Legal Requirements for Email Marketing

Last updated on 23 August 2022 by Leah Hamilton (Qualified Solicitor. Writer at TermsFeed)


If you engage in email marketing, you need to be aware of the legal requirements that dictate how you may send marketing emails, how you handle unsubscribe requests, and how you disclose your collection of personal information.

You need to be careful that your email marketing campaign isn't overstepping the boundaries of privacy and anti-spam laws. You're also going to need a Privacy Policy.

This article will discuss laws around the world on sending unsolicited messages, why you must include some form of unsubscribe option with your marketing communications, and why that option must actually work, with requests honored within a reasonable time (in the United States, within 10 business days). It will also discuss how to integrate the appropriate information into your Privacy Policy.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

     TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

     TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

     TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

     TermsFeed Privacy Policy Generator: Enter your email address - Step 4

     You'll be able to instantly access and download your new Privacy Policy.

Privacy Policies are Required for Email Marketing

A Privacy Policy is required by most jurisdictions whenever you collect the personal information of a user through your website or mobile app - such as an email address.

In the U.S., CalOPPA requires operators of commercial websites and apps that collect personal information from California residents to conspicuously post a Privacy Policy.

In the UK, the Data Protection Act 2018 (which replaced the Data Protection Act 1998 and sits alongside the UK GDPR) requires you to follow a set of data protection principles whenever you collect the personal information of users.

The EU's GDPR applies regardless of where your business is based whenever you process the personal data of people in the EU.

Most websites collect email addresses through web forms.

These web forms should have two main components to them: a form of clickwrap, and a link to your Privacy Policy.

Ensure that all of your email subscribers have opted in and provided consent to be contacted. The most reliable way to do this is with a double opt-in system.

With this system, when someone signs up, they receive an initial email containing a confirmation link; only when they click it are they added to the list. Because the click can only come from someone with access to that mailbox, double opt-in also proves the address belongs to the subscriber and stops people from signing up somebody else's address:

FreshMail: Confirm signing up for email list

The best way of implementing clickwrap is to include a checkbox so that you can confirm that your users have agreed to your legal agreements:

Here's an example of what this looks like, from Timberland UK:

Timberland subscribe to email newsletter form with checkbox and Privacy Policy link highlighted

You can see that Timberland has a clearly labeled checkbox and link to its Privacy Policy at the bottom of the form. By requiring users to click the box and also click "Sign Me Up," it's absolutely clear that people intend to sign up for the newsletter and are agreeing to the terms.

The Contents of Your Privacy Policy

A Privacy Policy is required by law, and should cover all of the personal information that you collect through the web form (including the email address), as well as any information that your website collects outside of the web form, such as:

  • Name
  • Address
  • Phone number
  • Email address
  • IP address
  • Other types of legally protected personal information

Remember to always update your agreements to reflect any additional types of information that you begin to collect.

Your Privacy Policy also needs to include:

  • How you collect the information
  • How you will use the information you collect
  • How you will keep it secure, and in what circumstances you will share it
  • How your subscribers can review the information on them that you hold, and make changes to it
  • What date the policy is effective from, and any changes since that date

When you create your web form, add a checkbox that clearly states that your user wants to receive particular types of information or contact from you.

Here's an example of a text message delivery update subscription form that asks users to check a box that shows they agree to receive text messages:

Lord and Taylor mobile sign-up form for text delivery updates with clickwrap checkbox to agree and consent

If you offer a variety of types of emails or communications, you can include multiple checkboxes or methods for opting in so that users can select to receive different types of promotional emails from you:

Jetsetter email preferences page with granular options for unsubscribing

Once you know what kind of information your users want to be sent, there are a number of anti-spam laws around the world that you need to comply with. These laws aim to stop unsolicited email marketing being sent to unsuspecting consumers.

Privacy and Anti-Spam Laws


Which country's law applies to you depends on where you are based, where your email service provider (ESP) is based, and where your recipients are. If any of those is in a given country, you need to comply with that country's law.

United States: CAN-SPAM

In the United States the main law is the CAN-SPAM Act.

CAN-SPAM requires that you:

  • Don't use misleading email headers or subject lines,
  • Identify your message as an advertisement,
  • Tell your recipients where you are located (a valid physical postal address),
  • Include an unsubscribe mechanism so that recipients can opt out of receiving future emails from you,
  • Honor any opt-out request promptly (within 10 business days), and
  • Monitor email marketing done on your behalf by another company (if they are sending on your behalf, it is still your duty to make sure the law is complied with)


Canada: CASL

Under Canada's Anti-Spam Legislation (CASL), marketing emails may only be sent with consent, you must identify yourself, and you must include an unsubscribe mechanism.

Implied consent expires after 36 months if the contact was obtained on or before 1 July 2014 (the transitional period), and after 24 months if the contact was obtained after 1 July 2014.

Consent can be implied, rather than expressly given, where the recipient has an existing business relationship with you, such as:

  • Purchasing or leasing products,
  • Being involved in an investment, or
  • Entering into a contract

United Kingdom: EC Directive Regulations 2003

Under the Privacy and Electronic Communications (EC Directive) Regulations 2003, your email recipients must have opted in (whether by express opt-in or implied opt-in), and you must allow them to opt out at any time.

You must never hide your identity when you send marketing emails, and if you are marketing on behalf of another company or organization you must not conceal their identity either.

To market to someone who isn't already a customer, you must offer them a chance to opt in explicitly.

Here's an example from Apple that shows an explicit option for customers to opt-in to Apple's marketing emails:

Apple: Email Preference Form

If you have purchased a database of email addresses from a third party, these people will not be considered "customers," and you must ensure that those people have opted in to receive your marketing emails. If it is unclear, do not send them marketing emails as you may be in breach of the law.

For individuals, UK anti-spam law also includes something called a soft opt-in. This means that in some circumstances you can treat a customer as if they have consented to receive emails from you, even though they haven't expressly done so.

There are a number of rules that you need to follow to comply with the soft opt-in allowance under the law:

  • First, you need to have obtained the customer's email address "in the course of the sale or negotiations for the sale of a product or service," which means that the person must already be a customer or have been negotiating a purchase with you.
  • Second, you can only direct market to those people in respect of "similar products and services." This means that if your customers signed up to receive travel newsletters from you, you can't send them advertisements for scented candles. However, if they are expecting travel newsletters they would reasonably expect you to send them hotel deals, rental car packages, or cheap flights.
  • Third, the recipient of your email marketing must have been given a simple way to refuse the use of their contact details at the time those details were first collected.
  • The final requirement of the UK anti-spam law is that the recipients of the email marketing must be given the opportunity to opt out in every subsequent email they receive. The unsubscribe option must be easily visible and displayed on every email.

    The easiest way to do this is to include a clear link at the bottom of your emails and make it a part of all of your templates.

    Here's an example from BabyCentre UK of where the "Unsubscribe" link is placed in a marketing email:

    BabyCenter email footer with unsubscribe link highlighted

    You can include a link to the account preferences page where they can choose to unsubscribe from email marketing. You can see above in the BabyCentre example that there is also a link to "manage your email subscriptions."

Remember that the legal opt-in and opt-out rules only apply to individuals. You can contact a corporate body without them needing to explicitly opt in.

Be careful, though: sole traders and some partnerships are considered to be individuals rather than corporate bodies.

Also, remember that it's good business sense to keep a "do not email" list of companies and individuals that have objected to your emails, and make sure that they are removed from your marketing lists.

On the privacy front, the Data Protection Act generally restricts you from letting third parties access the personal data you collect from your users.

However, you may supply third parties with your users' personal information in cases such as these:

  • When the user asks somebody else (for instance, their solicitor) to get personal information for them
  • When your business outsources the personal information processing, such as payroll or customer mailing
  • When police or public authorities require it as part of an investigation

If you outsource your email marketing to a third party, such as MailChimp, that will collect, use and store personal information from your users, your business remains responsible for that personal information: you are still the controller, and the provider processes it on your behalf (under the GDPR this relationship must be set out in a written data processing agreement).


European Union: GDPR

The GDPR, which has applied since 25 May 2018, applies if you send commercial marketing communications to people in the EU.

To comply with the GDPR you'll need to:

  • Always get affirmative consent for collecting email addresses for marketing purposes (pre-checked consent boxes, silence and inferred "soft" consent do not count as GDPR consent),
  • Allow users to revoke this consent at any time, and
  • Only use collected emails for the purposes you requested them for

Linking to a Privacy Policy from Emails

Emails aren't yet required to carry a link to a Privacy Policy, but here's why doing so is a good idea.

It's now becoming a best practice to include a link to your Privacy Policy even on landing pages, web forms (usually near the email address field) and so on. Including a link to your Privacy Policy in every email that you send to users gives them plenty of opportunities to read it.

In the U.S., the California Business and Professions Code sets a few conditions for your website's Privacy Policy, such as requiring the word "privacy" in the text of the link that leads to it.

While the law doesn't specify if you need to also link from your communications to users, i.e. the email you send to users, doing so is a way to be consistent in showing that you value the privacy of users.

Here's an example of a standard footer you could include in an email newsletter that links to legal agreements as well as an unsubscribe link:

Lexology email: Link to Unsubscribe and Privacy Policy

Booking.com collects personal information, including names, addresses and email addresses, from its members, and passes it to hotel owners when you book.

The "deals" emails Booking.com sends out contain a link to its Privacy Statement along with links to an FAQ, a Customer Service page, an unsubscribe link and a Manage Subscription link:

Booking email newsletter footer with unsubscribe and manage subscriptions links highlighted

Here's how Medium includes a link to its Privacy Policy in emails it sends out:

Medium Email Linking to Its Privacy Policy

In all the emails that Business Insider sends, it places links to Email Preferences and an "Unsubscribe" link, as well as to the Terms of Service agreement and Privacy Policy:

Business Insider email: Link to Terms of Service, Privacy Policy

It's a very standard practice to place links to your legal agreements in your marketing emails, as these pages matter to your readers and they will look for them there.

To comply with laws, the key things to remember when setting up your email marketing campaign are:

  • Get consent. Make sure the people you're emailing have expressly or impliedly given consent for you to send email marketing material to them.
  • Ensure that your subscribers are aware of and agree to your Privacy Policy when you originally obtain their email address, by using clickwrap methods.
  • Ensure that your Privacy Policy covers all of the information you'll collect, what you will do with that information, how you keep it secure, and how your subscribers can update their details.
  • Be honest and clear with email headers and subject lines. While it might be tempting to write in the subject line of your email "URGENT, please respond!!" and then display a sale or promotion in the body of your email, this is annoying for your subscribers and it's not following the legal guidelines.

    Have a look at these legal guidelines regarding the content of the emails of your email marketing campaign:

    • The email header must relate to the content in the body of the email and not be deceptive
    • A legitimate address of the sender must be displayed
    • If the email contains adult (sexually explicit) content, it must be labeled accordingly
  • Include an "Unsubscribe" link in every email that you send, and honor requests promptly. The most common place to include the unsubscribe link is at the bottom of the email.

    If you regularly send marketing emails, add the unsubscribe link to your email templates.

    If you prefer not to put a bare "Unsubscribe" link in the email, you can instead link to the subscriber's account "Preferences" page (if they have one), as long as it is clear that they can unsubscribe there.
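As an added, illustrative example (not code from this article, from TermsFeed or from any ESP), here is how the consent and opt-out mechanics described above can be implemented so that the links themselves can't be forged or enumerated: the double opt-in confirmation link and the unsubscribe link are both HMAC-signed tokens bound to the address and to a single purpose, the unsubscribe token never expires, opt-outs go straight onto a suppression list that every send is checked against, and implied consent lapses after the 24-month window described in the CASL section. The signing key, the mail.example.com host, the in-memory store and the approximate 24-month constant are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: in production the key comes from a secrets manager, never from source.
SIGNING_KEY = b"example-key-replace-with-32-random-bytes"

CONFIRM_TTL = 48 * 3600                # confirmation links stop working after 48 hours
IMPLIED_CONSENT_TTL = 24 * 30 * 86400  # roughly 24 months, the post-July-2014 CASL window (approximation)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(email: str, purpose: str, exp: Optional[int]) -> str:
    """HMAC-sign {email, purpose, expiry}. The link carries its own authorization,
    so there is no guessable ID, and a token for one purpose can't be used for another."""
    claims = json.dumps({"e": email, "p": purpose, "x": exp}, separators=(",", ":"))
    body = _b64(claims.encode())
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify_token(token: str, purpose: str, now: int) -> Optional[str]:
    """Return the email if the MAC verifies, the purpose matches and the token is unexpired."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time comparison
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # bad base64 (binascii.Error) and bad JSON both subclass ValueError
        return None
    if not isinstance(claims, dict) or claims.get("p") != purpose:
        return None
    if claims.get("x") is not None and now > claims["x"]:
        return None
    return claims.get("e")


@dataclass
class Consent:
    kind: str      # "express" (confirmed double opt-in) or "implied" (existing customer)
    obtained: int  # unix time the consent was obtained; keep this as your evidence
    source: str    # how it was obtained, e.g. "double opt-in" or "purchase"


class ConsentStore:
    """In-memory stand-in for the consent and suppression tables an ESP would keep (assumption)."""

    def __init__(self, base_url: str = "https://mail.example.com"):  # hypothetical host
        self.base_url = base_url
        self.consents: Dict[str, Consent] = {}
        self.suppressed: Dict[str, int] = {}  # email -> unix time of the opt-out

    def start_signup(self, email: str, now: int) -> str:
        """Double opt-in step 1: record nothing yet, just mail a signed confirmation link."""
        return f"{self.base_url}/confirm?t={make_token(email, 'confirm', now + CONFIRM_TTL)}"

    def confirm(self, token: str, now: int) -> bool:
        """Double opt-in step 2: the click proves control of the mailbox; record express consent."""
        email = verify_token(token, "confirm", now)
        if email is None:
            return False
        self.consents[email] = Consent("express", now, "double opt-in")
        self.suppressed.pop(email, None)  # a fresh, confirmed opt-in supersedes an old opt-out
        return True

    def record_implied_consent(self, email: str, now: int, source: str = "purchase") -> None:
        self.consents[email] = Consent("implied", now, source)

    def unsubscribe_link(self, email: str) -> str:
        # No expiry: an opt-out link that stops working would breach the opt-out requirement.
        return f"{self.base_url}/unsubscribe?t={make_token(email, 'unsubscribe', None)}"

    def unsubscribe(self, token: str, now: int) -> bool:
        """Apply the opt-out immediately; the suppression list is consulted on every send."""
        email = verify_token(token, "unsubscribe", now)
        if email is None:
            return False
        self.suppressed[email] = now
        return True

    def may_send(self, email: str, now: int) -> bool:
        """The gate every marketing send must pass."""
        if email in self.suppressed:
            return False
        consent = self.consents.get(email)
        if consent is None:
            return False
        if consent.kind == "implied" and now > consent.obtained + IMPLIED_CONSENT_TTL:
            return False  # implied consent has lapsed; ask for express consent instead
        return True
```

Two design choices matter here. Binding the purpose into the signed claims means a confirmation token pasted into the unsubscribe endpoint (or vice versa) is rejected, and applying opt-outs to the suppression list synchronously makes the "honor promptly" requirement trivially auditable: the timestamp in `suppressed` is the evidence. Mailbox providers also expect the `List-Unsubscribe` and `List-Unsubscribe-Post` headers (RFC 8058) on bulk mail so the client can offer one-click unsubscribe; the same signed token can be reused for that endpoint.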



This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.