👉 Email and Newsletter Legal Requirements in General
👉 Legal obligations when adding users to your mailing list
👉 Legal obligations related to Newsletter content
👉 Consequences of non-compliance
✅ Steps for making your newsletter process compliant with the law
A newsletter is an incredibly powerful marketing tool but is your newsletter legal?
It’s a cost-effective way to build and maintain a relationship with your customers, but it can also end up costing you if you’re not meeting your legal obligations.
👉 If you plan to or are currently maintaining an email newsletter, you’re legally required to have a comprehensive privacy policy in place as you are collecting personal data.
Most laws require that you inform users about your data processing activities (typically done via a privacy notice) and – depending on the region – that you obtain user consent and/or provide an easy way for them to withdraw consent.
Generally, these laws apply to any service targeting residents of the region, which effectively means that they may apply to your business whether it’s located in the region or not. This is even more relevant if you’re using a bought email list as in such a case, you may not know the recipient’s country of residence. For this reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind.
You can read more about which laws apply to you here or read our General legal overview here.
The vast majority of legislations require that your privacy policy informs your users about your data collection activities in an easy-to-understand, unambiguous and easily accessible way.
It will need to include details on:
Third-party apps and services also need to follow the law. For this reason, it’s often mandatory that all partners and customers that use their services meet regulatory standards. The vast majority of reputable newsletter management platforms have made it mandatory for users of their services to have a comprehensive privacy policy in place that clearly discloses their involvement and that meets regulations.
Here’s an excerpt from the Mailchimp Terms of Service:
Will clearly describe in writing how you plan to use any data collected, including for your use of Mailchimp. You’ll get express consent to transfer data to Mailchimp as part of this process, and you’ll otherwise comply with whatever privacy policy you have posted.
And another from Campaign Monitor’s Terms of Service:
You will adopt and maintain a policy that complies with all applicable privacy laws and which is at least as stringent as our Privacy Policy (as modified by Campaign Monitor from time to time). You acknowledge that all personal information that you provide to us has been collected with the relevant individual’s consent, and that you have informed the individual of the purpose for which that information was collected, and that you may provide this information to us for the purposes of use in relation to the Services. You acknowledge that we may store the personal information that you provide to us on servers located in the United States of America, and you warrant that you have obtained the consent of the relevant individuals to the storage and transmission of their personal information in this manner.
Generally, regulations require that your privacy policy be clearly visible and easily accessible throughout your website or app site, so simply having it in your footer may suffice. However, within the context of transparency (which itself is usually one of the key purposes of data laws), it’s advisable that you also make your privacy policy situationally available; for example, linking to it in both your sign-up form and email newsletter.
No, it’s not illegal to add someone to a mailing list; nevertheless, there are legal obligations you need to abide by when adding users to your mailing list. This depends on where your users are based. Below we cover US and EU law:
Under the FTC’s CAN-SPAM Act, you do not need consent prior to adding users located in the US to your mailing list or sending them commercial messages, however, it is mandatory that you provide users with a clear means of opting out of further contact.
🎯 Short on time? Click here to see what you need to do to comply.
As newsletter sign-up forms are data collection tools, under EU law (namely the GDPR) it is mandatory that you obtain the informed consent of the user before subscribing them to the service. Under EU regulations, acquiring consent can be considered a two-part process that includes informing the user and obtaining verifiable consent via an affirmative action.
When informing the user you must:
You must clearly state the type of email that the user will be consenting to;
The average user should be easily able to understand what they’re consenting to;
Consent must be “freely given”; you may not coerce users into joining your mailing list or make it appear as if joining the list is mandatory. For this reason, you must make it clear that signing up is optional. This is especially relevant in cases where you offer free white-papers (or e-books) for download. While the user’s email address is required for the delivery of the service, signing up for your newsletter is not. In such a case, you must not make it appear as if signing-up to the newsletter list mandatory and must make it clear that it is optional.
So in practice, if, for example, you also wanted to add people that download your e-book to your newsletter list, you should include something similar to the following, under the e-book download form:
As can be seen in the example, users must be made aware that the consent is in fact optional and not mandatory.
The consenting action must be explicit and verifiable.
The process for getting user consent must be straightforward and involve a clear “opt-in” action. This means that mechanisms such as pre-ticked newsletter sign-up checkboxes at checkout are not allowed, as EU regulation specifically forbids pre-ticked boxes and similar “opt-out” mechanisms.
You may, however, use any method that would require the user to take a direct affirmative action (This can include any verifiable consenting action including sending an email or clicking a check-box).
You must give users the ability to withdraw consent.
Under the GDPR, users have the specific right to withdraw consent. This means that you’re required to make it as easy to withdraw consent as it is to give it. This can be easily achieved by including a visible and valid unsubscribe link in your newsletter. Users should also have the ability to manage their mail preferences from within their account.
The consent acquired must be specific to the type of content being sent.
This means that the newsletter should only contain information that the user consented to receive. So for example, if the user only consented to receive emails about your new products, you should not send them promotional emails related to partner/ third-party offers.
In cases where you want to send more than one type of email to your users, you’re required to get additional consent specific to those uses as you must have multiple consents for multiple purposes.
This does not have to be an additional form. In practice, you can simply add several gdpr checkboxes informing the user of each additional purpose and allowing them to give consent specific to those cases.
This is especially applicable to Direct Email Marketing communications (emails where the singular purpose is to directly advertise products or services). In the case of DEM communications, you must obtain additional consent if also sending emails about third-party products/services in addition to your own.
There are some exceptions to the requirement for the type of active consent mentioned above. Let’s have a look at soft opt-in and explicit form.
Soft opt-in may allow you to bypass the need for prior consent. Soft opt-in can occur when a user has provided their email address while purchasing a product or service from you. In particular, soft opt-in may apply where the following conditions are met:
💡 Learn more about where soft opt-in applies by checking our global email marketing cheatsheet.
An explicit form is where the purpose of the sign-up mechanism is unequivocal. So for example, in a scenario where your site has a pop-up window that invites users to sign up to your newsletter using a clear phrase such as: “Subscribe to our newsletter for access to discount vouchers and product updates!“, the affirmative action that the user performs by typing in their email address would be considered valid consent.
Because consent under the GDPR is such an important issue, it’s vital that you keep clear records related to the consent attained. Records of consent should at least contain the following information:
Maintaining valid records, while mandatory, can be a technical challenge. Our Consent Database simplifies this process, making it easy for you to view, manage and export your recorded consents. you can read more about it here.
While ‘single opt-in’ only requires that users submit their information in order to be added to your list, ‘double opt-in’ requires that users first validate their email address before being added to your mailing list. The validation is carried out when users click on a specific link contained in a “confirmation” message sent to their email address.
With this method, you can ensure the email address receiving your communication actually belongs to the person giving the consent and hereby further ensure that you avoid high unsubscribe rates, retain the integrity of your list and the reputation of your address. This method of registration is considered best practice in many countries, especially Germany and in the EU in general.
In several cases, German courts have decided that a single opt-in process is not sufficient proof of prior consent. An example of this would be the OLG Celle, judgment of 15.05.2014:
In principle, the sender of (e-mail) advertising must state that there is a consent to this and this in particular comes from the addressee… The sender of advertising e-mails can comply with this requirement by the so-called “double-opt-in procedure”… in a reasonable manner for each individual e-mail address.
Depending on where your customers live, specific laws relating to spam may apply. In the US, the FTC’s CAN-SPAM Act sets rules for sending commercial messages, including email.
Use truthful header information.
Your name, email address and routing information (including domain) must be accurate and correctly identify the sender of the message.
Use non-misleading subject lines.
Subject lines must give an accurate depiction of message content.
Identify the message as an ad.
A specific method of doing this is not specified, however, the disclosure must be “clear and conspicuous.”
Tell recipients where you’re located.
You must include your valid physical postal address.
Monitor what others are doing on your behalf.
Even if you’ve out-sourced your email marketing to another company, the law may hold both you and the other company responsible.
Inform users of and provide a visible unsubscribe option.
The “unsubscribe” option must be easily seen and must include a clear explanation of how the user can opt-out of receiving future emails from you. The notice must be easy for an average user to recognize, read, and understand. A practical way to implement this would be to simply include an “unsubscribe” link together with a statement informing the user of the option.
For example, your statement could be something like: “You are receiving this business communication from [Business Name] as you have expressed your interest in our products and services]. If you no longer wish to receive these communications, you can unsubscribe by clicking here”.
Under CAN-SPAM, the ability to unsubscribe should be free and should not be behind a login process. This means that users must be able to unsubscribe without paying a fee and without needing to log into their account to do so. The FTC states:
You can’t charge a fee, require the recipient to give you any personally identifying information beyond an e-mail address, or make the recipient take any step other than sending a reply e-mail or visiting a single page on an Internet website as a condition for honoring an opt-out request.
Some types of email are exempt from most of the CAN-SPAM Act’s requirements and are only subject to the requirement of truthful routing information.
Transactional: These are emails relating to already-agreed-upon transactions, or emails that deliver goods or services as a part of a transaction that the user already agreed to (e.g. License key or E-book delivery).
Relationship: These are emails that update users (that already have a relationship with your service) about changes in product / service terms, features or account information; this also includes warranty, recall, safety, or security information about a product or service.
Other (Non-commercial) emails.
In the EU, the ePrivacy directive sets overall guidelines that are individually implemented by member states, however, some elements (such as the ability to withdraw consent) fall within the scope of the GDPR.
Provide an unsubscribe link in the email.
The withdrawal option must be clear, visible and easily accessible. This element falls under the scope of the GDPR and specifically under the right to erasure; as such, you will have a maximum of 30 days to honor user withdrawal requests. It’s worth saying though that while the law may give you up to 30 days to honor these requests, most subscribers won’t. It is therefore prudent to honor opt-out requests promptly or risk being marked as spam and compromising the total legitimacy of your associated address.
Clearly indicate the identity of the sender.
Disguised sender identities are prohibited; the information must be clear and straight-forward.
Include a physical company address.
A valid return address must be provided.
Clearly identify and specify the nature of the message.
You should indicate, in an unambiguous way, the type of message being sent (e.g. promotional or not).
Avoid the use of false or deceptive expressions in your text.
Advertising in any form (including commercial messages) must not be done in a way that would make it likely to deceive the persons to whom it reaches.
Some legislations (e.g. Germany and Australia) may further require that you include information on how to contact the sender. It’s always best practice to either simply follow the most robust legislations or to check the local anti-spam requirements specific to where your recipients are based.
Included below is an example of a commercial communication that contains all the basic elements. In the example, elements such as the name and address are included at the top of the email, however, the placement is entirely up to you provided that the information is visible and easily found.
John’s Store Ltd [address] [City] [State] [ZIP] [Country]
[Return email address (eg. info@johnsstoreltd.com) ]
[Subject: New arrivals for spring! [Your Website Name]
[Type of email (eg.Promotional)]“Dear Customer, we are delighted to offer you our latest arrivals for Spring. See something you like? You can purchase any one of these items by clicking directly on the products in this email and you’ll be taken to our website where you can pay securely.“
[Opt-out] If you no longer wish to receive communications from us, click here to unsubscribe.
The conditions outlined here also apply to other marketing methods that use electronic messages including Direct Email Marketing messages and Viral marketing communications (e.g. asking users to forward a marketing message to their friends).
The legal ramifications of non-compliance include hefty fines in both the EU and the US, with fines ranging from the tens of thousands to millions. But perhaps equally as concerning are the other potential sanctions that may be implemented against organizations found to be in violation. These sanctions include official reprimands (for first-time violations), periodic data protection audits and liability damages.
The GDPR, in particular, gives users the explicit right to file a complaint with a supervisory authority if they feel that any processing of their personal data was done in violation of regulations. So for example, if a report is made to the authority about an instance of regulatory violation, the authority may choose to perform an audit of your data processing operations. If it’s found that some processing activity was done unlawfully, not only is a fine imposed, but you may be forbidden from making further use of both the data of the inquiry and data acquired using similar mechanisms. This means that if the violation use was in regards to email address collection, you risk being barred from using the entire associated email list.
💡 In regards to liability damages, both the EU and US laws give individual users the right to compensation for any damages resulting from an organization’s non-compliance with regulations. This means that violating regulations can leave you open to potential litigation.
Some third-party services may make compliance with legal regulations a part of their terms of use. In such cases, a violation of legal requirements can also be considered a violation of their terms; such violations may lead to service termination or potentially, permanent bans.
Failure to comply with your legal obligations may lead to users negatively perceiving your business as either incompetent or malicious. This can lead to significant and lasting damage to public trust and the reputation of your organization.
In regards to compliance, it is always a good idea that you approach your data processing activities with the strictest applicable regulations in mind. In regards to the newsletter process, compliance, at the very least, requires that you put the following into practice:
✅ Step 1: Inform your users of the data you collect, why, and the method of delivery (If you’re using direct email marking, make sure to include this in your privacy policy)
✅ Step 2: Inform your users of all third-party providers involved in your newsletter management process, including links to their privacy documents and their rights in regard to their data (including the right to withdraw consent).
✅ Step 3: Keep valid records of the consent collected. Without these records, the consent you collect is considered invalid.
👋 See our step-by-step breakdown for how to achieve this!
Our Consent Database simplifies the process of collecting and maintaining compliant records of consent. It allows you to track every aspect of consent (including the legal or privacy notice and the consent form that the user was presented with at the time of consent collection) and the related preferences expressed by the user.
To use, simply activate the Consent Database and get the API key, then install via HTTP API or JS widget, and you’re done; you’ll be able to retrieve consents at any time and keep them updated.
For a list of the full features of the Consent Database click here, read the overview guide here, or for a practical tutorial using a common scenario, read our guide on How to use the Consent Database with Contact Form 7.
👋 Keep reading for direct email marking and more, or Get Started now for free today!
If using Direct Email Marketing (DEM) for the German market, you must add a statement to your privacy policy that specifies the companies and type of goods and services that will be promoted through the newsletter.
Obtain prior consent (depending on the regional law) that is:
With the enforcement of the GDPR, many companies filled user inboxes with requests to renew their consent for marketing communications and data processing. Here’s why sending GDPR consent emails is tricky and should be handled very carefully.
Generally speaking, consent is one of the six legal bases for processing user data. The others are: legal obligation, contractual requirements, vital interests, public interest and legitimate interests.
If you’re already legitimately processing (meaning collecting, accessing, storing or otherwise interacting with) personal data based on any one of these other legal bases, then there’s no need to send consent request emails — provided that this basis of processing was stated in your privacy policy and that users had easy access to the notice prior to you processing their data.
If this information was not available to users at the time, but one of these legal bases can currently legitimately apply to your situation, then your best bet would be to ensure that your current privacy notice meets requirements, so that you can continue to process your user data in a legally compliant way.
Whether or not the consent can “carry-over” – therefore removing the need to ask for new consent or to rely on another legal basis – depends on whether or not the consent was collected in a GDPR-compliant way and if you can prove this.
Here are some questions you can ask yourself:
Using consent as your legal basis in the past does not mean that you still have to do so now. It might even be ill-advised to do so especially if you’re not completely sure how you collected the contact info/data in the first place (e.g.illegitimately acquired email lists) or if you can’t prove that you collected it in a legally compliant way.
To be clear, if you contact users to ask for consent while currently having no legitimately legal basis for having their data/contact info in the first place, you’ll not only be in violation under the GDPR but also under the existing Data Protection Directive.
Another reason to evaluate whether or not another legal basis can apply as your reason for processing in these cases is that strictly speaking, if you lack the consent necessary to contact users, then you likely lack the consent needed to even email them to ask for consent.
If no other legal basis can legitimately apply to your case, then you may need to collect consent again. A notice on your website or social media posts are some of the legitimate ways in which you can let users know that they’ll need to opt-in if they’d like to keep in touch.
Legal bases can’t be “picked” as such as they need to legitimately apply to your situation. When evaluating whether or not a legal basis can apply, please be sure to go through them with your lawyer as determining the correct legal basis is very important and can be difficult.
→ If you use a third-party service for newsletter management e.g. Mailchimp, Constant Contact etc., you should add the third-party service as well. You can also add “email sign-up form” (or any other collection forms you use) to your policy.
→ If you promote third-party services/products via your email newsletter in any way, you may need to add the Direct Email Marketing clause to your policy.
🎉 Congratulations! Your policy has been created. Simply check that all the details are correct, then:
→ Customize the look of your button or simply choose a text link;
→ Copy the embed code with one click and paste it into your site.
💡 Remember these compliance steps are related specifically to requirements for emails and newsletters. If you’d like more information on overall website requirements, see our Getting Started guide here.
