Anti-Spam Laws Email Marketers Need to Know About

February 27, 2020 // Category: Digital Marketing // Author: Caroline Ruhland


Email marketing is one of the most effective tools that you have. It can help you speak to your customers directly in a place where they want to hear from you, and it takes relatively little time or up-front investment.

But with the advent of the GDPR and CCPA (and more laws sure to come), playing by the rules has become more complicated than ever – and if you get it wrong, your business can pay a steep price.

Here are the most important anti-spam laws that you need to know about as an email marketer.

Laws You Need to Know About

The CAN-SPAM Act

What It Is

In 2003, President George W. Bush signed the CAN-SPAM Act bill into law to stop the onslaught of spam that was clogging up everyone’s inboxes.

The law, which lays out email rules that every company needs to follow, was updated in 2008, and it applies to anyone who is “promoting or advertising a commercial product or service through electronic communication.”

Most countries have their own version: Canada has CASL (Canada’s Anti-Spam Legislation) and the UK has the Privacy and Electronic Communications Regulations 2003.

What You Need to Do

The CAN-SPAM Act requires that you:

1. Make sure that you have permission to email the people on your list

Depending on the law, this can be “implied permission” or “express permission.” To play it safe, opt for express permission, which is when someone explicitly gives you permission to send them email (by entering their email address in a subscription form, for example).

2. Tell readers where your email is coming from

The “From,” “To” and “Reply-To” fields need to tell the recipient where the email is from – in other words, they should carry your name or the name of your business (no catfishing).

3. Write an honest subject line

Advertising a new product or a promotion? Say so. Don’t lie or offer fake things in your subject line (like “Get A Year’s Worth Of Product Free” when you’re really just offering 10% off) to get more clicks.

Sephora does a great job of this in its email campaigns.

4. Give a physical address

Your emails have to include a physical address somewhere. This can be your current street address, a post office box, or an address with a registered commercial mail-receiving company.

Most businesses put it in the footer – but if it isn’t somewhere in the email, you could be fined.

5. Every email needs an easy opt-out option

Don’t make the “unsubscribe” button hard to find, and make sure it’s included in every single email.

6. Honor opt-out requests quickly

Have you ever opted out and continued to receive emails for months afterward? Then you’re dealing with a company that broke the law. Once someone hits that “unsubscribe” button, you legally have 10 days to get them off your list.

7. Monitor what others do for you

If you have another company manage your email lists, you’re responsible if they break any laws. Make sure that you stay on top of them and know what’s going on at all times.
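As an added illustration (not part of the original post), the Python below turns the checklist above into a pre-send lint for a marketing email: it checks the sender headers, the subject, a postal address, an unsubscribe mechanism, and whether any recipient’s opt-out request is older than the 10-day window. The sample sender, opt-out ledger, “today” date and address pattern are all constructed for the example.

```python
import re
from datetime import date, timedelta
from email.message import EmailMessage

OPT_OUT_WINDOW_DAYS = 10  # the post: 10 days to honor an unsubscribe request

# Constructed opt-out ledger: recipient address -> date the unsubscribe request arrived
OPT_OUTS = {"alice@example.com": date(2020, 1, 10)}

# Crude constructed pattern for a street address or PO box in the email body
ADDRESS_RE = re.compile(r"\b(\d+\s+\w+\s+(St|Ave|Rd|Blvd|Street|Avenue)|P\.?O\.? Box \d+)\b", re.I)


def check_can_spam(msg, opt_outs=OPT_OUTS, today=date(2020, 2, 27)):
    """Return the checklist items the message fails; an empty list means it passes."""
    problems = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    # 2. Say where the email comes from: From and Reply-To must be filled in
    for hdr in ("From", "Reply-To"):
        if not (msg.get(hdr) or "").strip():
            problems.append(f"missing {hdr} header")
    # 3. Honest subject line: the lint can only insist that one exists
    if not (msg.get("Subject") or "").strip():
        problems.append("missing Subject")
    # 4. A physical address somewhere in the email
    if not ADDRESS_RE.search(text):
        problems.append("no physical postal address found")
    # 5. Easy opt-out: an unsubscribe link in the body or a List-Unsubscribe header
    if "unsubscribe" not in text.lower() and not msg.get("List-Unsubscribe"):
        problems.append("no unsubscribe mechanism")
    # 6. Honor opt-outs: refuse recipients whose request is older than the window
    for rcpt in (msg.get("To") or "").split(","):
        addr = rcpt.strip().lower()
        requested = opt_outs.get(addr)
        if requested and today - requested > timedelta(days=OPT_OUT_WINDOW_DAYS):
            problems.append(f"{addr} opted out on {requested}; window expired")
    return problems


def build_message(to, subject, body, sender="Off the Lip <news@example.com>"):
    """Assemble a constructed marketing email for the lint above."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Reply-To"] = sender
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg
```

Run `check_can_spam` on every campaign message before it leaves your sending pipeline; a non-empty result is a reason to hold the send.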

The GDPR and CCPA

What It Is

While the GDPR and the CCPA don’t relate exclusively to email, they’re both important to understand and keep top of mind.

The EU’s General Data Protection Regulation (GDPR) was enacted in 2016 to govern how personal data is handled and protected in Europe. It’s seen as the most important change in data privacy regulation in the last 20 years, and its overarching goal is to increase user control and protect user privacy across the board.

California followed suit in 2019 with the California Consumer Privacy Act (CCPA), which is essentially the state’s version of the GDPR. It applies specifically to businesses that meet at least one of the following criteria:

  • Annual gross revenue of more than $25 million
  • Receiving or sharing the personal information of more than 50,000 California residents annually
  • Deriving at least 50% of annual revenue from selling the personal information of California residents

Since these two pieces of legislation are so similar, it is reasonable to expect that rules like these will become standard in the near future.

Here’s what you need to know about the GDPR and CCPA:

What You Need To Do

Overall, the GDPR and CCPA are all about protecting users’ private information. And there’s good reason for this. Think about it: we used to have locks on filing cabinets, vaults in banks – tons of measures to help keep personal information safe, secure, and out of the wrong hands.

Now, all that information is out of the vaults and online, and users can’t really see what measures companies are taking to make sure that it’s safe.

This can include really valuable information like Social Security numbers, health and medical records, financial data, and even basic (but still sensitive) information like full names, addresses, and birthdates.

The GDPR and CCPA help give people some say in what personal information companies keep, and they protect against that information being mishandled or ending up in the wrong hands.

As far as companies are concerned, they don’t stipulate that you can’t collect private information, but they do require that you do so in accordance with the law. This means you must explicitly inform website visitors:

  1. That you are, in fact, collecting their data
  2. Exactly what data you are collecting
  3. Which systems and tools you are storing it in
  4. What you will use their information for
  5. That you are not collecting their data to resell it and will refuse any inbound requests to do so
  6. That you will provide any individual with access to their data upon request
  7. That you will entirely delete personal data upon request
  8. That you require parental consent for data collection from minors (but note that the definition of “minor” varies)

When it comes to email marketing, in particular, the most important thing to remember here is permission. You must ask permission from your subscribers for opt-in offers and other similar strategies – and you may even have to do it twice.

That means avoiding roundabout strategies that used to be common email practice. For example, you can’t get people onto your mailing lists by pre-checking opt-in boxes, even for one-time offers.

Similarly, you can’t ignore opt-out requests and continue sending unwanted spam to customers. If you do, you can be held liable under CAN-SPAM for $250 every time that you send another e-mail to a person who already made an “opt-out” request.

Avoid these tricks and make sure that you ask explicitly for permission if you want to avoid GDPR and CCPA consequences, which include:

  • For GDPR, fines range from 2% to 4% of your annual revenue or roughly $11 to $22 million, whichever is greater (depending on the severity of the non-compliance).
  • CCPA fines are up to $2,500 per violation or $7,500 per intentional violation.
  • Consumers can demand compensation if the regulations have been violated. However, under CCPA, businesses have the opportunity to fix the violation and assure the consumer (in writing) that no further violations will occur in order to avoid paying out.


The Bottom Line

Today, more than ever, people want to feel that companies are handling their data and their privacy with safety and transparency – and the laws are supporting them more than ever.

Use good judgment when crafting content and handling email subscriber information. When you set up your next email campaign, remember that it doesn’t hurt to check the boxes and make sure everything is legit.

Happy emailing!
