Legal Requirements for Email Marketing

You need to be careful that your email marketing campaign isn't overstepping the boundaries of privacy and anti-spam laws.

Before you start sending promotional emails you should be aware of the following:

• In many countries it's illegal to send unsolicited messages.
• You must include some form of unsubscribe option with your marketing communications.
• The unsubscribe option must work properly and the unsubscribe request must be honored within a reasonable amount of time (in the United States this is 10 days).

You're also going to need a Privacy Policy.

The best starting point from a legal perspective when it comes to email marketing is to ensure that all of your email subscribers have opted-in and provided consent to be contacted. A fail-proof way to do this is with a double opt-in system.

With this system, when a member signs up, they receive an initial email to confirm that they do in fact want to receive emails from you:

The next thing to tackle from a legal perspective is to have a Privacy Policy.

This is because a Privacy Policy is required by most jurisdictions whenever you collect the personal information of a user through your website or mobile app - such as an email address.

Email addresses are considered personal information.

In the US, CalOPPA requires businesses to have a Privacy Policy displayed at all times on their websites or through their apps.

In the UK, the Data Protection Act 1998 requires that a set of data collection principles must be followed when you collect the personal information of users.

The GDPR from the EU has global implications when personal information is collected from EU residents.

Most websites collect email addresses through web forms:

These web forms should have two main components to them: a form of clickwrap, and a link to your Privacy Policy.

The best way of implementing clickwrap is to include a checkbox so that you can confirm that your users have agreed to your legal agreement.

Here's an example of what this looks like, from Timberland UK:

You can see that Timberland has a clearly labeled checkbox and link to their Privacy Policy at the bottom of their form. By requiring users to click the box and also click "Sign Up," it's absolutely clear that people intend to sign up for the newsletter and are agreeing to the Terms.

The contents of your Privacy Policy

Because a Privacy Policy is required by law, it should cover all of the content that you collect through the web form (including the email address), as well as any information that your website collects outside of the web form, such as:

• Name
• Address
• Phone number
• Email address
• IP address
• Date and time your website was accessed
• Type of browser and operating system used
• Pages visited
• What site the user came from

Remember to always update your agreements to reflect any additional types of information that you begin to collect.

Your Privacy Policy also needs to include:

• How you will use the information you collect
• How you will keep it secure, and in what circumstances you will share it
• How your subscribers can review the information on them that you hold, and make changes to it
• What date the policy is effective from, and any chances since that date

When you create your web form, add a checkbox that clearly states that your user wants to receive particular types of information or contact from you.

Here's an example of a text message delivery update subscription form that asks users to check a box that shows they agree to receive text messages:

If you offer a variety of types of emails or communications, you can include multiple checkboxes or methods for opting in so that users can select to receive different types of promotional emails from you:

Once you know what kind of information your users want to be sent, there are a number of anti-spam laws around the world that you need to comply with. These laws aim to stop unsolicited email marketing being sent to unsuspecting consumers.

Privacy and anti-spam laws

CAN-SPAM

To determine whether a particular country's law applies to you depends on whether you are based in that country, your ESP is based in that country, or your recipients are. If any of those criteria are met, you will need to comply with the laws in that country.

In the United States the main law is CAN-SPAM.

CAN-SPAM requires that you:

• Don't use misleading email headers or subject lines,
• Must identify your message as an advertisement,
• Tell your recipients where you are located,
• Include an unsubscribe mechanism so that recipients can opt out of receiving future emails from you,
• Honor any opt-out requests promptly, and
• Monitor email marketing done on your behalf by another company (if they are doing it on your behalf, it is your duty to make sure you comply with the law)

CASL

Canadian law covers some of the same requirements.

Under the CASL, marketing emails must only be sent with consent, you must identify yourself, and include an unsubscribe mechanism.

Implied consent expires after 36 months if your contact was obtained on or before 1 July 2014, and after 24 months if your contact was obtained after 1 July 2014.

An exception is made where implied permission is given by users by way of certain types of involvement with your company, such as:

• Purchasing or leasing products,
• Being involved in an investment, or
• Entering into a contract

EC Directive Regulations 2003

The United Kingdom law is also similar.

Under the Privacy and Electronic Communications (EC Directive) Regulations 2003, your email recipients must have opted in (whether by express opt-in or implied opt-in), and you must allow them to opt out at any time.

You must never hide your identity when you send marketing emails, and if you are marketing on behalf of another company or organization you must not conceal their identity either.

To market to someone who isn't already a customer, you must offer them a chance to opt in explicitly.

Here's an example from Apple that shows an explicit option for customers to opt-in to Apple's marketing emails:

If you have purchased a database of email addresses from a third party, these people will not be considered "customers," and you must ensure that those people have opted in to receive your marketing emails. If it is unclear, do not send them marketing emails as you may be in breach of the law.

For individuals, UK anti-spam law also includes something called a soft opt-in. This basically means that in some circumstances, you can treat a customer as if they have consented to receive emails from you, even though they haven't actually done so.

