Email Marketing and Ecommerce Businesses

Despite the rise of social media advertising, email marketing remains the primary way for many businesses to promote their products, bring in new customers, and ensure customer loyalty.

In some ways, successful email marketing campaigns have never been easier:

  • Customers are making more of their personal information and preferences available online
  • Technology allows you to accurately measure the impact of your campaigns
  • Third-party direct email marketing services are available to help businesses target their customers in the most effective way

But there are a lot of new challenges, too:

  • Email spam filters are increasingly vigilant
  • Customers have access to tools which allow them to instantly unsubscribe from email lists en masse
  • Privacy and data protection laws are imposing ever-stricter requirements and restrictions on businesses

The importance of that last point can hardly be overstated. Failing to comply with the laws around email marketing could have disastrous consequences for your business, resulting in fines, litigation, and severe reputational damage.

Laws on Email Marketing

In Chapter 3, we looked at how important it is for your ecommerce store to maintain a Privacy Policy. We're now going to look at the effect privacy law has on your email marketing campaigns.

Remember that you aren't necessarily only affected by the laws of the country in which your ecommerce store is based. You should get to know the laws of your customers' countries, too.

Privacy laws very often have an extra-territorial scope. This means that the law will be enforced even against foreign businesses if they do business within the country where the law is enacted.

United States

Although there is no general privacy law in the United States at the federal level, there is a national law that regulates the sending of email marketing.

The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act was introduced in 2003, and surely ranks among America's more misleading legislative puns. "Can" is supposed to mean "stop."

CAN-SPAM doesn't "can" unsolicited email altogether. You can still send marketing emails to a person without their consent under this law. But the Act sets out several requirements for the sending of marketing emails.

It provides three broad requirements for marketing emails:

  1. Be clear about who is sending the email
  2. Be honest about your reasons for sending it, and
  3. Make it easy to unsubscribe from future marketing emails

At the Top of Your Email

CAN-SPAM requires that your emails have accurate headers and subject lines.

The header is the part of the email that tells the recipient who the email is to, and who it is from. CAN-SPAM requires that the "from" line "accurately identifies any person who initiated the message."

Here's a compliant example:

Screenshot of Wizz Air email header

The "from" field shows that the email was sent from a domain associated with the business, as expected. Note that the definition of "person" isn't limited to an individual, and can mean a business.

CAN-SPAM requires you to be honest in your subject lines. Rather than forbidding particular phrases or giving examples, the Act states that the sender must not use subject lines that: "would be likely to mislead a recipient, acting reasonably under the circumstances, about a material fact regarding the contents or subject matter of the message."

At the Bottom of Your Email

CAN-SPAM requires your marketing emails to:

  • Give a physical address for your business
  • Let the recipient know that they are receiving a marketing email (unless they have consented), and
  • Offer the recipient the opportunity to unsubscribe

Here's a footer from a marketing email that covers all three bases:

Screenshot of Credit Karma email footer

Credit Karma provides its postal address. This is to comply with the requirement in CAN-SPAM that the marketing emails contain "a valid physical postal address of the sender."

The recipient is told that the email is a promotional email.

Credit Karma provides an unsubscribe link. This is to comply with the requirement that the sender provides "clear and conspicuous notice of the opportunity [...] to decline to receive further commercial electronic mail messages from the sender."

A recipient must be able to unsubscribe by sending one reply to your email, or via a link that takes them to one webpage. It mustn't be any more complicated than that. Unsubscribe requests must be honored within 10 working days.

Canada

Canada's Fighting Internet and Wireless Spam Act, known as Canada's Anti-Spam Act (CASL), came into effect in 2014.

CASL applies to you if you're planning on sending any marketing email to anyone in Canada, whether your business is based in Canada or not.

One of the most important sections of CASL states that it's illegal to send a marketing email to someone unless you have their consent to do so. There are two broad types of consent under CASL.

CASL allows you to earn consent without explicitly asking for it. It's possible to argue that you have a person's implied consent if:

  1. You share an active business relationship. This might mean that the person has made a purchase from you within the past two years, or expressed an interest in your products in the past six months.

  2. You share an active non-business relationship. This applies in a similar way to type 1 but to clubs, charities and other nonprofits. The "purchase" in this scenario might refer to a donation.

  3. The person's email address was publicly available or disclosed to you. In this case, you can only send marketing emails that are related to that person's business or interests. You can't send the person marketing material if they've made it clear that they don't want to receive it. For example, if they've published their email address on their website with an accompanying message, such as "no spam please."

You must be able to prove that you have implied consent on these terms.

There was a three-year transition period which ended on 1 July 2017. Before this date, businesses could rely on implied consent arising from relationships formed before CASL passed in 2014. Now that the transition period is over, the two-year time limit applies to implied consent arising from existing business relationships.

If you don't have implied consent, you can ask for consent. This is called express or explicit consent. For a request for consent to be valid, it must include:

  1. The reason you're asking for consent. For example "please give us your email address so we can send you information on our products."

  2. The identity of your company

Here's an example from the Canadian War Museum:

Canadian War Museum email subscribe form

The Canadian War Museum provides very comprehensive information about its organization and the purposes of joining its mailing list.

Here's another example of a valid express consent request from Music Canada:

Music Canada email subscribe form

Compliant Emails

Even when you have a person's consent under CASL, there are certain rules about the content of your marketing emails. These requirements are broadly similar to those made by CAN-SPAM.

You must include:

  • Clear information about who you are and how you can be contacted

  • An unsubscribe mechanism. This must allow the recipient to unsubscribe by reply email, or by visiting a web page. The reply email address or web page link must be valid for at least 60 days. Unsubscribe requests must be honored within 10 working days.

Australia

The Spam Act 2003 regulates marketing emails sent to and from people in Australia. The Act is quite similar in its effects and language to CASL. It also effectively bans the use of email-harvesting software in Australia.

The Spam Act refers to marketing emails with an "Australian link." This includes any emails that are sent from Australia or might reasonably be expected to be opened in Australia.

There is some scope for a business to argue that it did not expect its marketing email to be opened in Australia. But to be safe, it's better to take a few steps to comply with the Act than to risk violating it.

The Spam Act is quite clear that it generally applies "extraterritorially" - outside of Australia.

The Spam Act bans unsolicited marketing email. Sending "unsolicited" emails effectively means sending emails without consent. The Spam Act recognizes two types of consent: inferred and express consent.

You can infer that you have consent to email a person if:

  1. You have an existing business relationship with the person. There is little guidance in the Act about what constitutes an existing business relationship. The Australian Communications and Media Authority (ACMA) suggests it would be a relationship where "there is a reasonable expectation of receiving commercial electronic messages."

  2. The person has conspicuously and publicly published their email address. This doesn't apply if the person has stated that they don't wish to receive marketing emails. The emails you send must be relevant to their industry or profession.

This is very similar to the model of implied consent we looked at under CASL.

Express consent means that the person has actively agreed to receive marketing emails from you. Again, the Act is a little thin on the details here. But the ACMA provides the following advice:

  • A double opt-in is good practice. For example, once your customer has subscribed to your marketing newsletter, send an initial welcome email to ask them to confirm their subscription.

  • You cannot use a pre-ticked box to gain consent

  • Silence (e.g. not unsubscribing) doesn't constitute consent

Compliant Emails

The requirements around the content of marketing emails under the Spam Act 2003 are very similar to those under CAN-SPAM and CASL.

  1. The sender must be clearly identified. The information must include the name of the person or company sending the email, and their Australian Business Number (if applicable). If you're having a third party send emails on your behalf, they must identify your company as the originator of the email.

  2. Include information about how the recipient can contact you. This can simply be a matter of replying to the email, depending on what's in the "From" field.

  3. Always include an unsubscribe facility, in every email.

All this information must be valid for at least 30 days. Unsubscribe requests must be honored within 5 working days.

European Union

The EU has the strictest privacy laws around. There's no EU-wide law specifically related to the regulation of spam, but a patchwork of rules can be inferred from laws such as the ePrivacy Directive and the GDPR. Each EU country will implement these rules in a slightly different way, but there is an accepted minimum set of standards that they must adhere to.

There is a lot to be done in order to comply with the GDPR. Much of this has to do with creating a Privacy Policy, which we covered in Chapter 3. When it comes to sending marketing emails, the main thing to remember is that when the EU says "consent," it really means it.

Again, if you're seeking EU customers, you'll need to comply with the EU's privacy laws even if you aren't based in the EU.

One of the myths of the GDPR is that processing someone's personal information always requires consent. This is not true. If you wish to process someone's personal data (this includes sending them marketing emails), you won't have to ask for consent in every case. This even applies to email marketing in some circumstances.

But in many contexts, consent will be the way to go, especially if you're hoping to gain new customers with your email marketing campaign.

Canada and Australia's anti-spam laws say that they require consent, but this includes "implied" or "inferred" consent. The GDPR doesn't recognise this type of consent. Consent must be freely given, via a clear, affirmative action.

Always "opt-in," never "opt-out."

Here's a bad (and since updated) example from Walmart. When creating an account, the customer is presented with a pre-ticked box which allows Walmart to send them marketing information:

Walmart account sign-up form with pre-checked email consent box

The customer can't be said to have given clear, affirmative consent here. They're clicking a button that says "Create Account," and they might not even realize that they're also signing up to marketing emails. You shouldn't "piggyback" consent for marketing in this way.

Getting consent for one type of communication doesn't mean you have consent for all types of communication. You should break down your consent requests so that your customers know exactly what they're agreeing to and are presented with choices and options.

Let's take a look at an example from Logitech:

Logitech account registration page with consent checkbox for communications

Logitech is using one consent statement to ask its customers to consent to receive several different types of communication here.

Ideally this would be broken down so that the customer could, for example, consent to receiving the Logitech newsletter, but decline to receive information about "exclusive offers."

