Latest Email Laws & Rules: What They Are & How To Stay Compliant
Table of Contents
We spend a lot of time perfecting emails — making sure the copywriting is punchy, the graphics & images are dialed in, and that it's sent at the right time, but we often overlook basic email compliance laws.
Yes, there are many laws to comply with such as the Can Spam Act, the General Data Protection Regulation (GDPR) so it's possible to overlook them. However, repeated violations may result in fines — which is a scenario you must try to avoid.
In this guide, we’ll take a look at the laws around email marketing, such as email regulations and email unsubscribe laws. We’ll explore what these laws are, what they cover, and how to make sure your emails are compliant.
Email rules and regulations
The rules governing email marketing campaigns depend on the countries you serve. If you sell exclusively in the U.S., you will need to abide solely by American law. However, if your business serves other jurisdictions such as Canada and Europe, you’re going to have to go the extra mile and understand email marketing laws and regulations for those countries too.
Let’s take a closer look so that all your future campaigns result in compliant e-mails.
Email marketing laws in the U.S.
The CAN-SPAM Act in the U.S. governs how businesses can act when sending promotional and commercial emails. CAN-SPAM stands for the Controlling the Assault of Non-Solicited Pornography and Marketing Act and is regulated by the Federal Trade Commission (FTC).
The CAN-SPAM Act introduces requirements that promote honesty, transparency, choice, and responsibility. Following the law means that your email recipients have greater control over their inbox, can trust the messages you’re sending, and have the option to leave your list at any time.
The California Consumer Privacy Act also has a section that deals with ccpa email marketing guidelines. It requires firms to maintain reasonable security procedures so all information collected is safely guarded in the event of a data breach.
CAN-SPAM act email marketing guidelines
For CAN SPAM compliance, businesses need to adhere to the following guidelines or run the risk of incurring a fine:
- Don’t use misleading or false header information (e.g. in the sender field)
- Don’t feature deceptive subject lines — they should reflect the content
- Tell your email recipients if the message is an ad
- Share your address or location with your email recipients
- Let people know how they can unsubscribe and opt out of future emails
- Take care to honor these opt out requests promptly
- Ensure that any hired agency or company is complying on your behalf
Failure to follow these rules can land you with a CAN-SPAM fine of up to $43,792 per violation. This applies to each separate email, so it can be a costly adventure if you take a risky approach to sending commercial email.
Email marketing laws in Canada
In Canada, businesses are required to follow Canada’s Anti-Spam Legislation (CASL). This is largely similar to CAN-SPAM, but a notable difference is that you need user consent to be able to email them.
Consent can either be explicit or implied, but implied consent has an expiration date. If you’re relying on implied consent after a purchase, you have two years, while it’s just six months after an inquiry. You also need to display contact information in your emails, beyond the standard physical postal address.
Email marketing laws in the UK
The Privacy and Electronic Communications Regulations (PECR) is the main email marketing law in the UK. The PECR is similar to both the CAN-SPAM Act and the CASL — businesses must share a valid address and are not allowed to conceal their identity.
This doesn’t have to be explicit — you can use implied consent if someone has bought a similar product from you before and you’ve given them a way to opt-out at the point of collection and with every email since.
Take special care when it comes to sending unsolicited emails or “cold emails” internationally. While this is acceptable in the US, in other locations including the UK and Europe sending cold emails to individuals isn’t permitted.
Email marketing laws in the European Union
The EU’s General Data Protection Regulation (GDPR) has specific tenets outlining how to collect, use, store, and transfer data. This can make collecting data for your email list more complicated.
Instead of using a pre-filled checkbox or a generic statement, you instead need to have people opt-in to receive your email newsletter or promotional emails. There’s no specific requirement to use “double opt-in” to confirm consent, but it’s a useful way to demonstrate this.
Email marketing laws in Australia
The Spam Act 2003 and Spam Regulations 2021 are the two main laws governing email marketing in Australia. Similar to the laws mentioned above, Australian rules also compel businesses to actively seek permission from users before sending any promotional emails.
To be compliant with email marketing rules in Australia, you must:
- Identify yourself as the sender
- Contain your contact information
- Make it easy to unsubscribe
Want to make sure you’re compliant? Keep reading for our tips on how to stay within the law for every rule above.
How to Comply With Email Laws and Regulations
The most effective way to think about compliance is to keep the user experience in mind. Hence, if you build trust by including an opt out request, avoid inserting misleading header information, have a valid mailing address, prevent unsolicited email, and state the primary purpose of the email up front, you should be in the clear.
Let's take a closer look at the best practices when sending a commercial email:
1. Always get consent before adding users to your email list
Any attempt to deceive or swindle users is expressly forbidden under email marketing rules. You also can’t do things like scrape public databases and social media accounts to find emails, and then add those to your list.
In a nutshell, each user must give consent before you can send emails. It's preferred that this be express permission, but other forms work too.
The definition of consent is broadly applied in two aspects. One is known as implied consent — this is when a customer makes a purchase on your site, or signs up to be a part of a community. You are allowed to send them commercial emails because they have engaged in an action that implies they are willing to do business with you.
The second definition of consent is called express consent — when users input their information via a pop-up form or a static lead gen form on your website. This is known as express consent because they know that they are signing up for marketing emails once they hand over these details, and are allowing the business to contact them at periodic intervals.
This example of an email opt-in form from Wrike is an excellent way of how you can obtain express consent.
