3 Key Email Marketing Laws For Compliance You Should Know

You’ve picked the perfect email template. You agonized over the subject line, and now you’ve got it just right.

Your email copy and images are ready, and you’ve triple-tested just about everything. You’re ready to send, but is there something you’ve forgotten? 

Oh, right. Are you breaking any email marketing laws? 

Legal compliance might be the last thing you think about when creating email marketing campaigns. But don’t overlook it; the cost is steep, both in loss of consumer trust and literal fines. 

(Having trouble convincing your boss? Just show them the fines.)

Fortunately, you don’t need to hit the legal books and read every statute to learn the laws. 

We’ve got you covered. In this guide, we’ll go over the three main laws for email marketing you need to know and some best practices to remain compliant and increase open rates. 

There are multiple laws governing email marketing based on where you and your recipients are based. But the ones every marketer should know are the CAN-SPAM Act (United States), CASL (Canada), and GDPR (Europe). (We’ll go over each of these in more detail below.)

These regulations don’t make email marketing illegal—quite the opposite. 

They give a framework for businesses to engage with customers over email while protecting individuals’ rights. 

In plain language, these laws set the rules that give customers back some control over what lands in their inboxes. 

These rules exist to give consumers the rights to basic protections such as the ability to unsubscribe and avoid fraudulent or deceptive commercial emails.

The FTC defines a commercial email as one which “advertises or promotes a commercial product or service, including content on a website operated for a commercial purpose.”

On the other hand, a transactional email “facilitates an already agreed-upon transaction or updates a customer about an ongoing transaction.” Examples of this include an order confirmation, software notification, or electronic statement. 

Read more: What Is Email Marketing? + 5 Key Tips To Get Started & Boost ROI [Guide]

Back in 2003, Americans were getting spammed. A lot. 

Think back to the days of AOL and Yahoo!, chain emails, and businesses discovering mass email for the first time. 

Enter the CAN-SPAM Act, sometimes just shortened to “CAN-SPAM.” It’s a law passed in 2003 that establishes the US’s national regulations and standards for sending commercial emails and essentially gives recipients the right to have you stop emailing them.

CAN-SPAM governs email marketing in the US and stands for (get ready) Controlling the Assault of Non-Solicited Pornography and Marketing. 

Here are a couple main facts about the law:

• The Federal Trade Commission (FTC) is responsible for enforcing it. 
• Despite several reviews, the FTC hasn’t passed any major updates since it passed.

The law applies to all companies sending commercial or transactional emails within the United States (i.e., sending emails to a US resident). 

Your company is still responsible for compliance even if you contract out your email marketing to a third party. In fact, if there’s a violation, you may both be liable. 

Each individual email violating the CAN-SPAM Act can carry a penalty of up to $46,517. 

Yikes. 

Interestingly, individuals can’t sue companies under the law. Instead, the FTC, state attorney generals, or even an internet service provider (ISP) can levy fines or lawsuits on a customer’s behalf. 

Regardless of who might sue you, you just don’t want it to happen. 

To keep yourself out of the hot seat, follow these simple rules:

• Don’t use false or misleading header information. Your “From” field, sending domain name, and the reply-to email address should accurately match the sender. In other words, you can’t make your email look like it’s coming from a celebrity or from an unknown source. 
• Don’t use deceptive subject lines. You’ll do anything for a good open rate, right? Just make sure that your subject line actually matches the message in the email body. For instance, “You’ve won 1 million dollars!!!!!!” isn’t a good subject line…unless it’s true. 
• Identify your message as an ad. This one is a little tricky. You don’t need to explicitly state, “This is an advertisement” in your email, but the fact shouldn’t be hidden, either. Items like offers, coupons, and links to landing pages all indicate that your message is an ad from a brand, not a message from a friend.
• Give a mailing address. You’re required by law to include a legitimate mailing address in every email that you send. Most companies do this by building it into their standard email footer. If you don’t have a physical address, you can include a home address, a PO box, or an address you set up through a registration service. 
• Tell recipients how to opt-out. You must include instructions to recipients on how to unsubscribe from your email list. Technically, the law doesn’t stipulate that you need to include an unsubscribe link, but this is a best practice. Also, you can’t charge a fee to opt-out.  
• Honor opt-out requests in a timely manner. You have 10 business days to remove someone who unsubscribed from your mailing list, and your opt-out mechanism must process requests for at least 30 days after sending. 

