The Ultimate Legal Guide to Email Outreach

Governments from around the world have established regulations to protect their citizens from unsolicited emails and privacy and data breaches.

Remember, every email you send to your customers, whether it’s a regular e-newsletter or one-to-one conversation that promotes your product or service, has to comply with the law.

If you’re sending emails internationally, navigating through different email laws and regulations can be difficult. Something that is legitimate in one country can be completely wrongful somewhere else and might result in expensive fines.

As international email outreach is part of what our company does, we found that keeping up with these regulations can be both hard and confusing. That is why we put our efforts into detailed research of different anti-spam laws and asked for legal advice to find the best way to comply with international laws.

We teamed up with Alessandro Mazzi, a lawyer and an expert in the field of email and privacy laws, and made this legal guide to help you stay on track with international email marketing laws without losing too much time.

Note: This guide will also help you legally prepare for the upcoming EU General Data Protection Regulation — GDPR.

Countries and current laws

It’s good to know which email marketing laws apply in the countries where your prospects or subscribers are based. You can find out more by reading specific sections of the law that concern your email outreach.

Note: The laws of the European Union member countries will be unified by one regulation in May 2018 — GDPR. To be able to implement all necessary changes and comply with GDPR requirements, it is good to start preparing as soon as possible.

Here is the list of main anti-spam laws and regulations we researched:

  • United States: CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing Act)
  • Canada: CASL (Canada’s Anti-Spam Law)
  • Australia: Spam Act 2003
  • EU: GDPR (General Data Protection Regulation) in May 2018

Current laws in some of EU countries:

EU: The General Data Protection Regulation (GDPR)

The biggest change to EU data privacy laws will be the enforcement of the General Data Protection Regulation (GDPR) on 25 May 2018. It will be immediately applicable in the 28 member countries of the EU. This regulation will harmonize data privacy laws across Europe and it will solve a lot of controversies that currently exist.

GDPR will apply to all companies processing the personal data of people residing in the Union, regardless of the company’s location.

This EU regulation still holds true to the previous directive, but brings many changes and strengthens the rules that were previously left to different interpretation.

These are some of the main changes under GDPR:

  • Extended jurisdiction of the GDPR — it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.
  • The conditions for consent have been strengthened — request for consent must be given in a comprehensible and easily accessible form, with the purpose for data processing attached to that consent.
  • Data subject rights:
      • Right to access — recipients can obtain information on whether their personal data is being processed, where and for what purposes. They can also ask for a copy of their personal data free of charge.
      • Data portability — recipients will receive their personal data in a ‘commonly used and machine readable format’.
      • Right to be forgotten — recipients can have their personal data erased and stop further data processing.

Do you need permission to email someone?

All these laws are made in order to empower and protect the citizens with regards to their private information and to shape the way companies or organizations approach data privacy.

In order to do that most of the laws impose the obligation to ask your prospects for consent before sending them emails.

The exception to this rule is the US CAN-SPAM Act, which clearly states that no consent is needed as long as you provide your prospects with an opt-out to unsubscribe at any time.

Consent needed:

  • Canada
  • Australia
  • United Kingdom
  • France
  • Germany
  • Spain
  • Italy
  • Sweden
  • Netherlands

Consent not needed:

  • United States

Note: Even though most of the email laws from EU countries state that it is necessary to obtain consent, there are significant variations and interpretations of these rules. GDPR will replace these laws in 2018 and one of the key changes will be the strengthened conditions for consent. The new norm under GDPR will focus on an opt-in system rather than the current opt-out system.

In further text we will point out GDPR requirements in place of all current EU email laws and regulations.

What is consent?

Here are a few facts you need to know about consent:

  • Consent is a lead’s freely given agreement to the processing of personal data for a specific purpose.
  • The lead’s consent has to be obtained just before you send them an email for marketing purposes.
  • It has to be clear and informative so they can understand what they are agreeing to.
  • It has to be given for each purpose. You have to ask the same person for specific consent for each different campaign or product you are contacting them for.
  • Silence or inactivity should not be regarded as consent.

Consent Form

In the consent form you should at least include:

  • The identity of your company
  • Purposes for which the data will be processed by your company
  • Any further information that is necessary to make sure your leads understand how their data will be processed (e.g., the third parties with whom the data may be shared)
  • The existence of their rights:
      • Right to access and correct personal data
      • Right to object to processing
      • Right to be forgotten
      • Right to withdraw consent

How to obtain consent?

If you are collecting emails through your website you can obtain consent using opt-in boxes.

Note: Canada’s Anti-Spam Law, Australia’s Spam Act 2003 and upcoming EU GDPR don’t allow pre-ticked boxes as a form of affirmative consent.

You can also ask your leads to type their email in the blank field to obtain consent.

If cold emailing is at the core of your lead generation strategy, you can obtain consent by sending a consent form as your first outreach email. Make sure that the email with a request for consent does not directly promote your commercial content and that it is targeted at the person you are sending it to.

System for storing consent

Your responsibility is to have valid proof of obtained consent, so make sure you have a system where you’ll keep records to demonstrate:

  • What they have consented to
  • What they were told
  • When and how they consented

Note: According to GDPR your recipients have the right to access personal data concerning them and you have to provide them a copy of the personal data undergoing processing.

Make sure you store all necessary information in order to make the obtained consents fully legal.

This is a list of what a copy of their personal data should include:

  • The purposes for processing data
  • The categories of personal data collected
  • The recipients to whom the data have been or will be known
  • Other information about third parties involved
  • The source of data collection
  • The anticipated period for which the data will be stored
  • The existence of the right to request correction or erasure of the data
  • The right to make a complaint

Personal VS non personal data — generic email addresses

Personal data is any information relating to an identified or identifiable “natural person”. Even though it’s not clear, non-personal emails which do not recall a name or identifiable information (e.g. should not fall into these regulations as they apply only to personal data. Therefore cold emailing without a consent in cases of non-personal emails would be allowed.

What if they don’t want to receive your emails anymore?

International laws agree on this matter: You have to let your leads or subscribers know how to opt-out of getting emails from you in the future.

There are different methods through which your recipients can unsubscribe, but one thing is certain:

Emails you send must have a clear and understandable notice about the way your recipients can unsubscribe.

Provide them with a return email address or Internet-based way to allow them to proceed with their decision to opt-out.

Your recipients should be able to unsubscribe from all commercial messages you send.

Even though under the CAN-SPAM Act you don’t need to obtain consent for sending emails, the opt-out mechanism serves a similar purpose, but makes the whole process less strict.

Note: Most email automation software for marketing campaigns has a built-in opt-out mechanism. However, you can also manually add an unsubscribe link to your emails by creating a Google form and linking to it.

What type of information you need to include in each email.

To make your emailing process legitimate, you have to pay attention to the information you provide in each of your emails.

Your email must contain:

  • Sender’s identification
      • US: CAN-SPAM Act
      • Canada: CASL
      • Australia: Spam Act 2003
      • EU: GDPR
  • Option to unsubscribe
      • US: CAN-SPAM Act
      • Canada: CASL
      • Australia: Spam Act 2003
      • EU: GDPR
  • Mailing address
      • US: CAN-SPAM Act
      • Canada: CASL
  • Recipient’s rights
      • EU: GDPR
      • Canada: CASL

Note: If your emails are not country-specific, add all of the above in your email template.

How can you collect email addresses?

Here is what you should be aware of when it comes to different ways of collecting email addresses and sticking to the rules.

Collecting emails on your website

As long as you have an opt-in mechanism where your visitors can freely decide whether they want to receive your commercial emails or not, this way of obtaining email addresses is legal.

Collecting emails using tools and web scraping

If you are collecting email addresses in order to grow your database you have to obtain specific consent from your leads.

Note: Send the first outreach email where you will ask for consent before storing a lead’s email address in a CRM.

Buying email lists

It is legal to collect and sell email addresses as long as you have obtained specific consent for their further use.

If you are buying an email list remember that even though recipients have given their consent to the seller in the first place, you will have to, once again, obtain their specific consent for your own purposes.

Note: The US CAN-SPAM Act doesn’t require that you obtain consent from recipients before sending them commercial emails. They can receive your emails until they ask to opt out. This can be a bit tricky because you don’t always know the citizenship of your leads or subscribers.

And although buying email lists without collected consent is legal in the US, it is also very risky. It is possible that the emails on the list belong to people who have already opted out of receiving emails from your company or people who are citizens of other countries with stricter email privacy laws, like Canada or the EU.

Note: Besides the legal issues that bought email lists can have, they are not an effective method for targeted email outreach. To be fully in control of your email marketing campaign you can use other ways of finding email addresses.

What are the consequences?

Violation of these international laws can result in serious penalties:

  • US: CAN-SPAM Act — up to USD 40,654 per email
  • Canada: CASL — up to CAD 1 million for individuals and 10 million for businesses
  • Australia: Spam Act 2003 — up to AUD 1.8 million
  • EU: GDPR — up to 4% of annual global turnover or €20 Million (whichever is greater)

How to comply with all these laws?

International email marketing laws are not always aligned in the terms of what’s legal or not. The easiest and safest option if you are doing international email outreach is to comply with all the laws and make your emails completely bulletproof wherever you send them.

Follow this checklist to easily stay on track:

  • Don’t mislead your recipients. Be honest about your proposal. Don’t use tricky subject lines.
  • Make sure you have obtained consent for sending commercial emails. If you are cold emailing, ask for consent in your first outreach email.
  • Store collected consent and all necessary information.
  • Respect your recipients’ rights: right to access and correct personal data; right to object to processing; right to be forgotten; right to withdraw consent.
  • Include an unsubscribe link in your emails. Make it easy for your recipients to unsubscribe.
  • Make sure your recipients can identify you when they receive your emails. Provide mailing address in emails.

Note: This is a detailed overview of international email laws, but it is not intended, and should not be taken, as legal advice. For legal advice on email marketing regulations please contact a lawyer.

This Ultimate Legal Guide has been made in collaboration with the lawyer Alessandro Mazzi. If you want to consult further on this subject contact him at:
