Legal and data protection research writer at TermsFeed.
On this page
- 3. What Laws Govern Email Marketing Practices?
- 3.1. CalOPPA
- 3.2. The CAN-SPAM Act of 2003
- 3.3. CASL
- 3.4. GDPR
- 4. Data Collection and Email Marketing
- 6. Offer an Opportunity to Unsubscribe
At Step 1, select the Website option or App option or both.
Answer some questions about your website or app.
Answer some questions about your business.
- What personal information you collect from your users. Personal information can any data that can be used to identify an individual, such as email addresses, mailing addresses, location data, or a user's first and last name.
- Why you collect this personal information
- How you use this personal information and allow any third parties to use the information
The same privacy laws that cover a company's data collection, use, storage, security, sales, sharing, and deletion in regards to websites and overall marketing practices, and which are proliferating worldwide in an effort to protect consumer privacy, also impact a company's email marketing practices.
As email marketing continues to increase in popularity, it is more important than ever for companies to ensure that they are respecting the privacy of their customers.
If you press the rewind button and go back in time a bit, you might remember that email marketing wasn't much more than direct mail-lite in the past. By and large, it was just a bunch of, "Hello, so and so, please buy our stuff."
Fast forward to today, and email marketing has become a lot more sophisticated. Of course, it's still all about getting people to buy "stuff," but really, the entire process has become a way for companies to collect more data, refine their marketing campaigns, and increase ROI.
For instance, you can use email to collect information, such as missing demographic data. You can also learn more about your subscribers' devices using web beacons or track your subscriber's online activities when they open emails and click links.
In fact, you can use the email marketing process to collect much of the same kinds of data as your website or app gathers. Because of that, there is an intrinsic danger to your subscriber's privacy.
Numerous laws govern what businesses can do with the personal data of their users, and email addresses are considered personal data. Running afoul of these laws can result in significant fines such as the $57 million Google GDPR fine for the inappropriate processing of user data.
At the heart of most data processing laws is consent, and it isn't enough to simply inform subscribers that you send emails to consenting recipients.
For instance, some of the clauses where you should mention email marketing include the following:
- What personal information you collect
- How you collect personal information
- Why you collect personal information
- How long you store personal information
- How you secure personal information
- Under what circumstances you share personal information
- With whom you share personal information (if you share)
- Automatic data collection methods and cookies
- A separate email marketing clause (for information on unsubscribing and opting-out)
You can't presume that just because someone is aware of one of your marketing activities, and has given consent for data collection in connection with it (i.e., "send me that free report"), that their consent encompasses every other email marketing activity in which you engage (i.e., promotional emails).
What Laws Govern Email Marketing Practices?
Different laws govern email marketing in different countries. The most important ones are Europe's General Data Protection Regulation (GDPR), The California Online Privacy Protection Act (CalOPPA), the CAN-SPAM Act of 2003, and Canada's Anti-Spam Legislation (CASL).
Each of these laws regulates the manner in which you:
- Collect email addresses
- Store email address
- Request consent to collect and process email addresses
- Share email addresses
- Delete email addresses
Additionally, these laws apply to all the other personal information you collect.
The law applies to email marketing because it requires:
- Transparency about what kinds of personal data your app or website collects
You must also ensure that you provide subscribers with a means of opting out of your email marketing campaigns.
The CAN-SPAM Act of 2003
The CAN-SPAM Act establishes regulations for commercial email, including what information must be included in an email message, the types of messages that are prohibited, and how to unsubscribe from commercial emails.
The CAN-SPAM Act was passed in response to concerns about the increasing amount of spamming and other deceptive marketing practices. The law establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violators.
To be more specific, CAN-SPAM contains seven requirements that marketers must adhere to in order to avoid unsolicited email spamming.
- Be honest and transparent in your header (including from, to, and routing information)
- Do not be deceptive in your subject lines
- Disclose the email as an advertisement
- Provide your physical postal address in the body
- Give instructions for opting out
- Honor opt-out requests within ten business days
- Ensure processors or third parties comply with CAN-SPAM
CASL, or Canada's anti-spam legislation, protects consumers and businesses from misusing digital technology, including spam and other electronic threats. It also aims to help companies stay competitive in a global, digital marketplace.
CASL covers "Commercial Electronic Messages" (CEM), which is a bit broader than simply applying to emails. For example, it also covers instant messages, text messages, and social media messages that are related to commercial activities.
CASL, like the GDPR, touches on consent. You must meet the requirements for implied consent, such as (making a purchase, donation, gift, providing volunteer time or resources, providing an email address, or publishing an email address).
If you do not meet the conditions of implied consent, you must obtain express consent from subscribers. This requires either a written agreement or an oral agreement from the subscriber stating that they consent to receive digital communications from your business.
The GDPR is a privacy and security law passed in the EU. It affects companies outside of the EU, so long as they target or collect data related to people there.
