If your business uses email marketing, you may be legally required to have a privacy policy that details what you do with your users’ email addresses and other personal data.
Your privacy policy for emails informs your users about if and how you collect, use, share, or sell their personal data and is required by data privacy laws like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and more.
Over 60% of small businesses use email marketing (Campaign Monitor), and we’re here to help make sure your campaigns are data privacy law compliant.
In this article, we explain why you need a privacy policy for email marketing, discuss what laws require it, show real-world examples, and provide you with our free privacy policy for email marketing template.
If you send marketing emails, you may be legally required to link to a privacy policy.
If you need a refresher, a privacy policy is a document that outlines:
What personal data you collect from your users
Where the personal data is collected from
Why you collect the personal data
How you collect the personal data from your users
Who you share the information with or sell it to
What rights users have over their personal data
Your company’s contact information
The privacy policy you post for your email marketing can be the same one you use for your website or app, but it must include a clause covering your email marketing practices.
Your privacy policy’s email marketing clause should outline details such as:
Any use of free email list generators or purchasing of emails
What third-party platforms you rely on or share data with
How users can opt out of receiving any future communications from you
Why You Need a Clause for Emails in Your Privacy Policy
You need a clause in your privacy policy explaining what you do with your users’ personal data collected through email marketing, or you risk facing legal repercussions, significant fines, and a tarnished public image.
Email marketing is legally considered a form of personal data collection, because through your emails you can gather details about your users such as:
Email addresses, names, locations, birthdates, and other data gathered at sign-up
Demographic information missing from the sign-up data
Your users’ online activities, tracked through web beacons
What devices your users are using
Let’s discuss the reasons for including a clause for emails in your privacy policy in more detail.
Legal Repercussions and Fines
Several laws worldwide govern how businesses can legally send marketing emails to consumers, and running afoul of these laws may result in hefty fines.
Take, for example, the $56.8 million fine Google received in 2019 for the inappropriate processing of users’ personal data, which isn’t even considered one of the biggest GDPR fines anymore.
You might think there’s no way these laws can affect a company like yours, but many data privacy laws have an extraterritorial scope. That means no matter where your business is located, your company is subject to the laws as long as your users are residents of the areas protected by the data privacy legislation.
For example, the California Online Privacy Protection Act (CalOPPA) applies to your website or app if any of your users come from California.
Under CalOPPA, you must have a privacy policy posted on your website with an email marketing clause outlining what you collect and do with any personal information gathered from your users.
Tarnished Public Image
Besides the legal repercussions associated with not posting a privacy policy in your marketing emails, some alarming data privacy statistics suggest that you also risk losing your consumers’ trust and tarnishing your business’s public reputation.
Now more than ever, people care about their privacy and want to know they can trust your company with their personal data.
You can help retain customers and foster transparency and integrity by sharing a thorough privacy policy that outlines your email marketing practices.
48% of consumers have stopped shopping with a company over data privacy concerns. (Tableau).
Laws that Require Email Clauses in Privacy Policies & Govern Email Marketing
The major laws that govern email marketing or require email clauses in your privacy policy are:
The internet opens up your business to customers worldwide, but it also increases legal compliance challenges, as your users can be located anywhere. Some of these laws therefore apply to your business if you target certain users, regardless of where your business is located.
Let’s go over each of these laws in more detail together.
The General Data Protection Regulation (GDPR) and ePrivacy Directive
If you target users in the European Union (EU) or the European Economic Area (EEA) and meet certain thresholds, then your business falls under the GDPR and ePrivacy Directive and must comply with those data privacy guidelines for email marketing.
These two data privacy laws work in tandem with one another, but the ePrivacy Directive makes it illegal for you to send promotional emails to your users in the EU without their consent. The GDPR, on the other hand, governs how you obtain consent and process your users’ personal data.
These laws define personal information as any data that can directly or indirectly identify an individual, including email addresses.