Let’s take a look at an email example that demonstrates most of the above:

CASL stands for “Canada’s Anti-Spam Legislation” and was signed into law in 2014. This federal law deals with spam and other electronic threats. It’s primarily designed to protect recipients while still ensuring businesses can continue to send marketing emails. 

CASL applies to all consumer electronic messages (CEMs) that send from, to, or between Canadian residents. 

It’s not pretty. 

CASL violations carry a penalty of $1 million per violation for individuals and $10 million per violation for companies. Directors and officers of companies can also be found personally liable. 

So, what do you need to know about CASL? 

• You need consent to send CEMs. To obtain consent for electronic communications in Canada, your request for consent should contain the following:
  • the name of the person or organization seeking consent
  • a physical address and either a phone number or website where recipients can contact an agent for more information
  • the identity of any third party used to obtain consent
  • a free unsubscribe mechanism including the ability to opt-out of all communications 
  • consent must be proactive (i.e., checkboxes should not be prefilled)
• Implied consent is acceptable, but it has an expiration date. Forms of implied consent can include communications in the context of a pre-existing relationship or if recipients publish or voluntarily disclose their contact information. Implied consent only lasts for two years after a purchase and six months after an inquiry. After that, you’ll need to request consent again. 
• Keep records of consent. The burden of proving that you have consent is on the business. Set up a record-keeping system that shows the date, time, and manner of consent. 
• Respond to unsubscribe requests quickly. Process unsubscribe requests within 10 days.
• Exceptions. There are a few areas exempt from CASL, including charity and political fundraising emails, secure confidential accounts such as banks, and messages sent from instant messaging platforms where consent and unsubscribe options are clear to access. Under a partial exemption, businesses can send a single message seeking an opt-in with a third-party referral. 

Here’s how good ol’ Tim Hortons follows CASL in their email below:

If you’ve read headlines about social media companies winding up in court in Europe, it’s probably because Europe is very serious about its citizens’ privacy laws. 

GDPR is the strictest of the three laws we’re examining and the most recent, taking effect in 2018. 

GDPR stands for “General Data Protection Regulation.” As you can guess from the name, it covers a lot more than just email marketing.

The law requires companies to have express permission to collect, use, store, and transfer data of any kind about a customer. 

GDPR applies to any company that handles the data of a resident or citizen of the European Union, even if you aren’t specifically marketing to them. The EU has 27 member states, so it applies to most European countries. 

The consequences of violating GDPR are no joke. Violators are subject to a fine of 20 million Euros or 4 percent of their global revenue (whichever is higher), plus compensation for damages. 

GDPR is a very broad law covering all aspects of data privacy. You should do a deep dive with your IT team to make sure you’re in compliance, but here are the most important things for email marketing pros to know: 

• You need express consent. To send email marketing messages, your recipients need to opt-in with consent that’s “freely given, specific, informed, and unambiguous.” Requests for consent must also be in plain language and separate from other communications. It can’t be buried in terms and conditions or added at the bottom of a purchase flow. And like CASL, you can’t use pre-checked boxes. 
• You need to keep a record of consent. Like CASL, you need to keep records of consent to be able to prove you’re within the law.
• Consumers can withdraw consent at any time. Consumers can withdraw consent whenever they want by unsubscribing, and it must be free. 
• You need to secure customers’ data. You’re responsible for protecting personal data against “accidental loss, destruction or damage, using appropriate technical or organizational measures.” Email encryption and enabling dual authentication are two common ways to keep customer data secure. 

Since the UK left the EU in 2021, GDPR no longer applies to its citizens. However, it adopted its own regulatory framework called UK-GDPR, which is nearly identical to the EU’s GDPR rules. 

You should follow GDPR principles for UK citizens, but keep an eye out for future changes that may differ.   

In most cases, you need consent to send email marketing messages. The definition of consent, though, can vary.   

In the US, many countries operate under an implicit permission framework. This means that companies consider different actions to give implied permission to send marketing messages, even if that person hasn’t formally opted in. 

Some examples are completing a purchase, subscribing to a service, or registering for an event. 

By this looser definition, customers have given general consent to the company to send some form of communication.  

