Last updated on 15 March 2022 by Leah Hamilton (Qualified Solicitor. Writer at TermsFeed)
You need to be careful that your email marketing campaign isn't overstepping the boundaries of privacy and anti-spam laws.
Before you start sending promotional emails you should be aware of the following:
You're also going to need a Privacy Policy.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
The best starting point from a legal perspective when it comes to email marketing is to ensure that all of your email subscribers have opted-in and provided consent to be contacted. A fail-proof way to do this is with a double opt-in system.
With this system, when a member signs up, they receive an initial email to confirm that they do in fact want to receive emails from you:
The next thing to tackle from a legal perspective is to have a Privacy Policy.
This is because a Privacy Policy is required by most jurisdictions whenever you collect the personal information of a user through your website or mobile app - such as an email address.
Email addresses are considered personal information.
In the U.S., CalOPPA requires businesses to have a Privacy Policy displayed at all times on their websites or through their apps.
In the UK, the Data Protection Act 1998 requires that a set of data collection principles must be followed when you collect the personal information of users.
The GDPR from the EU has global implications when personal information is collected from EU residents.
Most websites collect email addresses through web forms.
These web forms should have two main components to them: a form of clickwrap, and a link to your Privacy Policy.
The best way of implementing clickwrap is to include a checkbox so that you can confirm that your users have agreed to your legal agreements:
Here's an example of what this looks like, from Timberland UK:
You can see that Timberland has a clearly labeled checkbox and link to its Privacy Policy at the bottom of the form. By requiring users to click the box and also click "Sign Me Up," it's absolutely clear that people intend to sign up for the newsletter and are agreeing to the terms.
A Privacy Policy is required by law, and should cover all of the content that you collect through the web form (including the email address), as well as any information that your website collects outside of the web form, such as:
Remember to always update your agreements to reflect any additional types of information that you begin to collect.
Your Privacy Policy also needs to include:
When you create your web form, add a checkbox that clearly states that your user wants to receive particular types of information or contact from you.
Here's an example of a text message delivery update subscription form that asks users to check a box that shows they agree to receive text messages:
If you offer a variety of types of emails or communications, you can include multiple checkboxes or methods for opting in so that users can select to receive different types of promotional emails from you:
Once you know what kind of information your users want to be sent, there are a number of anti-spam laws around the world that you need to comply with. These laws aim to stop unsolicited email marketing being sent to unsuspecting consumers.
Whether a particular country's law applies to you depends on whether you are based in that country, your ESP is based in that country, or your recipients are. If any of those criteria are met, you will need to comply with the laws in that country.
In the United States the main law is CAN-SPAM.
CAN-SPAM requires that you:
Canadian law covers some of the same requirements.
Under the CASL, marketing emails must only be sent with consent, and you must identify yourself and include an unsubscribe mechanism.
Implied consent expires after 36 months if your contact was obtained on or before 1 July 2014, and after 24 months if your contact was obtained after 1 July 2014.
An exception is made where implied permission is given by users by way of certain types of involvement with your company, such as:
The United Kingdom law is also similar.
Under the Privacy and Electronic Communications (EC Directive) Regulations 2003, your email recipients must have opted in (whether by express opt-in or implied opt-in), and you must allow them to opt out at any time.
You must never hide your identity when you send marketing emails, and if you are marketing on behalf of another company or organization you must not conceal their identity either.
To market to someone who isn't already a customer, you must offer them a chance to opt in explicitly.
Here's an example from Apple that shows an explicit option for customers to opt-in to Apple's marketing emails:
If you have purchased a database of email addresses from a third party, these people will not be considered "customers," and you must ensure that those people have opted in to receive your marketing emails. If it is unclear, do not send them marketing emails as you may be in breach of the law.
For individuals, UK anti-spam law also includes something called a soft opt-in. This basically means that in some circumstances, you can treat a customer as if they have consented to receive emails from you, even though they haven't actually done so.
There are a number of rules that you need to follow to comply with the soft opt-in allowance under the law:
The final requirement of the UK anti-spam law is that the recipients of the email marketing must be given the opportunity to opt out in every subsequent email they receive. The unsubscribe option must be easily visible and displayed on every email.
The easiest way to do this is to include a clear link at the bottom of your emails and make it a part of all of your templates.
Here's an example from BabyCentre UK of where the "Unsubscribe" link is placed in a marketing email:
You can include a link to the account preferences page where they can choose to unsubscribe from email marketing. You can see above in the BabyCentre example that there is also a link to "manage your email subscriptions."
Remember that the legal opt-in and opt-out rules only apply to individuals. You can contact a corporate body without them needing to explicitly opt in.
Be careful, though: sole traders and some partnerships are considered to be individuals rather than corporate bodies.
Also, remember that it's good business sense to keep a "do not email" list of companies and individuals that have objected to your emails, and make sure that they are removed from your marketing lists.
On the privacy front, on the one hand, the Data Protection Act prohibits you from allowing a third party to gain access to personal data you collect from your users.
On the other hand, you can supply third parties with your users' personal information in these cases:
If you outsource your email marketing to third parties, such as MailChimp, that will collect, use and store personal information from your users, your business is responsible for that personal information, including its control.
This 2018 legislation out of the EU applies if you send commercial marketing communications to residents of the EU.
To comply with the GDPR you'll need to:
A question on Quora asked the following:
As an online business that collects personally identifiable info, do you have to include a link to your Privacy Policy in emails to customers?
The quick answer is No: Emails don't need a link to a Privacy Policy - yet - but here's why it would be a good idea to include one.
It's now becoming a best practice to include a link to your Privacy Policy even on landing pages, web forms (usually near the email address field) and so on. Including a link to your Privacy Policy in every email that you send to users gives them plenty of opportunities to read it.
In the U.S., the California Business and Professions Code lists a few conditions in respect to Privacy Policies for your website, such as using the word "privacy" in the link's text that redirects to this legal page.
While the law doesn't specify if you need to also link from your communications to users, i.e. the email you send to users, doing so is a way to be consistent in showing that you value the privacy of users.
Here's an example of a standard footer you could include in an email newsletter that links to legal agreements as well as an unsubscribe link:
Booking.com collects personal information from its members, including names, addresses and email addresses, which is passed to hotel owners when you book.
The "deals" emails Booking.com sends out contain a link to its Privacy Statement along with links to an FAQ, Customer Service page, unsubscribe link and a Manage Subscription link:
Here's how Medium includes a link to its Privacy Policy in emails it sends out:
In all the emails that Business Insider sends, it places links to Email Preferences and an "Unsubscribe" link, as well as to the Terms of Service agreement and Privacy Policy:
It's a very standard practice to place links to your legal agreements in your marketing emails, as these pages matter to your readers and they will look for them there.
To comply with laws, the key things to remember when setting up your email marketing campaign are:
Be honest and clear with email headers and subject lines. While it might be tempting to write in the subject line of your email "URGENT, please respond!!" and then display a sale or promotion in the body of your email, this is annoying for your subscribers and it's not following the legal guidelines.
Have a look at these legal guidelines regarding the content of the emails of your email marketing campaign:
Include an "Unsubscribe" link in every email that you send, and honor requests promptly. The most common place to include the unsubscribe link is at the bottom of the email.
If you regularly send marketing emails, add the unsubscribe link to your email templates.
If you don't want to include an unsubscribe link in the email, you can include a link directing the subscriber to the "Preferences" page of their account (if they have one) where they can unsubscribe.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.