Email Marketing Legal Agreements & Policies

If you engage in email marketing, you need to be aware of the legal requirements that dictate how you can send marketing emails, how you handle unsubscribe requests, and how you disclose your collection of personal information.

You need to be careful that your email marketing campaign isn't overstepping the boundaries of privacy and anti-spam laws. You're also going to need a Privacy Policy.

This article will discuss global laws surrounding the sending of unsolicited messages, how you must include some form of unsubscribe option with your marketing communications, and how this unsubscribe option must work properly: requests must be honored within a reasonable amount of time (in the United States this is 10 days). It will also discuss how to integrate the appropriate information into your Privacy Policy.

Privacy Policies are Required for Email Marketing

A Privacy Policy is required by most jurisdictions whenever you collect the personal information of a user through your website or mobile app - such as an email address.

In the U.S., CalOPPA requires businesses to have a Privacy Policy displayed at all times on their websites or through their apps.

In the UK, the Data Protection Act 1998 requires that a set of data collection principles must be followed when you collect the personal information of users.

The GDPR from the EU has global implications when personal information is collected from EU residents.

The Contents of Your Privacy Policy

A Privacy Policy is required by law, and should cover all of the content that you collect through the web form (including the email address), as well as any information that your website collects outside of the web form, such as:

  • Name
  • Address
  • Phone number
  • Email address
  • IP address
  • Other types of legally protected personal information

Remember to always update your agreements to reflect any additional types of information that you begin to collect.

Your Privacy Policy also needs to include:

  • How you collect the information
  • How you will use the information you collect
  • How you will keep it secure, and in what circumstances you will share it
  • How your subscribers can review the information on them that you hold, and make changes to it
  • What date the policy is effective from, and any changes since that date

Once you know what kind of information your users want to be sent, there are a number of anti-spam laws around the world that you need to comply with. These laws aim to stop unsolicited email marketing being sent to unsuspecting consumers.

Privacy and Anti-Spam Laws


Whether a particular country's law applies to you depends on whether you are based in that country, your ESP (email service provider) is based in that country, or your recipients are. If any of those criteria are met, you will need to comply with the laws of that country.

In the United States the main law is CAN-SPAM.

CAN-SPAM requires that you:

  • Don't use misleading email headers or subject lines,
  • Identify your message as an advertisement,
  • Tell your recipients where you are located,
  • Include an unsubscribe mechanism so that recipients can opt out of receiving future emails from you,
  • Honor any opt-out requests promptly, and
  • Monitor email marketing done on your behalf by another company (if they are sending on your behalf, it is your duty to make sure they comply with the law)


In Canada, under CASL, marketing emails may only be sent with consent, you must identify yourself, and you must include an unsubscribe mechanism.

Implied consent expires after 36 months if your contact was obtained on or before 1 July 2014, and after 24 months if your contact was obtained after 1 July 2014.

An exception is made where implied consent is given by users through certain types of involvement with your company, such as:

  • Purchasing or leasing products,
  • Being involved in an investment, or
  • Entering into a contract


The GDPR, 2018 legislation out of the EU, applies if you send commercial marketing communications to residents of the EU.

To comply with the GDPR you'll need to:

  • Always get affirmative consent for collecting email addresses for marketing purposes (soft opt-ins and pre-checked consent boxes are no longer allowed),
  • Allow users to revoke this consent at any time, and
  • Only use collected emails for the purposes you requested them for