Explicit permission means that a person has taken action to opt-in to your mailing list. In some areas like Europe, you need explicit permission to send commercial emails. Other companies adopt explicit permission as a matter of best practice. 

In the US, it’s legal to buy lists of email addresses from a third party. But is it the best practice? Meeeh, we say skip it.

Why? 

For one reason, many email service providers don’t allow emails to be sent to purchased lists using their platform. You’re also not likely to see engagement from customers who haven’t even heard of you and might be frustrated to suddenly receive unsolicited emails. 

Since data protection is key for GDPR compliance and a best practice, there are a few supplemental actions you can take to increase your email deliverability rate and prevent a spammer from spoofing your account. 

These are technical, so you don’t need to worry about setting these up yourself. Get in touch with your email vendor or IT department to see if you have these and request setup if not.  

DKIM is a protocol for email authentication that allows a company to validate ownership of a message. This method uses public key cryptography to verify that messages come from an authorized mail server. Mailbox providers recognize this validation and are less likely to place authenticated emails in a spam folder. 

Nope, we’re not talking sunscreen.

SPF is another email authentication method that validates that an email has come from an authorized mail server. Your company can specify exactly which mail servers emails from their domain name must originate from, blocking a third party from creating spam messages on their behalf. 

SPF is very effective at preventing phishing messages and can be used in tandem with DKIM for maximum security. 

This mouthful of an acronym is another authentication method that can be layered on top of DKIM and SPF for even greater email security. 

DMARC gives domains another way to prevent spoofing attacks by allowing the domain name owner to specify how unauthenticated messages should be treated by mailbox providers. The three common policies you can specify in the DMARC DNS record are NONE, QUARANTINE, and REJECT. 

With all these patchwork laws, you need to create a strategy and follow email marketing best practices to keep yourself in utmost compliance. 

To satisfy these different regulations, you have two choices: 

1. Create separate email lists and strategies by location. Many enterprise and global companies already segment their email marketing by location. Tailoring your approach to each location can give you more flexibility, but it requires more administration. It can also still be easy to inadvertently break the law if someone subscribes to a list while outside the country where they live. 
2. Create a policy that covers all locations. To cover all your bases and simplify your implementation, create a unified policy that can be applied to all geographic areas and incorporates best practices in email marketing. 

When creating an email marketing strategy, here are some things to consider to ensure further compliance.

To keep yourself out of trouble, adopt a policy and approach that incorporates the most conservative law you want to meet. How you will handle opt-in and opt-out requests are an important part of this policy. 

This can be a tough choice, making it slower to build your email lists. You’ll see an ROI in time, however, with a more engaged and loyal email list because of the trust that you’ve built. 

Documenting and maintaining your email policy is a must. 

Educate new hires on your policies and why they’re important. When you don’t, standards start to slide for future emails, and you put your company at risk. 

Remember, you’re liable for mistakes made by any vendors and third parties managing your email marketing. Choose an email software and email partner that know the ins and outs of US and international email laws. At KlientBoost, we take this seriously.

A lot of the problems these regulations are trying to address come down to deception. Stay away from clickbait subject lines that don’t accurately represent your content. 

Make sure that your body copy is transparent and clearly distinguishes commercial offers from transactions or personal emails. 

Consumers are more likely to opt-in to an email subscription when they know the type and frequency of communications they’ll receive. Examples of this are:

• “We take your data privacy seriously and will never sell or share your email address.”
• “Our monthly newsletter shares tips, news, and announcements.”
• “You may receive special offers from us no more than once a week.”

Some brands also use a list management automation system that recipients can access by clicking “Manage Subscriptions” in their footer. 

There, they can see which lists they’re subscribed to and can select or deselect individual lists or change their email frequency. 

We’re done with acronyms, we promise.

As you can see, the anti-spam laws are fairly easy to understand and follow. In most cases, you don’t need to consult a lawyer to set up compliant email marketing.  

Many of these laws have overlapping, common-sense legal requirements that can guide you to a smart email marketing policy. 

Your boss and legal counsel will thank you for keeping your company in the clear. 

In the end, shady email marketing tactics don’t pay off. You’ll lose your customers’ trust, tank your open rates, and risk paying some serious fines.

Think of yourself as an advocate for the user: by creating trust over time, you’ll build a more engaged subscriber base with the leads and revenue to go with it.