Failure to do so can result in massive penalties.
- Laws that Require Email Clauses in Privacy Policies & Govern Email Marketing
- Considerations for Email Newsletters
- Examples of Email Privacy Policies & Compliant Marketing Emails
Numerous laws worldwide govern what businesses can do with the personal data of their users, and email addresses are considered personal data.
Running afoul of these laws can result in large fines, such as the $56 million Google GDPR fine for the inappropriate processing of users’ personal data.
At the heart of most data processing laws is consent — your users need to consent to receive marketing emails and newsletters. You’re also required to provide users with the option of opting out of (i.e., unsubscribing from) promotional emails at any time.
When obtaining consent for email marketing, you must be upfront about the purpose of email address collection. You cannot assume that consent obtained for a specific purpose (e.g., “sign me up for your monthly newsletter”) extends to other activities (e.g., daily or weekly promotional emails).
3. Laws that Require Email Clauses in Privacy Policies & Govern Email Marketing
The internet opens up your business to customers worldwide, but it also increases legal compliance challenges, as your users can be located anywhere around the world.
Some laws, such as the General Data Protection Regulation (GDPR) and the California Online Privacy Protection Act (CalOPPA), have extraterritorial scope. This means that your company, no matter its location, is subject to those laws if your users are residents of the EU or California, respectively.
For this reason, make sure your marketing efforts satisfy the requirements of the strictest laws worldwide (or at least the strictest laws in the territories where you intentionally target users) to minimize noncompliance risks.
Below are summaries of the strictest and most prominent laws that directly affect your email marketing newsletters and campaigns.
The General Data Protection Regulation & ePrivacy Directive
The GDPR is a European Union (EU) law passed to protect the personal data privacy of residents of the European Economic Area and Switzerland (hereafter referred to as the EEA). It places strict requirements on how businesses collect, process, and share the personal data of EEA residents.
Under the GDPR, personal data is defined as any data that can be used to identify an individual, such as first and last names and email addresses.
As touched upon earlier, the GDPR has extraterritorial scope, meaning that if you target users in the EEA, your company needs to comply with this law no matter where it’s located.
The ePrivacy Directive is another EU law that regulates (among many other things) email communications, particularly unsolicited business communications (aka spam). This directive makes it illegal to send promotional emails to users in the EU without their consent.
The GDPR primarily governs how you obtain consent and how you process personal data, whereas the ePrivacy Directive complements the GDPR by establishing rules for direct marketing.
To ensure that your email marketing efforts are not in conflict with the GDPR or the ePrivacy Directive, you need to:
Obtain free and informed consent for email marketing
Consent is especially important for individuals who are not yet your customers. Some legal analysts hold that emailing existing customers does not require user consent, as the company can cite the legal basis of GDPR legitimate interest. Nevertheless, as long as the ePrivacy Directive is in effect, you need to obtain consent prior to sending any form of email marketing to individuals in the EEA.
Provide an opt-out method
Under the GDPR, users have the right to object to the processing of their personal data. One way to enable your users to exercise this right is by including an unsubscribe link in all of your marketing emails (and then, of course, by honoring the unsubscribe request).
To satisfy ePrivacy Directive rules, the sender (your company) should identify itself clearly. Within the email, you should also include a valid contact address (postal or email) where users can direct any requests or complaints.
Keep in mind that the implementation of these rules may differ from country to country. According to EU law, unlike regulations (e.g., the GDPR), directives state only objectives (e.g., to prevent spam).
The methods used to achieve objectives are left to the discretion of the individual EU members. For example, the UK implements the ePrivacy Directive through the Privacy and Electronic Communications Regulations (PECR) Act.
Act on data subject access requests (DSARs)
The GDPR affords EEA residents the right to review their personal data held by companies. Users also have the right to request that companies delete this data. You should have a mechanism in place to handle such requests, as email marketing — by definition — involves the processing of personal data.
Your privacy policy should also disclose:
- How you process users’ personal data (including email addresses)
- Whether that data may be shared with any third parties
- How the user can opt out of further marketing communications
Although the law only requires your website to carry the policy, it’s good practice to include it in your emails and in your email sign-up page/module.
