How to Make your Emails and Newsletter Compliant (with Form Examples)
Legal requirements in general
Most laws require that you inform users about your data processing activities (typically done via a privacy notice) and – depending on the region – that you obtain user consent and/or provide an easy way for them to withdraw consent.
Generally, these laws apply to any service targeting residents of the region, which effectively means that they may apply to your business whether it’s located in the region or not. This is even more relevant if you’re using a bought email list as in such a case, you may not know the recipient’s country of residence. For this reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind.
Informing users about your data collection activities
It will need to include details on:
What data you process;
How you process it;
The purpose of the processing (e.g, for sending a newsletter or market analysis);
All third-party involvement;
The user’s rights in regards to their data;
How you handle requests related to their rights;
The actual mechanisms of communication used (e.g email, paper mail);
How you protect their data
Ask our experts live
View live demos and have your questions answered in real time by attending one of our free English webinars. They are all practical and designed to really help you with understanding and achieving compliance for your websites or apps.
Legal obligations when adding users to your mailing list
Under the FTC’s CAN-SPAM Act, you do not need consent prior to adding users located in the US to your mailing list or sending them commercial messages, however, it is mandatory that you provide users with a clear means of opting out of further contact.
As newsletter sign-up forms are data collection tools, under EU law (namely the GDPR) it is mandatory that you obtain the informed consent of the user before subscribing them to the service. Under EU regulations, acquiring consent can be considered a two-part process that includes informing the user and obtaining verifiable consent via an affirmative action.
When informing the user you must:
Be specific. You must clearly state the type of email that the user will be consenting to;
Be clear and unambiguous. The average user should be easily able to understand what they’re consenting to;
Make it clear that signing up is optional. Consent must be “freely given”; you may not coerce users into joining your mailing list or make it appear as if joining the list is mandatory. For this reason, you must make it clear that signing up is optional. This is especially relevant in cases where you offer free white-papers (or e-books) for download. While the user’s email address is required for the delivery of the service, signing up for your newsletter is not. In such a case, you must not make it appear as if signing-up to the newsletter list mandatory and must make it clear that it is optional.
So in practice, if, for example, you also wanted to add people that download your e-book to your newsletter list, you should include something similar to the following, under the e-book download form:
As can be seen in the example, users must be made aware that the consent is in fact optional and not mandatory.
The consenting action must be explicit and verifiable. The process for getting user consent must be straightforward and involve a clear “opt-in” action. This means that mechanisms such as pre-ticked newsletter sign-up boxes at checkout are not allowed, as EU regulation specifically forbids pre-ticked boxes and similar “opt-out” mechanisms.
You may, however, use any method that would require the user to take a direct affirmative action (This can include any verifiable consenting action including sending an email or clicking a check-box).
You must give users the ability to withdraw consent. Under the GDPR, users have the specific right to withdraw consent. This means that you’re required to make it as easy to withdraw consent as it is to give it. This can be easily achieved by including a visible and valid unsubscribe link in your newsletter. Users should also have the ability to manage their mail preferences from within their account.
The consent acquired must be specific to the type of content being sent. This means that the newsletter should only contain information that the user consented to receive. So for example, if the user only consented to receive emails about your new products, you should not send them promotional emails related to partner/ third-party offers.
In cases where you want to send more than one type of email to your users, you’re required to get additional consent specific to those uses as you must have multiple consents for multiple purposes.
This does not have to be an additional form. In practice, you can simply add several checkboxes informing the user of each additional purpose and allowing them to give consent specific to those cases.
This is especially applicable to Direct Email Marketing communications (emails where the singular purpose is to directly advertise products or services). In the case of DEM communications, you must obtain additional consent if also sending emails about third-party products/services in addition to your own.
There are some exceptions to the requirement for the type of active consent mentioned above. The exceptions are as follows:
Soft opt-in (where the recipient provided their email address while purchasing a product or service). If the email address was collected as part of a previous sales process on your site, then you may use the details collected to send promotional emails related to similar products and services. This, however, only applies if the user was adequately informed of this occurrence (e.g. a notice on the sales page) and if they choose not refuse such use.
