Post-graduate law degree, CIPP/E from the International Association of Privacy Professionals (IAPP). Privacy and Data Protection Research Writer at TermsFeed.
On this page
- 1. United States: CAN-SPAM
- 1.1. 1. Header Information
- 1.2. 2. Subject Lines
- 1.3. 3. Ad Disclosure
- 1.4. 4. Mailing Address
- 1.5. 5. Unsubscribe Option
- 1.6. 6. Processing Opt-Outs
- 1.7. 7. Email Marketing Providers
- 2. Europe: ePrivacy Directive
- 2.1. ePrivacy Directive in National Law
- 2.2. ePrivacy Directive vs. GDPR
- 2.3. When Do You Need Consent Under the ePrivacy Directive?
- 2.4. When Can You Send Marketing Emails Without Consent?
- 2.5. Unsubscribe Mechanism and Transparency
- 3. Canada: CASL
- 3.1. Implied Consent Under CASL
- 3.1.1. Active Business Relationship
- 3.1.2. Active Non-Business Relationship
- 3.1.3. Publicly Available or Disclosed Email Address
- 3.2. Express Consent Under CASL
- 3.3. Transparency and Opt-Out Requirements Under CASL
- 4. Australia: Spam Act 2003
- 4.1. Inferred Consent Under the Spam Act 2003
- 4.1.1. Relationship or Conduct
- 4.1.2. Published Email Address
- 4.2. Express Consent Under the Spam Act 2003
- 4.3. Transparency and Opt-Ooptut Requirements Under the Spam Act 2003
- 5. Comparison of Email Marketing Laws
- 6. Summary
Sending spam emails is illegal in almost every country. But email marketing is a crucial part of many companies' growth strategies. Getting the rules right is essential, because breaking the law on email marketing can attract regulatory action and harm your reputation.
This article will explore the legal requirements for email marketing in the U.S., Europe, Canada, and Australia, explaining the rules on consent, opt-outs, and transparency in each region.
TermsFeed is the world's leading generator of legal agreements for websites and apps. With TermsFeed, you can generate:
United States: CAN-SPAM
Email marketing in the U.S. is primarily regulated by the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM).
Other laws, such as the California Consumer Privacy Act (CCPA/CPRA) and Virginia Consumer Data Privacy Act (VCDPA) have an impact on marketing teams but do not provide explicit rules covering email marketing.
We've broken down CAN-SPAM's requirements into seven rules for email marketers operating in the United States.
1. Header Information
Your marketing emails must contain accurate header information, which means the email's:
- Source
- Destination
- Routing information, including the originating domain name and email address
This means you must ensure that your organization is represented in the email's "from" and "reply-to" fields.
2. Subject Lines
Emails must have honest subject lines and must not misrepresent "material facts" about what the email is about. For example, don't pretend the recipient has received an exclusive discount or won a prize.
3. Ad Disclosure
Your email must include a "clear and conspicuous" disclosure that it is marketing material. There's a lot of leeway around how to do this. You can use a disclaimer such as "Ad" in the subject line, but you might not need to if the purpose of your email is reasonably clear.
4. Mailing Address
Your email must include a valid mailing address for your company. This address can be your physical office, an official U.S. Post Office Box, or a private post office box that is covered by the Postal Service regulations.
5. Unsubscribe Option
Sending marketing emails under CAN-SPAM does not require consent.
However, marketing emails must include a "clear and conspicuous" unsubscribe method, whether that's an unsubscribe link, or a notice advising recipients that they can reply with "Unsubscribe" to opt out of future marketing emails.
Here's an example from Proton Mail:
6. Processing Opt-Outs
If a recipient chooses to opt out by unsubscribing to your marketing emails, you must honor their decision:
- Within 10 business days
- For free
- Without asking the person to take any additional steps
- Without asking for any additional personal information beyond the person's email address
You must maintain any unsubscribe mechanism (e.g. an inbox for unsubscribe requests) for at least 30 days after sending any marketing email associated with that mechanism.
7. Email Marketing Providers
CAN-SPAM doesn't prohibit you from using third-party services to send marketing emails on your behalf. But all the above rules apply when using a third-party service, and you could be liable for the third party's non-compliance with CAN-SPAM.
Europe: ePrivacy Directive
In most of Europe, the ePrivacy Directive is the most important law when it comes to email marketing.
