Email marketing is the most ubiquitous form of digital marketing. There's a good reason for email marketing’s popularity; the average email marketing ROI is 122%. That's four times higher than any other digital marketing channel. (Source: Lyfe Marketing)

It’s not surprising that everyone wants a slice of that. Naturally, the competition is high.

Unfortunately, not all marketers play a fair game. With so much at stake, a lot of businesses cut corners... often at the expense of their customers’ privacy.

Numerous privacy laws have come into force to regulate data collection and utilisation. Some are more relaxed, some are stricter. They all change the way email marketing works. To stay on top of your email marketing game, you need to know your laws and act on them. Otherwise, all your revenue goes straight down the swanny on legal fees.

The Main Privacy Laws Governing Email Marketing

Depending on where your business is located, you have to abide by different rules and regulations. The primary privacy laws regulating email marketing activity by region are the General Data Protection Regulation (GDPR) in the European Union, Privacy and Electronic Communications Regulations of 2003 in the United Kingdom, the Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) Act in the United States and the CASL Laws in Canada.

All of them aim at the same goal -- protecting the privacy of internet users and ensuring their data is collected, stored, shared, used and disposed of correctly.

The EU: The General Data Protection Regulation (GDPR)

The main piece of legislation that regulates digital marketing in the European Union, including both email marketing and SMS marketing, is the General Data Protection Regulation (GDPR). If your business can be reached from an EU IP address, you must adhere to the GDPR rules.

The GDPR came into effect on May 25 2018, and replaced the Data Protection Directive of 1995. It was heavily influenced by the European Convention on Human Rights and added legislation that was not already outlined in the Data Protection Directive of 1995. One of the most notable legal contributions of the GDPR is the acknowledgement of ‘the right to be forgotten’. Since 2018, any group or individual collecting data on internet users must delete all data on an individual upon their request.

The GDPR defines six legal bases for processing personal data, covering a wide range of aspects of EU users’ digital privacy. The two bases that matter for email marketing are consent and legitimate interest.

On top of that, if you collect any data about your users, even without the intent of using it in your email marketing campaigns, you must have a Privacy Policy published on your website that is accessible to all internet users.

The UK: Privacy and Electronic Communications Regulations of 2003

In the UK, the law that governs email marketing has not changed since 2003, when it was first passed. Privacy and Electronic Communications Regulations (PECR) of 2003 manage the main aspects of email marketing activities with the following rules:

  1. If you don’t have any prior commercial relationship with a person, you must obtain their explicit consent to contact them by SMS or email.
  2. You can’t receive this permission by sending them an email or an SMS message to ask for communication consent. The consent must be given actively and knowledgeably, i.e. by the user performing a specific, deliberate action.
  3. Granted you have a prior commercial relationship with the person, you may reach out to them about a similar product or service. The term ‘similar’ is a PECR grey area. There’s no clear definition of the word, so sometimes the description can be drawn out, very expensively, in court.
  4. You must clearly identify the sender of the message.
  5. You must make it easy for recipients of your emails to reach back to you, by providing a clear and valid reply address.
  6. You must give your recipients an option to opt-out from further communications.
  7. To not fall into the spam category, you must identify yourself, the purpose of your email and include any applicable terms and conditions regarding what you’re selling.

A failure to follow the regulations can result in a £5,000 fine in a Magistrates’ Court or an unlimited fine if the prosecution is pursued in the Crown Court.

The USA: CAN-SPAM Act and California Consumer Privacy Act (CCPA)

The two primary privacy laws protecting internet users from the United States are the CAN-SPAM Act, enacted in 2003, and the new California Consumer Privacy Act (CCPA) that came into force at the beginning of 2020.

According to the CAN-SPAM Act, any business involved in email marketing activities must adhere to the rules below:

  1. Don’t use false or misleading header information. It can be tempting to show your quirky side and surprise your email subscribers with an unusual ‘from’ and ‘to’ format. For example, how do you feel about receiving an email from GhostHunt during Halloween week? Spooktober is here, and we’re living for Halloween references! On a serious note, don’t. As funny as these alternative names are, it’s a violation of the law.
  2. Avoid deceptive subject lines. If you ever asked yourself ‘to clickbait or not to clickbait’... the answer is no. The subject line needs to clearly reflect the contents of the email you send.
  3. Disclose the fact the message is an ad. There isn’t a set mechanism for how you should do this. Interpretation of the law is flexible when it comes to telling your subscribers that you’re trying to sell them something. However, no matter how you approach this problem, the message must be loud and clear; it should be obvious for the recipient of the email that the message is an advertisement.
  4. Give your physical address in the email body. Privacy laws are all about being able to reach out to you. Your emails must include your valid physical postal address.
  5. Clearly explain to recipients how to opt-out of receiving future email from you. Your messages must include a clear and conspicuous explanation of how your email subscribers can opt-out of emails in the future.
  6. Process opt-out requests promptly. You need to process and react to the opt-out requests within ten business days. It’s illegal to charge any fees, request any additional personal information beyond the recipient’s email address, or ask to take any further steps for you to honour their opt-out request. Once your subscribers identify they no longer want to receive emails from you, you can’t use their email addresses in any way.
  7. Be in control of what your delegates are doing on your behalf. The CAN-SPAM Act clearly states that ignorance of the law is no excuse. This implies that even if you delegate your email marketing activities to a different company, you are the one who’ll be held legally accountable for any regulation breaches.

If you fail to comply with the CAN-SPAM Act, you can face serious legal consequences. Each separate email in violation is subject to penalties of up to USD 43,280.

Another privacy law that aims to protect the digital privacy of internet users in the USA is the California Consumer Privacy Act (CCPA). It is a new piece of legislation that only went into effect on January 1, 2020, and began being enforced on July 1, 2020.

Unlike the CAN-SPAM Act, the CCPA doesn’t apply to all businesses across the country. Instead, it is designed to protect the privacy of residents of California. You only need to comply with the CCPA if your business ticks the following boxes:

  • It’s a for-profit enterprise.
  • You operate your business in California, i.e. you collect personal data of California residents.
  • At least one of these conditions applies to your business:

    1. You earn gross annual revenue of over USD 25 million.
    2. You buy, receive or sell the personal information of 50,000 or more California residents, households, or devices per year.
    3. You derive 50% or more of your annual revenue from selling California residents’ personal information.

Just like the CAN-SPAM Act, the CCPA doesn’t regulate how you can obtain personal data. Instead, it focuses on the customers’ right to remove it from your databases. If you meet any of the previous criteria, you must ensure you respect the following rights of Californians:

  • To know what personal information is collected from them.
  • To know how their personal information is being used and whether it’s being transferred to third-party organisations.
  • To be able to access all the personal information collected from them.
  • To opt-out of the sale of any personal information.
  • To continue to access the same services at the same price if they choose to opt-out of the sale of their personal information.
  • To have all the personal data collected from them deleted at their request.

While the European privacy law caps the fines for noncompliance at a specific figure, the CCPA legal consequences for failing to abide by the law are unlimited.

The CCPA penalties are assessed individually on a per violation basis — up to USD 2,500 and up to USD 7,500 per intentional violation.

Canada: The CASL Laws

Canada’s Anti-Spam Legislation was passed on July 1, 2014, defining the regulations regarding web visitors from Canada.

The CASL Laws don’t just manage email marketing, but cover a much more comprehensive range of digital commercial communications named "Commercial Electronic Message" (CEM).

The law touches on the subject of consent required for a commercial relationship online. In the CASL Laws framework, there are two types of consent — implied and express.

What qualifies for implied consent under the CASL Laws:

  • A recipient has made a commercial deal with your business in the past 24 months.
  • Your organisation is a registered charity or political enterprise, and the recipient has made a donation, has volunteered, or has attended a meeting held by you.
  • A professional message is sent to someone whose email address was given to you or is conspicuously published, and who told you that they don't want unsolicited messages.

If you don’t have implied consent, you need to receive express consent before you can contact customers digitally. This requires deliberate and active action; you can only obtain express consent if your request contains these elements:

  • A clear and comprehensive explanation of the reasoning and purpose behind the consent request.
  • A description of messages you'll be disseminating to subscribers.
  • Your business’ name and contact information.
  • An indicator that the recipient has an option of unsubscribing at any given time.

Furthermore, you need to ensure that you keep records of all consent confirmations. Checkboxes cannot be pre-filled to suggest consent, and you need to process and honour all opt-out requests within ten business days.

Lack of compliance with the CASL Laws can trigger severe legal prosecutions. You can be faced with up to USD 1 million in fines for individuals and up to USD 10 million for corporations per violation.

What Does It Mean for Businesses?

There’s always a lot of speculation regarding the consequences of legal changes. Back in 2018, when the GDPR passed, there were predictions that stricter laws would diminish email lists, lower the number of new opt-ins, and damage email marketing as a strategy altogether.

Two years on, it’s clear that the doomsayers were wrong. Turns out, the GDPR didn’t ruin email marketing but helped to make it more efficient.

56% of UK email marketers claimed the GDPR had a positive effect on their business operations; 41% of respondents saw a decrease in the opt-out rates; 55% stated spam complaints were down.
[The UK DMA’s 2019 Marketer Email Tracker Report]

However, these positive results were only possible because marketers adjusted their email marketing strategies in accordance with new legislation. This means operational changes for both the sales team and the marketing team, those who are most involved with email marketing.

The Consequences of Tighter Privacy Laws for the Sales Team

Personal data is the lifeblood of the sales teams as they rely on it to generate leads. To move leads down the sales pipeline and eventually close the deal, salespeople need to reach out and pitch.

Under the new regulations businesses are no longer allowed to send out cold emails, catch up, or conduct product demos unless the prospect has explicitly consented to it.

Nowadays, outbound selling requires a clear opt-in from prospects. This means it isn’t enough to just find an email address and add it to your contacts list. Instead, you need to obtain their consent first. Moreover, the consent in question also has to be:

  1. Freely given
  2. Specific and transparent about what it will be used for
  3. Withdrawable at any time

Let’s break down each of these components to understand which actions of the sales team are legal and which are not under the GDPR.

‘Freely given’ means that you can’t force your customers to give you consent to record, store and use their personal data as a requirement for using your services. At the same time, it can’t be passively given; you need to ensure that all the opt-in boxes are unchecked by default, and people are deliberately selecting them.

At the same time, you have to state explicitly what you’re using their personal data for. For instance, if you’re collecting their email address to send them a checklist or an e-book, you can’t use it for anything other than that. It’s illegal to send them sales emails unless they have explicitly opted in.

Finally, you also need to give users a chance to withdraw their consent at any time and have their personal information deleted from your database. This means not only should they be exempt from receiving further emails, but also have their entire profile and communication history deleted from a business’s system.

One way to ensure information is easily removed is to automate its management. Having a dedicated CRM system to gather all the different occurrences of communication between you and your leads simplifies the managerial process for salespeople.

Pro Tip: Under the GDPR, there’s no difference between bulk cold-outreach emailing and one-to-one cold outreach.

There’s a lot of controversy surrounding the subject of bought mailing lists. Under the GDPR, it’s not advised to buy email lists as you should build one yourself. That way, you always know that all the contacts have given consent.

Pro Tip: If you do buy a list, you need to be able to prove consent, so double-check that the bought list comes with metadata attached explaining how and when each person gave consent.

For the sales team, the tightening of the privacy laws means that businesses should focus on inbound sales and advertising more to eliminate the risks associated with growing the sales pipeline the outbound way.

The Consequences of Tighter Privacy Laws for Marketing Teams

Marketers who want to comply with legislation need to keep in mind all the requirements that ensure their marketing campaigns are fully legal.

The aforementioned legal changes have three consequences: new rules for the email list building process, a new email structure for email marketing campaigns and new rules for subscriber management.

The New Rules of the Email List Building Process

As you grow your mailing list, you need to remember that you can only send emails to those subscribers who have explicitly consented to it. This means it’s not recommended to buy email lists unless you can account for every single contact they contain and have proof of their consent for you to use their personal data.

The key rules for a GDPR-compliant mailing list building process are:

  • Opt-out is off the list. You’re no longer allowed to add users to your mailing list automatically. Instead, they need to actively opt-in.
  • Forget about passive opt-in. It’s illegal to have the ‘subscribe’ box pre-checked. Users have to tick the box themselves.
  • Introduce double opt-in forms. In order to eliminate accidental opt-ins, you need to ask users twice whether they’d like to subscribe to your business’s email marketing campaigns.

The New Rules of Email Structure

There are additional rules regarding the structure of the emails, too. Depending on the area your business operates in, you’ll find different regulations regarding the contents of the emails. The general rule is that you need to ensure the following:

  • Explain legitimate interest in the email copy you’re sending out to subscribers.
  • Include a conspicuous opt-out button.
  • Make sure to include a postal address and/or your physical address.
  • Identify your email as an advertisement.
  • Ensure you have a transparent and non-deceptive header.

The New Rules of Subscriber Management

If your business is new and doesn’t have a mailing list yet, you should adhere to the GDPR when building one. Easy-peasy. But what should you do if you already have a mailing list with lots of contacts in it? It’d be a shame to lose them all to GDPR.

Step 1 - First of all, you need to check your database to see whether you can account for existing subscribers. If you have records of explicit consent to store and use their personal data for marketing purposes, you can keep them. Watch out for the following contact characteristics:

  • Contact details were obtained from third parties.
  • No opt-in record is available.
  • The opt-in is unspecific (it doesn’t explicitly give consent for each use of the data).
  • There is no opt-in for the specific ways you use the data.

If any of these features apply to the contacts, you can’t use their data.

Step 2 - Segment all your subscribers into different lists according to their consent status and the purposes they’ve given their consent for. Once you organise your subscribers according to these two criteria, you'll be able to see which contacts can be used and which require further work.

Step 3 - Launch a re-opt-in campaign. If you want to keep the ‘grey area’ subscribers, you need to ensure they still want to be a part of your mailing list. To do that, you need to craft a re-opt-in campaign and ask them either to provide their explicit consent to join your mailing list or to opt out of it.
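Steps 1 and 2 above, written out as a small audit and segmentation routine. This is an added example, not code from the post or from NetHunt; the contact record layout, the purpose names and the sample contacts are assumptions made for illustration, and the ten-business-day opt-out deadline follows the figure quoted earlier for CAN-SPAM and CASL.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Contact:
    """Hypothetical CRM record: what you need stored to prove consent."""
    email: str
    source: str                          # "own_form" or "third_party"
    opt_in_purposes: FrozenSet[str]      # purposes the person explicitly ticked
    opt_in_date: Optional[date]          # None = no opt-in record at all
    opt_out_date: Optional[date] = None  # set the day they ask to be removed

def audit(contact: Contact, purpose: str) -> str:
    """Step 1: may this contact receive mail for `purpose`?
    'usable'    - explicit, specific opt-in recorded from your own form
    'reconfirm' - grey area: one of the four warning characteristics applies
    'opted_out' - must not be contacted for anything"""
    if contact.opt_out_date is not None:
        return "opted_out"
    if contact.source != "own_form":            # obtained from third parties
        return "reconfirm"
    if contact.opt_in_date is None:             # no opt-in record available
        return "reconfirm"
    if not contact.opt_in_purposes:             # unspecific opt-in
        return "reconfirm"
    if purpose not in contact.opt_in_purposes:  # no opt-in for this specific use
        return "reconfirm"
    return "usable"

def segment(contacts: List[Contact], purpose: str) -> dict:
    """Step 2: group addresses by consent status for one purpose; the 'reconfirm'
    list is the input to the Step 3 re-opt-in campaign."""
    groups = {"usable": [], "reconfirm": [], "opted_out": []}
    for c in contacts:
        groups[audit(c, purpose)].append(c.email)
    return groups

def opt_out_deadline(requested: date, business_days: int = 10) -> date:
    """Last day to honour an opt-out request: ten business days, weekends excluded."""
    day, remaining = requested, business_days
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5:   # Monday..Friday
            remaining -= 1
    return day

# Constructed sample data (all addresses and dates are made up).
SAMPLE_CONTACTS = [
    Contact("a@example.com", "own_form", frozenset({"newsletter", "sales"}), date(2020, 3, 1)),
    Contact("b@example.com", "own_form", frozenset({"ebook"}), date(2020, 3, 1)),
    Contact("c@example.com", "third_party", frozenset({"sales"}), date(2020, 3, 1)),
    Contact("d@example.com", "own_form", frozenset(), date(2020, 3, 1)),
    Contact("e@example.com", "own_form", frozenset({"sales"}), None),
    Contact("f@example.com", "own_form", frozenset({"sales"}), date(2020, 3, 1), date(2020, 9, 1)),
]

def run_sample() -> dict:
    return segment(SAMPLE_CONTACTS, "sales")
```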

Email marketing is a powerful strategy to boost your business’ performance. However, with great power comes great responsibility.

Data is believed to be the most valuable asset on Earth, so you need to treat it accordingly. It’s essential your business follows the rules when collecting, storing, disseminating and disposing of personal data of the users providing you with it.

This shouldn’t be too hard if you’re not doing anything dodgy. However, if you are, you’d better get your story straight quickly. While we’re not going to snitch, trust us, Big Brother is watching, and you could be looking at a small fortune in fines if you don’t fix your contacts list ASAP.

Officer NetHunt. Keeping your emailing lists above board.