Your ePrivacy Directive and GDPR email marketing compliance must include:
Identifying yourself (your company) clearly within the email and providing contact information
Obtaining freely given, informed consent from users before sending emails or gathering any data
Providing an opt-out method, or ‘unsubscribe’ link, for users to change their minds at any time
Your privacy policy must either include a clause covering your email marketing practices or be a designated privacy policy for your email marketing campaigns. Your policy also needs to outline all of the following details:
How you process your users’ personal data
Whether you may sell or share the data with any third parties
How the user can opt out of further marketing communications
Some legal analysts hold that emailing existing customers does not require consent, as your company could cite the legal basis of GDPR legitimate interest. However, this is still a key issue within the GDPR, and as long as the ePrivacy Directive is in effect, you need consent before sending any emails to individuals within the EEA.
It’s also important to note that how you implement these rules may differ from country to country, as the methods used to achieve the objectives outlined above are left to the discretion of the individual EU members.
Data Controllers, Processors, and Privacy Policies
If your company falls under the jurisdiction of the GDPR, you’re considered a data controller, and you must follow specific regulations with your email marketing, or else you risk:
Fines of up to 4% of your gross annual income or €23 million ($24 million), whichever is higher
Losing the trust of your customers
Under this law, the users you send emails to are considered the data subjects, and if you use a third-party service like Mailchimp or Hubspot, they become your data processor.
As a data controller, you must:
Enter into a contract with your chosen data processor
Inform your data subjects about what third-party data processors you use
Link to your data processor’s privacy policy within your own
Your data subjects need to be able to read and agree to both your email marketing client’s privacy policy and your own privacy policy before any data collection begins.
You and your company are responsible if your data processor breaks any of the GDPR regulations.
Always be mindful when choosing your email marketing client, and ensure that they follow the same data privacy laws that your company is subject to.
The California Consumer Privacy Act (CCPA)
If your business collects consumer data from California residents and meets certain thresholds, it falls under the CCPA, which requires you to at least outline your email marketing practices in a clause within your privacy policy.
The CCPA grants users the right to request what personal data you collect, use, share, or sell about them, and email addresses qualify as personal information.
The California Privacy Rights Act (CPRA) expands the CCPA by granting consumers more rights, establishing an enforcement agency, and placing some new requirements on organizations.
The California Online Privacy Protection Act (CalOPPA)
If your business serves residents of California, the CalOPPA applies to you and requires that you post a privacy policy on your website or app that at least includes a clause explaining your email marketing activities.
Under this law, email addresses are considered personal information, so the details must be outlined in your privacy policy.
This was one of the earliest personal data protection regulations in the US, and it requires that you include the following information in your privacy agreement:
What personal information is collected
How the information is processed
If you share the personal information with third parties
How users can request to have their personal information deleted
The CalOPPA, the CCPA, and the CPRA work in conjunction with one another, and a well-written privacy policy with an email clause can help you abide by all three.
The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
If your company sends commercial emails of any kind to American users, you must abide by the CAN-SPAM Act, which impacts your email marketing because it requires you to include an unsubscribe link.
While this law does not necessarily dictate what your email marketing clause in your privacy policy should look like, it does govern your email marketing practices.
For example, the other key rules of this law are:
Adopt honest practices: Use non-deceptive subject lines and “from” addresses
Label ads: Promotional emails need to be labeled as such, clearly and conspicuously
Warn of explicit content: If your email contains any explicit content, the subject line needs to start with the phrase “SEXUALLY EXPLICIT”
Assume responsibility: Even if you’ve outsourced your marketing or promotional activities to a third party, your business is still primarily responsible for complying with the law
Identify yourself: Like the GDPR requirements, you also must identify your company in all marketing emails you send.
Personal Information Protection and Electronic Documents Act (PIPEDA)
If your business is located in Canada, or if you pass data across provincial borders, then you must follow the ten fair information principles outlined by PIPEDA, which means putting a clause about your email marketing within your privacy policy.
The ten fair information principles of PIPEDA are:
Accountability
Identifying purposes
Consent
Limiting collection
Limiting use, disclosure, and retention
Accuracy
Safeguards
Openness
Individual access
Challenging compliance
Under this law, email addresses qualify as personal information. One way you can comply is by creating a privacy policy that addresses your commitment to keeping your users’ personal data safe, including the data you gather through email marketing.
