If you engage in email marketing, you need to be aware of legal requirements that dictate how you can send marketing emails, how you handle unsubscribe requests and how you disclose your collection of personal information.
You need to be careful that your email marketing campaign isn't overstepping the boundaries of privacy and anti-spam laws. You're also going to need a Privacy Policy.
This article will discuss global laws surrounding sending unsolicited messages, how you must include some form of unsubscribe option with your marketing communications, and how this unsubscribe option must work properly, with requests honored within a reasonable amount of time (in the United States this is 10 days). It will also discuss how to integrate the appropriate information into your Privacy Policy.
A Privacy Policy is required by most jurisdictions whenever you collect the personal information of a user through your website or mobile app - such as an email address.
In the U.S., CalOPPA requires businesses to have a Privacy Policy displayed at all times on their websites or through their apps.
In the UK, the Data Protection Act 1998 requires that a set of data collection principles must be followed when you collect the personal information of users.
The GDPR from the EU has global implications when personal information is collected from EU residents.
A Privacy Policy is required by law, and should cover all of the content that you collect through the web form (including the email address), as well as any information that your website collects outside of the web form, such as:
Remember to always update your agreements to reflect any additional types of information that you begin to collect.
Your Privacy Policy also needs to include:
Once you know what kind of information your users want to be sent, there are a number of anti-spam laws around the world that you need to comply with. These laws aim to stop unsolicited email marketing being sent to unsuspecting consumers.
Whether a particular country's law applies to you depends on whether you are based in that country, your ESP is based in that country, or your recipients are. If any of those criteria are met, you will need to comply with the laws in that country.
In the United States the main law is CAN-SPAM.
CAN-SPAM requires that you:
Under the CASL, marketing emails must only be sent with consent, you must identify yourself, and you must include an unsubscribe mechanism.
Implied consent expires after 36 months if your contact was obtained on or before 1 July 2014, and after 24 months if your contact was obtained after 1 July 2014.
An exception is made where implied permission is given by users by way of certain types of involvement with your company, such as:
This 2018 legislation out of the EU applies if you send commercial marketing communications to residents of the EU.
To comply with the GDPR you'll need to: