Is your marketing legal?

Johann Sigmund (Email Bullseye)
Sep 7, 2021 · 10 min read

Regulations prevent chaos.

With marketing emails landing in the inboxes of recipients who never solicited them, it has become a pressing issue to implement laws that protect those users’ privacy and personal data.

Yet, despite governments’ many attempts to address the problem, it is still fair to say email marketing tends to fall on the spammy side.

Statistics show over 60% of people keep receiving emails from brands long after they have unsubscribed, or worse, receive emails from companies they have never even heard of.

This amount of spam and shady activity in the Email Marketing space is one of the big reasons Email Deliverability is so incredibly important — have you looked at our Email Deliverability guide yet?

Both users and Email Service Providers are pushing for more regulations and safeguards to protect users from this flood.

That pressure likely contributed to the new privacy features Apple shipped in its iOS 15 update (Mail Privacy Protection), which promise to change the whole landscape of the Email Marketing world for good.

Now, for the user, this is fantastic news. For us marketers, however, it is a whole different story.

Many of these regulations handicap our ability to sell goods and services, as we constantly find ourselves maneuvering to comply with them.

And with the plethora of marketing laws that seem to pop up day by day, it is no wonder owners find themselves overwhelmed and confused about the safest way to run their campaigns.

After all, who would want to get slapped with a hefty $43,000 fine, per email, on their face?

Things are delicate. Which is why, over the next few minutes, we’ll be listing out all of the important email marketing laws & regulations that you should keep an eye on while emailing your recipients.

That way you can ensure your marketing complies with these rules, and your email efforts don’t go flushing down the toilet.

To begin with, it is important to note not all laws are created equal. Which ones apply to you depends mainly on three things:

  1. Where are you based?
  2. Where is your ESP (Email Service Provider) based?
  3. Where are your recipients based?

For instance, in Europe a pre-checked box is not valid consent and the soft opt-in is only allowed for your own existing customers, whereas in the US both practices are completely legal.

As a result, in this article we will mainly focus on which laws apply in each jurisdiction. We did our best to include the laws that apply globally and affect the largest number of marketers and business owners.

Let’s jump right into it.

The CAN-SPAM Act: To Be Followed In The US

Enacted in 2003, the CAN-SPAM Act is one of the first and longest-running email marketing laws in the world. And for obvious reasons.

As its full name indicates, the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act sets the rules for all commercial email, with specific requirements against deceptive headers and for the labelling of sexually explicit content. Read that name again… Assault — it’s a war out there!

This regulation is far from relaxed. It is the primary US legislation you must fully understand and comply with, or the consequences can turn out quite costly.

Each email in violation of this legislation can be subject to a penalty of up to $43,280 (the FTC adjusts this figure for inflation each year), making it imperative to follow it to the letter.

In order to comply with the CAN-SPAM Act, the main guidelines are:

  • Refrain from using deceptive “From” addresses, names, domain names or subject lines that could mislead the recipient
  • Provide a blatantly obvious and straightforward way for users to unsubscribe, and honour the request within 10 business days
  • When promoting any form of adult content or graphic imagery, label it clearly in the subject line of each email
  • Identify your message as an ad, especially if the recipient has not given you explicit consent to be in their inbox
  • Always include a valid physical postal address in your emails
  • When outsourcing your marketing, monitor what others are doing on your behalf: both you and the agency are liable if their work is not compliant

If you’d like more information on the CAN-SPAM Act, get it here.

The GDPR: To Be Followed In Europe

If your objective is to sell to European recipients, then you need to make sure you comply with this law.

The General Data Protection Regulation (GDPR) was implemented to protect the personal data of everyone in the EU. And here is the kicker. Even though the GDPR is an EU regulation, it applies to, and is enforced against, any business worldwide that collects and emails EU-based subscribers. In other words, if your marketing database contains any European email addresses, this regulation applies to you, no matter where your company is based.

Now, here is where it might get a bit confusing to some marketers.

The main difference between this rule and US legislation is that the GDPR is focused on the processing of personal data rather than on email as such. Simply put, the GDPR permits email marketing if, and only if, the personal data behind it is processed lawfully. The rules on when you may actually send a marketing email come from the separate ePrivacy Directive, which each member state implements in its own law (in the UK that law is the PECR, which we cover further down the article).

Note: Buying or renting email lists might seem like a viable growth tool in the US, but not in the EU. This practice not only kills your deliverability, it also directly violates EU legislation, since you hold no valid consent for those addresses.

Violation of the GDPR can lead to fines of up to €20 million or 4% of your annual global turnover of the previous fiscal year, whichever is higher — making it far greater than the US penalty.

In order to comply with the GDPR, the main guidelines are:

  • Obtain valid explicit consent from consumers to receive marketing emails (unlike the US, pre-checked boxes are not valid consent, and the soft opt-in only covers your own existing customers)
  • Allow the consumer to withdraw their consent as easily as they gave it
  • Only use the data or emails you collected for the purposes you laid out beforehand
  • Keep a clear and verifiable record of each consumer’s consent (what they agreed to, when, and how)
  • Give users access to their data when they request it, and erase it when they ask you to

If you’d like more information about the GDPR, get it here.

CASL: To Be Followed In Canada

Like the GDPR, this law does not apply exclusively to Canadian-based businesses.

Canada’s Anti-Spam Legislation (CASL) has, since its inception, aimed to protect Canadians from misuse of digital technology (this includes spam and data leaks). This means that if your company sends marketing communications to recipients in Canada, you are subject to CASL.

In order to comply with CASL, the main guidelines are:

  • Always get consent from each user (express consent wherever possible)
  • Ensure the consent request is plainspoken and carries your business’s identification and contact information
  • Always keep records of consent
  • Honour unsubscribe requests within 10 business days
  • Make clear to users that they can withdraw consent whenever they wish
  • Include the name of your business, contact information and an unsubscribe mechanism in all marketing messages (this includes email)

This legislation goes into more detail on what counts as ‘legal’. CASL defines two types of consent: implied and express.

Consent is implied when:

  1. A person has purchased a product or service from your business in the last 24 months.
  2. You are a registered charity or political organization to which the user has made a donation, volunteered or attended a meeting.

However, under CASL implied consent expires. Consent implied by a purchase lasts 2 years from that purchase. Consent implied by an enquiry about a product or service lasts 6 months. In other words, unless a new purchase or enquiry renews it, implied consent runs out and you must stop sending.

Consent is express when your request for it includes:

  1. A clear, concise description of the purpose for which you want the consent
  2. Your business’s name and contact information
  3. A clear statement that the user can withdraw consent at any time
  4. A rundown of the emails you will be sending

So, to clarify, if people have opted in to your marketing material, they have given you express consent. Unlike implied consent, this permission does not expire (until the subscriber withdraws it).
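The two CASL consent types above behave differently over time, and the one thing every regulator here asks for is a verifiable record. The following is an added example, not code from the original article, showing how a consent ledger can encode the rules as summarised above: express consent never expires, purchase-based implied consent lasts 2 years, enquiry-based implied consent lasts 6 months, a newer purchase renews the clock, and a withdrawal wipes out everything recorded before it. The class and field names are my own, and the durations are assumptions taken directly from the article’s summary rather than from the statute text.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Basis(Enum):
    """Why we believe we may email this person (per the article's CASL summary)."""
    EXPRESS = "express"    # recipient opted in; does not expire on its own
    PURCHASE = "purchase"  # implied: bought something from us
    INQUIRY = "inquiry"    # implied: asked about a product or service


# Assumed validity windows for implied consent, per the article's summary.
IMPLIED_VALIDITY = {
    Basis.PURCHASE: timedelta(days=2 * 365),  # "in the last 24 months"
    Basis.INQUIRY: timedelta(days=183),       # "valid for 6 months"
}


@dataclass(frozen=True)
class ConsentEvent:
    when: date      # the date the consent event happened
    basis: Basis
    source: str     # evidence for the audit trail, e.g. "web form, IP 203.0.113.7"


@dataclass
class ConsentRecord:
    email: str
    events: List[ConsentEvent] = field(default_factory=list)
    withdrawn_on: Optional[date] = None  # most recent unsubscribe, if any

    def active_basis(self, on: date) -> Optional[Basis]:
        """Return the basis that permits sending on the given date, or None.

        Events after a withdrawal (a fresh opt-in) count again; everything
        before it is dead. Express consent wins over any implied consent.
        """
        usable = [
            ev for ev in self.events
            if ev.when <= on
            and (self.withdrawn_on is None or ev.when >= self.withdrawn_on)
        ]
        if any(ev.basis is Basis.EXPRESS for ev in usable):
            return Basis.EXPRESS
        # Newest implied event decides, since a new purchase renews the clock.
        for ev in sorted(usable, key=lambda e: e.when, reverse=True):
            if on <= ev.when + IMPLIED_VALIDITY[ev.basis]:
                return ev.basis
        return None

    def can_send(self, on: date) -> bool:
        return self.active_basis(on) is not None


def withdraw(record: ConsentRecord, on: date) -> None:
    """Record an unsubscribe; sends must stop from this date onward."""
    record.withdrawn_on = on


# Constructed sample ledger, not real subscriber data.
SAMPLE = ConsentRecord(
    email="buyer@example.com",
    events=[
        ConsentEvent(date(2020, 1, 10), Basis.PURCHASE, "order #1001"),
        ConsentEvent(date(2021, 11, 1), Basis.PURCHASE, "order #1842"),
    ],
)

if __name__ == "__main__":
    for day in (date(2021, 12, 1), date(2022, 2, 1), date(2022, 6, 1)):
        print(day, SAMPLE.active_basis(day))
```

In practice the `source` field is where the IP address, form URL and timestamp of the opt-in go, so that when a subscriber or a regulator asks why they were emailed you can answer with the record rather than a guess.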

Violation of any of the regulations of CASL can lead to penalties of up to CAD 1 million for individuals, and up to CAD 10 million for businesses.

To find more information about CASL, get it here.

The Spam Act: To Be Followed In Australia

This law bears a strong resemblance to the US CAN-SPAM Act, as it was also introduced in 2003 to stop Aussie subscribers from being spammed and to protect their personal data.

In a nutshell, this Act forbids sending unsolicited commercial electronic messages with an Australian link. For a clearer picture, here is the commonly quoted summary of that test:

“A message has an Australian link if it originates or was commissioned in Australia, or originates overseas but was sent to an address accessed in Australia.”

In order to comply with the Spam Act of 2003, the main guidelines are:

  • Always include your company name and contact info in each email
  • As in the other legislations, provide a clear opt-out, and never take more than 5 business days to honour an unsubscribe request
  • Ensure your subscribers not only accept your Privacy Policy, but also any other rules involved when obtaining explicit consent
  • Never buy or rent any email lists (it can cost you down the road.)

Only emails from government bodies, registered charities or political parties, and educational institutions can be sent without consent to Australian recipients.

Now, the penalties. Non-compliance with the Spam Act 2003 can cost up to AUD 2.1 million per day for repeat offenders.

Lower than the GDPR’s fines, but still a bit on the dear side.

For more information about Australia’s Spam Act, get it here.

PECR & The DPA: To Be Followed In The UK

The GDPR and these two laws go hand in hand.

First, the Privacy and Electronic Communications Regulations (PECR), which require that any individual recipient located in the United Kingdom has either given consent to receive marketing emails or qualifies for the soft opt-in described below.

It bears a lot of similarities to the regulations mentioned above, the main difference being the number of days you have to process unsubscribe requests and clean up your list.

In order to comply with PECR, the main guidelines are:

  • Obtain explicit consent to receive marketing material from each of your recipients
  • Never hide your identity; the more you display in your emails, the better. Introduce yourself and provide detailed contact information in every email
  • And as always, give subscribers a clear and simple way to unsubscribe or to request deletion, and make sure the request is processed within 28 days

As luck would have it, this law also allows marketers the luxury of the soft opt-in for their existing customers. In certain cases this means you can email people as if they had consented, even though they never ticked a box.

To rely on the soft opt-in, however, you must meet all of the following criteria:

  • You obtained the person’s contact details in the course of a sale, or negotiations for a sale, of a product or service (in other words, they are already a customer or were about to become one)
  • You only market your own similar products or services to them
  • You gave them a simple way to refuse marketing at the time you first collected their details
  • As with every law mentioned above, each message gives them a clear way to unsubscribe

These consent rules only apply to individual subscribers. You may email a corporate body (for example a generic company address) without an explicit opt-in, though you must still identify yourself and honour opt-outs, and a named employee’s address is still personal data under the GDPR.

Violators of the PECR can be fined up to £500,000.

Now, we cannot forget to mention the Data Protection Act 2018 (DPA).

The UK’s first Data Protection Act dates back to 1984; the current 2018 version sits alongside the UK GDPR and applies to any business or individual that holds or collects the personal data of people in the UK, wherever that business is based.

The key principles of this law are:

  • Fair and lawful processing of personal data
  • Adequate, relevant and non-excessive personal data
  • The personal data must be processed for specific lawful purposes only
  • Personal data must be kept safe and secure at all times
  • Not keeping personal data longer than necessary
  • Processing personal data per the rights and freedoms of data subjects
  • Accurate and up-to-date personal data
  • Personal data must not be transferred outside the UK or the EEA (European Economic Area) without adequate safeguards in place for its protection

Also, if at any moment you receive a request for access or deletion, failing to respond within a month can get you in some serious trouble.

Mirroring the GDPR, fines can reach up to £17.5 million or 4% of your annual global turnover of the previous fiscal year, whichever is higher.

Talk about some good slap in the face.

To get more details about these laws click here.

To Wrap It Up

We hope this article has shed some light on an often complicated side of this business that often gets overlooked.

You now understand the legal side of email marketing better than 99% of business owners in the industry. Use this newfound knowledge to make compliant decisions that plough your business forward (instead of pushing it backwards).

To summarize, in order to remain compliant, keep a record of every consent you obtain from your recipients — i.e. the subscriber’s IP address, the opt-in form, and the date and time. Outside of the CAN-SPAM Act, every email marketing law above requires you to obtain the user’s consent. Always collect, handle, process and use your recipients’ data with care. Most ESPs give you the tooling for this (double opt-in, consent logs, suppression lists), but the responsibility stays with you.

If subscribers no longer wish to receive marketing emails from you, every email marketing law agrees that you must give them the opportunity to opt out. Not doing so violates the legal requirements not only in North America, but all over the globe.

Regardless of the opt-out method you choose, include an unsubscribe link in every email you send, and make it very easy and clear to notice. Even though legislation may permit up to 28 days to process an unsubscribe request, believe me, subscribers won’t give you that luxury.

Thanks for reading — By now you should have a better understanding of the legal side of Email Marketing, and following these rules will not only protect your business, but also help you hit subscribers’ inboxes. Getting your emails delivered is a key part of Email Marketing.

When we work with you, we‘d start by creating an Email Marketing Battle Plan to get a clear picture of your current situation & your next steps to success (Marketing Copy, Deliverability, Automations, Segmentation, Strategy).

The first step here is our Email Deliverability Process, every. single. time. It’s an easy way to get some wins before the more complex stuff happens, like the Automations, Segmentation, Email Marketing Strategy, etc.

You can apply for your Audit here.


Email Marketing for Outdoor focused eCommerce Brands — Bullseye Persuasion