Most countries have anti-spam and privacy regulations for email marketing. Failure to adhere to guidelines can tarnish your small business reputation, terminate your contract with email service providers, and result in financial penalties. Thanks to the internet, many small businesses reach a global audience. While this provides many benefits, it also comes with additional responsibilities.
Fortunately, the guidelines from the United States, Canada, Australia, the United Kingdom, and others are similar. You can maintain compliance while connecting with your customers by understanding the rules and following email marketing best practices.
United States: CAN-SPAM Act
The Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) Act was passed in 2003. According to the Federal Trade Commission, CAN-SPAM sets rules for all commercial messages, defined as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.” Each CAN-SPAM Act violation can cost your company up to $50,120.
Follow these guidelines to ensure CAN-SPAM compliance:
- Include your business postal address in all emails.
- Make it easy for email recipients to unsubscribe.
- Honor opt-out requests within 10 business days.
- Use subject lines that reflect the email content (avoid deceptive clickbait).
- Ensure anyone sending emails on your behalf complies with CAN-SPAM.
- Have accurate email header fields (from, to, reply to, and routing information).
- Let recipients know that a commercial email is an ad or promo versus an account statement.
[Read more: A Beginner's Guide to Creating and Managing an Email Marketing List]
California Consumer Privacy Act (CCPA)
The CCPA was enacted in January 2020, and updates rolled out in January 2023. It gives individuals control over their data. However, CCPA only affects for-profit companies that do business in California and gross over $25 million a year; buy, sell, or share information of 100,000 or more California residents, households, or devices; or earn half or more of their yearly revenue from selling California residents’ data. CCPA is much stricter than CAN-SPAM and similar to GDPR.
Email marketers should take the following actions for CCPA compliance:
- Inform consumers before or when you collect their personal data, like email addresses; tell them how you will use it; and link to your privacy policy.
- Notify people about their CCPA rights and how to exercise them.
- Let them opt out of sharing or selling their personal information and unsubscribe from marketing emails.
- Put proper safeguards in place to protect consumer email addresses and personal information.
- Assess data collection and privacy policies of any third parties with access to your customer data and refer to them in your privacy policy.
- Use email marketing software with CCPA compliance tools.
- Review CCPA’s “purpose limitation” provision and only send messages that align with the original purpose the consumer agreed to when they opted in.
- Once an individual unsubscribes or ask your business to delete their information, stop sending emails and inform all third parties.
Canada’s Anti-Spam Legislation (CASL)
CASL was implemented in July 2014. It applies to any company sending emails to Canadian email addresses, regardless of the business location. The Canadian Radio-television and Telecommunications Commission provides a helpful CASL FAQs page explaining the various electronic communications covered, including text messaging.
Businesses must obtain express or implied consent to email Canadian recipients. Express consent means you ask them to opt-in to receiving emails from your company and tell them how you will use any collected data. Implied consent is action-based, like a customer who purchased from your business within the past two years. Like CAN-SPAM, your commercial emails must provide identification information and an unsubscribe mechanism.
Introduced in 2018, the GDPR has the strictest data privacy regulations and covers all EU member states (27), including Germany, Ireland, and France.
Australia: Spam Act 2003 and Spam Regulations 2021
Australia’s spam laws resemble CAN-SPAM and CASL. Businesses must obtain written or implied consent, provide contact details, and make unsubscribing easy. However, the Spam Act requires companies to honor opt-out requests within five working days, whereas CAN-SPAM allows for 10. The Australian Communications and Media Authority advises against using email lists created with address-harvesting software.
United Kingdom: Privacy and Electronic Communications Regulations (PECR) of 2003
PECR covers electronic mail marketing in Regulation 22. It requires express or inferred consent, valid contact information in all communications, and a way for consumers to opt out of receiving emails. Additionally, businesses can’t hide their identity. The Information Commissioner Office warns against encouraging email recipients to forward messages to friends, as by “instigating” this action, you must comply with PECR.
[Read more: 20 Smart Ways to Boost Your Email Marketing Campaign]
EU General Data Protection Regulation (GDPR)
Introduced in 2018, the GDPR has the strictest data privacy regulations and covers all EU member states (27), including Germany, Ireland, and France. It also has the steepest fines. GDPR goes beyond CAN-SPAM by giving consumers personal data rights, such as access to their information, the ability to delete or correct it, and knowing how it’s used. Because of this, businesses need to take additional measures to comply with GDPR, like creating a web page with relevant privacy data information that you can link to from emails.
Here’s what you need to know about GDPR compliance and email marketing:
- Provide an email opt-in method: Consumers must check an opt-in box that is empty, not pre-filled. A GDPR-compliant subscription form should explain why you’re requesting the user’s personal information (email address or name), and if it’s for multiple reasons (sending promotional emails and account statements), have separate checkboxes.
- Link to your privacy statement: Your opt-in form and emails should link directly to your website’s GDPR declaration, which outlines how your business complies with GDPR.
- Include an opt-out option: All emails must let individuals unsubscribe easily, and companies must remove them within 30 days.
- Maintain records: GDPR requires accountability. Organizations must retain information like recipients’ proof of consent, third-party involvement (any person or software accessing customer information), and data processing methods.
- Avoid using third-party email lists: In most cases, GDPR prohibits email marketing lists unless the individuals consent to share their data with your business and receive emails.
Ensure compliance with email marketing best practices
Email marketing laws constantly change. And consumer privacy and security remain key issues. Therefore small businesses should evaluate their current email lists and workflows. Get into the habit of protecting email recipients’ rights now, and you’ll be well-positioned to handle future regulations.
Use the following guidelines to ensure compliance with U.S. and international email marketing laws:
- Leverage email marketing software with built-in compliance features and tools.
- Require double opt-in when adding people to promotional email marketing lists.
- Regularly clean your email list to remove recipients with outdated implied consent.
- Create email marketing templates with your address, opt-out, and other details.
- Review and approve emails sent on your behalf by third parties.
- Segment your email lists by location to ensure you comply with local rules.
CO— aims to bring you inspiration from leading respected experts. However, before making any business decision, you should consult a professional who can advise you based on your individual situation.
CO—is committed to helping you start, run and grow your small business. Learn more about the benefits of small business membership in the U.S. Chamber of Commerce, here.