When we say "Europe" in this article, we're referring to the UK and the European Economic Area (EEA), which includes all 27 EU countries, plus Iceland, Lichtenstein, and Norway.
ePrivacy Directive in National Law
The ePrivacy Directive doesn't apply directly in European countries. The UK plus each EEA country has implemented the ePrivacy Directive via national law.
For example, in the UK, the ePrivacy Directive is covered under the Privacy and Electronic Communications Regulations 2003 (PECR).
This means that the rules on email marketing can vary slightly from country to country. We'll focus on the ePrivacy Directive's core requirements, but bear in mind that the law applies slightly differently in different European countries.
ePrivacy Directive vs. GDPR
The ePrivacy Directive interacts with another important EU law, the General Data Protection Regulation (GDPR).
Here's one way to think about how these two laws interact:
- The ePrivacy Directive focuses on privacy, whereas the GDPR is all about data protection. These are two distinct but overlapping concepts in European law.
- Sending someone an unwanted email affects the privacy of their communications, which is primarily regulated by the ePrivacy Directive.
- By collecting, using, storing, or sharing someone's email address, you might be "processing" their "personal data," which is regulated by the GDPR.
If an email address is "personal data," you must comply with the GDPR when using it, in addition to the ePrivacy Directive's rules about sending marketing emails.
The GDPR also provides a definition of "consent" for the purposes of email marketing.
When Do You Need Consent Under the ePrivacy Directive?
By default, you must get consent before sending marketing emails under the ePrivacy Directive. There are some important exceptions, which we'll look at below.
The GDPR provides the standard of valid consent: a "freely given, specific, informed and unambiguous indication of the data subject's wishes," given via a "clear affirmative action."
This is a strong standard of consent. If you're requesting consent for email marketing, you must ensure the request is clear and that the person is making an unambiguous, free choice. If you need consent under the GDPR, you can't obtain it via a pre-ticked box.
Whenever you're collecting personal data under the GDPR, you should provide people with information about how and why you're requesting the personal data, and provide a link to your GDPR Privacy Policy.
When Can You Send Marketing Emails Without Consent?
You don't need a person's consent to send them marketing emails if the "soft opt-in" applies.
The "soft opt-in" applies where:
- An individual has given you their email address "in the context of a sale"
- You intend to send marketing emails about "similar products and services" provided by your company
- You give the person the opportunity to opt out of marketing emails, both when collecting their email address and via an unsubscribe method in each marketing email
Under these circumstances, you don't need consent. So you can, for example, display a pre-ticked box during a check-out process that says something like: "I would like to receive marketing emails about similar products and services."
Here's an example from Deister Electronic:
In most European countries, many business-to-business marketing emails are not covered by the ePrivacy Directive.
For example, the UK's implementation of the ePrivacy Directive does not apply if the recipient is a "corporate subscriber," which means that the email address uses a corporate domain, such as [email protected]
You don't need consent to email corporate subscribers. Sole traders and some types of partnerships do not count as corporate subscribers.
This is even true of individual users of corporate email accounts, e.g. [email protected] However, if a corporate email address contains personal data, the GDPR applies even if the ePrivacy Directive does not.
Unsubscribe Mechanism and Transparency
You must include a clear and accessible unsubscribe mechanism in your marketing emails. Much like under CAN-SPAM in the U.S., you must be transparent about who you are, and not mislead people as to the sender of your email.
You should also provide a link to a copy of your Privacy Policy within your email.
Here's how DeepL does this:
People in the EU have the absolute right to object to direct marketing. If a person tells you not to send them marketing emails, you must stop doing so immediately.
Canada: CASL
Canada's Anti-Spam Legislation (CASL), came into effect in 2014. CASL requires consent for sending marketing emails, but the law recognizes two types of consent: "implied" and "express."
Implied Consent Under CASL
CASL states that under certain conditions, a person can imply that they consent to receive marketing emails.
Active Business Relationship
You have "implied consent" to send marketing emails to a person if you share an active business relationship with them.
For example, if the person has bought something from you within the last two years or has expressed an interest in your products in the past six months.
Active Non-Business Relationship
You have "implied consent" to send marketing emails to a person if you share an active non-business relationship with them. This applies to clubs, charities, and other nonprofits.
