Email compliance refers to following specific laws and rules that regulate how businesses are required to send marketing emails to their customers. These legal requirements aim to protect people’s privacy and to ensure they aren’t bombarded with unwanted emails.
Email compliance laws are vital for email marketers. Following them will help you stay out of legal trouble and build trust with your audience. Moreover, maintaining email compliance is also instrumental in improving key email marketing metrics such as deliverability, and, indirectly, open and click-through rates. That is because emails that are compliant with the rules and laws applicable in a given region have a lower probability of being tagged as spam by email providers.
Email compliance laws aren’t the same across the world. Different countries and regions have their own legislation, while specific industries such as healthcare can have their own regulations in addition to that. Let’s check out some of the laws you’ll be most likely to encounter in your email marketing routine.
GDPR stands for General Data Protection Regulation. This law protects the personal data of people living in the European Union, even if companies handling the data are based outside the EU. Personal data includes information like phone numbers, email addresses, IDs, and even cookies. In email marketing, any customer data you collect likely falls under this regulation, so it’s important to comply with GDPR to handle it properly.
GDPR has been in effect since May 2018, and it’s managed by Data Protection Authorities (DPAs) in each EU member state. If you find yourself in violation of GDPR, you can face some pretty hefty fines, in some cases reaching up to 4% of your company’s global annual turnover or €20 million, whichever is higher.
CAN-SPAM stands for the Controlling the Assault of Non-Solicited Pornography And Marketing Act. Enacted in 2003, this US law sets the rules for commercial emails, establishes requirements for commercial messages, and gives recipients the right to stop receiving emails from businesses on demand. Unlike GDPR, which is primarily focused on data collection, CAN-SPAM specifically regulates how companies can legally send out certain types of emails, like those that are primarily intended to advertise products or services.
According to the Federal Trade Commission, which is responsible for enforcing CAN-SPAM, each separate email that violates this law is subject to penalties of over $50,000.
HIPAA stands for the Health Insurance Portability and Accountability Act. This US law was enacted in 1996 and protects people’s health information. It makes sure that your medical records and personal health details stay private and are handled safely. HIPAA sets the regulations for who can see or share your health information and how it should be protected, especially when it’s stored electronically. It applies to doctors, hospitals, insurance companies, and anyone who deals with health data.
Thinking this legislation is irrelevant to you as an email marketer? Think again! If you’re dealing with protected health information (PHI), this can fall under the scope of HIPAA. This can include sending emails on behalf of a healthcare provider or organization (like a hospital or insurance company), or including any PHI, such as patient names, medical records, treatment details, or billing information, in your emails. It also means you need to use encryption or other security measures if you’re sending marketing emails with sensitive health data.
You already know about the CAN-SPAM Act in the United States, but some states have their own legislation in addition to that. This includes CCPA — the California Consumer Privacy Act, a law passed in California in 2018. It gives California residents more control over how their personal information is collected, used, and shared by businesses. This includes the rights to know what personal data companies collect, to request its deletion, to opt out of data sales, and to be protected from discrimination for exercising those rights.
While CCPA is specific to California, it also affects businesses located elsewhere if they’re handling the data of California residents. It also only applies to businesses that generate over $25 million in revenue, collect data on 50,000 or more consumers, or earn more than 50% of their revenue from selling personal data.
Canada has pretty strict anti-spam laws that apply to any communication sent by a Canadian company, sent to a Canadian company, or routed through a Canadian server. CASL (Canada’s Anti-Spam Legislation) covers everything from spam email and text messages to phishing for sensitive information like passwords.
As you can see, there are a lot of legal factors to bear in mind, which can feel overwhelming, especially if you’re just starting to build your email list. However, there are a few simple steps you can take to make sure your email marketing efforts comply with all the relevant legislation.
A few of the laws mentioned above require that your clients consent to receiving emails from you. This is where the opt-in mechanism comes in.
There are two ways to subscribe customers to your emails: single and double opt-in.
With a single opt-in, when someone signs up for your email list, they’re added to it straight away.
With double opt-in, the potential subscriber needs to reconfirm their sign-up by clicking a link sent to the email address specified in the subscription form, and only then are they added to the list.
In general, double opt-in is also considered to be more reliable. Legal aspects aside, it ensures that the email address you’re trying to reach is valid, and that the subscriber actually wants to receive your emails.
The good news is, setting this feature up is really easy, especially if you’re using an email service provider like Selzy.
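As an added illustration (not Selzy’s code or any ESP’s API), here is the double opt-in flow from the two steps above in Python: the sign-up form only creates a pending request and a signed, expiring confirmation token; the address joins the list, with a timestamped consent record, only when that exact token is presented. The secret key, the 24-hour link lifetime and the in-memory dictionaries are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Optional

# Assumed: a server-side key that never reaches the subscriber (load from a secrets store in practice).
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL = 24 * 3600  # assumed policy: confirmation links expire after 24 hours

pending: dict = {}      # email -> time the sign-up form was submitted (not yet on the list)
subscribers: dict = {}  # email -> consent record, the evidence GDPR-style consent rules ask for


def _sign(payload: bytes) -> str:
    """HMAC over the token payload so a confirmation cannot be forged for someone else's address."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def make_confirmation_token(email: str, now: Optional[float] = None) -> str:
    """Step 1 (form submitted): record a pending request and build the token for the confirmation link."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    pending[email] = now
    payload = f"{email}|{int(now)}".encode()
    # The confirmation email carries this value, e.g. https://example.com/confirm?token=<token>
    return urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def confirm_subscription(token: str, now: Optional[float] = None) -> bool:
    """Step 2 (link clicked): add the address only if the token is genuine, unexpired and still pending."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.rsplit(".", 1)
        payload = urlsafe_b64decode(b64.encode())
    except ValueError:  # malformed token or bad base64 padding
        return False
    if not hmac.compare_digest(_sign(payload), sig):  # tampered or forged
        return False
    email, issued = payload.decode().split("|", 1)
    if now - int(issued) > TOKEN_TTL or email not in pending:  # expired, already used, or never requested
        return False
    subscribers[email] = {"consented_at": now, "method": "double opt-in", "source": "signup form"}
    del pending[email]  # each link confirms at most once
    return True
```

A single opt-in system would skip `confirm_subscription` entirely and write to `subscribers` in step 1, which is exactly why it cannot prove the address owner agreed.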
Some of the anti-spam legislation stipulates that you should make unsubscription clear and easy for the recipients of your emails. This entails adding an unsubscribe button or link at the bottom of your message.
While most email marketers use links or buttons, there are also alternative ways to allow unsubscription. These can include QR codes, or prompting the recipient to unsubscribe by replying to your email.
Including your business’ physical address in your marketing emails or newsletters is another requirement stipulated by international anti-spam laws. Placing this information at the bottom of the email in addition to the unsubscribe options will help you stay out of legal trouble.
In addition to legal compliance, providing a valid postal address may signal to your subscribers that your business is real and transparent, thereby increasing trust.
Transparency about how you collect, use, and store customer data is crucial, and is also one of the requirements of anti-spam laws we’ve discussed.
When someone subscribes to your email list, make sure they understand what data you collect, how you plan to use it, and whether it will be shared with third parties. Providing a clear privacy policy and including a brief summary of this information in your sign-up forms or emails helps to set the right expectations. This also includes sharing timely updates with your subscribers, should your privacy policy change.
Regularly cleaning your email list (a practice also known as email list hygiene) is essential. It’s important for compliance in particular, as it reduces the chances of being flagged as spam and keeps your email practices in line with GDPR, which requires businesses to only store data that is relevant and up to date.
Aside from compliance with anti-spam regulations, email list management is important for improving your deliverability and engagement, ensuring your emails reach real, interested recipients.
Again, this is something an ESP can help you with. Selzy’s list hygiene feature will help you make sure your list is up to date.
While purchasing email lists to grow your audience may seem like a quick and easy fix, it’s actually a very bad idea that can lead to serious issues with compliance. Many of the laws mentioned above require obtaining explicit consent from individuals before you send them marketing emails, which is something purchased lists lack.
In addition to that, this bad practice can result in your emails being marked as spam by the recipients.
To build a healthy email list and stay away from trouble, check out our tutorial on how to collect emails for email marketing organically here.
Now let’s examine the main challenges that international email compliance creates for marketers.
We’ve already touched upon the fact that different laws cover different regions of the world. The issue is made more complicated by the fact that what’s compliant in one region may not be acceptable in another. For example, GDPR in the EU focuses heavily on data privacy, while CAN-SPAM in the US is more focused on whether the information in the email is truthful and on opt-out options.
You should also conduct research into regional legislation. For example, while the whole of the European Union is covered by GDPR, some EU states like Germany have their own data protection laws.
Differences in consent requirements are another challenge posed by the laws. For example, GDPR mandates explicit, opt-in consent before sending marketing emails, whereas the CAN-SPAM Act allows businesses to send emails without prior consent as long as the recipient can opt out easily.
Many countries impose restrictions on transferring personal data across borders to protect their citizens’ privacy. An example of this is GDPR, which stipulates that the personal data of EU users can only be transferred to countries with adequate data protection standards or when specific safeguards, like standard contractual clauses, are in place.
If your marketing efforts are international, don’t forget about local language rules. For example, some countries require that emails and privacy details be in the local language.
Check out this French-language email below — the body of the email is in French, and so is the legal information below.
To learn more about international email marketing, check out our articles on multilingual email marketing and email localization.
As mentioned earlier, each anti-spam law carries its own financial penalties, and these tend to be pretty hefty. Aside from the fines, violating email marketing regulations can seriously harm your brand’s reputation, leading to loss of customer trust and loyalty.
One of the largest penalties for GDPR violation was imposed in 2023, when the Irish Data Protection Commission (DPC) issued a €1.2 billion fine on the tech giant Meta for sending personal data of European users to the United States without proper protections in place.
As far as the United States is concerned, the Federal Trade Commission imposed a $2.9 million CAN-SPAM fine on Verkada, a firm that specializes in security cameras, earlier this year. The FTC also required Verkada to implement an information security program following claims that it had allowed a hacker to access security cameras.
Understanding email compliance and various data protection laws is no easy feat, but adhering to them is essential for protecting your business and ensuring the efficiency of your email marketing campaigns. We hope our article has helped you gain a deeper understanding of the topic.
To sum it all up,