In Short:
- Email and Newsletter Legal Requirements in General
- Legal obligations when adding users to your mailing list
- Legal obligations related to Newsletter content
- Consequences of non-compliance
- Steps for making your newsletter process compliant with the law
A newsletter is an incredibly powerful marketing tool, but is your newsletter legal?
It's a cost-effective way to build and maintain a relationship with your customers, but it can also end up costing you if you're not meeting your legal obligations.
If you plan to run, or are currently maintaining, an email newsletter, you're legally required to have a comprehensive privacy policy in place, because you are collecting personal data.
Email and Newsletter Legal Requirements in General
Most laws require that you inform users about your data processing activities (typically done via a privacy notice) and โ depending on the region โ that you obtain user consent and/or provide an easy way for them to withdraw consent.
Generally, these laws apply to any service targeting residents of the region, which effectively means that they may apply to your business whether it’s located in the region or not. This is even more relevant if you’re using a bought email list as in such a case, you may not know the recipient’s country of residence. For this reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind.
You can read more about which laws apply to you here or read our General legal overview here.
Informing users about your data collection activities
The vast majority of legislations require that your privacy policy informs your users about your data collection activities in an easy-to-understand, unambiguous and easily accessible way.
It will need to include details on:
- What data you process;
- How you process it;
- The purpose of the processing (e.g. for sending a newsletter or market analysis);
- All third-party involvement;
- The user's rights in regards to their data;
- How you handle requests related to their rights;
- The actual mechanisms of communication used (e.g. email, paper mail);
- How you protect their data.
Third-party Requirements
Third-party apps and services also need to follow the law. For this reason, it’s often mandatory that all partners and customers that use their services meet regulatory standards. The vast majority of reputable newsletter management platforms have made it mandatory for users of their services to have a comprehensive privacy policy in place that clearly discloses their involvement and that meets regulations.
Here’s an excerpt from the Mailchimp Terms of Service:
Will clearly describe in writing how you plan to use any data collected, including for your use of Mailchimp. You’ll get express consent to transfer data to Mailchimp as part of this process, and you’ll otherwise comply with whatever privacy policy you have posted.
And another from Campaign Monitor’s Terms of Service:
You will adopt and maintain a policy that complies with all applicable privacy laws and which is at least as stringent as our Privacy Policy (as modified by Campaign Monitor from time to time). You acknowledge that all personal information that you provide to us has been collected with the relevant individual's consent, and that you have informed the individual of the purpose for which that information was collected, and that you may provide this information to us for the purposes of use in relation to the Services. You acknowledge that we may store the personal information that you provide to us on servers located in the United States of America, and you warrant that you have obtained the consent of the relevant individuals to the storage and transmission of their personal information in this manner.
Where should you place your privacy policy
Generally, regulations require that your privacy policy be clearly visible and easily accessible throughout your website or app site, so simply having it in your footer may suffice. However, within the context of transparency (which itself is usually one of the key purposes of data laws), it’s advisable that you also make your privacy policy situationally available; for example, linking to it in both your sign-up form and email newsletter.
Legal obligations when adding users to your mailing list
Is it illegal to add someone to a mailing list?
No, it’s not illegal to add someone to a mailing list; nevertheless, there are legal obligations you need to abide by when adding users to your mailing list. This depends on where your users are based. Below we cover US and EU law:
US law
Under the CAN-SPAM Act (enforced by the FTC), you do not need consent before adding users located in the US to your mailing list or sending them commercial messages; however, you must provide users with a clear means of opting out of further contact.
EU law
As newsletter sign-up forms are data collection tools, under EU law (namely the GDPR) it is mandatory that you obtain the informed consent of the user before subscribing them to the service. Under EU regulations, acquiring consent can be considered a two-part process that includes informing the user and obtaining verifiable consent via an affirmative action.
When informing the user you must:
- Be specific.
You must clearly state the type of email that the user will be consenting to;
- Be clear and unambiguous.
The average user should be easily able to understand what they’re consenting to;
- Make it clear that signing up is optional.
Consent must be "freely given"; you may not coerce users into joining your mailing list or make it appear as if joining the list is mandatory. For this reason, you must make it clear that signing up is optional. This is especially relevant where you offer free white papers (or e-books) for download. While the user's email address is required to deliver the download, signing up for your newsletter is not. In such a case you must not make it appear as if signing up to the newsletter list is mandatory, and you must make it clear that it is optional.
So in practice, if, for example, you also wanted to add people that download your e-book to your newsletter list, you should include something similar to the following, under the e-book download form:

As can be seen in the example, users must be made aware that the consent is in fact optional and not mandatory.
Acquiring consent
The consenting action must be explicit and verifiable.
The process for getting user consent must be straightforward and involve a clear "opt-in" action. This means that mechanisms such as pre-ticked newsletter sign-up checkboxes at checkout are not allowed, as EU regulation specifically forbids pre-ticked boxes and similar "opt-out" mechanisms.

You may, however, use any method that requires the user to take a direct affirmative action (this can be any verifiable consenting action, such as sending an email or ticking a checkbox).
You must give users the ability to withdraw consent.
Under the GDPR, users have the specific right to withdraw consent. This means that you’re required to make it as easy to withdraw consent as it is to give it. This can be easily achieved by including a visible and valid unsubscribe link in your newsletter. Users should also have the ability to manage their mail preferences from within their account.

The consent acquired must be specific to the type of content being sent.
This means that the newsletter should only contain information that the user consented to receive. So for example, if the user only consented to receive emails about your new products, you should not send them promotional emails related to partner/ third-party offers.
In cases where you want to send more than one type of email to your users, you’re required to get additional consent specific to those uses as you must have multiple consents for multiple purposes.

This does not have to be an additional form. In practice, you can simply add several GDPR checkboxes informing the user of each additional purpose and allowing them to give consent specific to those cases.
This is especially applicable to Direct Email Marketing communications (emails where the singular purpose is to directly advertise products or services). In the case of DEM communications, you must obtain additional consent if also sending emails about third-party products/services in addition to your own.

There are some exceptions to the requirement for the type of active consent mentioned above. Let’s have a look at soft opt-in and explicit form.
Soft opt-in may allow you to bypass the need for prior consent. Soft opt-in can occur when a user has provided their email address while purchasing a product or service from you. In particular, soft opt-in may apply where the following conditions are met:
- the email address was collected as part of a previous sales process on your site;
- the customer is adequately informed (e.g. via a notice on the sales page or in your privacy policy) that you use emails collected during the sales process in this way;
- the user has not opted-out of being contacted (e.g. by unsubscribing from your newsletter);
- your future promotional emails are related to your products and services that are similar to the ones initially purchased; and
- the products/ services you intend to promote are your own (not third-party).
๐ก Learn more about where soft opt-in applies by checking our global email marketing cheatsheet.
An explicit form is where the purpose of the sign-up mechanism is unequivocal. So for example, in a scenario where your site has a pop-up window that invites users to sign up to your newsletter using a clear phrase such as: “Subscribe to our newsletter for access to discount vouchers and product updates!“, the affirmative action that the user performs by typing in their email address would be considered valid consent.

Because consent under the GDPR is such an important issue, it’s vital that you keep clear records related to the consent attained. Records of consent should at least contain the following information:
- The Identity of the user giving consent;
- When they consented;
- What disclosures were made (what they were told) at the time they consented;
- Methods used for obtaining consent (e.g., newsletter form, during checkout etc.);
- Whether they have withdrawn consent or not
Maintaining valid records, while mandatory, can be a technical challenge. Our Consent Database simplifies this process, making it easy for you to view, manage and export your recorded consents. You can read more about it here.
While ‘single opt-in’ only requires that users submit their information in order to be added to your list, ‘double opt-in’ requires that users first validate their email address before being added to your mailing list. The validation is carried out when users click on a specific link contained in a “confirmation” message sent to their email address.
With this method you can ensure that the email address receiving your communication actually belongs to the person giving the consent, and thereby also avoid high unsubscribe rates, retain the integrity of your list and protect the reputation of your sending address. This method of registration is considered best practice in many countries, especially Germany and the EU in general.
In several cases, German courts have decided that a single opt-in process is not sufficient proof of prior consent. An example of this would be the OLG Celle, judgment of 15.05.2014:
In principle, the sender of (e-mail) advertising must state that there is a consent to this and this in particular comes from the addressee… The sender of advertising e-mails can comply with this requirement by the so-called “double-opt-in procedure”… in a reasonable manner for each individual e-mail address.
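Double opt-in and the record-keeping described above are mechanical enough to show in code. The following is an added example written for this page; it is not iubenda's Consent Database and not code from the original article. It is a minimal in-memory consent store in which the form submission only issues an HMAC-signed, expiring confirmation link; the consent record (identity, timestamp, hash of the disclosure shown, method, purposes, withdrawal) is created only when that link is clicked; and the unsubscribe link is a one-click signed token that needs no login and stays valid for 30 days, matching the CAN-SPAM rule quoted later on this page. The class and function names, the 48-hour confirmation window and the sample addresses are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional

CONFIRM_TTL = 48 * 3600            # assumption: confirmation links stop working after 48 hours
UNSUBSCRIBE_TTL = 30 * 24 * 3600   # CAN-SPAM: the opt-out link must keep working for at least 30 days


@dataclass
class ConsentRecord:
    """The fields a record of consent must at least contain."""
    email: str                  # identity of the user giving consent
    consented_at: float         # when they consented: the confirmation click, not the form submit
    disclosure_sha256: str      # hash of the exact notice/form text they were shown at the time
    method: str                 # how consent was obtained
    purposes: List[str]         # each purpose they ticked; sending anything else needs new consent
    withdrawn_at: Optional[float] = None


def _sign(key: bytes, body: str) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def make_token(key: bytes, action: str, email: str, ttl: int, now: float) -> str:
    """Tamper-evident, expiring token for a link that works without any login."""
    payload = {"a": action, "e": email, "x": int(now + ttl), "n": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode().rstrip("=")
    return f"{body}.{_sign(key, body)}"


def verify_token(key: bytes, token: str, expected_action: str, now: float) -> Optional[str]:
    """Return the address bound to the token, or None if it is forged, expired or for another action."""
    try:
        body, sig = token.rsplit(".", 1)
        if not hmac.compare_digest(sig, _sign(key, body)):   # constant-time comparison
            return None
        payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if payload["a"] != expected_action or payload["x"] < now:
            return None
        return payload["e"]
    except (ValueError, KeyError, TypeError):
        return None


class NewsletterConsent:
    """In-memory stand-in for a consent database; replace the dicts with real storage."""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key or secrets.token_bytes(32)   # keep this in a secrets store, not in code
        self.pending: Dict[str, dict] = {}
        self.records: Dict[str, ConsentRecord] = {}

    def start_signup(self, email: str, disclosure_text: str, purposes: List[str],
                     method: str = "newsletter form (double opt-in)", now: Optional[float] = None) -> str:
        """Form submitted: nothing counts as consent yet; only a confirmation link goes out."""
        now = time.time() if now is None else now
        self.pending[email] = {
            "disclosure_sha256": hashlib.sha256(disclosure_text.encode()).hexdigest(),
            "method": method,
            "purposes": list(purposes),
        }
        return make_token(self.key, "confirm", email, CONFIRM_TTL, now)

    def confirm(self, token: str, now: Optional[float] = None) -> bool:
        """Link clicked: the address is verified, so the consent record is created now."""
        now = time.time() if now is None else now
        email = verify_token(self.key, token, "confirm", now)
        if email is None or email not in self.pending:
            return False
        info = self.pending.pop(email)              # single use: a second click is rejected
        self.records[email] = ConsentRecord(email=email, consented_at=now, **info)
        return True

    def unsubscribe_token(self, email: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        return make_token(self.key, "unsubscribe", email, UNSUBSCRIBE_TTL, now)

    def withdraw(self, token: str, now: Optional[float] = None) -> bool:
        """One click, no login, no fee: withdrawing must be as easy as consenting."""
        now = time.time() if now is None else now
        email = verify_token(self.key, token, "unsubscribe", now)
        record = self.records.get(email) if email else None
        if record is None:
            return False
        if record.withdrawn_at is None:
            record.withdrawn_at = now
        return True

    def may_send(self, email: str, purpose: str) -> bool:
        """Gate every send on a live consent that covers this specific purpose."""
        record = self.records.get(email)
        return record is not None and record.withdrawn_at is None and purpose in record.purposes

    def export(self) -> List[dict]:
        return [asdict(r) for r in self.records.values()]
```

The disclosure hash is what lets you later prove what the user was told; keep the disclosure text itself alongside it. Gating every send on may_send() with the specific purpose turns the "consent must be specific" rule into something the code enforces rather than something the marketing team has to remember.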
Legal obligations related to Newsletter content
US Law
Depending on where your customers live, specific laws relating to spam may apply. In the US, the CAN-SPAM Act, enforced by the FTC, sets rules for sending commercial messages, including email.
The major requirements of the CAN-SPAM Act are as follows:
Use truthful header information.
Your name, email address and routing information (including domain) must be accurate and correctly identify the sender of the message.
Use non-misleading subject lines.
Subject lines must give an accurate depiction of the message content.
Identify the message as an ad.
No specific method is prescribed, but the disclosure must be "clear and conspicuous."
Tell recipients where you're located.
You must include your valid physical postal address.
Monitor what others are doing on your behalf.
Even if you've outsourced your email marketing to another company, the law may hold both you and the other company responsible.
Inform users of and provide a visible unsubscribe option.
The "unsubscribe" option must be easily seen and must include a clear explanation of how the user can opt out of receiving future emails from you. The notice must be easy for an average user to recognize, read and understand. A practical way to implement this is to include an "unsubscribe" link together with a statement informing the user of the option. For example, your statement could be something like: "You are receiving this business communication from [Business Name] as you have expressed your interest in our products and services. If you no longer wish to receive these communications, you can unsubscribe by clicking here".
Under CAN-SPAM, the ability to unsubscribe should be free and should not be behind a login process. This means that users must be able to unsubscribe without paying a fee and without needing to log into their account to do so. The FTC states:
You can’t charge a fee, require the recipient to give you any personally identifying information beyond an e-mail address, or make the recipient take any step other than sending a reply e-mail or visiting a single page on an Internet website as a condition for honoring an opt-out request.
Unsubscribe requests
- The unsubscribe link must be valid for at least 30 days after you’ve sent the email;
- You must honor unsubscribe requests within 10 business days.
Exemptions
Some types of email are exempt from most of the CAN-SPAM Act’s requirements and are only subject to the requirement of truthful routing information.
These exemptions include emails in which the primary purpose is:
Transactional: These are emails relating to already-agreed-upon transactions, or emails that deliver goods or services as a part of a transaction that the user already agreed to (e.g. License key or E-book delivery).
Relationship: These are emails that update users (that already have a relationship with your service) about changes in product / service terms, features or account information; this also includes warranty, recall, safety, or security information about a product or service.
Other (Non-commercial) emails.
EU law
In the EU, the ePrivacy directive sets overall guidelines that are individually implemented by member states, however, some elements (such as the ability to withdraw consent) fall within the scope of the GDPR.
In general, EU anti-spam rules usually require that you:
Provide an unsubscribe link in the email.
The withdrawal option must be clear, visible and easily accessible. Under the GDPR (Article 7(3)) withdrawing consent must be as easy as giving it, and once consent is withdrawn the marketing emails must stop; where the withdrawal arrives as a formal data subject request (for example a request for erasure), Article 12(3) gives you at most one month to respond. In practice subscribers won't wait that long: honor opt-out requests promptly or risk being marked as spam and damaging the reputation of your sending address.
Clearly indicate the identity of the sender.
Disguised sender identities are prohibited; the information must be clear and straightforward.
Include a physical company address.
A valid return address must be provided.
Clearly identify and specify the nature of the message.
You should indicate, in an unambiguous way, the type of message being sent (e.g. promotional or not).
Avoid the use of false or deceptive expressions in your text.
Advertising in any form (including commercial messages) must not be done in a way that is likely to deceive the persons it reaches.
Some legislations (e.g. Germany and Australia) may further require that you include information on how to contact the sender. It’s always best practice to either simply follow the most robust legislations or to check the local anti-spam requirements specific to where your recipients are based.
Included below is an example of a commercial communication that contains all the basic elements. In the example, elements such as the name and address are included at the top of the email; however, the placement is entirely up to you, provided that the information is visible and easily found.
[Sender] John's Store Ltd, [address], [City], [State], [ZIP], [Country]
[Return email address (e.g. info@johnsstoreltd.com)]
[Subject] New arrivals for spring! [Your Website Name]
[Type of email (e.g. Promotional)]
"Dear Customer, we are delighted to offer you our latest arrivals for Spring. See something you like? You can purchase any one of these items by clicking directly on the products in this email and you'll be taken to our website where you can pay securely."
[Opt-out] If you no longer wish to receive communications from us, click here to unsubscribe.
The conditions outlined here also apply to other marketing methods that use electronic messages including Direct Email Marketing messages and Viral marketing communications (e.g. asking users to forward a marketing message to their friends).
Consequences of non-compliance
Legal consequences
The legal ramifications of non-compliance include hefty fines in both the EU and the US, with fines ranging from the tens of thousands to millions. But perhaps equally as concerning are the other potential sanctions that may be implemented against organizations found to be in violation. These sanctions include official reprimands (for first-time violations), periodic data protection audits and liability damages.
The GDPR, in particular, gives users the explicit right to file a complaint with a supervisory authority if they feel that any processing of their personal data was done in violation of regulations. So for example, if a report is made to the authority about an instance of regulatory violation, the authority may choose to perform an audit of your data processing operations. If it’s found that some processing activity was done unlawfully, not only is a fine imposed, but you may be forbidden from making further use of both the data of the inquiry and data acquired using similar mechanisms. This means that if the violation use was in regards to email address collection, you risk being barred from using the entire associated email list.
In regards to liability damages, both EU and US law give individual users the right to compensation for damages resulting from an organization's non-compliance with regulations. This means that violating regulations can leave you open to potential litigation.
Other consequences
Loss of Services
Some third-party services make compliance with legal regulations a part of their terms of use. In such cases, a violation of legal requirements is also a violation of their terms; such violations may lead to service termination or, potentially, permanent bans.
Reputational damage
Failure to comply with your legal obligations may lead to users negatively perceiving your business as either incompetent or malicious. This can lead to significant and lasting damage to public trust and the reputation of your organization.
Steps for making your newsletter process compliant with the law
What you need to do
In regards to compliance, it is always a good idea that you approach your data processing activities with the strictest applicable regulations in mind. In regards to the newsletter process, compliance, at the very least, requires that you put the following into practice:
Step 1: Inform your users of the data you collect, why, and the method of delivery (if you're using direct email marketing, make sure to include this in your privacy policy).
Step 2: Inform your users of all third-party providers involved in your newsletter management process, including links to their privacy documents, and of their rights in regard to their data (including the right to withdraw consent).
Step 3: Keep valid records of the consent collected. Without these records you cannot demonstrate that consent was given, which the GDPR (Article 7(1)) requires you to be able to do.
See our step-by-step breakdown for how to achieve this!
How do I keep valid Records of consent?
Our Consent Database simplifies the process of collecting and maintaining compliant records of consent. It allows you to track every aspect of consent (including the legal or privacy notice and the consent form that the user was presented with at the time of consent collection) and the related preferences expressed by the user.
To use it, simply activate the Consent Database and get the API key, then install via the HTTP API or JS widget, and you're done; you'll be able to retrieve consents at any time and keep them updated.
For a list of the full features of the Consent Database click here, read the overview guide here, or for a practical tutorial using a common scenario, read our guide on How to use the Consent Database with Contact Form 7.
Keep reading for direct email marketing and more.
Using Direct email marketing?
If using Direct Email Marketing (DEM) for the German market, you must add a statement to your privacy policy that specifies the companies and type of goods and services that will be promoted through the newsletter.
Obtain prior consent (depending on the regional law) that is:
- based on a clear affirmative action;
- informed;
- specific.
Sending GDPR consent emails: necessary or bad idea?
With the enforcement of the GDPR, many companies filled user inboxes with requests to renew their consent for marketing communications and data processing. Here’s why sending GDPR consent emails is tricky and should be handled very carefully.
Generally speaking, consent is one of the six legal bases for processing user data. The others are: legal obligation, contractual requirements, vital interests, public interest and legitimate interests.
If you're already legitimately processing (meaning collecting, accessing, storing or otherwise interacting with) personal data based on any one of these other legal bases, then there's no need to send consent request emails, provided that this basis of processing was stated in your privacy policy and that users had easy access to the notice before you processed their data.
If this information was not available to users at the time, but one of these legal bases can currently legitimately apply to your situation, then your best bet would be to ensure that your current privacy notice meets requirements, so that you can continue to process your user data in a legally compliant way.
Can the consent carry over?
Whether or not the consent can “carry-over” – therefore removing the need to ask for new consent or to rely on another legal basis – depends on whether or not the consent was collected in a GDPR-compliant way and if you can prove this.
Here are some questions you can ask yourself:
- Was the user properly informed at the time? (was there an easily accessible privacy policy that contained all the relevant info including the purpose for processing, the method of processing, all third-parties that might be involved, and users’ rights in regards to their data?)
- Was the consent given via a verifiable affirmative action? (was it given via an unambiguous opt-in mechanism such as ticking a checkbox? Quick note: if your sign-up process included pre-checked boxes or any mechanism that required the user to "opt out" rather than "opt in", then your method was not compliant and you're required to either rely on another legal basis, if applicable, or collect new valid consent).
- Was the consent freely given? (was it clear that signing up was optional and not mandatory?)
- Was the consent specific? (did you clearly state what users would be consenting to in a granular way and was the consent collected specific to each individual purpose? See example here)
- Did you provide users with a way to withdraw consent?
- Do you have appropriate records of these consents? (were the consents and privacy notice available to users at the time of collection documented; can you prove that the consent was collected in a compliant way if required?)
If the consent I obtained in the past was not done in a GDPR compliant way, what are my options?
Using consent as your legal basis in the past does not mean that you still have to do so now. It might even be ill-advised to do so especially if you’re not completely sure how you collected the contact info/data in the first place (e.g.illegitimately acquired email lists) or if you can’t prove that you collected it in a legally compliant way.
To be clear, if you contact users to ask for consent while having no legitimate legal basis for holding their data/contact info in the first place, you are in violation of the GDPR, just as you would have been under the Data Protection Directive that preceded it.
Another reason to evaluate whether or not another legal basis can apply as your reason for processing in these cases is that strictly speaking, if you lack the consent necessary to contact users, then you likely lack the consent needed to even email them to ask for consent.
If no other legal basis can legitimately apply to your case, then you may need to collect consent again. A notice on your website or social media posts are legitimate ways to let users know that they'll need to opt in if they'd like to keep in touch.
Note
Legal bases can’t be “picked” as such as they need to legitimately apply to your situation. When evaluating whether or not a legal basis can apply, please be sure to go through them with your lawyer as determining the correct legal basis is very important and can be difficult.
Step-by-step breakdown
1. Add your services
- Click Add a service and start typing the name of the service you'd like to add. In this case, it will be Newsletter. Select the Mailing list or Newsletter clause.
- If you use a third-party service for newsletter management, e.g. Mailchimp, Constant Contact etc., you should add the third-party service as well. You can also add "email sign-up form" (or any other collection forms you use) to your policy.
- If you promote third-party services/products via your email newsletter in any way, you may need to add the Direct Email Marketing clause to your policy.
2. Fill out your web/app owner and contact details
- Add name, address, and email.
Congratulations! Your policy has been created. Simply check that all the details are correct, then:
3. Embed
- Embed it wherever you'd like. As mentioned above, you're required to choose a location that is easily accessible and visible to users. In the spirit of transparency, consider embedding the policy in your newsletter as well.
- Customize the look of your button or simply choose a text link;
- Copy the embed code with one click and paste it into your site.
Remember that these compliance steps relate specifically to requirements for emails and newsletters. If you'd like more information on overall website requirements, see our Getting Started guide here.
See also
- Using third-party newsletter management services? Check out our guides for Mailchimp, Campaign Monitor, Mad Mimi and VerticalResponse
- Have a specific scenario in mind? Check out ePrivacy and Direct Email Marketing (DEM) or our guide on legal requirements for websites and apps used by children
- Read more about global legislation with our GDPR Guide, our ePrivacy (Cookie Law) Guide or our Guide to US law
- Using Google services? Read our guides on Google Analytics, Adsense and Ads
- Read our service-specific guides for App creators, E-commerce websites