Email Marketing Laws and Rules

Email marketing is an effective way to communicate with customers. It's less expensive than other types of communication, and it provides a direct way to contact consumers. Companies send promotional emails to new and existing customers to promote products and services and to maintain customer relationships.

But business owners should be aware of the laws governing digital marketing. Email marketing laws govern the collection, use, and storage of customer data.

The legal requirements also cover how organizations can communicate with recipients. These electronic communications regulations aim to:

  • Protect consumers from spam
  • Protect consumer privacy
  • Allow consumers to control their inboxes

Email marketing laws often impose hefty fines and penalties for non-compliance.

Typically, data privacy and protection laws require that senders obtain consent to send communications. They also require that commercial email messages include an option to unsubscribe.


What Is Spam?

When marketing a product or service through email, it's best to avoid sending spam. Spam is unsolicited electronic messages sent to many recipients.

Email spam is the most pervasive form of spam, but recipients can also receive spam messages through texts and social media. Email spam is also referred to as bulk email and junk mail.

Data Privacy and Protection Laws

When engaging in email marketing, it's important to follow the laws that regulate sending commercial emails. Most countries have legal requirements regulating commercial emails.

States can also enact their own anti-spam laws. The California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA) are important examples.

We discuss the GDPR, the CAN-SPAM Act, the California Consumer Privacy Act, and the Virginia Consumer Data Protection Act in detail below.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a 2018 law that protects personal data in the European Union. It applies to those who use, collect, or store the personal data of EU citizens. It's seen as the toughest privacy and data security law in the world.

Seven provisions must be followed when your company sends promotional emails under GDPR:

  • Personal data processing must be transparent and fair
  • Personal data should be up-to-date
  • Store the data only as long as necessary
  • Personal data must be kept secure (e.g., by using encryption) and confidential
  • Collect the data only for the purpose specified when collected
  • Process and collect only as much data as is necessary
  • Be able to demonstrate compliance with GDPR when asked

The CAN-SPAM Act

The CAN-SPAM Act is a federal law regulating the transmission of commercial emails and messages in the United States.

"Commercial messages" refers to "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service." The act also covers messages promoting commercial websites.

Commercial message senders must:

  • Avoid the use of false email header information
  • Use accurate information in the subject line
  • Identify the message as an advertisement
  • Provide a valid physical postal address
  • Tell recipients how to opt out of future email correspondence
  • Honor opt-out requests from your email list within 10 business days
  • Ensure that third parties who send out messages on your behalf comply with the CAN-SPAM Act

The law doesn't apply to emails that contain only "transactional communication."

Transactional communication includes content that:

  • Provides a customer with updates regarding a transaction
  • Confirms a transaction
  • Gives safety information about a product
  • Delivers goods or services agreed to by the consumer
  • Provides change of terms or warranty information

A message containing both commercial and transactional content may be subject to the Act. According to the Federal Trade Commission (FTC), a message with commercial and transactional content is a commercial communication if:

  • The subject line indicates a commercial purpose; or
  • The transactional content does not appear at the beginning of the communication

The FTC enforces the CAN-SPAM Act. It provides a compliance guide that can be used by small businesses to avoid legal liability.

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) covers California residents. It applies to businesses that do business in California and meet any of these requirements:

  • Make over $25 million a year
  • Collect personal information from more than 100,000 consumers
  • Make more than 50% of revenue from selling people's personal information

The CCPA doesn't apply to nonprofit organizations or government agencies.

Golden State residents have the right to know how and when their personal information is being handled, collected, and stored. The CCPA also grants consumers the right to ask that their data be deleted.

Businesses must have a privacy policy page that explains the types of personal information collected and consumer rights. The policy must also clearly explain how a consumer can make a request related to their data. Businesses can't discriminate against individuals exercising their privacy rights.

Several high-profile employers have paid fines and penalties for violating the state law.

Virginia Consumer Data Protection Act

Virginia is the second state to implement comprehensive consumer privacy legislation. The Virginia Consumer Data Protection Act (VCDPA) went into effect in January 2023.

The law applies to all businesses that do business in Virginia or offer products or services aimed at Virginia residents and that either:

  1. Control or process the personal data of at least 100,000 consumers during the calendar year; or
  2. Derive more than 50% of gross revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers

The VCDPA gives Virginia residents the right to access their data and request that their personal information be deleted. Consumers can opt out of the processing of personal data for targeted advertising and sales. The state law also requires that businesses conduct data protection assessments related to processing personal data for targeted advertising and sales purposes.

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) protects patient medical information. The U.S. federal law gives patients control over their health information, including review and amendment of medical records.

Under HIPAA, email marketers are prohibited from targeting individuals or organizations based on medical information without explicit consent.

HIPAA violations can lead to fines, depending on the type of violation.

Email Marketing Best Practices

No matter where your business is located, a few best practices can help you communicate with customers effectively without running into legal issues.

Keep the following tips in mind when you're planning an email marketing campaign:

  • Learn the laws that apply to your email campaigns. Laws are evolving. Several states are considering enacting email privacy and data protection laws. Before you start digital marketing, check to see if there are laws in place that will affect your advertising campaign.
  • Use a reputable email service provider. A top-notch email service provider (ESP) will offer robust security features that protect customer data and compliance tools that keep you out of legal trouble. Look for an ESP that offers help with encrypting, managing, and securely storing customers' data. It should also have features such as unsubscribe links, double opt-in, and data access requests. A good ESP will also monitor your open rates, email deliverability, and spam complaints.
  • Obtain explicit consent. Even if an email marketing campaign complies with e-commerce laws, the communication may be viewed as spam. Nobody likes spam, and sending unwanted correspondence can quickly give a company a negative reputation. So, one of the best practices in email marketing is to get permission to send email correspondence. For example, permission can be obtained when a person signs up for a newsletter or to receive promotional material from your company.
  • Handle personal data responsibly. This means using strong and up-to-date information security measures, such as encryption, secure data storage, and regular backups.
  • Be transparent. Provide clear information on how you collect, use, and protect customer data.
  • Pay attention to the content of the email. Finally, crafting relevant and honest email content is a safe and legal strategy that also enhances a company's reputation. Don't use deceptive subject lines. Provide valid "reply to" and contact information.

Get Legal Help With Email Marketing

Commercial email communications must follow applicable laws. Email privacy and data security considerations are important. A business and commercial law attorney can advise you on which laws apply to your digital marketing. They can help you craft an email marketing strategy that stays within legal boundaries.

See FindLaw's Marketing and Advertising Laws section for more articles and resources.
