Legal requirements in general
Most laws require that you inform users about your data processing activities (typically done via a privacy notice) and – depending on the region – that you obtain user consent and/or provide an easy way for them to withdraw consent.
Generally, these laws apply to any service targeting residents of the region, which effectively means that they may apply to your business whether it’s located in the region or not. This is even more relevant if you’re using a bought email list as in such a case, you may not know the recipient’s country of residence. For this reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind. You can read more about which laws apply to you here or read our General legal overview here.
Informing users about your data collection activities
It will need to include details on:
What data you process;
How you process it;
The purpose of the processing (e.g, for sending a newsletter or market analysis);
All third-party involvement;
The user’s rights in regards to their data;
How you handle requests related to their rights;
The actual mechanisms of communication used (e.g email, paper mail);
How you protect their data
Ask our experts live
View live demos and have your questions answered in real time by attending one of our free English webinars. They are all practical and designed to really help you with understanding and achieving compliance for your websites or apps.
Legal obligations when adding users to your mailing list
Under the FTC’s CAN-SPAM Act, you do not need consent prior to adding users located in the US to your mailing list or sending them commercial messages, however, it is mandatory that you provide users with a clear means of opting out of further contact.
As newsletter sign-up forms are data collection tools, under EU law (namely the GDPR) it is mandatory that you obtain the informed consent of the user before subscribing them to the service. Under EU regulations, acquiring consent can be considered a two-part process that includes informing the user and obtaining verifiable consent via an affirmative action.
When informing the user you must:
Be specific. You must clearly state the type of email that the user will be consenting to;
Be clear and unambiguous. The average user should be easily able to understand what they’re consenting to;
Make it clear that signing up is optional. Consent must be “freely given”; you may not coerce users into joining your mailing list or make it appear as if joining the list is mandatory. For this reason, you must make it clear that signing up is optional. This is especially relevant in cases where you offer free white-papers (or e-books) for download. While the user’s email address is required for the delivery of the service, signing up for your newsletter is not. In such a case, you must not make it appear as if signing-up to the newsletter list mandatory and must make it clear that it is optional.
So in practice, if, for example, you also wanted to add people that download your e-book to your newsletter list, you should include something similar to the following, under the e-book download form:
As can be seen in the example, users must be made aware that the consent is in fact optional and not mandatory.
The consenting action must be explicit and verifiable. The process for getting user consent must be straightforward and involve a clear “opt-in” action. This means that mechanisms such as pre-ticked newsletter sign-up boxes at checkout are not allowed, as EU regulation specifically forbids pre-ticked boxes and similar “opt-out” mechanisms.
You may, however, use any method that would require the user to take a direct affirmative action (This can include any verifiable consenting action including sending an email or clicking a check-box).
You must give users the ability to withdraw consent. Under the GDPR, users have the specific right to withdraw consent. This means that you’re required to make it as easy to withdraw consent as it is to give it. This can be easily achieved by including a visible and valid unsubscribe link in your newsletter. Users should also have the ability to manage their mail preferences from within their account.
The consent acquired must be specific to the type of content being sent. This means that the newsletter should only contain information that the user consented to receive. So for example, if the user only consented to receive emails about your new products, you should not send them promotional emails related to partner/ third-party offers.
In cases where you want to send more than one type of email to your users, you’re required to get additional consent specific to those uses as you must have multiple consents for multiple purposes.
This does not have to be an additional form. In practice, you can simply add several checkboxes informing the user of each additional purpose and allowing them to give consent specific to those cases.
This is especially applicable to Direct Email Marketing communications (emails where the singular purpose is to directly advertise products or services). In the case of DEM communications, you must obtain additional consent if also sending emails about third-party products/services in addition to your own.
There are some exceptions to the requirement for the type of active consent mentioned above. The exceptions are as follows:
Soft opt-in (where the recipient provided their email address while purchasing a product or service). If the email address was collected as part of a previous sales process on your site, then you may use the details collected to send promotional emails related to similar products and services. This, however, only applies if the user was adequately informed of this occurrence (e.g. a notice on the sales page) and if they choose not refuse such use.
Explicit Form (where the purpose of the sign-up mechanism is unequivocal). So for example, in a scenario where your site has a pop-up window that invites users to sign up to your newsletter using a clear phrase such as: “Subscribe to our newsletter for access to discount vouchers and product updates!“, the affirmative action that the user performs by typing in their email address would be considered valid consent.
Records of Consent
Because consent under the GDPR is such an important issue, it’s vital that you keep clear records related to the consent attained. Records of consent should at least contain the following information:
The Identity of the user giving consent;
When they consented;
What disclosures were made (what they were told) at the time they consented;
Methods used for obtaining consent (e.g., newsletter form, during checkout etc.);
While ‘single opt-in’ only requires that users submit their information in order to be added to your list, ‘double opt-in’ requires that users first validate their email address before being added to your mailing list. The validation is carried out when users click on a specific link contained in a “confirmation” message sent to their email address.
With this method, you can ensure the email address receiving your communication actually belongs to the person giving the consent and hereby further ensure that you avoid high unsubscribe rates, retain the integrity of your list and the reputation of your address. This method of registration is considered best practice in many countries, especially Germany and in the EU in general.
In several cases, German courts have decided that a single opt-in process is not sufficient proof of prior consent. An example of this would be the OLG Celle, judgment of 15.05.2014:
In principle, the sender of (e-mail) advertising must state that there is a consent to this and this in particular comes from the addressee… The sender of advertising e-mails can comply with this requirement by the so-called “double-opt-in procedure”… in a reasonable manner for each individual e-mail address.
Legal obligations related to Newsletter content
Depending on where your customers live, specific laws relating to spam may apply. In the US, the FTC’s CAN-SPAM Act sets rules for sending commercial messages, including email.
The major requirements of the CAN-SPAM Act are as follows:
Use truthful header information. Your name, email address and routing information (including domain) must be accurate and correctly identify the sender of the message.
Use non-misleading subject lines. Subject lines must give an accurate depiction of message content.
Identify the message as an ad. A specific method of doing this is not specified, however, the disclosure must be “clear and conspicuous.”
Tell recipients where you’re located. You must include your valid physical postal address.
Monitor what others are doing on your behalf. Even if you’ve out-sourced your email marketing to another company, the law may hold both you and the other company responsible.
Inform users of and provide a visible unsubscribe option. The “unsubscribe” option must be easily seen and must include a clear explanation of how the user can opt-out of receiving future emails from you. The notice must be easy for an average user to recognize, read, and understand. A practical way to implement this would be to simply include an “unsubscribe” link together with a statement informing the user of the option.
For example, your statement could be something like: “You are receiving this business communication from [Business Name] as you have expressed your interest in our products and services]. If you no longer wish to receive these communications, you can unsubscribe by clicking here”.
Under CAN-SPAM, the ability to unsubscribe should be free and should not be behind a login process. This means that users must be able to unsubscribe without paying a fee and without needing to log into their account to do so. The FTC states:
You can’t charge a fee, require the recipient to give you any personally identifying information beyond an e-mail address, or make the recipient take any step other than sending a reply e-mail or visiting a single page on an Internet website as a condition for honoring an opt-out request.
The unsubscribe link must be valid for at least 30 days after you’ve sent the email;
You must honor unsubscribe requests within 10 days
Some types of email are exempt from most of the CAN-SPAM Act’s requirements and are only subject to the requirement of truthful routing information.
These exemptions include emails in which the primary purpose is:
Transactional: These are emails relating to already-agreed-upon transactions, or emails that deliver goods or services as a part of a transaction that the user already agreed to (e.g. License key or E-book delivery).
Relationship: These are emails that update users (that already have a relationship with your service) about changes in product / service terms, features or account information; this also includes warranty, recall, safety, or security information about a product or service.
Other (Non-commercial) emails.
In the EU, the ePrivacy directive sets overall guidelines that are individually implemented by member states, however, some elements (such as the ability to withdraw consent) fall within the scope of the GDPR.
In general, EU anti-spam rules usually require that you:
Provide an unsubscribe link in the email. The withdrawal option must be clear, visible and easily accessible. This element falls under the scope of the GDPR and specifically under the right to erasure; as such, you will have a maximum of 30 days to honor user withdrawal requests. It’s worth saying though that while the law may give you up to 30 days to honor these requests, most subscribers won’t. It is therefore prudent to honor opt-out requests promptly or risk being marked as spam and compromising the total legitimacy of your associated address.
Clearly indicate the identity of the sender. Disguised sender identities are prohibited; the information must be clear and straight-forward.
Include a physical company address. A valid return address must be provided.
Clearly identify and specify the nature of the message. You should indicate, in an unambiguous way, the type of message being sent (e.g. promotional or not).
Avoid the use of false or deceptive expressions in your text. Advertising in any form (including commercial messages) must not be done in a way that would make it likely to deceive the persons to whom it reaches.
Some legislations (e.g. Germany and Australia) may further require that you include information on how to contact the sender. It’s always best practice to either simply follow the most robust legislations or to check the local anti-spam requirements specific to where your recipients are based.
Included below is an example of a commercial communication that contains all the basic elements. In the example, elements such as the name and address are included at the top of the email, however, the placement is entirely up to you provided that the information is visible and easily found.
John’s Store Ltd [address] [City] [State] [ZIP] [Country] [Return email address (eg. email@example.com) ] [Subject: New arrivals for spring! [Your Website Name] [Type of email (eg.Promotional)]
“Dear Customer, we are delighted to offer you our latest arrivals for Spring. See something you like? You can purchase any one of these items by clicking directly on the products in this email and you’ll be taken to our website where you can pay securely.“
[Opt-out] If you no longer wish to receive communications from us, click here to unsubscribe.
The conditions outlined here also apply to other marketing methods that use electronic messages including Direct Email Marketing messages and Viral marketing communications (e.g. asking users to forward a marketing message to their friends).
Consequences of non-compliance
The legal ramifications of non-compliance include hefty fines in both the EU and the US, with fines ranging from the tens of thousands to millions. But perhaps equally as concerning are the other potential sanctions that may be implemented against organizations found to be in violation. These sanctions include official reprimands (for first-time violations), periodic data protection audits and liability damages.
The GDPR, in particular, gives users the explicit right to file a complaint with a supervisory authority if they feel that any processing of their personal data was done in violation of regulations. So for example, if a report is made to the authority about an instance of regulatory violation, the authority may choose to perform an audit of your data processing operations. If it’s found that some processing activity was done unlawfully, not only is a fine imposed, but you may be forbidden from making further use of both the data of the inquiry and data acquired using similar mechanisms. This means that if the violation use was in regards to email address collection, you risk being barred from using the entire associated email list.
In regards to liability damages, both the EU and US laws give individual users the right to compensation for any damages resulting from an organization’s non-compliance with regulations. This means that violating regulations can leave you open to potential litigation.
Loss of Services
Failure to comply with your legal obligations may lead to users negatively perceiving your business as either incompetent or malicious. This can lead to significant and lasting damage to public trust and the reputation of your organization.
Steps for making your newsletter process compliant with the law
What you need to do
In regards to compliance, it is always advisable that you approach your data processing activities with the strictest applicable regulations in mind. In regards to the newsletter process, compliance at the very least requires that you put the following into practice:
the data you collect;
the purposes for collection;
the specific types of communications you may send;
your method of delivery.
Inform users of:
any third-party providers involved in your newsletter management process and include links to their privacy documents;
their rights in regards to their data (including the right to withdraw consent).
Obtain prior consent (depending on the regional law) that is:
based on a clear affirmative action;
Provide a means of withdrawing consent that is:
available in the newsletter itself;
easy to see and understand;
How iubenda can help
The process is straightforward and intuitive, simply click to add your services, fill out your web/app owner and contact details, embed.
1. Add your services
Click “Add a service” and start typing the name of the service you’d like to add. In this case, it will be “Newsletter”;
Select the “Mailing list or Newsletter” clause and customize by simply adding the specific types of personal data you collect (our lawyer-crafted, pre-created clauses automatically include the relevant user-rights disclosures and service definitions based on your input here);
If you use a third party service as part of your newsletter management process e.g. MailChimp, Constant Contact etc., you should add these third-party services as well (you can also include “email sign-up form” or any other collection forms where applicable);
If you promote third party services/products via your email newsletter in any way, you should take a look at the “Direct Email Marketing” clause and add it if it applies;
If you’d like to add a custom clause, simply click the “create custom service” button and fill out the built-in form
2. Fill out your web/app owner and contact details
Enter name and full address;
Enter email address.
Congratulations! Your policy has been created. Simply check that all the details are correct, then:
Customize the look of your button or simply choose a text link;
Choose the embedding method between footer widget, direct link and text in the body;
Easily embed wherever you’d like! As mentioned above, you’re required to choose a location that is easily accessible and visible to users. In the spirit of transparency, you may also want to consider embedding the policy in your newsletter as well.
For more information on privacy policies click here.