For example, if the person has made a donation within the last two years or expressed an interest in your organization in the past six months, you can have implied consent.
Publicly Available or Disclosed Email Address
You have "implied consent" to send marketing emails to a person if their email address was publicly available, or was disclosed to you.
In this case, you can only send marketing emails that are related to that person's business or interests.
You can't send the person marketing material if they've made it clear that they don't want to receive it. For example, if they've published their email address on their website with an accompanying message, such as "no spam please."
Express Consent Under CASL
If none of the conditions for implied consent apply, you must get express consent before sending a person marketing emails.
For express consent to be valid, you must explain why you are asking for the person's email address, and disclose your identity
Here's an example from the Canadian War Museum:
You don't need to provide this much information in your consent request. You can just provide your company's name and your reason for requesting the person's email address. It's good practice to also provide a link to your company's Privacy Policy.
Transparency and Opt-Out Requirements Under CASL
Under CASL, a marketing email must include accurate sender and reply information.
You must offer people an unsubscribe option and honor any opt-outs within five business days. The inbox or other mechanism you've set up to process opt-outs must remain valid for at least 60 days.
Australia: Spam Act 2003
Email marketing in Australia is regulated under the Spam Act 2003. The Spam Act 2003 is similar to Canada's CASL in that it also recognizes both "express" and "implied" consent (or "inferred consent" under Australia's law).
Inferred Consent Under the Spam Act 2003
Under the Spam Act 2003, you can infer you have a person's consent to send them marketing emails under two main conditions.
Relationship or Conduct
The Spam Act 2003 permits you to infer you have a person's consent based on their "conduct" or "business or other relationships."
The law does not say what sort of relationship or conduct would imply consent. The Australian Communications and Media Authority (ACMA) suggests that an existing business relationship may exist if "there is a reasonable expectation of receiving commercial electronic messages."
Published Email Address
Under the Spam Act 2003, you do not need consent to send marketing emails to a person that has "conspicuously published" their email address, unless the person has also stated that they don't want to receive marketing emails.
This rule only applies when sending business-to-business emails, and the law specifies the types that recipients must act in one of the following roles within an organization:
Emails sent under this exemption must be relevant to the recipient's industry or profession.
Express Consent Under the Spam Act 2003
The Spam Act 2003 doesn't provide any conditions for express consent. However, when requesting express consent, you must "clearly and simply" explain:
- The purposes for which you are seeking consent
- Your identity
Transparency and Opt-Ooptut Requirements Under the Spam Act 2003
Under the Spam Act 2003, a marketing email must include accurate sender and reply information
You must offer people an unsubscribe option and honor any opt-outs within five business days. The inbox or other mechanism you've set up to process opt-outs must remain valid for at least 30 days.
Comparison of Email Marketing Laws
This chart will help you see side-by-side comparisons of requirements of different laws in different regions so you can understand what you must do to comply, regardless of which laws you must follow.
| United States (Federal level) | Europe (EEA and UK) | Canada | Australia | |
| Express consent required | Only if the recipient has previously opted out | Always, except for existing customers under certain conditions | Sometimes, unless implied consent is allowed | Sometimes, unless implied consent is allowed |
| Implied consent allowed | N/A | No (but "soft opt-in" may apply for existing customers) | Yes, if there is an active relationship or the email is publicly available | Yes, if there is an active relationship or the email is publicly available |
| Exemption for publicly-available information | N/A | No | Yes, when sending emails relevant to the person's profession | Yes, when sending emails relevant to the person's profession |
| Unsubscribe option required | Always (unless the recipient consents) | Always | Always | Always |
| Days to honor unsubscribe requests | 10 business days | Immediate | Five business days | Five business days |
| Period for which opt-out mechanism must be maintained | 30 days | Not specified | 60 days | 30 days |
| Accurate sender information required | Yes | Yes | Yes | Yes |
Summary
If you engage in email marketing, you must be aware of legal requirements around this common and effective marketing practice.
The common thread seen amongst all of the laws is an aim for transparency and choice. You should always disclose to people why you're collecting their email address and how you will use it. You must also always give them a choice to change their minds at any time.
Having an email marketing Privacy Policy and offering an unsubscribe mechanism are two of the most easy and effective ways of complying with legal requirements for email marketing.
