
iubenda blog


Posted on by Simon Schmid


In this post we are addressing the problem of how to craft a privacy policy for your email newsletter and what the key elements are that you must consider. We'd also like to show you how you can conveniently generate a privacy policy for your newsletter via iubenda:

[Image: newsletter_guide]

When you maintain an email newsletter you are faced with the fact that you collect and maintain personal information about your recipients. This usually happens via your website, where you collect the email address in order to add it to your database.

Therefore: what do you have to do regarding privacy in your newsletter?

1) Do I have to include a privacy policy in my email newsletter?

There are two sides to this question from a legal perspective:

  • There is the legal side of it: depending on where you are, you may fall under European (including UK), American (Californian) or Australian privacy laws. The list could go on, since most countries have some sort of privacy regulation that extends onto the web and web services, with hefty penalties for non-compliance. These privacy laws require you to disclose your data collection in a document like a privacy policy. What do you use the email addresses for? Does any third party have a hand in processing the personal data you collect? You have to tell your users.
  • Newsletter sending: your newsletter collects and maintains personal data mainly in two ways. First and foremost, the newsletter requires you to handle an email address that is saved to your database. Secondly, there is the data collection that third-party services perform on your behalf: when does the user open the email, which links do they follow? These are facts that you have to disclose within a document like a privacy policy. More information about the legal framework can be found here.
  • There is the company policy side to it as well: depending on which newsletter service provider you use, you might find that they require you to have and abide by a privacy policy in order to use their service (see 2).

2) Am I required by my newsletter service provider to post a privacy policy?

Depending on which newsletter provider you use, you will find that you can't use their service without having a privacy policy. Let's take a look at some of the popular services out there:

Will clearly describe in writing how you plan to use any data collected, including for your use of MailChimp. You’ll get express consent to transfer data to MailChimp as part of this process, and you’ll otherwise comply with whatever privacy policy you have posted.

You will adopt and maintain a policy that complies with all applicable privacy laws and which is at least as stringent as our Privacy Policy (as modified by Campaign Monitor from time to time). You acknowledge that all personal information that you provide to us has been collected with the relevant individual’s consent, and that you have informed the individual of the purpose for which that information was collected, and that you may provide this information to us for the purposes of use in relation to the Services. You acknowledge that we may store the personal information that you provide to us on servers located in the United States of America, and you warrant that you have obtained the consent of the relevant individuals to the storage and transmission of their personal information in this manner.

Every email message sent in connection with the Products must contain an "unsubscribe" link that allows subscribers to remove themselves from your mailing list and a link to the then-current Customer Privacy Policy. Each such link must remain operational for at least 60 days after the date on which you send the message, and must be in form and substance satisfactory to us. You agree that you will not remove, disable or attempt to remove or disable either link.

and among others

The Site and the Products shall only be used for lawful purposes and you shall use the Site and the Products only in compliance with this Agreement, the CAN-SPAM Act and regulations thereunder and all other applicable U.S., state, local and international laws in your jurisdiction, including but not limited to (a) Canada's Anti-Spam Legislation and any other policies and laws related to unsolicited emails, spamming, privacy, obscenity, or defamation, copyright and trademark infringement and child protective email address registry laws (...)

You represent, covenant, and warrant that you will use the Services only in compliance with the Agreement and all applicable laws (including but not limited to policies and laws related to spamming, privacy, obscenity, or defamation).

and among others

You will adopt and maintain the Permissions and Privacy Policy, which may be modified by Mad Mimi from time to time.

Customer agrees that each email sent by Customer in connection with the Services shall contain a link to the then current Privacy Policy, unless Customer has obtained specific authorization from VerticalResponse to remove such link. Failure to comply with this requirement may result in a termination of Customer's account by VerticalResponse

and

Customer represents, covenants, and warrants that Customer will use the Services only in compliance with VerticalResponse's Privacy Policy and Anti-Spam Policy as published at www.verticalresponse.com or otherwise furnished to Customer and all applicable laws (including but not limited to policies and laws related to spamming, privacy, obscenity, or defamation and child protective email address registry laws).

Email Footer. Upon activation of Customer’s email account, ExactTarget adds a default footer to each email sent via the Platform. The default footer includes: (a) Customer’s physical mailing address; (b) links to ExactTarget’s profile update and unsubscribe centers; (c) a link to ExactTarget’s Privacy Policy (which may be viewed at www.exacttarget.com); and (d) an attribution that the email was powered by ExactTarget. Notwithstanding the foregoing, Customer may opt at any time to remove one or more portions of the default footer from email messages sent via the Platform; provided, however, that should Customer opt to remove (a), (b), and/or (c) above, it shall add within the body of such email messages (i) the identification of the sender; (ii) instructions on how the recipient can opt-out of future commercial mailings; (iii) the sender’s valid physical mailing address; and (iv) a link to Customer’s privacy policy, as applicable.

TinyLetter is a MailChimp company; its terms therefore follow MailChimp's lead:

You represent and warrant that your use of TinyLetter will comply with all applicable laws and regulations. You’re responsible for determining whether our Services are suitable for you to use in light of any regulations like HIPAA, GLB, EU Data Privacy Laws, or other laws.

If you’re located in the European Economic Area (EEA) or send to anyone in the EEA, you represent and warrant that in creating your Email distribution list, sending Emails via TinyLetter and collecting information from sending Emails, you:

therefore, you:

1) Will clearly describe in writing how you plan to use any data collected, including for your use of TinyLetter. You’ll get express consent to transfer data to TinyLetter as part of this process, and you’ll otherwise comply with whatever privacy policy you have posted.
2) Have complied, and will comply, with all regulations, as well as data protection, electronic communication, and privacy laws that apply to the countries where you’re sending any form of email through TinyLetter.

Failing to include in each Email a link to the then-current Privacy Policy applicable to that Email.

3) How do I properly add a privacy policy to my newsletter?

The usual position to properly place a privacy policy link is in the footer of a website, or in this case of the email. The link should point to your privacy policy and be clearly visible (skip sketchy obfuscation methods).

This will be a slightly different process depending on how your email newsletter provider handles these templating/customization tasks. Usually your privacy policy is hosted on some website (yours?) and this is where you will link to. If this is not what you are looking for, iubenda offers to host your privacy policy when you generate one with us.

Adding the link to your privacy policy in the newsletter makes sure that your users can find the relevant information right where it matters and don't have to look for it somewhere they might not expect to find it.

Is there anything else I have to think about?

Yes, you should take a look at anti-spam legislation like the US CAN-SPAM Act (depending on where your recipients are based, you should take a look at local anti-spam requirements as well). These anti-spam rules usually require you to

  • include an unsubscribe link
  • include a physical company address

That's also what the Privacy and Electronic Communications Regulations in Europe require:

  • a sender must not conceal their identity
  • a sender must include a valid address for opt-out requests
  • a sender must include information about the company

The opt-in/opt-out discussion:

The biggest difference in international law (and sometimes a little tricky to understand) is the opt-in/opt-out discussion. This concerns how you collect email addresses and what you're allowed to do with them. In practice it means you will need to get consent from people at the point where you collect their email addresses. Below is the British model:

Opt-in: 

Opt-in is where you don’t get marketing emails from an organisation unless you actively consent to receive them. This consent is usually given by actively ticking a box as an indication that you understand and want to be contacted by email for newsletters. The basic rule looks like this: organisations must collect your email address on an opt-in basis unless they can satisfy three exemption criteria.

Opt-in is usually the best method to make sure that your recipient has given you their address with prior consent (condition to legitimately send that newsletter).

The safest way to handle email address collection is the so-called double opt-in method. The process involves a checkbox that tells you "yes, I consent to receiving your email newsletter and to your privacy policy", and subsequently the user gets a confirmation email in which they have to repeat their intent to get emails from you. The reason for this second step is that anyone could enter any email address into your form.
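The double opt-in flow described above, as an added illustration (this is not iubenda's code, nor any provider's): the signup form only records the address once the consent box is ticked, the confirmation email carries an HMAC-signed token that binds the address to an issue time, and the address joins the list only when that token comes back valid, unexpired and still pending. The secret key, the 48-hour link lifetime and the in-memory store are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumed values for the example: a real deployment loads the key from
# configuration and picks a link lifetime that matches its own policy.
SECRET_KEY = b"example-secret-change-me"
TOKEN_MAX_AGE = 48 * 3600  # confirmation links expire after 48 hours


def make_confirmation_token(email: str, issued_at: int, secret: bytes = SECRET_KEY) -> str:
    """Build the token that goes into the confirmation link.

    The payload (address + issue time) is signed with HMAC-SHA256, so the server
    needs no per-link state to validate it later and nobody can forge a
    confirmation for an address they did not request through this server.
    """
    payload = f"{email}|{issued_at}".encode()
    payload_b64 = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{payload_b64}.{mac}"


def parse_confirmation_token(token: str, now: Optional[int] = None,
                             secret: bytes = SECRET_KEY,
                             max_age: int = TOKEN_MAX_AGE) -> Optional[str]:
    """Return the confirmed address, or None if the token is malformed, tampered or expired."""
    now = int(time.time()) if now is None else now
    if "." not in token:
        return None
    payload_b64, provided_mac = token.rsplit(".", 1)
    try:
        payload = base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4))
    except ValueError:  # covers binascii.Error (bad base64)
        return None
    expected_mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    if not hmac.compare_digest(expected_mac.encode(), provided_mac.encode()):
        return None
    try:
        email, issued_s = payload.decode().rsplit("|", 1)
        issued_at = int(issued_s)
    except (UnicodeDecodeError, ValueError):
        return None
    if issued_at > now or now - issued_at > max_age:
        return None  # clock skew in the wrong direction, or the link is too old
    return email


@dataclass
class SubscriberStore:
    """Minimal in-memory model of the two subscriber states (assumed, for illustration)."""
    pending: dict = field(default_factory=dict)   # email -> time the link was issued
    confirmed: set = field(default_factory=set)

    def request_subscription(self, email: str, consent_given: bool,
                             now: Optional[int] = None) -> Optional[str]:
        """Step 1, the form submission. Without the consent tick nothing is stored."""
        if not consent_given:
            return None
        now = int(time.time()) if now is None else now
        self.pending[email] = now
        # The returned token is what the confirmation email would link to.
        return make_confirmation_token(email, now)

    def confirm(self, token: str, now: Optional[int] = None) -> bool:
        """Step 2, the recipient follows the link. Only now does the address join the list."""
        email = parse_confirmation_token(token, now)
        if email is None or email not in self.pending:
            return False  # invalid, expired, already used, or never requested
        del self.pending[email]
        self.confirmed.add(email)
        return True


if __name__ == "__main__":
    store = SubscriberStore()
    link_token = store.request_subscription("reader@example.com", consent_given=True)
    print("confirmation token:", link_token)
    print("confirmed:", store.confirm(link_token), sorted(store.confirmed))
```

Two details matter for the legal point the post makes. The address is written to `confirmed` only after the token round-trips, so a third party typing someone else's address into the form leaves at most a `pending` entry that expires with the link. And because each token is single-use (its `pending` entry is deleted on success), a leaked or replayed confirmation link cannot re-subscribe an address that has since opted out.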

Opt-out:

Opt-out is where you are told that you will get marketing emails unless you say you don't want them. For this you need to satisfy three exemption criteria:

  • your email address was collected in the course of a sale or negotiations for a sale;
  • the sender only sends promotional messages relating to their similar products and services; and
  • when your address was collected, you were given the opportunity to opt-out (free of charge except for the cost of transmission) which you didn’t take. The opportunity to opt-out must be given with every subsequent message.

4) An example privacy policy for a newsletter?

A lot of people ask for sample privacy policies for their newsletters. In reality those samples don't do anyone much good because they're far too generic. Let's start with an enumeration of what needs to go into a privacy policy. Most countries' privacy laws require you to include the following information:

- Describe what kind of personal data is collected.
- Describe how this information will be used by the company.
- Describe how this information will be transferred to third-party companies.
- Provide instructions on how users can modify or delete their personal information.
- Provide instructions on how users can opt-out of future communications.
- Identify the policy's effective date and outline how you notify people of material changes to it.

Depending on who your newsletter provider is, you should also include some information about them and what their privacy practices look like. Luckily, iubenda offers exactly that.

What do I do now?

You can either hire a lawyer, write your own complete policy or use iubenda's generator right away to make your policy for you.

Our Approach of Generating a Privacy Policy for Newsletters

So here's where iubenda's privacy policy generator will come in very handy:

1. Define the services and categories of data collection your site/app/newsletter is making use of.

2. Add the services (and categories of data collection like "Contact form", "Mailing List or Newsletter", "Mailchimp" & "Direct Email Marketing (DEM)") you are using to your policy. iubenda will then generate your privacy policy for you.

[Image: newsletter_choose]

3. Get the link to embed the policy into the footer of your newsletter (full disclosure: the embedding link is a PRO feature).

[Image: newsletter_link]
