If you’re part of the vast majority of marketers and business owners who invest in email marketing, you’re legally required to have a privacy policy that details what you do with the email addresses and other personal data of your users.
Failure to do so can result in massive penalties.
In this article, we provide you with a free privacy policy for email marketing, explain in detail why you need this legal document, and show real-world email privacy policy examples.
- Email Marketing Privacy Policy Template [Full Text and Download]
- Why You Need a Clause for Emails in Your Privacy Policy
- Laws that Require Email Clauses in Privacy Policies & Govern Email Marketing
- Creating an Email Privacy Policy
- Considerations for Email Newsletters
- Examples of Email Privacy Policies & Compliant Marketing Emails
- Conclusion
1. Email Marketing Privacy Policy Template [Full Text and Download]
Click the box below to see a privacy policy for your website — which includes the necessary clauses on email marketing — or click the button beneath it to download the privacy policy template in Microsoft Word and PDF formats.
2. Why You Need a Clause for Emails in Your Privacy Policy
Numerous laws worldwide govern what businesses can do with the personal data of their users, and email addresses are considered personal data.
Running afoul of these laws can result in large fines, such as the $56 million Google GDPR fine for the inappropriate processing of users’ personal data.
At the heart of most data processing laws is consent — your users need to consent to receive marketing emails and newsletters. You’re also required to provide users with the option of opting out of (i.e., unsubscribing from) promotional emails at any time.
When obtaining consent for email marketing, you must be upfront about the purpose of email address collection. You cannot assume that consent obtained for a specific purpose (e.g., “sign me up for your monthly newsletter”) extends to other activities (e.g., daily or weekly promotional emails).
3. Laws that Require Email Clauses in Privacy Policies & Govern Email Marketing
The internet opens up your business to customers worldwide, but it also increases legal compliance challenges, as your users can be located anywhere around the world.
Some laws, such as the General Data Protection Regulation (GDPR) and the California Online Privacy Protection Act (CalOPPA), have extraterritorial scope. This means that your company, no matter its location, is subject to those laws if your users are residents of the EU or California, respectively.
For this reason, make sure your marketing efforts satisfy the requirements of the strictest laws worldwide (or at least the strictest laws in the territories where you intentionally target users) to minimize noncompliance risks.
Below are summaries of the strictest and most prominent laws that directly affect your email marketing newsletters and campaigns.
The General Data Protection Regulation & ePrivacy Directive
The GDPR is a European Union (EU) law passed to protect the personal data privacy of residents of the European Economic Area and Switzerland (hereafter referred to as the EEA). It places strict requirements on how businesses collect, process, and share the personal data of EEA residents.
Under the GDPR, personal data is defined as any data that can be used to identify an individual, such as first and last names and email addresses.
As touched upon earlier, the GDPR has extraterritorial scope, meaning that if you target users in the EEA, your company needs to comply with this law no matter where it’s located.
The ePrivacy Directive is another EU law that regulates (among many other things) email communications, particularly unsolicited business communications (aka spam). This directive makes it illegal to send promotional emails to users in the EU without their consent.
The GDPR primarily governs how you obtain consent and how you process personal data, whereas the ePrivacy Directive complements the GDPR by establishing rules for direct marketing.
To ensure that your email marketing efforts are not in conflict with the GDPR or the ePrivacy Directive, you need to:
Obtain free and informed consent for email marketing
Consent is especially important for individuals who are not yet your customers. Some legal analysts hold that emailing existing customers does not require user consent, as the company can cite the legal basis of GDPR legitimate interest. Nevertheless, as long as the ePrivacy Directive is in effect, you need to obtain consent prior to sending any form of email marketing to individuals in the EEA.
Provide an opt-out method
Under the GDPR, users have the right to object to the processing of their personal data. One way to enable your users to exercise this right is by including an unsubscribe link in all of your marketing emails (and then, of course, by honoring the unsubscribe request).
Identify yourself
To satisfy ePrivacy Directive rules, the sender (your company) should identify itself clearly. Within the email, you should also include a valid contact address (postal or email) where users can direct any requests or complaints.