Explicit Form (where the purpose of the sign-up mechanism is unequivocal). So for example, in a scenario where your site has a pop-up window that invites users to sign up to your newsletter using a clear phrase such as: “Subscribe to our newsletter for access to discount vouchers and product updates!“, the affirmative action that the user performs by typing in their email address would be considered valid consent.
Records of Consent
Because consent under the GDPR is such an important issue, it’s vital that you keep clear records related to the consent attained. Records of consent should at least contain the following information:
The Identity of the user giving consent;
When they consented;
What disclosures were made (what they were told) at the time they consented;
Methods used for obtaining consent (e.g., newsletter form, during checkout etc.);
Whether they have withdrawn consent or not
Maintaining valid records, while mandatory, can be a technical challenge. Our Consent Solution simplifies this process, making it easy for you to view, manage and export your recorded consents. you can read more about it here.
Single Opt-In vs. Double Opt-In
While ‘single opt-in’ only requires that users submit their information in order to be added to your list, ‘double opt-in’ requires that users first validate their email address before being added to your mailing list. The validation is carried out when users click on a specific link contained in a “confirmation” message sent to their email address.
With this method, you can ensure the email address receiving your communication actually belongs to the person giving the consent and hereby further ensure that you avoid high unsubscribe rates, retain the integrity of your list and the reputation of your address. This method of registration is considered best practice in many countries, especially Germany and in the EU in general.
In several cases, German courts have decided that a single opt-in process is not sufficient proof of prior consent. An example of this would be the OLG Celle, judgment of 15.05.2014:
In principle, the sender of (e-mail) advertising must state that there is a consent to this and this in particular comes from the addressee… The sender of advertising e-mails can comply with this requirement by the so-called “double-opt-in procedure”… in a reasonable manner for each individual e-mail address.
Legal obligations related to Newsletter content
Depending on where your customers live, specific laws relating to spam may apply. In the US, the FTC’s CAN-SPAM Act sets rules for sending commercial messages, including email.
The major requirements of the CAN-SPAM Act are as follows:
Use truthful header information. Your name, email address and routing information (including domain) must be accurate and correctly identify the sender of the message.
Use non-misleading subject lines. Subject lines must give an accurate depiction of message content.
Identify the message as an ad. A specific method of doing this is not specified, however, the disclosure must be “clear and conspicuous.”
Tell recipients where you’re located. You must include your valid physical postal address.
Monitor what others are doing on your behalf. Even if you’ve out-sourced your email marketing to another company, the law may hold both you and the other company responsible.
Inform users of and provide a visible unsubscribe option. The “unsubscribe” option must be easily seen and must include a clear explanation of how the user can opt-out of receiving future emails from you. The notice must be easy for an average user to recognize, read, and understand. A practical way to implement this would be to simply include an “unsubscribe” link together with a statement informing the user of the option.
For example, your statement could be something like: “You are receiving this business communication from [Business Name] as you have expressed your interest in our products and services]. If you no longer wish to receive these communications, you can unsubscribe by clicking here”.
Under CAN-SPAM, the ability to unsubscribe should be free and should not be behind a login process. This means that users must be able to unsubscribe without paying a fee and without needing to log into their account to do so. The FTC states:
You can’t charge a fee, require the recipient to give you any personally identifying information beyond an e-mail address, or make the recipient take any step other than sending a reply e-mail or visiting a single page on an Internet website as a condition for honoring an opt-out request.
The unsubscribe link must be valid for at least 30 days after you’ve sent the email;
You must honor unsubscribe requests within 10 days
Some types of email are exempt from most of the CAN-SPAM Act’s requirements and are only subject to the requirement of truthful routing information.
These exemptions include emails in which the primary purpose is:
Transactional: These are emails relating to already-agreed-upon transactions, or emails that deliver goods or services as a part of a transaction that the user already agreed to (e.g. License key or E-book delivery).
Relationship: These are emails that update users (that already have a relationship with your service) about changes in product / service terms, features or account information; this also includes warranty, recall, safety, or security information about a product or service.
Other (Non-commercial) emails.
In the EU, the ePrivacy directive sets overall guidelines that are individually implemented by member states, however, some elements (such as the ability to withdraw consent) fall within the scope of the GDPR.
