Email is one of the most effective marketing channels around, but email marketing regulations are getting tighter across the globe. Make sure you don’t breach email marketing regulations with our guide to email laws you should follow.
In this post, we’ll look at steps you can take right now to make sure your email marketing meets the most important international standards.
Obviously, the big one here is the General Data Protection Regulation or GDPR…😱
GDPR came into force on 25 May 2018. By including email addresses in its legal definition of “personal data”, GDPR transformed email marketing overnight.
The penalties for breaking GDPR rules are potentially huge: up to 20 million euros or 4% of global business turnover, whichever is greater 😲.
But don’t panic!
We’ve split our tips and advice on GDPR-compliant email marketing down into three big sections, before turning to look at some other important email laws you should follow:
- Email Marketing Regulations: Signing up subscribers under GDPR
- Email Marketing Regulations: Opt-out rights under GDPR
- Email Marketing Regulations: How you handle users’ data under GDPR
- Email Marketing Regulations: The rest of the legal landscape
1. Email Marketing Regulations: Signing up subscribers under GDPR
The GDPR sets out six key principles that anybody making use of another individual’s personal data must follow.
When it comes to adding new subscribers to your email list, the first principle says you need a “lawful basis” to send messages to them. That could be:
- Consent – the person has given permission for you to contact them
- Contract – you need to contact them to fulfill a contractual agreement you have with them
- Legal Obligation or Public Task – you need to contact them to fulfill a legal or official duty
- Legitimate Interests – the contact is necessary for you to pursue your legitimate interests
We’ll ignore 2 and 3 as they don’t really apply to marketing.
You should always get consent before adding a named individual’s email address to your list and sending them marketing messages.
👉 And that consent has to be given through EXPLICIT AFFIRMATIVE ACTION.
What does that mean in practice? Take a look at the two forms below:
- The one on the left says that if you take the free trial you also agree to receive email messages.
- The one on the right gives you the choice of whether to opt in for marketing communications or not.
👉 And that opt-in box cannot be pre-ticked. If it is, then your form is not GDPR-compliant.
That’s because a pre-ticked box requires a user to do something to opt-OUT rather than do something to opt-IN 😉.
A lot of businesses use a double opt-in to be on the safe side of email marketing regulations. That is, they will send an email to a new subscriber asking them to confirm that they understand the terms and conditions and consent to email marketing.
That gives an extra layer of protection. It stops anyone from filling in somebody else’s email address in a form and signing them up for commercial messages they don’t want.
Double opt-in is good practice, but it is not required by law 👍.
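As an added illustration of the double opt-in flow described above (this is example code, not from the original post or any particular platform), the confirmation link carries a signed, expiring token, so only someone who can read the mailbox can confirm, and consent is only recorded if the person actually ticked the marketing box. The secret key, the 48-hour expiry and the field names are assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for this example only; load it from a secrets store in real use.
SECRET_KEY = b"example-only-secret-key"
TOKEN_TTL_SECONDS = 48 * 3600  # assumed policy: confirmation links expire after 48 hours


def _sign(payload: bytes) -> bytes:
    # Hex-encoded HMAC so the signature never contains the "." separator.
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()


def make_confirmation_token(email: str, marketing_opt_in: bool, issued_at: float) -> str:
    """Build the token embedded in the confirmation link emailed to the new subscriber.

    opt_in records whether the (un-pre-ticked) marketing box was ticked on the form.
    """
    payload = json.dumps(
        {"email": email.lower(), "opt_in": marketing_opt_in, "iat": issued_at},
        sort_keys=True,
    ).encode()
    return base64.urlsafe_b64encode(payload + b"." + _sign(payload)).decode()


def verify_confirmation_token(token: str, now: float) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, sig = raw.rsplit(b".", 1)
    except Exception:
        return None  # malformed or truncated link
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # tampered: someone edited the address or the opt-in flag
    claims = json.loads(payload)
    if now - claims["iat"] > TOKEN_TTL_SECONDS:
        return None  # stale link, ask the person to sign up again
    return claims


def record_consent(consent_log: dict, token: str, now: float, form_source: str) -> bool:
    """Called when the link is clicked. Only a confirmed, affirmative opt-in is logged."""
    claims = verify_confirmation_token(token, now)
    if claims is None or not claims["opt_in"]:
        return False
    # Keep the evidence GDPR expects: who, when, and via which form.
    consent_log[claims["email"]] = {
        "requested_at": claims["iat"],
        "confirmed_at": now,
        "source": form_source,
    }
    return True
```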
Wanna read more about how to create GDPR-friendly subscription forms? 👉Read our earlier post about it here!
In the bad old days, privacy policies were often rambling, well-hidden documents. They were packed with small print that gave businesses blanket permission to do whatever they wanted with users’ data 😬.
Under GDPR, your privacy policy has to tell people clearly:
- What data you are collecting – remember, this won’t just be the email address if you are using tracking cookies or retargeting pixels in your emails
- What your legal basis for collecting that data is
- Who else you intend to share data with (eg if you store data in a cloud-based software platform)
- How data subjects can find out what data you hold on them
- Who is responsible for data protection at your organization and how to contact them
👉 There are lots of template Privacy Policies you can download and tailor to meet your specific needs.
Think About A Preference Centre
If somebody gives you their email address in the course of buying a product from you, that does NOT count as consent for you to send them marketing emails. You can only do this if:
- You have made it clear to them that you want to do this AND
- They have agreed to it!
👉 It is best practice to give subscribers the option to receive only those messages they really want.
The penalties for not managing your subscribers’ preferences properly can be severe, as we will see later when we look at unsubscribing.
Avoid Scraping and Buying Email Lists
Clearly, you can’t just scrape lists of emails off the internet if you’re going to depend on consent as your lawful basis.
👉 Nor should you buy email lists from third parties unless they can prove that everyone on those lists has consented to receive email marketing from businesses they sell the lists to.
2. Email Marketing Regulations: Opt-out Rights Under GDPR
GDPR is aimed at giving data subjects control over how their data is used. So you have to make it easy for them to do that – and that includes making it easy to get off your email marketing list.
Provide an “Unsubscribe” Link
All your marketing emails should make it obvious how to unsubscribe, so…
👉 Provide an “unsubscribe” link in your emails, to either immediately remove the subscriber or take them to a preference management page.
- It’s common practice to put this link at the bottom of the email in the footer. After all, you don’t want to ENCOURAGE people to unsubscribe!
- But at the same time, you can’t hide it (eg by using white text on a white background). You have to play fair 👍.
Manage Unsubscribers Carefully
If you are an email marketer, it’s essential that you maintain a BLACKLIST or SUPPRESSION LIST: a list of addresses you must not contact.
Even before the GDPR came into force this was a serious issue in email marketing:
- In 2017, Flybe and Honda were hit with big fines from the Information Commissioner’s Office in the UK.
- They sent thousands of messages to people who had unsubscribed from receiving future messages 😱.
Ironically, both Flybe and Honda had reached out to these people as part of their GDPR preparations. They were checking that the details held were accurate and asking for consent!
So, it’s vital to take care around “repermissioning” – ie contacting past subscribers from whom you don’t hold recent permission.
👉 It’s ok to send repermissioning emails if you genuinely don’t have proper records or you have never asked the question before.
👉 But if you’ve been told before and you’ve just forgotten about it or lost the records, you could be in trouble for making unwanted contact.
Check out our email repermissioning templates here!
The Risks of Marketing Automation
When using marketing automation – including autoresponders and behavioral triggers – you must factor subscriber preferences into your segmentation and workflows.
Otherwise, you could find your systems sending emails to people who have opted out 😭.
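To show how the suppression-list and preference checks above can be wired into an automated workflow, here is an added example (not code from the original post or any marketing platform). Every send decision, including repermissioning, passes through one gate that treats the suppression list as a hard stop; the category names and the "consent older than two years counts as not recent" threshold are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Subscriber:
    email: str
    # Message categories ticked in the preference centre (assumed category names).
    preferences: Set[str] = field(default_factory=set)
    consent_recorded_at: Optional[float] = None  # when explicit opt-in was captured
    unsubscribed_at: Optional[float] = None      # set the moment the person opts out


class SendGate:
    """Single choke point that every autoresponder or triggered email must pass."""

    def __init__(self, suppression_list: Set[str], repermission_after_s: float):
        self.suppression = {e.lower() for e in suppression_list}
        self.repermission_after_s = repermission_after_s  # assumed: 2 years

    def unsubscribe(self, sub: Subscriber, now: float) -> None:
        # Unsubscribing updates the record AND the suppression list, so a stale
        # segment or a later import cannot quietly reinstate the address.
        sub.unsubscribed_at = now
        self.suppression.add(sub.email.lower())

    def decide(self, sub: Subscriber, campaign_type: str, now: float) -> str:
        email = sub.email.lower()
        if email in self.suppression or sub.unsubscribed_at is not None:
            # Hard stop: applies to repermissioning too (the Flybe/Honda mistake).
            return "suppressed"
        if campaign_type == "repermission":
            # Only ask again when there is no record or the record is not recent.
            if sub.consent_recorded_at is None:
                return "send"
            if now - sub.consent_recorded_at > self.repermission_after_s:
                return "send"
            return "skip:consent-current"
        if sub.consent_recorded_at is None:
            return "skip:no-consent"
        if campaign_type not in sub.preferences:
            return "skip:not-opted-in-to-category"
        return "send"
```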
3. Email Marketing Regulations: How you handle users’ data under GDPR
GDPR is not just about managing opt-ins and opt-outs. It’s also about ensuring your business processes are able to protect personal data from misuse.
Keep Your Lists Secure
Some of the biggest GDPR penalties to date have been issued to businesses that have allowed personal data to fall into the wrong hands.
- British Airways was fined $230 million in 2017 for failing to protect personal data.
- In the USA, Equifax had to pay $575 million for a data security breach that same year.
👉 Always restrict access to sensitive data like email lists.
- Control access through user privileges and passwords
- Encrypt data at rest and in transit
- Ensure your internal IT network is secure and that you have strong external protections too – eg antivirus protection, firewalls, etc
- Don’t allow anyone to download lists, save local copies of documents or otherwise remove or duplicate sensitive files
You’re already keeping track of who has signed up for your email marketing, what their contact preferences are, who has opted out and when, and all the other things we’ve discussed in this post.
So you’ve probably realized that a big part of GDPR compliance is KEEPING THOROUGH RECORDS OF EVERYTHING RELATING TO PERSONAL DATA.
- Remember, if the authorities are investigating a complaint against you, it’s down to you to show how you’ve done everything reasonable to minimize risk.
- That’s a matter of having processes and rules that are up to scratch and making sure they are followed.
👉 It is particularly important to have a Data Breach Procedure: a clear set of rules for what to do if you discover that personal data has been misused.
You’ll need this because the law says you must report breaches to the relevant authorities and to data subjects themselves within certain time limits. You can’t be making up processes in the middle of a crisis!
Subject Access Requests (SARs)
Yet another reason why your records have to be complete: the GDPR gives people on your email list the right to see everything you have on them!
Where Does GDPR Apply?
GDPR applies whenever the personal data of someone from the European Union or European Economic Area is affected, even if your business is not based there.
It also restricts personal data transfers to other countries that may not have similar protections.
👉 You must understand where your third-party service providers process data and what standards they adhere to.
4. Email Marketing Regulations: The rest of the legal landscape
The other big European law you need to know about is the e-Privacy Directive. Unlike GDPR, which applies in all EU countries directly, Directives are implemented by each country locally.
That means the name of the relevant law differs from country to country, and so do the precise rules.
- In Sweden, it’s the Lag (2003:389) om elektronisk kommunikation.
- In the US, commercial electronic messaging is regulated by The CAN-SPAM Act which, among other things, requires you to state your physical location, avoid deceptive subject lines, honor opt-out requests within 10 working days, never use false or deceptive header information, tell your recipients how they can opt out, and mark advertorial content as ‘ads’.
- In the UK, the e-Privacy Directive is enacted through the Privacy and E-Commerce Regulations 2003 (PECR).
And this is where it starts to get complicated… 😬
The British Regulations say that the rules on consent to electronic communications – including email marketing – do not apply to corporate subscribers.
- That covers generic company email addresses (eg email@example.com) but also individual corporate addresses, such as firstname.lastname@example.org.
- Even though the latter is still “personal data” for GDPR purposes, it’s much easier to justify using it under “Legitimate Interests”.
The situation in Germany is totally different though. There, local laws and court rulings state that individual corporate emails should be treated the same as personal email addresses.
The e-Privacy Directive will be replaced by an EU-wide Regulation in the future.
👉 Until then, you should think very carefully about whether you need to segment your mailing activities by country.
And that’s not just because of e-Privacy. Different countries have their own laws that affect email, around consumer protection, advertising, etc.
Plus, there are many voluntary codes of conduct around ethical standards in online marketing as well.
Although email marketing regulations are in place first and foremost to protect consumers, they DO help email marketers too 👍.
If you follow all these rules and communicate only with people who genuinely want to hear from you, if you actively respond to changes in their preferences and take good care of their data, then your response rates, conversion rates, and sales will be much higher!