Last updated on 23 August 2022 by Leah Hamilton (Qualified Solicitor, Writer at TermsFeed)
If you engage in email marketing, you need to be aware of the legal requirements that dictate how you can send marketing emails, how you handle unsubscribe requests and how you disclose your collection of personal information.
In the UK, the Data Protection Act 1998 sets out a set of data protection principles that must be followed when you collect the personal information of users.
The GDPR from the EU has global implications when personal information is collected from EU residents.
Most websites collect email addresses through web forms.
Ensure that all of your email subscribers have opted in and consented to be contacted. A reliable way to do this is with a double opt-in system.
With this system, when a member signs up, they receive an initial email to confirm that they do in fact want to receive emails from you:
The best way of implementing clickwrap is to include a checkbox so that you can confirm that your users have agreed to your legal agreements:
Here's an example of what this looks like, from Timberland UK:
Remember to always update your agreements to reflect any additional types of information that you begin to collect.
When you create your web form, add a checkbox that clearly states that your user wants to receive particular types of information or contact from you.
Here's an example of a text message delivery update subscription form that asks users to check a box that shows they agree to receive text messages:
If you offer a variety of types of emails or communications, you can include multiple checkboxes or methods for opting in so that users can select to receive different types of promotional emails from you:
Once you know what kind of information your users want to be sent, there are a number of anti-spam laws around the world that you need to comply with. These laws aim to stop unsolicited email marketing from being sent to unsuspecting consumers.
Whether a particular country's law applies to you depends on whether you, your email service provider (ESP) or your recipients are based in that country. If any of those criteria are met, you will need to comply with the laws of that country.
In the United States the main law is CAN-SPAM.
CAN-SPAM requires that you:
Under Canada's Anti-Spam Legislation (CASL), marketing emails must only be sent with consent, you must identify yourself, and you must include an unsubscribe mechanism.
Implied consent expires after 36 months if your contact was obtained on or before 1 July 2014, and after 24 months if your contact was obtained after 1 July 2014.
An exception is made where users give implied consent through certain types of involvement with your company, such as:
Under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), your email recipients must have opted in (whether by express opt-in or implied opt-in), and you must allow them to opt out at any time.
You must never hide your identity when you send marketing emails, and if you are marketing on behalf of another company or organization you must not conceal their identity either.
To market to someone who isn't already a customer, you must offer them a chance to opt in explicitly.
Here's an example from Apple that shows an explicit option for customers to opt-in to Apple's marketing emails:
If you have purchased a database of email addresses from a third party, these people will not be considered "customers," and you must ensure that those people have opted in to receive your marketing emails. If it is unclear, do not send them marketing emails as you may be in breach of the law.
For individuals, UK anti-spam law also includes something called a soft opt-in. This means that in some circumstances you can treat a customer as if they have consented to receive emails from you, even though they have not explicitly done so.
There are a number of rules that you need to follow to comply with the soft opt-in allowance under the law:
The final requirement of the UK anti-spam law is that recipients of email marketing must be given the opportunity to opt out in every subsequent email they receive. The unsubscribe option must be clearly visible in every email.
The easiest way to do this is to include a clear link at the bottom of your emails and make it a part of all of your templates.
Here's an example from BabyCentre UK of where the "Unsubscribe" link is placed in a marketing email:
You can also include a link to the account preferences page, where recipients can choose to unsubscribe from email marketing. You can see above in the BabyCentre example that there is also a link to "manage your email subscriptions."
Remember that the legal opt-in and opt-out rules only apply to individuals. You can contact a corporate body without them needing to explicitly opt in.
Be careful, though: sole traders and some partnerships are considered to be individuals rather than corporate bodies.
Also, remember that it's good business sense to keep a "do not email" list of companies and individuals that have objected to your emails, and make sure that they are removed from your marketing lists.
On the privacy front, the Data Protection Act on the one hand prohibits you from allowing a third party to gain access to the personal data you collect from your users.
On the other hand, you can supply third parties with your users' personal information in these cases:
If you outsource your email marketing to a third party, such as MailChimp, that collects, uses and stores personal information from your users, your business remains responsible for that personal information, including how it is controlled.
The GDPR, which came into force in 2018, applies if you send commercial marketing communications to residents of the EU.
To comply with the GDPR you'll need to:
In the U.S., the California Business and Professions Code lists a few conditions with respect to Privacy Policies for your website, such as using the word "privacy" in the text of the link that leads to this legal page.
While the law does not specify that you must also link to the Privacy Policy from your communications to users, i.e. the emails you send them, doing so is a way to show consistently that you value the privacy of your users.
Here's an example of a standard footer you could include in an email newsletter that links to legal agreements as well as an unsubscribe link:
Booking.com collects personal information, including names, addresses and email addresses, from its members, which is passed on to hotel owners when a booking is made.
The "deals" emails Booking.com sends out contain a link to its Privacy Statement along with links to an FAQ, a Customer Service page, an Unsubscribe link and a Manage Subscription link:
It's a very standard practice to place links to your legal agreements in your marketing emails, as these pages matter to your readers and they will look for them there.
To comply with laws, the key things to remember when setting up your email marketing campaign are:
Be honest and clear with email headers and subject lines. While it might be tempting to write "URGENT, please respond!!" in the subject line of your email and then display a sale or promotion in the body, this is annoying for your subscribers and it does not follow the legal guidelines.
Have a look at these legal guidelines regarding the content of the emails of your email marketing campaign:
Include an "Unsubscribe" link in every email that you send, and honor requests promptly. The most common place to include the unsubscribe link is at the bottom of the email.
If you regularly send marketing emails, add the unsubscribe link to your email templates.
If you don't want to include an unsubscribe link in the email, you can instead include a link directing the subscriber to the "Preferences" page of their account (if they have one), where they can unsubscribe.
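The double opt-in confirmation described earlier and the per-email unsubscribe link discussed here share one engineering problem: the link arrives by email, the recipient is not logged in, and yet the server must be sure the click came from the address owner and has not been tampered with. The following is an added example, not code from the TermsFeed article or from any of the companies named in it. It signs both kinds of link with HMAC-SHA256 so that a confirmation cannot be forged for someone else's address and an unsubscribe request cannot be replayed against the wrong purpose. The secret key, the 48-hour confirmation window and the `example.invalid` domain are assumptions made for the example; the unsubscribe token deliberately has no expiry, because the opt-out must keep working from every email ever sent.

```python
import base64
import binascii
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Assumed values for this example only: load the key from a secrets store in a
# real deployment (rotating it invalidates every outstanding link), and pick the
# confirmation window to suit your sign-up flow; 48 hours is a design choice.
SECRET_KEY = b"constructed-example-key-do-not-reuse"
CONFIRM_TTL_SECONDS = 48 * 3600
BASE_URL = "https://example.invalid"  # placeholder domain


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(purpose: str, email: str, expires_at: Optional[int]) -> str:
    """Sign (purpose, address, expiry) so the server can later trust what the link claims."""
    payload = json.dumps({"p": purpose, "e": email.lower(), "x": expires_at},
                         separators=(",", ":")).encode("utf-8")
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_token(token: str, purpose: str, now: int) -> Optional[str]:
    """Return the address if the token is genuine, unexpired and issued for `purpose`.
    Anything else (malformed, forged, expired, or a confirmation token presented to
    the unsubscribe endpoint) yields None."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    data = json.loads(payload)  # safe to parse: the tag proves we produced this payload
    if data["p"] != purpose or (data["x"] is not None and now > data["x"]):
        return None
    return data["e"]


@dataclass
class MailingList:
    pending: Dict[str, int] = field(default_factory=dict)  # address -> time of request
    confirmed: Set[str] = field(default_factory=set)
    suppressed: Set[str] = field(default_factory=set)      # the "do not email" list

    def request_subscription(self, email: str, now: int) -> str:
        """Double opt-in step 1: the only thing sent to the address is this link."""
        email = email.lower()
        self.pending[email] = now
        return f"{BASE_URL}/confirm?t={make_token('confirm', email, now + CONFIRM_TTL_SECONDS)}"

    def confirm(self, token: str, now: int) -> bool:
        """Double opt-in step 2: only the inbox owner can present a valid, unexpired token."""
        email = verify_token(token, "confirm", now)
        if email is None or email not in self.pending:
            return False
        del self.pending[email]  # one-shot: a replayed link does nothing
        self.confirmed.add(email)
        self.suppressed.discard(email)  # a fresh, proven opt-in overrides an earlier objection
        return True

    def unsubscribe_link(self, email: str) -> str:
        """Footer link for every marketing email; no expiry, so old emails still opt out."""
        return f"{BASE_URL}/unsubscribe?t={make_token('unsub', email, None)}"

    def unsubscribe(self, token: str, now: int) -> bool:
        email = verify_token(token, "unsub", now)
        if email is None:
            return False
        self.confirmed.discard(email)
        self.suppressed.add(email)
        return True

    def may_send_marketing(self, email: str) -> bool:
        email = email.lower()
        return email in self.confirmed and email not in self.suppressed


def demo(now: int = 1_700_000_000) -> Dict[str, bool]:
    """Walk one constructed address through the whole lifecycle (constructed sample data)."""
    ml = MailingList()
    confirm_tok = ml.request_subscription("Alice@Example.com", now).split("t=", 1)[1]
    # Forgery attempt: Alice's payload spliced onto the tag from another address's token.
    other_tag = make_token("confirm", "bob@example.com", now + 60).split(".", 1)[1]
    forged = confirm_tok.split(".", 1)[0] + "." + other_tag
    results = {
        "send_before_confirm": ml.may_send_marketing("alice@example.com"),
        "forged_rejected": not ml.confirm(forged, now),
        "expired_rejected": not ml.confirm(confirm_tok, now + CONFIRM_TTL_SECONDS + 1),
        "confirmed": ml.confirm(confirm_tok, now + 60),
        "replay_rejected": not ml.confirm(confirm_tok, now + 120),
    }
    results["send_after_confirm"] = ml.may_send_marketing("alice@example.com")
    unsub_tok = ml.unsubscribe_link("alice@example.com").split("t=", 1)[1]
    results["wrong_purpose_rejected"] = not ml.unsubscribe(confirm_tok, now + 120)
    results["unsubscribed"] = ml.unsubscribe(unsub_tok, now + 10_000_000)
    results["send_after_unsub"] = ml.may_send_marketing("alice@example.com")
    return results


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step:24s} {ok}")
```

The token embeds the address itself rather than a database id, so the server needs no lookup to validate a click, but it also means the address is visible in the URL; if that matters for your logs, swap in an opaque subscriber id and resolve it after the tag check. Keeping the unsubscribe handler idempotent and free of any login step is what lets you honour requests promptly, as the article requires.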
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.