2. Make it clear who the email is from
All the privacy laws we cover in this guide expressly state that your email messages must outline clearly who the sender is. Any attempt to obfuscate that information or to hide the sender information puts you at risk of non compliance.
This includes your “from”, “to”, and “reply-to” fields and also the routing information that accompanies your email. In simple terms, this rule is asking you not to hide who the sender is.
Take a look at this example here from Adobe. it’s clear from both the “from” field and email address displayed that this is a genuine email from the company.
Being transparent with your field names and the email address domains you use helps create trust between you and the recipient. They can use this information to confirm that you’re the real deal, and that they’re not being targeted by a fraudster.
3. Don’t trick customers with a misleading subject line
We’ve all received those emails where the subject line feels like a trap once you’ve opened the email and read the contents. Not only are these dishonest subject lines a great way to alienate your audience, but they’re also not allowed under anti spam law.
Your email subject line should accurately reflect the content of your email. It doesn’t have to explicitly outline what’s covered, but the two should match up. If you’re promoting a sale or product launch, mention that in your subject line so your recipient knows what to expect.
Here’s a great example of a simple subject line from Storksak. The email introduces the latest seasonal collection, with an understated subject line that lets you know exactly what the email is celebrating.
Using responsible subject lines is a great way to show respect for your recipients’ time. Instead of opting for a flashy or misleading title, keep it simple and let a combination of honesty and your brand personality take the lead.
4. Be Clear That Your Email is an Ad
It’s crucial that you make it clear to your audience that your marketing email is an ad. This is left open to interpretation, as there’s no requirement for your wording to be explicit when it comes to this rule. Instead, use common sense and focus on being clear that this is a commercial rather than a transactional message.
Let’s take a look at this example from clothing brand Monki. It’s clear from the graphics used by email marketers that this is a promotional email or ad, telling customers about the current sale.
The goal with this rule is to distinguish between promotional and non-promotional emails. Your recipient should be able to quickly identify from the content whether this is an information or transaction-based message, or if it’s a sales opportunity for you. Keep this in mind as you craft your email copy and design supporting graphics.
5. Share your location in the footer
The FTC states that you need to share your location with your email recipients in the form of a valid physical mailing address. This is to aid transparency and make it easier for people to get in touch or make a report if they have concerns.
Here’s a great example from Etsy. This email footer covers all bases and provides the recipient with the relevant business name and address details, no matter which location they’re based in.
While the address must be physical and valid, it doesn’t have to be a street address. Under the CAN-SPAM Act, a post office box or private mailbox is an acceptable option. This is great news if you’re just starting up your eCommerce empire and don’t want your home address on the bottom of your emails.
6. Offer a way to process opt out requests
Just because your customers once gave you their email address, that doesn’t mean they’re in a lifelong commitment now. All the regulations state that you have to make it very easy for them to unsubscribe — in fact, the CAN-SPAM Act states that this should be “clear and conspicuous” and written in plain language, so it’s easy for anyone to understand how to take this action.
Let’s take a look at this in action from Fender. Beneath the social media buttons you’ll find a smart and clear footer area. Not only does this feature an obvious unsubscribe link, but links to contact information, terms of use, and their privacy policy too. This is a really effective way to show all the required details without adding clutter.
Try to make the unsubscribe process as pain-free as possible for your recipients. At this point, they’ve already decided to unsubscribe — make the experience simple and warm instead of putting extra barriers in the way. Aim to process a recipient's opt out request as quickly and seamlessly as possible.
7. Honor These Opt Out Requests
You need to make sure that all unsubscribe requests are catered to promptly. While most email marketing tools will process unsubscribe requests as soon as they are received, the onus is still on you to make sure that it happens.
Depending on the laws in your location, you could have anywhere from days to a whole month to do so — but in the US it’s 10 business days. It is legally responsible for you to ensure that this timeline is met.
Not only that, but your system should be able to action these requests for a period of 30 days from when the email was sent. This gives people time to make a decision after they’ve read your email.
8. Be Careful if Outsourcing the Work to Others
Outsourcing your email marketing can take some of the workload off your to-do list, but it can’t remove the legal responsibility from you. Even if you hire another agency or individual to run your email marketing campaigns, the responsibility to act within the law falls on both parties.
Any violations such as misleading information, sending spam, or an unsolicited message will be treated as such. In fact, you might be held legally responsible even if the work was done by the agency.
Be clear with any agency or company that you hire that they should be aware of email laws and regulations and follow them. Have someone on your team authorize emails before they go out too, as an extra opportunity to check for compliance. It’s your brand reputation and a potential fine on the line, so it’s a useful step to add to your process if you outsource your email marketing.
Is it legal to buy an email list?
It’s legal to buy an email list from a software site or vendor but it is illegal to use that list for marketing and commercial purposes. That’s because the people in the email list have not given you express or implied permission to use their addresses — and any attempt to do so will mean you are in violation of email marketing laws and regulations.
Email Laws and Compliance: It’s All About Honesty
Email laws don’t exist to curb your creativity or put unnecessary pressure on your marketing team. Instead, they focus on honesty, transparency, and responsibility. Once you’re all clear on the main rules and how to comply with them, it’s simply a case of making these rules part of your overall approach to data privacy and compliance.
Setting up systems or changing your approach takes time, but once you’re there it’s easier to manage and there’s less pressure on your team to get things right. For a better way to reduce privacy risk, try Enzuzo and complement your team’s knowledge with a specially designed tool to help you run things smoothly.
Osman Husain
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.