In general, EU anti-spam rules usually require that you:
Provide an unsubscribe link in the email. The withdrawal option must be clear, visible and easily accessible. This element falls under the scope of the GDPR and specifically under the right to erasure; as such, you will have a maximum of 30 days to honor user withdrawal requests. It’s worth saying though that while the law may give you up to 30 days to honor these requests, most subscribers won’t. It is therefore prudent to honor opt-out requests promptly or risk being marked as spam and compromising the total legitimacy of your associated address.
Clearly indicate the identity of the sender. Disguised sender identities are prohibited; the information must be clear and straight-forward.
Include a physical company address. A valid return address must be provided.
Clearly identify and specify the nature of the message. You should indicate, in an unambiguous way, the type of message being sent (e.g. promotional or not).
Avoid the use of false or deceptive expressions in your text. Advertising in any form (including commercial messages) must not be done in a way that would make it likely to deceive the persons to whom it reaches.
Some legislations (e.g. Germany and Australia) may further require that you include information on how to contact the sender. It’s always best practice to either simply follow the most robust legislations or to check the local anti-spam requirements specific to where your recipients are based.
Included below is an example of a commercial communication that contains all the basic elements. In the example, elements such as the name and address are included at the top of the email, however, the placement is entirely up to you provided that the information is visible and easily found.
John’s Store Ltd [address] [City] [State] [ZIP] [Country] [Return email address (eg. email@example.com) ] [Subject: New arrivals for spring! [Your Website Name] [Type of email (eg.Promotional)]
“Dear Customer, we are delighted to offer you our latest arrivals for Spring. See something you like? You can purchase any one of these items by clicking directly on the products in this email and you’ll be taken to our website where you can pay securely.“
[Opt-out] If you no longer wish to receive communications from us, click here to unsubscribe.
The conditions outlined here also apply to other marketing methods that use electronic messages including Direct Email Marketing messages and Viral marketing communications (e.g. asking users to forward a marketing message to their friends).
Consequences of non-compliance
The legal ramifications of non-compliance include hefty fines in both the EU and the US, with fines ranging from the tens of thousands to millions. But perhaps equally as concerning are the other potential sanctions that may be implemented against organizations found to be in violation. These sanctions include official reprimands (for first-time violations), periodic data protection audits and liability damages.
The GDPR, in particular, gives users the explicit right to file a complaint with a supervisory authority if they feel that any processing of their personal data was done in violation of regulations. So for example, if a report is made to the authority about an instance of regulatory violation, the authority may choose to perform an audit of your data processing operations. If it’s found that some processing activity was done unlawfully, not only is a fine imposed, but you may be forbidden from making further use of both the data of the inquiry and data acquired using similar mechanisms. This means that if the violation use was in regards to email address collection, you risk being barred from using the entire associated email list.
In regards to liability damages, both the EU and US laws give individual users the right to compensation for any damages resulting from an organization’s non-compliance with regulations. This means that violating regulations can leave you open to potential litigation.
Loss of Services
Failure to comply with your legal obligations may lead to users negatively perceiving your business as either incompetent or malicious. This can lead to significant and lasting damage to public trust and the reputation of your organization.
Steps for making your newsletter process compliant with the law
What you need to do
In regards to compliance, it is always advisable that you approach your data processing activities with the strictest applicable regulations in mind. In regards to the newsletter process, compliance at the very least requires that you put the following into practice:
the data you collect;
the purposes for collection;
the specific types of communications you may send;
your method of delivery.
Inform users of:
any third-party providers involved in your newsletter management process and include links to their privacy documents;
their rights in regards to their data (including the right to withdraw consent).
Obtain prior consent (depending on the regional law) that is:
based on a clear affirmative action;
Provide a means of withdrawing consent that is:
available in the newsletter itself;
easy to see and understand;
Keep valid records of the consent collected:
If you fall within the scope of the GDPR (you probably do), you’ll need to collect and maintain valid records of your consents. Without these records, the consent you collect is considered invalid. Your records of consent should include when and how consent was acquired from the individual user; exactly what the user was told at the time; and which conditions/legal documents were applicable at the time at which the consent was acquired.
Sending GDPR consent emails: necessary or bad idea?
With the enforcement of the GDPR, many companies filled user inboxes with requests to renew their consent for marketing communications and data processing. Here’s why sending GDPR consent emails is tricky and should be handled very carefully.