Here's an example of how something like this could look, with multiple options and opportunities to give consent:

Time to Change email updates preferences checkboxes to get granular consent

Compliant Emails

It almost goes without saying that it should be easy for your EU users to unsubscribe. Even the least demanding of the spam laws we've looked at, CAN-SPAM, requires this.

The guiding principle comes from Article 7 of the GDPR, which states that "it shall be as easy to withdraw as to give consent." Including a facility in your marketing emails that will allow a customer to withdraw by visiting a single webpage should satisfy this requirement.

You should also link to your Privacy Policy in the footer of all automated emails.

Laws Across the EU

EU law is implemented slightly differently in different EU countries, with laws setting a minimum level of protection. The GDPR demands clear consent. Some individual countries lay further protections on top of this, or make small changes as permitted under the GDPR's exemptions.

Other Major Economies

Email marketing laws vary significantly around the world. Generally speaking, the strictest are found in Europe. Here are the laws of some other major economies.

Argentina

The Personal Data Protection Act and Regulatory Decree 1558/01 regulate marketing emails. There has also been data protection reform in 2023.

The law allows opt-outs and recognizes implied consent.

The subject line of a marketing email must read "advertisement" and nothing else.

Brazil

There is effectively no anti-spam law in Brazil.

The Civil Rights Framework for the Internet ("Marco Civil") provides the right for individuals to request deletion of personal information but does not mention spam specifically.

The Self-Regulation Code for E-mail Marketing Practices is a voluntary code for email marketers in Brazil.

The Brazilian Data Protection Law (LGPD), known as "Brazil's GDPR," went into force in 2020.

China

The Regulations On Internet Email Services cover marketing emails. Broader internet censorship laws are also relevant.

Marketing emails must contain the word "Ad" (or the Chinese equivalent) in the subject line. Explicit consent is required.

Hong Kong

Under the Unsolicited Electronic Messages Ordinance, marketing emails must contain:

  • Accurate sender information
  • An unsubscribe facility
  • Honest subject lines

Unsubscribe requests must be honored within 10 working days.

Indonesia

Marketing emails are not regulated by law in Indonesia.

Law 11 Concerning Electronic Information and Transactions covers internet privacy.

Israel

The Communications Law (Telecommunications and Broadcasting) 1982 was amended in 2008 to include some provisions about email marketing.

The law recognizes informed "opt-out" consent where a customer provides their email address at the point of a previous sale. The marketing material must be connected to the type of product sold. Consent can be easily withdrawn.

Marketing emails must contain:

  • The word "Advertisement" in the subject line
  • The contact details of the business
  • An unsubscribe facility

Japan

The Act on Regulation of the Transmission of Specified Electronic Mail requires businesses to gain express, opt-in consent before sending marketing emails, and to keep records that can prove that they have done this.

Malaysia

The Communications and Multimedia Act (1998) forbids "intent to annoy, abuse, threaten or harass" via email.

New Zealand

The Unsolicited Electronic Messages Act 2007 recognizes express, inferred and "deemed" consent (implied consent via conspicuous publication of an email address).

Marketing emails must contain the contact details of the business and details of how to unsubscribe. Unsubscribe requests must be honored within five working days.

Singapore

The Spam Control Act regulates marketing emails with a "Singapore link" (this language can also be seen in Australia's Spam Act 2003).

Marketing emails must begin with the characters <ADV>, and not contain misleading headers or subject lines. They must contain an unsubscribe facility.

Switzerland

Marketing email is regulated by the Federal Law against Unfair Competition 2007 and Telecommunications Act. The law is very strictly enforced and only recognizes express consent.

Businesses must state a clear legal basis for sending marketing emails. Marketing emails must be clearly identified as such, and contain accurate sending information and an unsubscribe facility.

South Africa

The Electronic Communications and Transactions Act 2002 allows marketing email to be sent on an opt-out basis.

The Protection of Personal Information (POPI) Act 2013, a privacy law very similar to the GDPR, has been gradually coming into force but has yet to take full effect. Email marketing rules will be much stricter once it has.

Case Study

Plastic Pipes is a plumbing company based in the UK. It ships all over the EU. It is compiling a mailing list of existing customers and website sign-ups. It plans to distribute a weekly newsletter and regular promotional emails.

Plastic Pipes needs to do the following:

  • Ensure customers are actively consenting to receiving marketing email:

    • Via a form on its website
    • Via unticked consent boxes when making a purchase
  • Give customers an honest representation of what they'll be receiving, and offer a choice over which sorts of marketing correspondence they receive, for example:

    • "Tick here if you would like to receive marketing materials and information about our new products."
    • "Tick here if you would like to receive our weekly newsletter, which will sometimes contain information about promotions and offers."
  • Ensure it sends emails via an email address that can be easily associated with its company, for example [email protected]

  • Write subject headers that are an honest representation of what's contained in the email, for example "Weekly Newsletter and Special Offers," or "Exclusive Discount on Our New Pipes Range"

  • Include the company's address and contact details in every email

  • Provide a facility by which recipients can unsubscribe - for example a link that leads to a single web page that automatically removes the customer from its mailing list