Email Marketing Laws: What You Should Know

They’re a permanent fixture of modern digital marketing and only seem to grow.
They follow you everywhere, their details impossible to know!
They annoy us to no end, but they’re as necessary as can be.
And they’re returning with a vengeance to protect user privacy!

Did you guess what my little riddle was about?

That’s right! Today’s blog post is yet another informative overview of email marketing laws. These pesky regulations may seem daunting, but a skilled email marketing expert can help you navigate these treacherous waters. So, buckle up and prepare for a ride as we explore the world of email marketing’s legal requirements!

What to Know About Email Marketing Laws

The first thing everyone should know is that there are multiple email marketing laws. Thus, legal requirements vary. By territory, the “must-know” electronic communications regulations are…

• The Canada Anti-Spam Legislation (CASL)
• The European Union’s General Data Protection Regulation (GDPR)
• The United Kingdom’s Privacy and Electronic Communications Regulations of 2003 (PECR)
• The United States of America’s Federal CAN-SPAM Act and the regional California Consumer Privacy Act (CCPA)

Naturally, these laws cover different aspects of commercial electronic messages.

The European GDPR is the strictest law; thus, compliance guarantees near-universal safety in other territories. Similarly, American-based businesses abiding by California’s CCPA also adhere to the Federal CAN-SPAM Act.

Anti-Spam Rules Work Both Ways

I also want to dispel some common misconceptions about modern anti-spam laws.

Despite the annoyance these regulations often bring us marketers, they’re a two-way street! These laws protect businesses and consumers.

Now, the consumer-side protections are obvious. Regardless of which law you’re following — be it US Federal law or Canada’s anti-spam legislation — you’re fulfilling the legislation’s primary purpose by delivering a fair and honest commercial advertisement at the recipient’s request. In order to maintain compliance, you must inform consumers without deceptive subject lines or disingenuous wordplay.

However, businesses also benefit from these regulations! On the surface, compliance promotes trust. Consumers are more likely to engage with legally compliant emails; more importantly, email providers are more inclined to deliver your legally abiding content.

But there are hidden benefits to ensuring your email messages obey the law, including…

• Financial Returns: Less data means less investment. Under the strictest of these laws — namely, the General Data Protection Regulation and California’s CCPA — providers must store and protect personally identifying information. Reducing the amount of collected data reduces compliance costs — a win for businesses, consumers, and governments!
• Improved Performance: Every major tech company abides by these laws, and many are taking pre-emptive measures to follow future regulations. Working with these limitations in mind makes it easier to build your mailing address and comply with future changes to pertinent national laws and email marketing software policies.
• Legal Recourse: Limiting data handlers to essential information minimizes the damage caused by data breaches.
• Transparency: Businesses must have valid contact details available at all times. Ideally, you’ll want a valid postal address and phone number. While this may seem like a hassle, it’s easy to add a basic footer to your emails! More importantly, this information assures customers of your business’ legitimacy. Maintaining up-to-date contact information also streamlines customer service requests.

All Laws Have a Common Goal

And don’t worry about the differences between these laws!

All these regulations share common goals. As I noted earlier, their similarities are more powerful than their differences. Generally, complying with your brand’s strictest territorial law guarantees compliance with localized regulations. American brands often prioritize the CCPA; global brands focus on the GDPR.

Regardless of which law you’re following, you’ll ultimately find a few commonalities. After all, these laws have shared goals!

So, as you begin your email marketing journey, double- and triple-check to ensure you’re following these near-global requirements:

• Avoid Misleading Content: You can’t send lies! Aside from the subject line, you must also avoid misleading header information and body text. This applies to all commercial emails. And — honestly — it’s the right thing to do!
• Be Aware of Compliance: Lack of awareness is not a lack of fault. Businesses are responsible for their compliance, even when a third party — e.g., a contractor, email service provider, or marketing agency — handles marketing emails.
• Have an Unsubscribe Process: While the details vary, businesses must have an unsubscribe link. Moreover, the process should be straightforward.
• Include Contact Details: As noted earlier, businesses must have a secondary form of communication available. Your safest bet is to have both a phone number and current street address in every email.
• Obtain Consent: All modern privacy and data regulations require some form of consent. The CAN-SPAM Act is the least restrictive, currently allowing for prior consent with pre-checked boxes. However, other laws require express permission (more on that in a moment)!
• Privacy Protection: Businesses must have modern data protection measures. This is particularly important for businesses storing personal data! Names, birthdays, addresses, and occupations are just a few examples of so-called “personally identifying information” that must be protected.

