If you’re in marketing, email is probably one of your love languages. It’s a major channel of communication, after all.  

But email marketers need to know more about click-through rates and optimizing graphic design for mobile. Marketing privacy laws are setting the tone for consumer expectations in the 2020s. 

In other words, how you approach marketing privacy laws will define your business — not just in terms of your sales funnel, but in establishing your brand as one that treats consumer data with respect. 

Yes, laws across the globe are taking a stronger stance on individual rights and how they pertain to privacy and personal data. But instead of playing Whack-A-Mole with your approach to privacy, here’s a bit of food for thought: prioritizing compliance with the strictest privacy laws may take more work, but you’ll see better results in the long run.

What is email marketing? 

But let’s hold up for a moment. Not all email communications are the same. Some are unreservedly marketing-driven. Others are purely transactional. Depending on what you’re sending, there are different rules that apply to it.  

Marketing emails 

Marketing emails are those sent with a fundamentally commercial intent. This could be an e-blast about a big sale you’re running. Others might be sent to nurture leads within your funnel. These emails are sent to groups of contacts, whether segmented or list-wide.  

Transactional Email

Unlike marketing emails, transactional emails are one-to-one emails following a transaction. The most obvious example is getting an email receipt after purchasing an item, but shipping notifications, password resets, or invoice emails are also examples of them, too. To double down on the definition, transactional emails are sent to individuals, not email lists.  

What privacy laws are we looking at?

At this point, it feels like there are a lot of privacy regulations to track, but let’s simplify things here. For email marketers, there are four key regulations to be aware of. Yes, each one is distinct but there’s some fundamental overlap that will ultimately make compliance easier. 

The General Data Protection Regulation (GDPR)

You can’t talk about privacy laws without talking about GDPR. (Well, it’s not a legal requirement, but we don’t advise skipping it.) GDPR is the EU’s landmark, watershed, groundbreaking privacy regulation. It’s the most extensive one in the world and while it applies specifically to EU residents, it has impacted businesses across the world. 

If you’re targeting EU residents via email, you need to comply with GDPR and also the ePrivacy Directive or as it is known in the UK, the Privacy and Electronic Communications Regulation (PECR). In this section, we’ll focus primarily on GDPR’s requirements. However, it’s important that you also are familiar with the ePrivacy Directive, which has differing rules by country and varies if it’s B2B or B2C marketing.  

As an email marketer under GDPR, you need a lawful basis for emailing people. Lawful basis takes six different forms: consumer consent, contract, legal obligation, legitimate interest, vital interests, and public tasks.

When it comes to reasons for contact, consent is the gold standard. Assuming it’s done right, it means people really, truly want to hear from you. So…how do you do it right? You need to collect freely given, specific, informed, and unambiguous consent as per Article 32. To achieve compliance, you have to implement practices that meet stricter requirements for:

  • Consumer opt-in permission rules
  • Allowing consumers to delete their personal information
  • Storing user consent

Consent doesn’t just apply to GDPR, either. Generally speaking, the ePrivacy Directive requires consent. (And here’s a checklist to help you navigate it.)

But if you don’t have to meet strict consent, you do have other options for reaching out to people. “Legitimate interests” offers another commonly trod path to meeting the lawful basis requirements. It wouldn’t be a compliance regulation if you didn’t have an assessment to tackle. Specifically, the legitimate interest assessment (LIA). For an LIA, you have to demonstrate:

  • Are you pursuing an interest that is legitimate and real? There are a whole host of reasons, from supporting IT security to direct marketing for your company.
  • Is it necessary? Can you avoid processing data and meet your goals?
  • Do the data subject’s interests be impacted by your business interests? (Also known as the balancing test.)

Legitimate interest can be applied to both B2B and B2C clients, but different rules apply to them. Here’s a handy chart from the Information Commissioner’s Office, the Data Protection Authority in the UK, that helps explain when legitimate interest might be used. 

Does it look like legitimate interests is the best route to email marketing compliance? It may be a good option—but look before you leap. Be intentional about how you approach which lawful basis to rely upon, no matter what you end up determining. 

How to get a GDPR compliant email program going

It’s our best practice and to stay on your customers’ good side (and GDPR’s good side!), to rely on consent as much as possible and therefore we suggest building these features into your email marketing program: 

Opt-ins (and outs)

Get explicit consent for emails

Before sending out emails to someone, obtain their explicit consent with an opt-in form. Consent should be a specific, informed, and unambiguous indication of your customer’s wishes through affirmative action.

But here’s a good rule of thumb: Don’t save being explicit and transparent just for your emails. In all things privacy related, you should practice being explicit and transparent. 

Checkboxes for bundled consent

For a single item of consent, checkboxes aren’t mandatory. A few sentences can suffice for getting active consent!

However, if you are asking for consent to multiple things (for example, signing up for your email newsletter AND to use data for targeted ads), then you need to get consents for each action. 

To get these consents, use checkboxes. Just make sure that consent is still active: Don’t use pre-checked checkboxes. 

Link to your privacy policy 

Don’t forget to add a link to your Privacy Policy in the opt-in form. Subscribers have the right to access the information explaining how you process personal data.

Honor subscriber requests 

Revoking consent — i.e., unsubscribing to your emails — must be straightforward and easy. Your email recipients need to be able to:

  • Unsubscribe to that particular marketing communication
  • Unsubscribe to all of your communications
  • Contact a return email address

Storing user data and user consents

Once you get consent, then what? That consent shouldn’t just vanish into thin air. You need to store it as proof in case of audits. This proof should include:

  • Who gave consent
  • When they gave it
  • And what they specifically consented to

Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM)

While GDPR may be the biggest privacy regulation to date, CAN-SPAM is the oldest when it comes to specific email marketing laws, dating back to 2003. This was in the Wild-West era of the internet, back when your inbox could be filled with a veritable unsolicited brothel, along with basically any other spam content. 

The short version

CAN-SPAM only applies to the United States and only to promotional emails, not transactional ones. (See above.) Businesses using email to communicate with US residents must follow the below requirements to stay in compliance: 

  • Don’t use misleading email addresses, names, domains, or subject lines with the intention of misleading
  • Emails to individuals who haven’t given consent must be labeled as ads (such as somewhere in the email it says this was an advertisement)
  • If the email contains explicit content, this has to be noted in the subject line
  • Include a physical address in all marketing emails
  • Provide a straightforward and easy way to unsubscribe. Requests must be fulfilled within 10 days.

Canada Anti-Spam Legislation (CASL)

Think GDPR, but limited and applying to Canada. CASL has been in effect since July 1, 2014, and hasn’t substantively changed since then. This piece of legislation focuses on protecting e-commerce in Canada by regulating business email activity to prevent identity theft, phishing, spyware, and more. 

The short version

Like GDPR, this regulation doesn’t pertain just to businesses in Canada; it applies to any business that sends marketing communications to Canadian email addresses. The basic rules include:

  • Getting consent, either express or implied, from individuals prior to sending them marketing emails
  • All consent forms must be clearly written and include the identification and contact information for the business
  • Users can revoke consent any time they wish
  • Businesses must keep records of consent for all Canadian residents
  • Marketing emails have to include the name of the company and its information, as well as instructions on unsubscribing

While CASL applies to anyone in Canada or anyone sending to a Canadian resident, there are some exceptions. Some business communications are exempt from CASL, including certain B2Bs communications. Under the B2B exemption, “commercial electronic messages” (CEMs) sent by employees or a representative are exempt providing that the: businesses have a prior relationship and the message pertains to the business activities of the recipient. 

California Consumer Protection Act (CCPA)

CCPA is the big-deal privacy legislation that went into effect on January 1, 2020. Like GDPR, the legislation establishes a series of fundamental privacy rights for consumers in California. 

The short version

Like GDPR, this regulation is geographically restricted in that it protects California residents. However, businesses to whom it applies can be located anywhere as long as they collect California residents’ email addresses. CCPA isn’t primarily focused on email marketing, but some of its rules apply. Remember that:

  • CCPA’s definition of personal information includes email addresses 
  • Every customer should be allowed to opt-out of marketing emails from you and any third-party you “sold”* their data to (such as that webinar where you didn’t have an opt-in to share the information with the sponsors and you shared the whole list)
  • Inclusion in a privacy notice that email is collected and how it’s used. 

*CCPA uses a broad definition of the term “sell.” It doesn’t necessarily mean that money is changing hands. Besides, sell, it can refer to “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means…”

Five Tips for Success in Privacy-Forward Email Marketing

It’s easy to prioritize bigger picture privacy concerns, but it’s really important to not let email marketing fall by the wayside. 

