By Law or to Protect Rights
If we believe the release of information about you is necessary to respond to legal process, to investigate or remedy potential violations of our policies, or to protect the rights, property, and safety of others, we may share your information as permitted or required by any applicable law, rule, or regulation. This includes exchanging information with other entities for fraud protection and credit risk reduction.
Third-Party Service Providers
We may share your information with third parties that perform services for us or on our behalf, including payment processing, data analysis, email delivery, hosting services, customer service, and marketing assistance.
With your consent, or with an opportunity for you to withdraw consent, we may share your information with third parties for marketing purposes, as permitted by law.
Interactions with Other Users
If you interact with other users of the Site [and our mobile application], those users may see your name, profile photo, and descriptions of your activity, such as sending invitations to other users, chatting with other users, liking posts, and following blogs.
When you post comments, contributions or other content to the Site [or our mobile applications], your posts may be viewed by all users and may be publicly distributed outside the Site [and our mobile application] in perpetuity.
We may use third-party advertising companies to serve ads when you visit the Site [or our mobile application]. These companies may use information about your visits to the Site [and our mobile application] and other websites that are contained in web cookies in order to provide advertisements about goods and services of interest to you.
We may share your information with our business partners to offer you certain products, services or promotions.
Our mobile application may display a third-party hosted “offer wall.” Such an offer wall allows third-party advertisers to offer virtual currency, gifts, or other items to users in return for acceptance and completion of an advertisement offer. Such an offer wall may appear in our mobile application and be displayed to you based on certain data, such as your geographic area or demographic information. When you click on an offer wall, you will leave our mobile application. A unique identifier, such as your user ID, will be shared with the offer wall provider in order to prevent fraud and properly credit your account.
[Social Media Contacts
If you connect to the Site [or our mobile application] through a social network, your contacts on the social network will see your name, profile photo, and descriptions of your activity.]
Other Third Parties
We may share your information with advertisers and investors for the purpose of conducting general business analysis. We may also share your information with such third parties for marketing purposes, as permitted by law.
Sale or Bankruptcy
We are not responsible for the actions of third parties with whom you share personal or sensitive data, and we have no authority to manage or control third-party solicitations. If you no longer wish to receive correspondence, emails or other communications from third parties, you are responsible for contacting the third party directly.
Cookies and Web Beacons
Website and Email Analytics
You should be aware that getting a new computer, installing a new browser, upgrading an existing browser, or erasing or otherwise altering your browser’s cookies files may also clear certain opt-out cookies, plug-ins, or settings.
SECURITY OF YOUR INFORMATION
We use administrative, technical, and physical security measures to help protect your personal information. While we have taken reasonable steps to secure the personal information you provide to us, please be aware that despite our efforts, no security measures are perfect or impenetrable, and no method of data transmission can be guaranteed against any interception or other type of misuse. Any information disclosed online is vulnerable to interception and misuse by unauthorized parties. Therefore, we cannot guarantee complete security if you provide personal information.
POLICY FOR CHILDREN
We do not knowingly solicit information from or market to children under the age of 13. If you become aware of any data we have collected from children under age 13, please contact us using the contact information provided below.
CONTROLS FOR DO-NOT-TRACK FEATURES
OPTIONS REGARDING YOUR INFORMATION
You may at any time review or change the information in your account or terminate your account by:
- Logging into your account settings and updating your account
- Contacting us using the contact information provided below
Emails and Communications
If you no longer wish to receive correspondence, emails, or other communications from us, you may opt-out by:
- Noting your preferences at the time you register your account with the Site [or our mobile application]
- Logging into your account settings and updating your preferences.
- Contacting us using the contact information provided below
If you no longer wish to receive correspondence, emails, or other communications from third parties, you are responsible for contacting the third party directly.
CALIFORNIA PRIVACY RIGHTS
California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us using the contact information provided below.
If you are under 18 years of age, reside in California, and have a registered account with the Site [or our mobile application], you have the right to request removal of unwanted data that you publicly post on the Site [or our mobile application]. To request removal of such data, please contact us using the contact information provided below, and include the email address associated with your account and a statement that you reside in California. We will make sure the data is not publicly displayed on the Site [or our mobile application], but please be aware that the data may not be completely or comprehensively removed from our systems.
[City, State Zip]
Numerous laws worldwide govern what businesses can do with the personal data of their users, and email addresses are considered personal data.
Running afoul of these laws can result in large fines, such as the €50 million (about $56 million) GDPR fine imposed on Google by the French regulator CNIL for the inappropriate processing of users’ personal data.
At the heart of most data processing laws is consent — your users need to consent to receive marketing emails and newsletters. You’re also required to provide users with the option of opting out of (i.e., unsubscribing from) promotional emails at any time.
When obtaining consent for email marketing, you must be upfront about the purpose of email address collection. You cannot assume that consent obtained for a specific purpose (e.g., “sign me up for your monthly newsletter”) extends to other activities (e.g., daily or weekly promotional emails).
3. Laws that Require Email Clauses in Privacy Policies and Govern Email Marketing
The internet opens up your business to customers worldwide, but it also increases legal compliance challenges, as your users can be located anywhere around the world.
Some laws, such as the General Data Protection Regulation (GDPR) and the California Online Privacy Protection Act (CalOPPA), have extraterritorial scope. This means that your company, no matter its location, is subject to those laws if your users are residents of the EU or California, respectively.
Curious to know how laws like the GDPR are enforced in the US? Our GDPR requirements for US companies guide has the answers you’re looking for.
For this reason, make sure your marketing efforts satisfy the requirements of the strictest laws worldwide (or at least the strictest laws in the territories in which you intentionally target users) to minimize noncompliance risks.
Below are summaries of the strictest and most prominent laws that directly affect your email marketing newsletters and campaigns.
The General Data Protection Regulation & ePrivacy Directive
The GDPR is a European Union (EU) law passed to protect the personal data of individuals in the EU and the wider European Economic Area (hereafter referred to as the EEA). It places strict requirements on how businesses collect, process, and share the personal data of people in the EEA.
Under the GDPR, personal data is any information relating to an identified or identifiable natural person, which includes obvious identifiers such as first and last names and email addresses, but also data that identifies someone only in combination with other data, such as an IP address or a device ID.
As touched upon earlier, the GDPR has extraterritorial scope, meaning that if you target users in the EEA, your company needs to comply with this law no matter where it’s located.
The ePrivacy Directive is another EU law that regulates (among many other things) electronic communications, particularly unsolicited business communications (aka spam). Under Article 13 of the directive, promotional emails may be sent to individuals in the EU only with their prior consent, subject to a narrow exception for existing customers described below.
A new EU law based on the ePrivacy Directive is in the works. Read all about it in our ePrivacy Regulation summary.
The GDPR primarily governs how you obtain consent and how you process personal data, whereas the ePrivacy Directive complements the GDPR by establishing rules for direct marketing.
To ensure that your email marketing efforts are not in conflict with the GDPR or the ePrivacy Directive, you need to:
Obtain free and informed consent for email marketing
Consent is especially important for individuals who are not yet your customers. Some legal analysts hold that emailing existing customers does not require consent under the GDPR alone, as the company can cite the legal basis of legitimate interest. The ePrivacy Directive, however, sets the stricter rule: as long as it is in effect, you need prior consent before sending any email marketing to individuals in the EEA. Its one exception (the so-called soft opt-in) applies only where you obtained the address from a customer in the course of a sale, you market only your own similar products or services, and you offered a free and easy opt-out both at collection time and in every subsequent message. If your campaign does not meet all three conditions, get consent.
Most companies get express permission to send marketing emails by adding a checkbox (for receiving emails) to a signup form, page, or pop-up.
Provide an opt-out method
Under the GDPR, users have the right to object to the processing of their personal data. One way to enable your users to exercise this right is by including an unsubscribe link in all of your marketing emails (and then, of course, by honoring the unsubscribe request).
To satisfy ePrivacy Directive rules, the sender (your company) should identify itself clearly. Within the email, you should also include a valid contact address (postal or email) where users can direct any requests or complaints.
Under EU law, a directive (unlike a regulation such as the GDPR) only sets objectives, such as preventing spam; how those objectives are achieved is left to each member state’s own implementing legislation, so the details vary from country to country. For example, the UK implemented the ePrivacy Directive through the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which remain in force after Brexit.
Act on data subject access requests (DSARs)
The GDPR gives individuals in the EEA the right to access the personal data that companies hold about them, and the right to have that data erased. You should have a mechanism in place to handle such requests, as email marketing — by definition — involves the processing of personal data.
Worried about how to handle your first DSAR? Follow this simple how-to guide.
- How you process user’s personal data (including email addresses)
- Whether that data may be shared with any third parties
- How the user can opt out of further marketing communications
Although the law only requires your website to carry the policy, it’s good practice to include it in your emails and in your email sign-up page/module.
The California Online Privacy Protection Act
- What PII is collected
- How PII is processed
- Whether PII is shared with third parties
- How users can request to have their PII deleted
In the US, California is often the pioneer when it comes to personal data protection laws. When the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, it created another chapter in California’s privacy and data protection legacy.
The Controlling the Assault of Non-Solicited Pornography and Marketing Act
The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) regulates commercial emailing at the federal level within the United States. Its key rules are as follows:
- Adopt honest practices: Use non-deceptive subject lines and “from” addresses
- Label ads: Promotional emails need to be labeled as such, clearly and conspicuously
- Warn of explicit content: If your email contains any sexually explicit content, the subject line must begin with the label “SEXUALLY-EXPLICIT:” as prescribed by the FTC’s rule under the Act
- Assume responsibility: Even if you’ve outsourced your marketing or promotional activities to a third party, your business is still primarily responsible for complying with the law
In addition, similar to the rules under the GDPR/ePrivacy directive, you need to:
- Identify yourself
- Provide an opt-out method
Want to be doubly sure you’re not inadvertently breaking the law? Use double opt-in instead of single opt-in as your means of consent.
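The consent checkbox, the double opt-in and the unsubscribe link discussed in this section and in the GDPR section above are normally implemented with signed links, and an unsigned `?email=…` link gets both halves wrong: anyone can subscribe a stranger (list bombing) and anyone can unsubscribe someone else. The following is an added example and is not code from this article or from any of the providers it names. It issues HMAC-signed confirmation tokens that expire, non-expiring unsubscribe tokens, records the time of the confirmed consent (the evidence the GDPR and CASL expect you to keep), and builds the `List-Unsubscribe` headers that let mail clients show a one-click unsubscribe button. `SECRET_KEY`, `BASE_URL`, the list name and the addresses are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Assumptions, not from the article: a server-side secret (generate it with os.urandom)
# and a hypothetical sender domain. Confirmation links expire; unsubscribe links never do.
SECRET_KEY = b"replace-with-32-random-bytes-kept-server-side"
BASE_URL = "https://news.example.com"
CONFIRM_TTL = 48 * 3600


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(purpose: str, list_id: str, email: str, expires: Optional[int]) -> str:
    """Sign 'purpose|list|exp|email' with HMAC-SHA256. The address comes last so that
    a '|' inside it cannot shift the other fields when the token is parsed again."""
    exp = "" if expires is None else str(expires)
    payload = f"{purpose}|{list_id}|{exp}|{email.strip().lower()}".encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_token(token: str, purpose: str, now: Optional[int] = None) -> Optional[tuple[str, str]]:
    """Return (list_id, email) for a genuine, unexpired token of the given purpose, else None."""
    try:
        body, mac = token.split(".", 1)
        payload, given = _unb64(body), _unb64(mac)
    except ValueError:  # malformed or not base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return None  # forged or tampered: only payloads we signed get past this point
    got_purpose, list_id, exp, email = payload.decode().split("|", 3)
    if got_purpose != purpose:
        return None  # a confirm link must not double as an unsubscribe link, or vice versa
    if exp and int(exp) < (now if now is not None else int(time.time())):
        return None  # confirmation link expired
    return list_id, email


class SubscriptionStore:
    """In-memory stand-in for the mailing-list table (a real deployment persists this)."""

    def __init__(self) -> None:
        self.pending: dict[tuple[str, str], int] = {}
        self.subscribed: dict[tuple[str, str], dict] = {}

    def request_subscription(self, list_id: str, email: str, now: int) -> str:
        """Double opt-in, step 1: record the request and return the link to email out.
        Nothing is sent to the list yet; anyone can type a stranger's address here."""
        key = (list_id, email.strip().lower())
        self.pending[key] = now
        token = make_token("confirm", list_id, email, now + CONFIRM_TTL)
        return f"{BASE_URL}/confirm?t={token}"

    def confirm(self, token: str, now: int) -> bool:
        """Step 2: only the mailbox owner could have clicked the link, so this is the
        consent event. Store when it happened; that record is your proof of consent."""
        key = verify_token(token, "confirm", now)
        if key is None or key not in self.pending:
            return False
        self.subscribed[key] = {"requested_at": self.pending.pop(key), "consented_at": now}
        return True

    def unsubscribe_url(self, list_id: str, email: str) -> str:
        return f"{BASE_URL}/unsubscribe?t={make_token('unsub', list_id, email, None)}"

    def unsubscribe(self, token: str) -> bool:
        """Honour the opt-out. Idempotent: a second click on the same link still succeeds."""
        key = verify_token(token, "unsub")
        if key is None:
            return False
        self.subscribed.pop(key, None)
        return True

    def is_subscribed(self, list_id: str, email: str) -> bool:
        return (list_id, email.strip().lower()) in self.subscribed

    def unsubscribe_headers(self, list_id: str, email: str) -> dict[str, str]:
        """Headers for every marketing message (RFC 2369 / RFC 8058) so mail clients can
        offer an Unsubscribe button that works without the user hunting through the footer."""
        return {
            "List-Unsubscribe": f"<{self.unsubscribe_url(list_id, email)}>",
            "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
        }
```

The confirmation token carries an expiry because a stale link in a forwarded mailbox should not be able to create consent months later; the unsubscribe token carries none because an opt-out link in an old email must keep working. Both are bound to a purpose so a confirmation link cannot be replayed as an unsubscribe (or the reverse), and the MAC is compared with `hmac.compare_digest` to avoid a timing side channel.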
Canada’s Anti-Spam Legislation
Similar to the CAN-SPAM Act, Canada’s Anti-Spam Legislation (CASL) regulates digital marketing activities in Canada.
As with the other laws mentioned above, CASL requires the following:
- Obtain informed user consent before sending promotional emails
- Provide an opt-out mechanism within marketing emails
- Include a postal address — as well as an email, phone number, or website address — within marketing emails
Two features of CASL stand out. Consent that is merely implied (for example, from an existing business relationship such as a purchase) expires two years after the transaction that created it and must then be renewed or replaced by express consent, which is why Canadian senders periodically ask subscribers to re-confirm. And any opt-out (unsubscribe) request must be fulfilled within 10 business days.
If your business targets users worldwide, your marketing practices must be compliant with both:
- the laws where your business is registered, and
- the laws of your target territories
- What personal data you collect (e.g., email addresses, first names, last names)
- How this personal data might be used (e.g., to send promotional emails)
- Whether this personal data might be shared with any third parties (e.g., MailChimp, Google Analytics)
- How a user can opt out of promotional emails (e.g., clicking the unsubscribe link in the email or by writing to a specified email or postal address)
- How a user can contact the sender of the promotional emails (e.g., a postal address or a valid email address)
- Whether email analytics are tracked (and if yes, which)
Web and email analytics tools like Google Analytics collect numerous personal data items, such as IP addresses and locations. Stay on the right side of the law by following our Google Analytics GDPR guide.
5. Special Considerations for Email Newsletters
When running an email newsletter campaign, follow these best practices to ensure that you’re on the right side of the law, and that you’re giving the necessary information and control to your users:
- Make your business identity clear: Identify your business by using an appropriate sender name and by including a valid postal address.
- Provide an unsubscribe link or button: Include in your email an easy way for users to opt out of future promotional emails.
Most of these elements are typically found in the footers of emails, as can be seen in the examples below.
Some laws, like CalOPPA, have specific rules against deceptive practices, such as making it difficult to view or click the unsubscribe link. We strongly recommend you don’t adopt such practices. Apart from being potentially illegal, such acts will damage your brand, as you’ll lose the trust and goodwill of your users.
6. Examples of Email Privacy Policies & Compliant Marketing Emails
The two examples that follow illustrate the legal requirements and best practices for email privacy policies and email newsletters.
The New York Times
Here’s the footer area of a New York Times (NYT) email newsletter:
Let’s compare this against Termly’s checklist from the previous section:
- What personal data you collect [Section 1] ✔
- How this personal data might be used [Section 2] ✔
- Whether this personal data would be shared with any third parties [Section 3] ✔
- How the user can opt out of promotional emails (e.g., clicking the unsubscribe link in the email or by writing to a specified email or postal address) [Section 6] ✔
- How the user can contact the sender of the promotional emails (e.g., a postal address or a valid email address) [Contact us on the page; not shown in image] ✔
- Whether and which email analytics are tracked [Section 4] ✔
MailChimp Email Marketing
With nearly 60% of the market share, MailChimp is the current leader in email marketing technologies.
When using third-party services like MailChimp, you and MailChimp share the responsibility of complying with data protection and related laws.
For example, under the GDPR, you would be the data controller, and MailChimp would be the data processor, two entities with different legal obligations.
Other third-party newsletter and related service providers
The controller/processor split described for MailChimp applies equally to any other third-party service provider you use for email marketing: you remain responsible for the consent you collect and the policy you publish, and the provider is responsible for processing only on your instructions. Examples of third-party service providers relevant to email newsletters include:
- Amazon Simple Email Service
Another way to boost trust with your users is to have a well-written return policy. You can use our return policy template for reference on how to make a clear and concise policy that your customers can easily understand.
Despite the emergence and onslaught of social media and influencer marketing, email marketing remains an essential component of almost every company’s marketing arsenal. This isn’t surprising, given that:
- 99% of consumers check their email every day
- 85% of US retailers deem email marketing the most effective for customer acquisition
- 73% of millennials prefer business communications through email