Canada’s Anti-Spam Legislation (CASL)
If you send marketing emails to Canadians, you must follow the guidelines outlined by CASL, which does not impact your privacy policy but does govern your email marketing practices.
The requirements of CASL are as follows:
Obtain informed user consent before sending promotional emails
Provide an opt-out mechanism within marketing emails
Include a postal address — as well as an email, phone number, or website address — within marketing emails
A unique feature of CASL is that consent you obtain is only valid for two years. You must request consent again after that time elapses and fulfill any opt-out or unsubscribe requests within ten business days.
If you use a third-party service for your marketing emails or newsletter, they most likely require you to have a privacy policy in place to use their platform because this helps them ensure they’re abiding by relevant data privacy laws that affect them.
For example, The CM Group owns the following email marketing platforms:
Campaign Monitor
Emma
Liveclicker
Sailthru
Selligent
Vuture
Look at the highlighted text in their service agreement below, which requires their customers to create their own privacy policies and applies to all six of their email marketing groups.
Another popular email marketing company is Mailchimp, who also stipulates in their terms of use, shown below, that you must explain your own data collection practices in a privacy policy to use their services.
To remain compliant with laws like the GDPR, you should also link to the third-party privacy agreements within your email marketing clause so your users are properly informed about every service you use that has access to their data.
Essential Things to Cover in Your Privacy Policy for Email Marketing
There are additional essential things you must cover in your privacy policy for email marketing:
User consent to receiving marketing emails
How users can unsubscribe or opt out of receiving emails
What you do with your users’ data after they opt out
Let’s talk about each of these in more detail below.
User Consent and Email Marketing
Under the major data privacy laws like the GDPR, freely given consent is required from your users before any data collection starts.
When obtaining consent for email marketing, you must be upfront about the purpose of email address collection.
You can’t assume that consent obtained for a specific purpose extends to other activities.
For example, if a user agrees to receive a monthly newsletter from you, you cannot use that as evidence that they also consent to receive your daily or weekly promotional emails. Doing so could get you in trouble with the GDPR or other similar laws.
Make sure your users know what they’re agreeing to if they sign up for your marketing emails, and properly outline that information in a clause in your privacy policy.
How Users Can Unsubscribe from Your Marketing Emails
We’ve mentioned this a few times throughout the article, but multiple data privacy laws require you to provide your users with a way to opt out of or unsubscribe from your emails, which you should outline in your privacy policy.
At the heart of most data processing laws is consent — you need to make it just as easy for your users to opt out of receiving promotional emails from you as it is for them to opt into the emails.
Within the email marketing clause of your privacy policy, outline your users’ right to unsubscribe, provide direction for how they can follow through on that right, and state if they will still receive any emails from you besides marketing ones.
What You Do With Data After Users Unsubscribe from Marketing Emails
Some data privacy laws, like the GDPR, outline how long you’re allowed to keep personal data, so you must describe this in the email marketing clause in your privacy policy.
The GDPR also grants data subjects the right to be forgotten, or to have their data erased, so you need to provide your users with a way they can follow up on this right, which you can outline in a clause in your privacy policy.
You might be able to prove you have a legal basis for keeping some data after a user unsubscribes from your marketing emails, especially if they still keep an open account with your company. If this is relevant to your business, clearly describe the process you follow in your email marketing clause.
Examples of Email Marketing Clauses in Privacy Policies
As promised, let’s go over some real-world examples of email marketing clauses that appear in privacy policies, which might help you when you go to make your own.
The New York Times
A great example of a privacy policy that includes the necessary information about email marketing comes from the New York Times (NYT).
They mention their email marketing and newsletters directly in the introduction of their privacy agreement, as shown in the example below.
The NYT references whenever specific data could be collected through emails throughout their entire privacy policy and even outlines the proper way for users to unsubscribe or opt out of their communications, as shown below.
The other essential thing the NYT includes in their privacy policy about email marketing is how their users can exercise any of their data privacy rights specifically regarding emails, as the highlighted text below shows.
When you go to make your own privacy policy for emails and marketing, follow the NYT’s lead and include details about how your users can unsubscribe and follow up on their data privacy rights.