Yes, it’s expensive to miss the marketing compliance mark. It’s also a surefire way to damage your reputation and customer trust. After all, email is a daily part of life for people. It’s a major touchpoint for marketing teams. If you drop the ball, you’re showing them that you aren’t thinking about their needs and their privacy — right in their own inbox!

Tip #1: Double up on the opt-in

All of the privacy regulations above require some level of opt-in. How do you streamline the process to work for everyone?

Double opt-ins. It’s only specifically required in Germany as a result of their interpretation of the ePrivacy Directive, but it’s a good process to implement across the board. It’s an additional step for your customers and it can drop your subscriber rate. But it does two important things for your business that ultimately create more value for everyone:

  1. It improves your email list. You get more accurate data, protects against fake subscribers and scammers, and (most importantly) it delivers leads that are more qualified
  2. It lowers the cost of your email marketing program because you’re bringing fewer invalid emails to the table (i.e., less money) and it improves your deliverability 
  3. It provides a better route to explicit consent. The two-step process guards against involuntary or accidental requests. 

You’ll remember that US CAN-SPAM doesn’t require you to get your subscribers or leads to opt-in. But the other regulations do and when it comes to privacy, opting for the more intensive measures is always the better option. Why? By making sure you’ve taken the safe route, you avoid the risk of running afoul of compliance regulations. Basically, if you follow all the rules, you don’t break any rules. 

But there’s also an important customer trust point to consider. Making the effort to get their consent actively demonstrates that you respect their choice in the matter. 

Tip #2: Keep your records up-to-date

Obtaining consent is critical. So is keeping track of it. You need to be able to prove that you’ve received valid consent and have proof of it. As such, your database should allow for you to track consents, including:

  • Who consented
  • What they consented to
  • When they consented
  • How they consented

Again, CAN-SPAM is the outlier in email marketing privacy by not requiring that you keep records of consent. See the advice above, rinse, and repeat. 

Tip #3 Don’t forget to offer an opt-out

Here’s an important point of agreement on the privacy front. Four out of four privacy regulations agree: give your subscribers the option to unsubscribe from your emails. Unsubscribing shouldn’t be like passing a Senate spending bill, though: it should be uncomplicated and timely.

The approach that we’re all about? Customer preference centers, which allow your customers to customize their email relationship with you. Do they want to hear about everything that you’re doing? Do they want to just receive the greatest hits? Preference centers facilitate this by providing nuance in customer relationships. Changing email addresses, receiving fewer or different emails, hitting the snooze button on emails, or receiving communications across other channels like SMS or social. 

Don’t forget to include a global unsubscribe option, as well. CAN-SPAM requires it!

Tip #4 And proceed with extreme caution when buying email lists

Why? There are a number of reasons. Privacy laws like GDPR make buying email lists cumbersome because of the necessary due diligence before a company can email them. 

Moreover, cold leads from an email list don’t particularly perform well. It’s not hard to guess why — these people didn’t express any interest in your business. Even the most well-crafted email will land with a thud if the recipient isn’t interested in it. And another “moreover”: purchased email lists often contain inactive or outdated emails. Sending an email to them could risk a privacy violation in and of itself!

Tip #5 Be honest about what you’re about

Your emails always need to clearly articulate who you are, your address, website, and how someone opted in to receive it.

No catfishing. Not in your online social life, and not in your email marketing. Make your proposition clear, simple, and then deliver on it. This means no clickbait headlines and no misleading promises of deals or discounts just to improve your open rates. Much like with enacting double opt-ins, you see a more measured response, but the response that you do see will be more genuine and more likely to lead to results. 

You shouldn’t just be honest with your customers, either. You should also be honest with yourself about what you’re using data for. It’s easy to be ambitious and think of reasons to collect information, but collecting data that you aren’t actually needing or using can be considered a violation. 

One thing is for sure: this is not the email marketing landscape of 20 years ago. Compliance and trust need to be a part of every interaction and every email that gets sent. Lots of marketing professionals have piecemealed out their compliance efforts, but ultimately, that leaves them scrambling to adapt and their customers wary about their privacy. 

So let’s try this instead: Take the road of more compliance. More effort. It’s worth it to keep your email marketing practices in line, and to keep your customers feeling good about your relationship with them. Ready to talk email and privacy? Drop us a line to schedule a consultation.


Download our free guide about what email marketing developers need to know about marketing privacy laws.