Data Privacy and Spam Laws: A Refresher for Email Marketers
To paraphrase The Clash, if you fight the law, the law’s going to win. How well do you know the laws surrounding email spam and data privacy? Are you trying to fight them and sneak around them, or would you rather learn how to follow them?
Spam and data privacy laws are reaching a point where they affect practically every company – even the smallest ones. Aside from fines and logistical requirements, failure to live up to these laws can also hurt your email deliverability.
Make no mistake. Privacy is extremely important to the majority of subscribers on your list. Cisco found that 89% of consumers care about data privacy and want more control. But the truth is, the same survey found only 32% of people have taken action to protect themselves.
Most people rely on data privacy laws and the platforms they use to provide protection and help them avoid spam. Can you blame them? It’s rough out there. Spammers and scammers are relentless.
So, let’s take a closer look at how to be a law-abiding email marketer that your subscribers can trust.
Table of content
Why do we need spam and data privacy laws?
We live a huge part of our lives online. The personally identifiable information (PII) flowing through digital ecosystems represents a treasure trove of data that spammers and cybercriminals can use for nefarious purposes. We’re way past Nigerian princes now.
Spam is just one of the problems data privacy laws aim to address. But it’s a big one. Statista cites research indicating around half of global email traffic is from spammers. Beyond the typical unsolicited marketing messages, there are much more serious issues like phishing and brand spoofing for people to worry about.
Unfortunately, spam and data privacy laws won’t stop bad actors… nothing will. However, regulations do give the good guys guidelines to follow to ensure you stay on the right side of the law. Data privacy laws also make it possible to prosecute and punish email senders who try to take advantage of people for profit.
As one of the good guys, your role is to understand the risks and protect the privacy of your subscribers’ sensitive data. That includes the information you collect through online forms, purchase behaviors, and yes… every single email address on your list.
You may not have bad intentions, but you can still land outside of data privacy and spam laws meant to protect consumers. That’s why it’s important to brush up on what’s required and what’s prohibited.
Spam and data privacy laws around the world
Here are the main data privacy laws to be aware of so you can be sure you’re in compliance and protecting your email deliverability. Keep in mind that your company doesn’t have to be located in these regions to be subject to the laws. What matters is if you have contacts living in regions that protect them. Be sure to check out to the full articles on these laws to learn more.
Quick Disclaimer: This article is for informational purposes only and should not be taken as professional legal advice. Please contact your attorney for official guidance on data privacy laws and your obligations.
CAN-SPAM
The CAN-SPAM Act of 2003 is an anti-spam law that established the United States’ national standards for sending commercial email. It defined commercial email messages, which are different from transactional or relationship emails. It also provided guidelines for sending behavior, content, and unsubscribe compliance.
To follow the guidelines in CAN-SPAM, you must include:
- Visible and operational unsubscribe options in your commercial emails
- The legitimate physical address of the company
- Accurate “from” information
- Accurate subject lines
Plus, you cannot send to harvested email addresses.
Being about 20 years old, CAN-SPAM has taken its share of criticism, much of which may be fair but also concerns certain things that didn’t even exist back in 2003.
One of the biggest criticisms is that individuals cannot file suits against companies that violate the law. Enforcement depends on the Federal Trade Commission (FTC), state attorneys general, and the Federal Communications Commission (FCC). So, it’s up to the government to enforce a law that primarily affects ordinary people, who were left mostly powerless even after the law was passed.
Plus, the law has ended up looking fairly weak compared to newer regulations like GDPR. The Coalition Against Unsolicited Commercial Email (CAUCE) says one of the biggest shortfalls is the lack of a requirement to opt-in to an email list. Yes, CAN-SPAM requires an easy way to opt out, but companies can add anyone to their email lists without violating this law.
Find out more about CAN-SPAM compliance
CASL
When it passed in 2014, CASL – Canada’s Anti-Spam Law – took the fight against spam much further than CAN-SPAM.
Some people initially assume that, if it’s a Canadian law, it doesn’t matter to the rest of the world. However, it does because the law can apply to any company sending emails to someone living in Canada, not just Canadian companies.
CASL quickly set a new standard and advanced far beyond CAN-SPAM. That law set requirements that gave consumers a trustworthy way to opt out of an email list. But CASL set requirements regarding the opt-in process.
With CASL, you must acquire consent from the subscriber before adding them to your email list. You cannot presume it with a pre-checked box. And, CASL applies to other types of communications from companies, such as text messaging, social media, and instant messaging.
CASL’s biggest achievement was to solidify the consumer’s ability to choose to be added to an email list.
Learn more about CASL compliance, and see examples of how to get express consent.
GDPR
The General Data Protection Regulation (GDPR), which was passed in 2018, is a European law that applies to every member nation of the EU. Like CASL, the GDPR affects companies from around the world if they have email subscribers who live in EU nations.
GDPR took data privacy far beyond CASL and CAN-SPAM. It has become the standard to which other data privacy laws are compared.
These are the seven key principles of GDPR:
- Lawfulness, fairness, and transparency: Have a legitimate reason for collecting personal data and be clear and honest about how it’s used.
- Purpose limitation: Set boundaries around how and why you’ll use personal data.
- Data minimization: Only collect the personal data you actually need.
- Accuracy: Make sure the data is clean and up-to-date.
- Storage limitation: Justify the length of time you store personal data.
- Integrity and confidentiality: Secure the data and protect it from internal or external threats.
- Accountability: Keep records that prove you are following GDPR guidelines instead of just saying you are in compliance.
GDPR also addresses the larger question of what comprises “personal data.” Is it just information like name, email, phone number, and numerical identification? Or is it also photos, health records, social posts, and purchase history?
With regard to email privacy and spam, GDPR elaborated on the concept of consent. This law prohibits even asking for consent for an email address unless it’s necessary for the service being provided. In other words, you may need their email address to send transactional emails like receipts and shipping notices, but you cannot just add that address to your marketing email list without their permission.
Companies must also make it clear what a user is consenting to when they sign up, and they must name any third parties – specifically – who will be given access to the user’s data. This is usually done in the privacy policy on your website.
Recordkeeping is important for GDPR compliance. You must keep documentation of consent history for each subscriber, and have a way to provide all the PII upon request. That’s because consumers can make Data Subject Access Requests (DSARs), which require companies to produce all of the data collected on an individual and provide it to the subject.
See eight tasks to make sure you’re in compliance with GDPR
UK GDPR
Hold on there – what about Brexit? When GDPR passed, the UK was part of the EU, but they have since separated. When that happened, GDPR no longer applied to the UK.
But, the UK government liked how that law was protecting their people’s personal data, so they quickly passed their own version of the same law.
The UK GDPR law basically kept all the same rules and requirements of the EU version.
Again, this is an indication of where the world is headed with regard to spam and data privacy laws.
CCPA
The California Consumer Privacy Act (CCPA) came out not long after GDPR and caused a similar level of upheaval. Though just a state, California is a big state – more populated than many countries. That means plenty of companies will have people from California on their email subscriber lists. So, these email senders must abide by CCPA for those subscribers.
You can either fish all those people out of your contact list and create a unique segment of California-based subscribers, or you can use the same level of data privacy policies for all your subscribers. This could be smart if you anticipate that other states and countries are going to come around to something similar before long.
CCPA places several requirements on companies concerning personal data that go beyond GDPR. Subscribers must:
- Know their personal data is being collected
- Know if it’s being shared
- Have the right to refuse the sale of their data
- Be able to request that their data be deleted
- Suffer no discrimination for making any requests related to this law
CCPA covers even more personal information than GDPR, because it opened up a broader definition of what "personal data" means.
See what CCPA requires of companies – including B2B email marketing.
Because the United States does not yet have a federal data privacy law similar to GDPR, more and more states are beginning to pass their own laws. A growing handful have either passed data privacy laws or are in the process of doing so.
But, is a national data privacy law coming soon to the US?
ADPPA
The Amercian Data Privacy Protection Act (ADPPA) is the latest attempt to bring a comprehensive data privacy regulation to the U.S. As of this writing, it’s still just a bill (cue Schoolhouse Rock), and it will need to pass both the House and Senate. But so far, the ADPPA is getting largely bi-partisan support.
The hope is that this legislation would make data privacy laws in the U.S, more consistent and comparable to the EU’s GDPR. According to a write-up from Lexology.com, there are some key differences between the GDPR and ADPPA, but “the key principles of transparency, data minimization, necessity, and proportionality apply.”
Even though both sides of the U.S. political aisle seem to support the ADPPA, there’s still some controversy surrounding it.
One dispute being batted around regarding ADPPA concerns whether it should preempt the growing number of state-level data privacy laws. If the current version passed, it would preempt those laws but would allow for some exceptions. Lawmakers in California, where the CCPA is in place, are generally opposed to the ADPPA.
Another disagreement concerns whether consumers should be able to file suits against companies that violate the law. The current version of the law allows for this, but it places limits on the damages. We’ll see how this plays out over the next few months.
Other international data privacy and spam laws
As you can see, the movement toward protecting consumer data isn’t slowing down. More and more countries are passing their own laws. Here’s a United Nations page with updates about international data privacy laws. And here’s another page that lists out each country’s current data privacy laws.
For a sampling of data privacy and spam laws in various countries, use the list below.
- Australia – Data Privacy Act
- China – Personal Information Protection Law - PIPL
- India – Personal Data Protection Bill - PDPB
- Japan – Personal Information Privacy Act - PIPA
- Great Britain – UK GDPR
- Brazil – General Personal Data Protection Law - LGPD
- Belgium – E-commerce Directive (2000/31)
- Cyprus – Regulation of Electronic Communications and Postal Services Law of 2004
- Czech Republic – Act No. 480/2004
- Estonia – Information Society Service Act
- France – CNIL Guidelines on Email Marketing
- Germany – Art. 7 German Unfair Competition Law
As you can see, this quickly becomes an alphabet soup requiring a graduate degree to digest. Compliance is complex, confusing, and ever-changing. But it’s ultimately the responsibility of each company to follow these laws.
Are data privacy laws and deliverability connected?
Here’s the good news about following all these laws. It means you’re doing the right thing as an email marketer. And that means mailbox providers are more likely to see you in a positive light. A good sender reputation means better email deliverability.
But here’s another fact to consider… Even when you follow all the laws, you can still have email deliverability issues. What if you end up on a blocklist or your emails start landing spam and you have no idea why?
Compliance and deliverability are two complex topics. That’s why Mailgun Optimize offers Deliverability Services that provide you with dedicated technical experts. They can help with some of the more complicated situations and answer your toughest questions. You’ll get a custom email deliverability plan. And, if you ever end up on a blocklist, our experts will mediate the situation and work with mailbox providers on your behalf.
See what else Mailgun Optimize can do.
This article was updated on September 7, 2022. It was originally published in April of 2016.