Email Marketing Compliance Explained: What To Do To Stay Legal

29 December, 2021
by Roman Andreev

List hygiene, good timing, and personalization matter, but they count for little if you neglect the compliance side of email: obtaining consent, keeping personal data secure, and maintaining a privacy policy.

Read on to learn how to keep your email marketing legal: what information to include in your emails, which laws to be aware of, how to avoid complaints, and more.

What is email compliance?

Your emails are compliant when they conform to the rules, regulations, and standards that apply to them, most of which are laid down by public authorities, and when the data behind them (addresses, consent records, preferences) meets the requirements of the relevant regulatory frameworks.

In particular, these laws prohibit storing and using personal data, including email addresses, without authorization. Email compliance also covers data privacy and information security. The rules differ between jurisdictions, but everywhere the aim is to avoid the same unwelcome outcomes: claims and disputes with customers, reputational damage, and heavy fines.

At its core, email compliance is respect for your prospective partners and clients. The fact that states have written general rules about it shows that the problem is serious and affects everyone.

Email marketing compliance step-by-step

Email is a powerful marketing tool: it wins new customers and keeps them informed about goods, services, prices, events, and sales. But compliance in email marketing is complicated, and mistakes mean penalties. Review your email strategy and its technical execution carefully, step by step.

Permission to email people

The legislation of most countries, including the USA, Canada, and the EU member states, restricts sending commercial email without consent. Make sure your list was obtained legally and that your recipients actually want your emails.

Make giving consent:

  • Simple. Let visitors tick a box. Forms should be convenient and easy to read.
  • Voluntary. Don’t force users to visit other pages in order to subscribe.
  • Active. The consent box is never pre-ticked; a potential subscriber has to take an action to subscribe.
You enter your email and tick the box to consent to a certain type of email, accepting the use of your personal data.

Check that your subscription forms do not request irrelevant information. For example, a company that sells school uniforms may ask whether its customers have children and how old they are, but has no reason to ask about their cars.

A fragment of our own landing page. We ask for your email only.

But sometimes subscription requires more information.

For example, Top CV, a popular British job-search service, offers you a CV template and then sends you emails according to your personal settings.


All the details collected by this form help them deliver content that matches your interests.

It is safer and preferable to use double opt-in: users not only enter their details and click Subscribe but must also confirm the subscription on a separate page or by clicking a button in a confirmation email.

So after filling in a form like the ones above, you receive an email like this asking you to confirm your consent:


This is how the double opt-in method filters out people who subscribed unintentionally, entered somebody else’s address, or typed a fake one.
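As an added example (not the article’s or Selzy’s code) of how a double opt-in flow can be implemented, the Python below issues an HMAC-signed, time-limited confirmation token bound to the address and the list, and only marks a subscriber confirmed once a genuine, unexpired token comes back. The key handling, the 48-hour window, and the in-memory store standing in for a database are assumptions made for the demonstration.

```python
"""Double opt-in with signed, time-limited confirmation tokens.

Added example for this article, not the author's or Selzy's code. Assumptions
(not from the article): HMAC-SHA256 tokens carrying the address, list and issue
time; a 48-hour confirmation window; an in-memory store standing in for a database.
"""
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Assumption: in production this key comes from a secrets manager, never from source.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 48 * 3600  # how long a confirmation link stays valid


def normalize_email(email: str) -> str:
    # Lower-casing the whole address is a dedup convention; strictly only the
    # domain part is case-insensitive. Treat it as a deliberate policy choice.
    return email.strip().lower()


def _sign(payload: bytes) -> str:
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def make_confirmation_token(email: str, list_id: str,
                            issued_at: Optional[float] = None) -> str:
    """Bind the token to the address, the list and the issue time, then sign it."""
    email = normalize_email(email)
    if "|" in email or "|" in list_id:
        raise ValueError("separator not allowed in email or list_id")
    issued = int(time.time() if issued_at is None else issued_at)
    payload = f"{email}|{list_id}|{issued}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_confirmation_token(token: str,
                              now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Return (email, list_id) for a genuine, unexpired token, otherwise None."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
        # Constant-time comparison: a forger learns nothing from response timing.
        genuine = hmac.compare_digest(_sign(payload), sig)
    except (ValueError, TypeError, binascii.Error):
        return None
    if not genuine:
        return None
    email, list_id, issued_s = payload.decode().split("|")
    current = time.time() if now is None else now
    if current - int(issued_s) > TOKEN_TTL_SECONDS:
        return None  # stale link: the subscriber has to start over
    return email, list_id


@dataclass
class Subscriber:
    email: str
    list_id: str
    status: str = "pending"             # pending -> confirmed
    signup_source: str = ""             # which form captured the address
    confirmed_at: Optional[int] = None  # when the recipient clicked the link


@dataclass
class SubscriptionStore:
    rows: dict = field(default_factory=dict)

    def request_subscription(self, email: str, list_id: str, source: str) -> str:
        """Step 1: record a pending signup and return the token to mail back."""
        email = normalize_email(email)
        self.rows.setdefault((email, list_id),
                             Subscriber(email, list_id, signup_source=source))
        return make_confirmation_token(email, list_id)

    def confirm(self, token: str, now: Optional[float] = None) -> bool:
        """Step 2: the click proves the address is real and its owner wants the list."""
        verified = verify_confirmation_token(token, now)
        if verified is None or verified not in self.rows:
            return False
        sub = self.rows[verified]
        if sub.status != "confirmed":  # idempotent: a second click changes nothing
            sub.status = "confirmed"
            sub.confirmed_at = int(time.time() if now is None else now)
        return True

    def can_send(self, email: str, list_id: str) -> bool:
        """Only confirmed addresses ever receive marketing mail."""
        sub = self.rows.get((normalize_email(email), list_id))
        return sub is not None and sub.status == "confirmed"
```

The token carries its own issue time, so the confirmation link expires without a server-side lookup, and because it is signed, nobody can confirm an address they do not control by guessing a URL. Keep pending rows out of every send list until `can_send` says yes, and retain `signup_source` and `confirmed_at`: they are the evidence of consent a regulator will ask for.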

Be especially careful with cold emails, where you have had no prior contact with the recipients and never received direct permission through a subscription or a form.

No misleading information

This applies to every element of an email: not only the message body but the sender information and the subject line as well.

The sender name and address should be accurate so that a recipient can easily connect the email with the company and its product. The subject line and preheader should likewise reflect the content and purpose of the message.

Here you see the sender’s email address, but it is not clear what company it is or what the goods are. Is it really a pet shop? No idea.

Spell out the CTA (the call to action you want the person to take) clearly, and make that action useful and obvious.

Identify your email as an advertisement

Whether you send a cold email without direct permission or a newsletter to a subscriber, its purpose should be as clear as possible.

Keep in mind that the CAN-SPAM Act obliges you to identify a commercial message as an advertisement. EU legislation also requires you to make your purpose clear and to be able to demonstrate that the recipient consented to receive messages from you.

Include information about the company

The information should let the recipient identify the company: its official details, a valid postal address, contact channels, or a contact person.


Here the company name catches the eye, so you can quickly tell who the sender is and whether you need to read the email. The footer also contains company details and a reminder of why you received the message.

Give information about opting out of future emails

This is a must for any commercial email, but don’t treat the requirement as a formality.

Make opting out simple: the button or instructions should be clear and visible. For example, all the details in emails from Figma, including the unsubscribe link, are easy to find.


Respect opt-out requests

Different countries have different rules for opt-out.

In the USA, the rules set a deadline: a sender must honor a recipient’s opt-out request within 10 business days (§ 7704 of the CAN-SPAM Act). The opt-out mechanism must also remain functional for at least 30 days after the message is sent.

European rules allow opting out at any time. This follows from the priority the GDPR gives to data privacy and from its “right to erasure (or ‘right to be forgotten’)”: you must delete a person’s data on request. Note that honoring an opt-out still requires keeping the address on a suppression list; otherwise you cannot stop it from being re-imported and mailed again.

There are exceptions. Most of these requirements do not apply to transactional emails, which are triggered by the recipient’s own actions and carry service information (delivery status, payment confirmation, account details), although the ban on misleading sender information still does.

A triggered email with no Unsubscribe link
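The jurisdiction-specific deadlines above are only useful if the sending pipeline actually enforces them. As an added example (not the article’s or Selzy’s code), the Python below keeps a suppression list that honors every opt-out on day zero, computes the legal deadline from the windows cited on this page for the US, Canada, Australia, and the EU, and flags any request that has gone overdue. ISO-date strings and the absence of public-holiday handling are simplifications assumed here.

```python
"""Pre-send suppression check: drop opted-out addresses and track the legal deadline.

Added example for this article, not the author's or Selzy's code. The windows
are the ones the article cites (CAN-SPAM and CASL: 10 business days, Australian
Spam Act: 5 business days, GDPR: no grace period). Assumptions: dates travel as
ISO strings, and public holidays are ignored, which is a simplification.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Iterable, List

# Business days a sender has to honour an opt-out, per the article; 0 = immediately.
BUSINESS_DAYS_TO_HONOUR = {"US": 10, "CA": 10, "AU": 5, "EU": 0}


def normalize_email(email: str) -> str:
    # Dedup convention: an unsubscribed Foo@Example.com must not keep receiving
    # mail just because the list stores foo@example.com.
    return email.strip().lower()


def add_business_days(start: date, days: int) -> date:
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 .. Friday=4; weekends do not count
            days -= 1
    return current


def legal_deadline(jurisdiction: str, opted_out_on: str) -> str:
    """Last day by which the request must be honoured, as an ISO date."""
    # Unknown jurisdiction: apply the strictest rule rather than guess.
    days = BUSINESS_DAYS_TO_HONOUR.get(jurisdiction.upper(), 0)
    return add_business_days(date.fromisoformat(opted_out_on), days).isoformat()


@dataclass
class OptOut:
    email: str
    jurisdiction: str
    requested_on: str  # ISO date of the first request


@dataclass
class SuppressionList:
    entries: Dict[str, OptOut] = field(default_factory=dict)

    def record(self, email: str, jurisdiction: str, requested_on: str) -> None:
        email = normalize_email(email)
        # Keep the earliest request: a repeat click must never reset the clock.
        if email not in self.entries:
            self.entries[email] = OptOut(email, jurisdiction, requested_on)

    def is_suppressed(self, email: str) -> bool:
        return normalize_email(email) in self.entries

    def overdue(self, today: str) -> List[OptOut]:
        """Requests whose deadline has passed. Empty if every send is gated on
        this list, since gating honours the request on day zero."""
        return [o for o in self.entries.values()
                if today > legal_deadline(o.jurisdiction, o.requested_on)]


def filter_recipients(recipients: Iterable[str], suppression: SuppressionList,
                      message_kind: str = "marketing") -> List[str]:
    """Return the addresses a campaign may go to, deduplicated and unsuppressed.

    Transactional mail (delivery status, payment confirmation) is not gated on
    marketing consent, but the sender information in it must still be accurate.
    """
    if message_kind == "transactional":
        return [normalize_email(r) for r in recipients]
    seen, allowed = set(), []
    for r in recipients:
        e = normalize_email(r)
        if e in seen or suppression.is_suppressed(e):
            continue
        seen.add(e)
        allowed.append(e)
    return allowed
```

Gate every marketing send on `filter_recipients` and treat a non-empty `overdue()` result as an incident rather than a report: the deadline is a legal backstop, not a target, and a pipeline that suppresses on day zero never approaches it.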

Tips on following email compliance

There are many email compliance requirements and they change constantly. Do not expect regulators to overlook violations because of the sheer volume of email: a single complaint from a recipient is enough to trigger an investigation, and nobody will care whether you or your staff knew the rules, or whether the mistake was unintentional or caused by a technical failure.

For example, an obviously careless mistake, sending one email so that several recipients could see each other’s addresses, cost an individual in Germany €2,500 (one message per recipient, or at least BCC, avoids this entirely). For a company the loss is higher: the Romanian branch of UniCredit Bank was fined €130,000 for a violation that exposed unprotected customer information.

Of course, nothing guarantees that compliance failures never happen, but a few simple guidelines significantly reduce the risk.

Know your regulatory requirements

You need to know the content of the data protection and anti-spam regulations that apply to you, such as the GDPR for the European Union or the CAN-SPAM Act for the US.

But these are not the only jurisdictions, and knowing the legislation alone is not enough to organize mailings properly and meet the requirements.

You need to know what is applicable in each case. To do this, consider:

  • The geographical location of your recipients. Learn as much as you can about where your customers live: ask in your subscription forms, or infer it from the signup IP address and your ESP’s engagement analytics. This determines which email compliance rules apply.

Note that data protection legislation is extraterritorial: you must follow the laws of your recipients’ countries regardless of where your company is located.

  • The subject matter. Beyond general personal data there are special categories, such as medical data. In the US, specific legal provisions regulate the exchange of medical information far more strictly than the CAN-SPAM Act does: under HIPAA (the Health Insurance Portability and Accountability Act) you must obtain patient authorization before sharing protected health information or patient lists with third parties.

Educate your employees

In a smaller company, hold meetings or brief colleagues personally so that all key employees know what the compliance requirements are and understand any new rules. It helps to have a single document that sets out email handling and compliance rules and that everyone can refer to.

Provide regular staff training on handling personal data, email compliance, information exchange, archiving of messages, and use of the software.

Use marketing automation tools as much as possible to avoid sending emails with missing details (subject line, sender address, company information) or making other compliance mistakes, such as messaging somebody who has previously unsubscribed. These things are easier to track with an email service provider (ESP) like us. For example, if a person unsubscribes from a newsletter sent via Selzy, they automatically receive no further emails even though they remain on the list.

Use an archiving solution

The volume of commercial email is usually too large to handle manually, and you also need to store it and keep the data safe. This is where archiving solutions come in.

Email archiving automatically keeps a copy of every message without affecting the sender or the recipient. All message details (sender, recipient, body) remain unchanged. With an archiving solution you can quickly find, recover, and securely delete data, for example when an EU citizen exercises their right to be forgotten. Specialized solutions also protect the archive against data loss and unauthorized access.

The list of such tools includes:

and others.

They offer cloud-based archiving with a variety of search options.

Again, ESPs usually combine sending, data protection, support, and so on with archiving, so most of them develop and maintain their own archiving systems.

Know about modern trends

Email compliance is becoming more important and more complex. For example, usability and adaptation of the message to mobile devices now play a role.

From a compliance standpoint, notifications, capture forms, and subscription and unsubscribe controls must be clear and readable. Users rarely read laws, but they can easily complain if your email irritates them and its purpose is unclear.

So a user-friendly interface not only earns audience loyalty but also helps you stay compliant. Conversely, users will suspect a scam and may not even open your message if they cannot find out who the sender is or why they received it.

When choosing an ESP, make sure they have an email builder with a mobile layout. In all popular builders, Selzy’s one included, blocks are responsive — you create responsive emails by default.

The design on the left is well adapted to mobile devices, the one on the right is not. The copy is so small you can’t even find the unsubscribe button, which means problems. Source: Campaign Monitor

Responsibility for non-compliance

For serious GDPR violations the fine can be up to 4% of total worldwide annual turnover or €20 million, whichever is greater. Article 83 of the GDPR sets the amounts, which depend on which requirement was violated.

Civil penalties for CAN-SPAM violations can be as high as $43,280 per email (the figure is adjusted for inflation periodically). State authorities can also sue for damages of up to $2 million.

Individual countries may also set their own penalties for compliance mistakes.

Email laws and regulations that you need to know

Sending emails follows the email laws and regulations of the recipient’s country. Let’s review the main jurisdictions and laws.


GDPR for the European Union

The GDPR, the European Union’s General Data Protection Regulation, came into force on 25 May 2018. It is probably one of the strictest acts governing data processing.

Personal data under the GDPR is any information relating to an identifiable person, for example:

  • General data (address, age, contact details such as phone numbers or messenger handles)
  • Physical characteristics (gender, skin color, hair and eye color, clothing size)
  • Personal identification data (driving license numbers, insurance numbers, etc.)
  • Property information and bank details

When it comes to European users, a person must have clearly agreed to receive your emails. There is no grace period for opt-outs: a recipient may withdraw at any time, and you must be able to delete their personal data at any time.

The consent of a parent or legal guardian is required to process the data of minors (generally under 16; member states may lower the threshold to 13).

Processing special categories of personal data, such as racial or ethnic origin, biometric or genetic data, is prohibited unless one of the specific exceptions in Article 9 applies (explicit consent, for example).

Remember also that any EU member state may impose rules stricter than the GDPR. Germany, with its Act Against Unfair Competition (UWG), is known as the most difficult jurisdiction for commercial mailings.

CAN-SPAM Act for the US

The CAN-SPAM Act took effect on January 1, 2004 and regulates commercial email directly. Its emphasis is on making sure that information about products, services, and companies is clear and truthful, and it gives recipients the right and the means to opt out.

The CAN-SPAM Act does not prohibit sending promotional emails without prior consent, as long as:

  • You identify the message as an advertisement.
  • The addresses were not harvested, i.e. collected by software from websites or services where they were left for a completely different purpose.

Also, under the CAN-SPAM Act the sender has 10 business days from the recipient’s opt-out to stop sending campaigns to that user.

For content unsuitable for children, the CAN-SPAM Act and the FTC rule under it require sexually oriented material to be labeled as such at the start of the subject line (the prescribed label is “SEXUALLY-EXPLICIT:”).

You should also be aware that, besides the CAN-SPAM Act, the USA has many other laws dealing with electronically stored information, such as the Gramm-Leach-Bliley Act, and sector-specific data protection legislation such as HIPAA.

Canada Anti-Spam Legislation

The Canada Anti-Spam Legislation (CASL) came into force on July 1, 2014. It requires express consent for commercial electronic messages unless you can rely on implied consent, for instance from an existing business relationship with the recipient.

To be compliant you need to:

  • Identify the sender or the person on whose behalf you send the email.
  • Provide contact details.
  • Provide an opt-out mechanism, such as a link to your website. The mechanism must remain functional for at least 60 days after the message is sent, and you have 10 business days to honor the request.

Australian Spam Act

The Australian Spam Act was passed in 2003 and is one of the strictest regulations governing mailings. Unsolicited commercial emails are not allowed, an opt-out is mandatory, and messages must contain accurate information about the sender.

The Act details the consent procedures. Two types of consent are allowed: express (direct) consent and inferred consent. Inferred consent requires that the recipient provided their contact details intentionally, which is only possible if you already have some relationship with them.

Even express consent only covers a certain type of email. It may, however, still be obtained by telephone.

The sender has only 5 business days to handle opt-out requests, and the recipient must not be required to create an account or log in to unsubscribe.

Address-harvesting software may not be used either.


Conclusion

To stay compliant when sending mass emails:

  • Research your audience and keep up-to-date information on subscribers’ actions. This lets you offer relevant, useful content tailored to your recipients’ needs, and it helps keep your emails out of the spam folder.
  • Audit your email services and mailing rules regularly, for both advertising and internal mailings. Check opt-in forms, preheaders, and subject lines; every detail of your emails should be correct and complete.
  • Consider the requirements of different jurisdictions: identify your sending as an advertisement for the US as the CAN-SPAM Act requires, make sure you can delete information under the GDPR, and check that you can technically handle the different opt-out deadlines for recipients in different countries.
  • Automate mailing and archiving as much as possible, using specialized services or your ESP. Keep your lists up to date so that every address was obtained legally and with the recipient’s permission.
  • Publish a privacy policy describing what you do to stay compliant, and update it regularly. Make it easy for customers to review and accept, and link to it from your email footers.