The Differences Between Global Anti-Spam Laws

That’s not to say you can safely assume compliance with one law guarantees universal compliance. You will have to tweak your approach for each territory. Overall, despite their similarities, email marketing laws have varying degrees of rigidity.

Most email service providers abide by the GDPR as a rule. They are, after all, global companies! Nonetheless, this does not guarantee compliance. It’s your job as a business owner to ensure CAN-SPAM compliance, and the same is true for any other legal requirements!

The most important variations of note are:

• The scope of included data protection laws
• Opt-out requests
• Oversight (including the governing body)
• Permissions and how they are obtained

Now, The Email Marketers is based in the United States of America; the CAN-SPAM Act applies to most of our clients (as does the CCPA). Nonetheless, I can’t ignore the impact of the European Union’s General Data Protection Act! These two regulations have formed the basis for most global data protection and anti-spam laws; thus, they’ll be the focus of the majority of today’s post.

Data Protection and You

I’ll work my way down this list, starting with data protection differences.

I’ll open with a question. How many data types are protected under the United States of America’s CAN-SPAM Act?

And I’ll give you a few moments to think about it!

… What do you think the answer is?

… One? Two?

Well, you’re in for a surprise! The CAN-SPAM Act covers zero data types. That’s right! America’s Federal anti-spam act doesn’t protect any data.

The Leniency of the CAN-SPAM Act

That link up there (yep, a few words up and back) leads to the text of the American CAN-SPAM legislation. You can read it backward and forward, but you’ll never find a single mention of protected data.

There are a few reasons for this.

First: This law was written in 2003. We simply didn’t have the tech we do now! Nobody could have dreamed of the advances we’ve seen in the past two decades! The first iPhone was introduced in 2007, four years after this bill was written. “Seven Nation Army” had just been released, Finding Nemo was in theaters, and (for the gamers among us) Call of Duty wasn’t even a series. It was a different world.

Second: The law wasn’t meant to protect anyone’s data. In fact, its name is a backronym for “Controlling the Assault of Non-Solicited Pornography and Marketing.” It was less about limiting privacy and data breaches — which weren’t a massive concern at that time — and more about eliminating the then-current plague of explicit email “marketing.”

At its core, CAN-SPAM applies to the electronic mail message — which, at the time, was still the widely accepted way to say “email.”

The Importance of the CCPA

However, that doesn’t mean American companies can ignore email marketing laws! You must still consider local regulations, particularly California’s Consumer Privacy Act.

And here’s the kicker: The CCPA applies to all California residents, even if they’re visiting a site in another state! In other words, you can’t block Californian access and claim you’re abiding by the CCPA. If even one Californian resident in another state visits your non-CCPA-compliant web page, you’re in trouble.

Notably, there are few differences between the CCPA’s and GDPR’s definitions of personal data. Businesses must also keep their eyes on developments surrounding the controversial Kids Online Safety Act and — perhaps more importantly — the larger American Data Privacy Protection Act.

Opt-Out Requests and the Unsubscribe Link

Considering the inconsequential differences between the CCPA and GDPR, I’ll save some time and move to the next topic: opt-out requests. And — as a prerequisite to this section — I must emphasize that every modern email marketing law requires opt-outs.

Moreover, all email marketing must abide by basic consumer protection principles. Globally, businesses must honor opt-out requests promptly and without retaliation. Furthermore, customers cannot be punished for refusing to disclose information. Exceptions can be made on the basis of necessity, but few businesses truly need to know a consumer’s personally identifying information.

I must also emphasize that they’re not a bad thing, either! Uninterested subscribers avoid spam, and marketers send fewer marketing emails. It’s a win-win for everyone, but America and the European Union have different definitions of a legal opt-out request.

How America Interprets the Opt-Out Request

Under American law, the Federal Trade Commission mandates that all opt-out requests meet four requirements:

• Accessibility: Links must be accessible to everyone and easy to understand. That means you can’t jam-pack your opt-out form with legalese babble!
• Free: Businesses cannot charge a user to leave an email list.
• Promptness: Businesses must honor opt-out requests within 10 days.
• Simplicity: The process must be straightforward, requiring no additional action from the user. At most, a business may request that users confirm their email address.

The CCPA goes even further, defining additional stipulations for email marketing professionals. However, these regulations were crafted to update America’s outdated internet regulations. As such, they share plenty of traits with the GDPR.

The GDPR Definition of an Opt-Out

Like the CAN-SPAM Act, the GDPR forbids unsolicited and intrusive email marketing. Furthermore, a recipient’s opt-out request cannot be refused without a cause; upon refusal, the customer must also be notified of the decision!

Notably, users must opt in before earning the right to opt-out under European law.

Who Oversees Modern Email Marketing Laws?

Not surprisingly, these laws are enforced by different entities. It would be silly otherwise!

Oversight duties for each legislative action are as follows:

• CAN-SPAM: Federal Trade Commission
• CASL: Canadian Radio-Television and Telecommunications Commission
• CCPA: California Privacy Protection Agency
• GDPR: European Data Protection Board

There are also varying levels of oversight. The GDPR is the most restrictive, with the CCPA a fair distance behind.

The United States and Email Marketing Law Enforcement

While CAN-SPAM is a Federal law, CCPA is a state-based legislation. The latter is overseen by a five-person team known as the California Privacy Protection Agency.

In both cases, oversight includes enforcement, investigations, and distribution of legal punishments.

European Oversight for Email Marketing Laws

Comparatively, European law is more organized.

Rather than entrusting privacy to a small number of high-level overseers, the European Union enforces the GDPR with a combination of on-the-ground inspections and administrative oversight. Officers of the European Data Protection Board perform regular compliance checks for all email marketing and online platforms. Should an oversight or violation be spotted, officers report that information to superiors.

You often have more forewarning under the GDPR, as officers must notify businesses of violations. After a short period of potential restitution, further failure to comply results in steep penalties.

Opt-In Requirements

Finally, we reach the most challenging obstacle for email marketing.

Unlike our last few differences, the divide between American and European opt-in legal requirements is massive.

Nonetheless, both legislative actions have a few similarities, including:

• Consent: Users must agree to provide personal data.
• Exclusions: Anyone refusing an opt-in request must be excluded from relevant data collection services. This includes commercial email and non-essential marketing messages.
• Exemptions: Opt-in and informed consent does not apply to certain businesses. Similarly, information can be withheld under certain circumstances.
• Information: Businesses must provide information on a user’s rights before delivering the opt-in request. Users also have the right to request additional information before consenting to the receipt of commercial email marketing.
• Transactional Emails: Users do not have to opt-in to receive transactional emails (e.g., post-purchase flows and receipts).

The CAN-SPAM and CCPA View of Opt-In

In the United States, businesses are not required to disclose as much information as European companies. In fact, Federal law allows for passive or inferred consent, wherein a user’s submission of a pre-filled opt-in form constitutes consent!

However, like the GDPR, the CCPA requires express permission to send email marketing campaigns. As such, businesses cannot comply with the CCPA while using pre-ticked checkboxes or similarly underhanded techniques.

The CCPA also allows businesses to refuse requests to disclose additional information (e.g., data handler contacts, information sources, and information use) for specific reasons. It’s not entirely impossible to refuse a request for information, but it’s not the easiest thing to do. Either way, businesses have 45 business days to respond to such requests.

The GDPR and Opt-In Requests

Conversely, the European Union expressly forbids implied consent on a multi-national level. Users must explicitly provide contact details and active consent before receiving anything more than a confirmation email. (This is one of the many reasons that double opt-in forms are so popular in Europe!)

Like the CCPA, the GDPR allows businesses to refuse requests for information. However, European businesses “bear the burden of proof” for such refusals. In other words, businesses must be able to provide authentic evidence that the specific request meets its strict exclusion requirements.

Avoid the Hassle and Find a Pro

Of course, the easiest way to understand the legal minutiae of these laws is to find an expert!

Fortunately, my team at The Email Marketers knows the ins and outs of online email marketing. We understand the laws and know how to reduce your brand’s legal risks.

Stop struggling with your email marketing! Let the seasoned professionals handle everything. Schedule a free strategy session and see how my team and I can make your promotional emails shine in an inbox and be (legally) squeaky clean. You’ll also find many more tips, tricks, and email marketing hints scattered throughout the blog!

(The information contained in this site is provided for informational purposes only and should not be construed as legal advice on any subject matter.)