Generally speaking, consent is one of the six legal bases for processing user data. The others are: legal obligation, contractual requirements, vital interests, public interest and legitimate interests.
If this information was not available to users at the time, but one of these legal bases can currently legitimately apply to your situation, then your best bet would be to ensure that your current privacy notice meets requirements, so that you can continue to process your user data in a legally compliant way.
Can the consent carry over?
Whether or not the consent can “carry-over” – therefore removing the need to ask for new consent or to rely on another legal basis – depends on whether or not the consent was collected in a GDPR-compliant way and if you can prove this.
Here are some questions you can ask yourself:
Was the consent given via a verifiable affirmative action? (was it given via an unambiguous opt-in mechanism such as clicking in a checkbox? Quick note: If your sign-up process included pre-checked boxes or any mechanism that required the user to “opt-out” rather than “opt-in”, then your method was not compliant and you’re required to either rely on another legal basis — if applicable — or collect new valid consent).
Was the consent freely given? (was it clear that signing up was optional and not mandatory?)
Was the consent specific? (did you clearly state what users would be consenting to in a granular way and was the consent collected specific to each individual purpose? See example here)
Did you provide users with a way to withdraw consent?
Do you have appropriate records of these consents? (were the consents and privacy notice available to users at the time of collection documented; can you prove that the consent was collected in a compliant way if required?)
If the consent I obtained in the past was not done in a GDPR compliant way, what are my options?
Using consent as your legal basis in the past does not mean that you still have to do so now. It might even be ill-advised to do so especially if you’re not completely sure how you collected the contact info/data in the first place (e.g.illegitimately acquired email lists) or if you can’t prove that you collected it in a legally compliant way.
To be clear, if you contact users to ask for consent while currently having no legitimately legal basis for having their data/contact info in the first place, you’ll not only be in violation under the GDPR but also under the existing Data Protection Directive.
Another reason to evaluate whether or not another legal basis can apply as your reason for processing in these cases is that strictly speaking, if you lack the consent necessary to contact users, then you likely lack the consent needed to even email them to ask for consent.
If no other legal basis can legitimately apply to your case, then you may need to collect consent again. A notice on your website or social media posts are some of the legitimate ways in which you can let users know that they’ll need to opt-in if they’d like to keep in touch.
Legal bases can’t be “picked” as such as they need to legitimately apply to your situation. When evaluating whether or not a legal basis can apply, please be sure to go through them with your lawyer as determining the correct legal basis is very important and can be difficult.
How iubenda can help
The process is straightforward and intuitive, simply click to add your services, fill out your web/app owner and contact details, embed.
1. Add your services
Click Add a service and start typing the name of the service you’d like to add. In this case, it will be Newsletter;
Select the Mailing list or Newsletter clause and customize by simply adding the specific types of personal data you collect (our lawyer-crafted, pre-created clauses automatically include the relevant user-rights disclosures and service definitions based on your input here);
If you use a third party service as part of your newsletter management process e.g. Mailchimp, Constant Contact etc., you should add these third-party services as well (you can also include “email sign-up form” or any other collection forms where applicable);
If you promote third party services/products via your email newsletter in any way, you should take a look at the Direct Email Marketing clause and add it if it applies;
If you’d like to add a custom clause, simply click the Create custom service button and fill out the built-in form.
2. Fill out your web/app owner and contact details
Enter name and full address;
Enter email address.
Congratulations! Your policy has been created. Simply check that all the details are correct, then:
Customize the look of your button or simply choose a text link;
Choose the embedding method between footer widget, direct link and text in the body;
Easily embed wherever you’d like! As mentioned above, you’re required to choose a location that is easily accessible and visible to users. In the spirit of transparency, you may also want to consider embedding the policy in your newsletter as well.
For more information on privacy policies click here.
Records of the consent you collect
Our Consent Solution simplifies the process of collecting and maintaining compliant records of consent. It allows you to track every aspect of consent (including the legal or privacy notice and the consent form that the user was presented with at the time of consent collection) and the related preferences expressed by the user.
To use, simply activate the Consent Solution and get the API key, then install via HTTP API or JS widget and you’re done; you’ll be able to retrieve consents at any time and keep them updated.