Keep in mind that the implementation of these rules may differ from country to country. Under EU law, directives, unlike regulations (e.g., the GDPR), set out only objectives (e.g., preventing spam).
The methods used to achieve those objectives are left to the discretion of the individual EU member states. For example, the UK implements the ePrivacy Directive through the Privacy and Electronic Communications Regulations (PECR).
Act on data subject access requests (DSARs)
The GDPR affords EEA residents the right to review their personal data held by companies. Users also have the right to request that companies delete this data. You should have a mechanism in place to handle such requests, as email marketing — by definition — involves the processing of personal data.
Include a privacy policy link in your emails
The privacy policy URL can lead to either a general privacy policy for your website (with specific clauses on email marketing) or a designated privacy policy for your email marketing campaigns. In either case, the privacy policy should specify the following:
- How you process users’ personal data (including email addresses)
- Whether that data may be shared with any third parties
- How the user can opt out of further marketing communications
- Other details necessary for a GDPR privacy policy
Although the law only requires your website to carry the policy, it’s good practice to include it in your emails and in your email sign-up page/module.
The California Online Privacy Protection Act
The California Online Privacy Protection Act (CalOPPA), one of the earliest personal data protection regulations in the US, states that websites which process the personally identifiable information (PII) of any California resident need to have a privacy policy.
Similar to a GDPR-friendly privacy policy, this policy needs to state:
- What PII is collected
- How PII is processed
- Whether PII is shared with third parties
- How users can request to have their PII deleted
Because email addresses are considered PII, your privacy policy should include clauses about your email address collection and email marketing activities.
The Controlling the Assault of Non-Solicited Pornography and Marketing Act
The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) regulates commercial emailing at the federal level within the United States. Its key rules are as follows:
- Adopt honest practices: Use non-deceptive subject lines and “from” addresses
- Label ads: Promotional emails need to be labeled as such, clearly and conspicuously
- Warn of explicit content: If your email contains any explicit content, the subject line needs to start with the phrase “SEXUALLY EXPLICIT”
- Assume responsibility: Even if you’ve outsourced your marketing or promotional activities to a third party, your business is still primarily responsible for complying with the law
In addition, similar to the rules under the GDPR/ePrivacy directive, you need to:
- Identify yourself
- Provide an opt-out method
Canada’s Anti-Spam Legislation
Similar to the CAN-SPAM Act, Canada’s Anti-Spam Legislation (CASL) regulates digital marketing activities in Canada.
As with the other laws mentioned above, CASL requires the following:
- Obtain informed user consent before sending promotional emails
- Provide an opt-out mechanism within marketing emails
- Include a postal address — as well as an email, phone number, or website address — within marketing emails
A unique feature of CASL is that consent obtained is valid only for 2 years, following which it must be renewed, and any opt-out (unsubscribe) requests must be fulfilled within 10 business days.
4. Creating an Email Privacy Policy
If your business targets users worldwide, your marketing practices must be compliant with both:
- the laws where your business is registered, and
- the laws of your target territories
To help you with this rather large compliance challenge, we’ve put together a checklist that summarizes the privacy policy requirements of the aforementioned laws — namely, the GDPR, ePrivacy Directive, CalOPPA, CAN-SPAM, and CASL.
Your email privacy policy should state:
- What personal data you collect (e.g., email addresses, first names, last names)
- How this personal data might be used (e.g., to send promotional emails)
- Whether this personal data might be shared with any third parties (e.g., MailChimp, Google Analytics)
- How a user can opt out of promotional emails (e.g., clicking the unsubscribe link in the email or by writing to a specified email or postal address)
- How a user can contact the sender of the promotional emails (e.g., a postal address or a valid email address)
- Whether email analytics are tracked (and if yes, which)
Our free email privacy policy template above meets all of these criteria. Download it now, or generate one using our privacy policy generator.