There are a number of rules that you need to follow to comply with the soft opt-in allowance under the law:

• First, you need to have obtained the customer's email address "in the course of the sale of negotiations for the sale of a product or service," which means that the person has to be already a customer.
• Second, you can only direct market to those people in respect of "similar products and services." This means that if your customers signed up to receive travel newsletters from you, you can't send them advertisements for scented candles. However, if they are expecting travel newsletters they would reasonably expect you to send them hotel deals, rental car packages, or cheap flights.
• Third, the recipient of your email marketing must have been given a method of refusing the use of her/his contact details at the time they were initially provided.

• The final requirement of the UK anti-spam law is that the recipients of the email marketing must be given the opportunity to opt out in every subsequent email they receive. The unsubscribe option must be easily visible and displayed on every email.

  The easiest way to do this is to include a clear link at the bottom of your emails and make it a part of all of your templates. Here's an example from BabyCentre UK of where the "Unsubscribe" link is placed in a marketing email:

  

  You can include a link to the account preferences page where they can choose to unsubscribe from email marketing. You can see above in the BabyCentre example that there is also a link to "manage your email subscriptions."

Remember that the legal opt-in and opt-out rules only apply to individuals. You can contact a corporate body without them needing to explicitly opt in.

Be careful, though: sole traders and some partnerships are considered to be individuals rather than corporate bodies.

Also, remember that it's good business sense to keep a "do not email" list of companies and individuals that have objected to your emails, and make sure that they are removed from your marketing lists.

On the privacy front, the Data Protection Act prohibits you from allowing a third party to gain access to personal data you collect from your users on one hand.

On the other hand, you can supply third parties with your users' personal information in these cases:

• When the user asks somebody else (for instance, their solicitor) to get personal information for them
• When your business outsources the personal information processing, such as payroll or customer mailing
• When police or public authorities require it as part of an investigation

If you outsource your email marketing to third parties, such as MailChimp, that will collect, use and store personal information from your users, your business is responsible for that personal information, including its control.

The GDPR

This 2018 legislation out of the EU applies if you send commercial marketing communications to residents of the EU.

To comply with the GDPR you'll need to:

• Always get affirmative consent for collecting email addresses for marketing purposes (soft opt-ins and pre-checked consent boxes are no longer allowed),
• Allow users to revoke this consent at any time, and
• Only use collected emails for the purposes you requested them for

Linking to Privacy Policy from emails

A recent question Quora asked the following:

As an online business that collects personally identifiable info, do you have to include a link to your Privacy Policy in emails to customers?

The quick answer is No: Emails don't need a link to a Privacy Policy - yet - but here's why this would be a good idea to do so.

It's now becoming a best practice to include a link to your Privacy Policy even on landing pages, web forms (usually near the email address field) and so on. Including a link to your Privacy Policy in every email that you send to users gives them plenty of opportunities to read it.

In the US, the California Business and Professions Code lists a few conditions in respect to Privacy Policies for your website, such as using the word "privacy" in the link's text that redirects to this legal page.

While the law doesn't specify if you need to also link from your communications to users, i.e. the email you send to users, doing so is a way to be consistent in showing that you value the privacy of users.

Lexology sends a daily newsletter with information on a variety of legal topics. Each of the emails includes a link to the Privacy Policy that points to the same legal page as found on their website:

Very Short List is "a delightful e-mail that shares cultural gems from a different curator every day."

Booking.com collects personal information, including names, addresses, email address from its members that are passed to hotel owners when you book.

The "deals" emails Booking.com sends out contain a link to its Privacy Statement along with links to an FAQ, Customer Service page, unsubscribe link and a Manage Subscription link:

Here's how Medium includes a link to its Privacy Policy in emails it sends out:

In all the emails that BusinessInsider sends, it places links to Email Preferences and an "Unsubscribe" link, as well as to the Terms of Service agreement and Privacy Policy:

It's becoming a very standard practice to place links to your legal agreements in your marketing emails as these pages matter to your readers and they will look for them.

Checklist to follow

To comply with the law, the key things to remember when setting up your email marketing campaign are:

• Get consent. Make sure the people you're emailing have expressly or impliedly given consent for you to send email marketing material to them.
• Ensure that your subscribers are aware of and agree to your Privacy Policy when you originally obtain their email address, by using clickwrap methods.
• Ensure that your Privacy Policy covers all of the information you'll collect, what you will do with that information, how you keep it secure, and how your subscribers can update their details.

• Be honest and clear with email headers and subject lines. While it might be tempting to write in the subject line of your email "URGENT, please respond!!" and then display a sale or promotion in the body of your email, this is annoying for your subscribers and it's not following the legal guidelines.

  Have a look at these legal guidelines regarding the content of the emails of your email marketing campaign:

  • The email header must relate to the content in the body of the email and not be deceptive
  • A legitimate address of the sender must be displayed
  • If adult content is comprised in the email it must be labeled accordingly

• Include an "Unsubscribe" link in every email that you send, and honor requests promptly. The most common place to include the unsubscribe link is at the bottom of the email.

  If you regularly send marketing emails, add the unsubscribe link to your email templates.

  If you don't want to include an unsubscribe link in the email, you can include a link directing the subscriber to their "Preferences" page of their account (if they have one) where they can unsubscribe.