Mailchimp
Next, we’ll look at the privacy policy covering email marketing practices from Mailchimp, which controls nearly 69% of the current market share (Datanyze), making it a leader in email marketing technology.
Because they’re an email marketing platform, they have a separate privacy policy for their emails.
Take a look at the screenshot below, which answers the question of how Mailchimp uses the data they gather about their clients’ contacts.
We like that Mailchimp organizes their email marketing privacy agreement as frequently asked questions, which makes it easy for their users to navigate through.
Mailchimp also thoroughly explains how they store and protect their users’ data, which you should also do in your email marketing privacy policy.
Take a look at the screenshot below, and notice how they even include relevant links to other pages and policies directly in their clauses.
In fact, Mailchimp consistently uses links throughout their entire privacy policy, which we recommend you also do, as this helps your users find the most updated and relevant information related to any questions they might have about your privacy agreement.
In the example below, see how many different links Mailchimp includes in their clause explaining how their users can cancel their account and opt out of future email marketing.
It’s very important that your privacy policy explains your email marketing practices in a way that is easy for your users to read and understand, so that they can genuinely consent to the agreement.
Both the NYT and Mailchimp are great examples to read through for inspiration.
To help you create an email privacy policy that complies with both the laws where your business is registered and the laws of your target territories, we’ve put together a checklist that summarizes the privacy policy requirements of the laws mentioned above.
Email marketing privacy policies should cover:
What personal data you collect (e.g., email addresses, first names, last names)
How this personal data might be used (e.g., to send promotional emails)
Whether this personal data might be shared with any third parties (e.g., MailChimp, Google Analytics)
How a user can opt out of promotional emails (e.g., by clicking the unsubscribe link in the email or by writing to a specified email or postal address)
Whether email analytics are tracked (and if yes, which)
How a user can contact the sender of the promotional emails (e.g., a postal address or a valid email address)
Now let’s go over how you can turn each of the sections mentioned above into clauses in your privacy policy agreement for email marketing.
What Personal Data You Collect from Users
To abide by laws like the GDPR and CCPA, you need to outline what data you collect from your users through email marketing, including web beacons, cookies, or other trackers.
See an email privacy policy example below from the marketing platform Emma; the highlighted text emphasizes their use of cookies placed on browsers through emails their clients send.
We like how Emma separates their agreement into information given to them by individuals versus information they collect automatically; this is a good way to organize this clause for your users.
How You Might Use the Personal Data You Collect
Another requirement from several data privacy laws like the GDPR and the CCPA is to inform your users about how you use the personal data you collect about them, which you can outline in a clause.
The sample below comes from Mailchimp and explains what they do with the data they gather about their clients’ users.
If You Share or Sell the Personal Data and With Whom
Laws like the GDPR and the CCPA require you to tell your users if you share or sell their personal data, and if so, who you sell it to or share it with, including the data that comes from your email marketing campaigns.
Below, we’re using Emma as our example again, as we like how clearly they describe why they might share data with any third parties.
How Your Users Can Opt Out of Marketing Emails
Multiple data privacy and marketing laws like the GDPR, ePrivacy Directive, CASL, and CAN-SPAM require you to include an unsubscribe option for your users in all of your marketing emails, but you also need to outline this process in a clause in your privacy policy.
In the example below, see how the clothing store brand Nordstrom communicates how their users can unsubscribe from marketing emails in their privacy policy.
Details About if Your Email Analytics Include Cookies or Trackers
Because marketing emails can contain web beacons, trackers, or other cookies that get stored on users’ browsers, you must outline if you use any and which ones within your privacy policy to comply with laws like the GDPR and the CCPA.
This is a great place to put a link to your cookie policy, like how Emma does it in their privacy policy, shown below.
How Your Users Can Contact You About Your Promotional Emails
Under laws like the GDPR, ePrivacy Directive, and CAN-SPAM, you must include identifying information about your company, including contact information, in your email marketing materials, but you should also put this information somewhere in your privacy policy.
The screenshot below shows how the New York Times lists their contact information as well as the details for their data controller, Wirecutter, which is highlighted.