5. Considerations for Email Newsletters
When running an email newsletter campaign, follow these best practices to ensure that you’re on the right side of the law, and that you’re giving the necessary information and control to your users:
- Obtain lawful, free, and informed opt-in consent: Your email newsletter sign-up should not contain any pre-checked consent boxes, as a pre-ticked box does not count as GDPR consent. Ideally, place your privacy policy link beneath the sign-up module.
Example of a good newsletter sign-up (NYT Parenting newsletter). Note the privacy policy link beneath the sign-up button and the “Emails may include promotional content…” statement.
- Include a privacy policy link: Ensure that your promotional emails carry a privacy policy link. The link should lead to your email or website privacy policy, detailing all the elements we’ve discussed in the previous section.
- Make your business identity clear: Identify your business by using an appropriate sender name and by including a valid postal address.
- Provide an unsubscribe link or button: Include in your email an easy way for users to opt out of future promotional emails.
Most of these elements are typically found in the footers of emails, as can be seen in the examples below.
Some laws, like CalOPPA, have specific rules against deceptive practices, such as making it difficult to view or click the unsubscribe link. We strongly recommend you don’t adopt such practices. Apart from being potentially illegal, such acts will damage your brand, as you’ll lose the trust and goodwill of your users.
6. Examples of Email Privacy Policies & Compliant Marketing Emails
The two examples that follow illustrate the legal requirements and best practices for email privacy policies and email newsletters.
The New York Times
Here’s the footer area of a New York Times (NYT) email newsletter:
Footer of an NYT newsletter containing an unsubscribe link, a privacy policy link, and its business identity and postal address.
Here’s what the NYT privacy policy contains:
List of sections in the NYT’s privacy policy.
Let’s compare this against Termly’s checklist from the previous section:
A compliant privacy policy should describe:
- What personal data you collect [Sec. 1] ✔
- How this personal data might be used [Sec. 2] ✔
- Whether this personal data would be shared with any third parties [Sec. 3] ✔
- How the user can opt out of promotional emails (e.g., clicking the unsubscribe link in the email or by writing to a specified email or postal address) [Sec. 6] ✔
- How the user can contact the sender of the promotional emails (e.g., a postal address or a valid email address) [on the page; not shown in image] ✔
- Whether and which email analytics are tracked [Sec. 4] ✔
MailChimp Email Marketing
With nearly 69% of the market share, MailChimp is the current leader in email marketing technologies.
MailChimp would be a third party in the relationship between you and your users. Therefore, if you use MailChimp, you should declare it in your privacy policy.
A privacy policy listing all the third-party services the associated website uses, which includes MailChimp.
When using third-party services like MailChimp, you and MailChimp share the responsibility of complying with data protection and related laws.
For example, under the GDPR, you would be the data controller, and MailChimp would be the data processor, two entities with different legal obligations.
For this reason, MailChimp imposes rules on its users to help it comply with relevant laws. Therefore, in addition to the aforementioned rules and regulations, you should follow MailChimp’s anti-spam rules and its terms of use to ensure full compliance.
Other third-party newsletter and related service providers
The guidance above about MailChimp applies equally to any other third-party service provider you use for email marketing. Examples of third-party service providers relevant to email newsletters include:
- ActiveCampaign
- Amazon Simple Email Service
- AWeber
- CampaignMonitor
- ConstantContact
- ConvertKit
- Emma
- GetResponse
- Mandrill
- Mailgun
- SendGrid
- SendinBlue
In brief, ensure that your privacy policy addresses your relationship with all third parties that process your users’ personal data.
7. Conclusion
Despite the emergence and onslaught of social media and influencer marketing, email marketing remains an essential component of almost every company’s marketing arsenal. This isn’t surprising, given that:
- 99% of consumers check their email every day
- 85% of US retailers deem email marketing the most effective channel for customer acquisition
- 73% of millennials prefer business communications through email
Considering these eye-popping stats, if you aren’t already into email marketing, you should be, and if you are, you definitely need a privacy policy for email marketing. Download our template, or head on over to our privacy policy generator to create one in a matter of minutes.