The GDPR protects your customer's personal information from mishandling by businesses collecting private data. Personal Data under the GDPR refers to any piece of information that could be used personally (e.g., name, I.D. numbers, location details), which can identify someone either on its own or when put together with other pieces of data (like their website browsing history or email address).
However, the regulation covers more than just email addresses. It applies to all types of electronic communication.
With that said, email marketers have to understand that they must abide by super strict consent requirements if they're doing business within the E.U.
The GDPR states that any consent given must be "clear, affirmative actions." In other words, your subscribers only consent when they take a positive action, such as clicking an appropriately worded link or ticking a box.
You must also pay particular attention to your data processing efforts since you can only collect email addresses when the following criteria are met:
- You must have a specific and lawful reason for processing personal information
- You must provide a way for subscribers to update and remove inaccurate or outdated information, and
- You must delete personal information when you no longer need it
You also have to remember that the GDPR gives your subscribers the right to object to you processing (using) their personal data. That means even if they've already provided you with consent, such as filling out a form and providing you with their email address, they have the right to withdraw that consent at any time.
You have to let them know they have that right and ensure that you're able to provide them with any data you've collected as well as a means for them to ask you to stop using it.
Data Collection and Email Marketing
Through successful email campaigns, you can now collect vast amounts of data. For example:
- Email addresses (and other data like locations, names, date of birth) at sign-up
- Data collection from inside the email (missing data from sign-up), and
- Behavior tracking (across your website, in emails, and on the internet)
Privacy experts and regulations such as the GDPR see data collection via email marketing as a double-sided coin. On one side, you may collect more data than you need, which privacy experts warn against, especially if you don't have a legitimate use for it.
On the other hand, if you use personal information correctly, you can send more targeted and precise emails to your customers. This is the goal of legislation like the GDPR.
However, as mentioned several times already, you need to be transparent about it all.
The following examples demonstrate best practices for email marketing and legal requirements for Privacy Policies.
Note how The Epoch Times provides a prominent link to unsubscribe from its mailing list in this example from one of its email newsletters:
Additionally, see how a method is provided for subscribers to manage their email preferences below:
Finally, note how Digital Kickstart lets users know how it shares personal information, in this case, email addresses and more, with third parties. Although it doesn't specifically mention email addresses, you know the company shares them with third parties because it shares personal data given when "registering for an account or service" as seen in the clause below:
Offer an Opportunity to Unsubscribe
Remember that you should always give users the chance to opt out or unsubscribe, even after they've subscribed. A standard way to do this is to include an "Unsubscribe" link in your email newsletters.
According to the CAN-SPAM Act, which spells out rules for commercial email and other commercial messages, you must provide a clear and conspicuous method of opting out of future communications in each of your communications.
CAN-SPAM sets out other requirements for commercial messages that can be viewed in the CAN-SPAM Compliance Guide document.
Here's how Entrepreneurs HQ Limited provides its unsubscribe link in every email and lets users know that by clicking it, they will be unsubscribed:
Here's an example of how Cision lets subscribers know they can unsubscribe by replying to the email in a certain way:
When the opt-out link is clicked by a user, the user must be given an easy way to unsubscribe from your email communications.
Here's another example of an unsubscribe field from Apple that simply asks a user to enter his email address twice and then click the "Unsubscribe" button as a confirmation. The link at the bottom lets the user unsubscribe from Apple's other newsletters that Apple may send to the user:
Make sure the agreement is accessible and easy to read and understand, and that you provide users with a way to easily unsubscribe from your email newsletter.
This URL linked from the app should be the same URL used on your website in the footer.
Now that you've seen some examples in action, let's look at a general overview of the best practices.
We've put together a quick checklist that you can reference at your convenience and that we believe will help you overcome any compliance challenges you may be facing.
No matter where your company operates, it's likely that one of the major privacy laws in existence covers your email marketing activities. What that means for you is that you'll need to comply with relevant legislation.
By adhering to the following points, you'll help your business stay compliant with:
- CAN-SPAM Act of 2003
- What personal information you collect (i.e., first names, last names, email addresses)
- How you use personal information (do you use subscriber's email addresses to provide updates on company activities? Do you send daily or weekly promotions?)
- A statement about whether you share personal information with third parties (i.e., Google Analytics, Infusionsoft)
- How subscribers can opt out of your emails (i.e., writing to a specific postal or email address or by clicking a link to unsubscribe)
- A way for subscribers to contact you (whether about unsubscribing or something else)
- Whether you track email analytics, and if so, which ones
Keeping all of that in mind, remember that just collecting a customer's email address counts as collecting personal information. Doing so means that you're subject to a whole host of legal requirements depending on where you do business.
Finally, you should:
- Specifically mention your use of email addresses and how you use them.
More specific Privacy Templates are available on our blog.