Email Marketing Privacy Policy Template [Full Text and Download]
Click the box below to see a privacy policy sample — which includes the necessary clauses on email marketing — or click the button beneath it to download the privacy policy template in a Microsoft Word doc file.
Website Privacy Policy Template [Text Format]
PRIVACY NOTICE
Last updated [Date]
This privacy notice for [Company Name] (doing business as [Company Short Name]) ("Company," "we," "us," or "our"), describes how and why we might collect, store, use, and/or share ("process") your information when you use our services ("Services"), such as when you:
Visit our website at [Website URL], or any website of ours that links to this privacy notice
[Download and use our application(s), such as our mobile application — [Mobile App Name], our Facebook application — [Facebook App Name], or any other application
You’ve learned about email privacy laws, compliance newsletter ideas, and more. Now check out some of our most frequently asked questions we get about email marketing and data privacy.
Is a privacy policy required for emails?
Yes, your business is required by law and third-party email marketing services to have and display a privacy policy if you send marketing emails.
Does the GDPR apply to emails?
Yes, the GDPR applies to your use of marketing emails if your business falls under the jurisdiction of the law, and it requires you to get user consent before sending any marketing emails.
What are GDPR rules about emails?
Under the GDPR, you must get user consent or prove another legal basis before you’re legally allowed to send your users any marketing emails because emails qualify as personal information.
Within your marketing emails, you also must:
Identify your company within the email and provide contact information
When running an email newsletter campaign, follow these best practices to ensure that you’re on the right side of the law, and that you’re giving the necessary information and control to your users.
Obtain Lawful, Free, and Informed Opt-In Consent
If you fall under laws like the GDPR that require consent before email marketing or data collection can begin, make sure you’re getting unambiguous opt-in consent from your users.
We recommend using the clickwrap method for consent, which means you ask users to select a checkbox on their own accord to opt in or agree to receive the newsletter or your email marketing.
In the screenshot example below, see how Slate uses clickwrap consent for their email newsletter sign-ups.
However, your email newsletter sign-up should never contain any pre-checked consent boxes, as these aren’t sufficient for consent under the GDPR.
Include a Privacy Policy Link
Most of the laws we mentioned above require you to inform your users about your personal data tracking practices, which you can do by including a link to your privacy policy in your newsletters or marketing emails.
The example below shows how Pinterest includes a link to their privacy policy in the footer of their marketing emails.
By ensuring that your promotional emails have a privacy policy link, you remain compliant with laws like the GDPR and the CCPA.
Plus, you’re meeting the requirements of any third-party platforms you’re using that might expect you to also share a privacy policy.
Make Your Business Identity Clear
The ePrivacy Directive, the GDPR, the CAN-SPAM act, and PIPEDA all require you to identify your business by using an appropriate sender name within all of your marketing emails.
Don’t skip this step!
Under some of those laws, you also must include proper contact information, so we suggest putting a valid postal address in your marketing emails as well.
We like how Slack does it in their promotional emails, pictured below.
Provide an Unsubscribe Link or Button
Under laws like the CAN-SPAM act, the GDPR, the ePrivacy Directive, CalOPPA, and CASL, you must include some kind of opt-out or unsubscribe method that’s easy for your users to locate and use.
The example below shows how HubSpot includes an unsubscribe link in the footer of their marketing emails.
You should also understand that some laws, like CalOPPA, have specific rules against deceptive practices, so you can’t make it difficult to view or click your unsubscribe link.
We strongly recommend you don’t adopt such sneaky marketing practices.
Apart from being potentially illegal, this type of deceptive behavior could damage your brand, and you might lose the trust and goodwill of your users.
Summary
Email marketing is an essential component for businesses like yours, but you have to outline your practices within a clause in your privacy policy to abide by major data privacy laws like the GDPR, the ePrivacy Directive, the CCPA, CASL, and more.
Don’t let the privacy requirements scare you away from using email marketing, especially when the statistics are in your favor:
85% of US retailers deem email marketing the most effective for customer acquisition (Lyfe Marketing)
68% of millennials prefer business communications through email (HelpLlama)
Termly can help your email marketing comply with relevant data privacy laws.
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes...