Most laws require that you inform users about your data processing activities (typically done via a privacy notice) and – depending on the region – that you obtain user consent and/or provide an easy way for them to withdraw consent.
Generally, these laws apply to any service targeting residents of the region, which effectively means that they may apply to your business whether it’s located in the region or not. This is even more relevant if you’re using a bought email list as in such a case, you may not know the recipient’s country of residence. For this reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind.
It will need to include details on:
Here’s an excerpt from the Mailchimp Terms of Service:
And another from Campaign Monitor’s Terms of Service:
View live demos and have your questions answered in real time by attending one of our free English webinars. They are all practical and designed to really help you with understanding and achieving compliance for your websites or apps.Attend our free webinars
Under the FTC’s CAN-SPAM Act, you do not need consent prior to adding users located in the US to your mailing list or sending them commercial messages, however, it is mandatory that you provide users with a clear means of opting out of further contact.
As newsletter sign-up forms are data collection tools, under EU law (namely the GDPR) it is mandatory that you obtain the informed consent of the user before subscribing them to the service. Under EU regulations, acquiring consent can be considered a two-part process that includes informing the user and obtaining verifiable consent via an affirmative action.
When informing the user you must:
You must clearly state the type of email that the user will be consenting to;
Be clear and unambiguous.
The average user should be easily able to understand what they’re consenting to;
Make it clear that signing up is optional.
Consent must be “freely given”; you may not coerce users into joining your mailing list or make it appear as if joining the list is mandatory. For this reason, you must make it clear that signing up is optional. This is especially relevant in cases where you offer free white-papers (or e-books) for download. While the user’s email address is required for the delivery of the service, signing up for your newsletter is not. In such a case, you must not make it appear as if signing-up to the newsletter list mandatory and must make it clear that it is optional.
So in practice, if, for example, you also wanted to add people that download your e-book to your newsletter list, you should include something similar to the following, under the e-book download form:
As can be seen in the example, users must be made aware that the consent is in fact optional and not mandatory.
The consenting action must be explicit and verifiable.
The process for getting user consent must be straightforward and involve a clear “opt-in” action. This means that mechanisms such as pre-ticked newsletter sign-up checkboxes at checkout are not allowed, as EU regulation specifically forbids pre-ticked boxes and similar “opt-out” mechanisms.
You may, however, use any method that would require the user to take a direct affirmative action (This can include any verifiable consenting action including sending an email or clicking a check-box).
You must give users the ability to withdraw consent.
Under the GDPR, users have the specific right to withdraw consent. This means that you’re required to make it as easy to withdraw consent as it is to give it. This can be easily achieved by including a visible and valid unsubscribe link in your newsletter. Users should also have the ability to manage their mail preferences from within their account.
The consent acquired must be specific to the type of content being sent.
This means that the newsletter should only contain information that the user consented to receive. So for example, if the user only consented to receive emails about your new products, you should not send them promotional emails related to partner/ third-party offers.
In cases where you want to send more than one type of email to your users, you’re required to get additional consent specific to those uses as you must have multiple consents for multiple purposes.
This does not have to be an additional form. In practice, you can simply add several gdpr checkboxes informing the user of each additional purpose and allowing them to give consent specific to those cases.
This is especially applicable to Direct Email Marketing communications (emails where the singular purpose is to directly advertise products or services). In the case of DEM communications, you must obtain additional consent if also sending emails about third-party products/services in addition to your own.
There are some exceptions to the requirement for the type of active consent mentioned above. The exceptions are as follows:
Soft opt-in (where the recipient provided their email address while purchasing a product or service). If the email address was collected as part of a previous sales process on your site, then you may use the details collected to send promotional emails related to similar products and services. This, however, only applies if the user was adequately informed of this occurrence (e.g. a notice on the sales page) and if they choose not refuse such use.
Explicit Form (where the purpose of the sign-up mechanism is unequivocal). So for example, in a scenario where your site has a pop-up window that invites users to sign up to your newsletter using a clear phrase such as: “Subscribe to our newsletter for access to discount vouchers and product updates!“, the affirmative action that the user performs by typing in their email address would be considered valid consent.
Because consent under the GDPR is such an important issue, it’s vital that you keep clear records related to the consent attained. Records of consent should at least contain the following information:
Maintaining valid records, while mandatory, can be a technical challenge. Our Consent Solution simplifies this process, making it easy for you to view, manage and export your recorded consents. you can read more about it here.
While ‘single opt-in’ only requires that users submit their information in order to be added to your list, ‘double opt-in’ requires that users first validate their email address before being added to your mailing list. The validation is carried out when users click on a specific link contained in a “confirmation” message sent to their email address.
With this method, you can ensure the email address receiving your communication actually belongs to the person giving the consent and hereby further ensure that you avoid high unsubscribe rates, retain the integrity of your list and the reputation of your address. This method of registration is considered best practice in many countries, especially Germany and in the EU in general.
In several cases, German courts have decided that a single opt-in process is not sufficient proof of prior consent. An example of this would be the OLG Celle, judgment of 15.05.2014:
In principle, the sender of (e-mail) advertising must state that there is a consent to this and this in particular comes from the addressee… The sender of advertising e-mails can comply with this requirement by the so-called “double-opt-in procedure”… in a reasonable manner for each individual e-mail address.
Depending on where your customers live, specific laws relating to spam may apply. In the US, the FTC’s CAN-SPAM Act sets rules for sending commercial messages, including email.
The major requirements of the CAN-SPAM Act are as follows:
Use truthful header information.
Your name, email address and routing information (including domain) must be accurate and correctly identify the sender of the message.
Use non-misleading subject lines.
Subject lines must give an accurate depiction of message content.
Identify the message as an ad.
A specific method of doing this is not specified, however, the disclosure must be “clear and conspicuous.”
Tell recipients where you’re located.
You must include your valid physical postal address.
Monitor what others are doing on your behalf.
Even if you’ve out-sourced your email marketing to another company, the law may hold both you and the other company responsible.
Inform users of and provide a visible unsubscribe option.
The “unsubscribe” option must be easily seen and must include a clear explanation of how the user can opt-out of receiving future emails from you. The notice must be easy for an average user to recognize, read, and understand. A practical way to implement this would be to simply include an “unsubscribe” link together with a statement informing the user of the option.
For example, your statement could be something like: “You are receiving this business communication from [Business Name] as you have expressed your interest in our products and services]. If you no longer wish to receive these communications, you can unsubscribe by clicking here”.
Under CAN-SPAM, the ability to unsubscribe should be free and should not be behind a login process. This means that users must be able to unsubscribe without paying a fee and without needing to log into their account to do so. The FTC states:
You can’t charge a fee, require the recipient to give you any personally identifying information beyond an e-mail address, or make the recipient take any step other than sending a reply e-mail or visiting a single page on an Internet website as a condition for honoring an opt-out request.
Some types of email are exempt from most of the CAN-SPAM Act’s requirements and are only subject to the requirement of truthful routing information.
These exemptions include emails in which the primary purpose is:
Transactional: These are emails relating to already-agreed-upon transactions, or emails that deliver goods or services as a part of a transaction that the user already agreed to (e.g. License key or E-book delivery).
Relationship: These are emails that update users (that already have a relationship with your service) about changes in product / service terms, features or account information; this also includes warranty, recall, safety, or security information about a product or service.
Other (Non-commercial) emails.
In the EU, the ePrivacy directive sets overall guidelines that are individually implemented by member states, however, some elements (such as the ability to withdraw consent) fall within the scope of the GDPR.
In general, EU anti-spam rules usually require that you:
Provide an unsubscribe link in the email.
The withdrawal option must be clear, visible and easily accessible. This element falls under the scope of the GDPR and specifically under the right to erasure; as such, you will have a maximum of 30 days to honor user withdrawal requests. It’s worth saying though that while the law may give you up to 30 days to honor these requests, most subscribers won’t. It is therefore prudent to honor opt-out requests promptly or risk being marked as spam and compromising the total legitimacy of your associated address.
Clearly indicate the identity of the sender.
Disguised sender identities are prohibited; the information must be clear and straight-forward.
Include a physical company address.
A valid return address must be provided.
Clearly identify and specify the nature of the message.
You should indicate, in an unambiguous way, the type of message being sent (e.g. promotional or not).
Avoid the use of false or deceptive expressions in your text.
Advertising in any form (including commercial messages) must not be done in a way that would make it likely to deceive the persons to whom it reaches.
Some legislations (e.g. Germany and Australia) may further require that you include information on how to contact the sender. It’s always best practice to either simply follow the most robust legislations or to check the local anti-spam requirements specific to where your recipients are based.
Included below is an example of a commercial communication that contains all the basic elements. In the example, elements such as the name and address are included at the top of the email, however, the placement is entirely up to you provided that the information is visible and easily found.
John’s Store Ltd [address] [City] [State] [ZIP] [Country]
[Return email address (eg. firstname.lastname@example.org) ]
[Subject: New arrivals for spring! [Your Website Name]
[Type of email (eg.Promotional)]
“Dear Customer, we are delighted to offer you our latest arrivals for Spring. See something you like? You can purchase any one of these items by clicking directly on the products in this email and you’ll be taken to our website where you can pay securely.“
[Opt-out] If you no longer wish to receive communications from us, click here to unsubscribe.
The conditions outlined here also apply to other marketing methods that use electronic messages including Direct Email Marketing messages and Viral marketing communications (e.g. asking users to forward a marketing message to their friends).
The legal ramifications of non-compliance include hefty fines in both the EU and the US, with fines ranging from the tens of thousands to millions. But perhaps equally as concerning are the other potential sanctions that may be implemented against organizations found to be in violation. These sanctions include official reprimands (for first-time violations), periodic data protection audits and liability damages.
The GDPR, in particular, gives users the explicit right to file a complaint with a supervisory authority if they feel that any processing of their personal data was done in violation of regulations. So for example, if a report is made to the authority about an instance of regulatory violation, the authority may choose to perform an audit of your data processing operations. If it’s found that some processing activity was done unlawfully, not only is a fine imposed, but you may be forbidden from making further use of both the data of the inquiry and data acquired using similar mechanisms. This means that if the violation use was in regards to email address collection, you risk being barred from using the entire associated email list.
In regards to liability damages, both the EU and US laws give individual users the right to compensation for any damages resulting from an organization’s non-compliance with regulations. This means that violating regulations can leave you open to potential litigation.
Failure to comply with your legal obligations may lead to users negatively perceiving your business as either incompetent or malicious. This can lead to significant and lasting damage to public trust and the reputation of your organization.
In regards to compliance, it is always advisable that you approach your data processing activities with the strictest applicable regulations in mind. In regards to the newsletter process, compliance at the very least requires that you put the following into practice:
Inform users of:
Obtain prior consent (depending on the regional law) that is:
Provide a means of withdrawing consent that is:
Keep valid records of the consent collected:
With the enforcement of the GDPR, many companies filled user inboxes with requests to renew their consent for marketing communications and data processing. Here’s why sending GDPR consent emails is tricky and should be handled very carefully.
Generally speaking, consent is one of the six legal bases for processing user data. The others are: legal obligation, contractual requirements, vital interests, public interest and legitimate interests.
If this information was not available to users at the time, but one of these legal bases can currently legitimately apply to your situation, then your best bet would be to ensure that your current privacy notice meets requirements, so that you can continue to process your user data in a legally compliant way.
Whether or not the consent can “carry-over” – therefore removing the need to ask for new consent or to rely on another legal basis – depends on whether or not the consent was collected in a GDPR-compliant way and if you can prove this.
Here are some questions you can ask yourself:
Using consent as your legal basis in the past does not mean that you still have to do so now. It might even be ill-advised to do so especially if you’re not completely sure how you collected the contact info/data in the first place (e.g.illegitimately acquired email lists) or if you can’t prove that you collected it in a legally compliant way.
To be clear, if you contact users to ask for consent while currently having no legitimately legal basis for having their data/contact info in the first place, you’ll not only be in violation under the GDPR but also under the existing Data Protection Directive.
Another reason to evaluate whether or not another legal basis can apply as your reason for processing in these cases is that strictly speaking, if you lack the consent necessary to contact users, then you likely lack the consent needed to even email them to ask for consent.
If no other legal basis can legitimately apply to your case, then you may need to collect consent again. A notice on your website or social media posts are some of the legitimate ways in which you can let users know that they’ll need to opt-in if they’d like to keep in touch.
Legal bases can’t be “picked” as such as they need to legitimately apply to your situation. When evaluating whether or not a legal basis can apply, please be sure to go through them with your lawyer as determining the correct legal basis is very important and can be difficult.
The process is straightforward and intuitive, simply click to add your services, fill out your web/app owner and contact details, embed.
Congratulations! Your policy has been created. Simply check that all the details are correct, then:
For more information on privacy policies click here.
Our Consent Solution simplifies the process of collecting and maintaining compliant records of consent. It allows you to track every aspect of consent (including the legal or privacy notice and the consent form that the user was presented with at the time of consent collection) and the related preferences expressed by the user.
To use, simply activate the Consent Solution and get the API key, then install via HTTP API or JS widget and you’re done; you’ll be able to retrieve consents at any time and keep them updated.
For a list of the full features of the Consent Solution click here, read the overview guide here, or for a practical tutorial using a common scenario, read our guide on How to use the Consent Solution with Contact Form 7.
Remember these compliance steps are related specifically to requirements for emails and newsletters. If you’d like more information on overall website requirements, see our Getting Started guide here.