The California Online Privacy Protection Act
CalOPPA requires a privacy policy that discloses:
- What personally identifiable information (PII) is collected
- How PII is processed
- Whether PII is shared with third parties
- How users can request to have their PII deleted
The Controlling the Assault of Non-Solicited Pornography and Marketing Act
The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) regulates commercial emailing at the federal level within the United States. Its key rules are as follows:
- Adopt honest practices: Use non-deceptive subject lines and “from” addresses
- Label ads: Promotional emails need to be labeled as such, clearly and conspicuously
- Warn of explicit content: If your email contains any explicit content, the subject line needs to start with the phrase “SEXUALLY EXPLICIT”
- Assume responsibility: Even if you’ve outsourced your marketing or promotional activities to a third party, your business is still primarily responsible for complying with the law
In addition, similar to the rules under the GDPR/ePrivacy Directive, you need to:
- Identify yourself
- Provide an opt-out method
Canada’s Anti-Spam Legislation
Similar to the CAN-SPAM Act, Canada’s Anti-Spam Legislation (CASL) regulates digital marketing activities in Canada.
As with the other laws mentioned above, CASL requires the following:
- Obtain informed user consent before sending promotional emails
- Provide an opt-out mechanism within marketing emails
- Include a postal address — as well as an email, phone number, or website address — within marketing emails
A unique feature of CASL is that consent obtained is valid only for 2 years, following which it must be renewed, and any opt-out (unsubscribe) requests must be fulfilled within 10 business days.
If your business targets users worldwide, your marketing practices must be compliant with both:
- the laws where your business is registered, and
- the laws of your target territories
The email marketing clause of your privacy policy should state at least the following:
- What personal data you collect (e.g., email addresses, first names, last names)
- How this personal data might be used (e.g., to send promotional emails)
- Whether this personal data might be shared with any third parties (e.g., MailChimp, Google Analytics)
- How a user can opt out of promotional emails (e.g., by clicking the unsubscribe link in the email or by writing to a specified email or postal address)
- How a user can contact the sender of the promotional emails (e.g., a postal address or a valid email address)
- Whether email analytics are tracked (and if so, which)
5. Considerations for Email Newsletters
When running an email newsletter campaign, follow these best practices to ensure that you’re on the right side of the law, and that you’re giving the necessary information and control to your users:
- Make your business identity clear: Identify your business by using an appropriate sender name and by including a valid postal address.
- Provide an unsubscribe link or button: Include in your email an easy way for users to opt out of future promotional emails.
Most of these elements are typically found in the footers of emails, as can be seen in the examples below.
Some laws, like CalOPPA, have specific rules against deceptive practices, such as making it difficult to view or click the unsubscribe link. We strongly recommend you don’t adopt such practices. Apart from being potentially illegal, such acts will damage your brand, as you’ll lose the trust and goodwill of your users.
6. Examples of Email Privacy Policies & Compliant Marketing Emails
The two examples that follow illustrate the legal requirements and best practices for email privacy policies and email newsletters.
The New York Times
Here’s the footer area of a New York Times (NYT) email newsletter:
Let’s compare this against Termly’s checklist from the previous section:
MailChimp Email Marketing
With nearly 60% of the market share, MailChimp is the current leader in email marketing technologies.
When using third-party services like MailChimp, you and MailChimp share the responsibility of complying with data protection and related laws.
For example, under the GDPR, you would be the data controller, and MailChimp would be the data processor, two entities with different legal obligations.
Other third-party newsletter and related service providers
MailChimp’s guidelines for email marketing also apply to any third-party service provider that you may use for that purpose. Examples of third-party service providers relevant to email newsletters include:
- Amazon Simple Email Service
Despite the emergence and onslaught of social media and influencer marketing, email marketing remains an essential component of almost every company’s marketing arsenal. This isn’t surprising, given that:
- 99% of consumers check their email every day
- 85% of US retailers deem email marketing the most effective for customer acquisition
- 73% of millennials prefer business communications through email