As an email marketer or business owner, seeing your email marketing strategies succeed is exciting. But learning how to stay compliant with email laws, not so much…
But alas, staying compliant is part of your job too. So, to help you stay on the right side of email marketing regulations worldwide, we’ve created this comprehensive guide, the only one you’ll need to read.
Learn about the 7 most important spam and email privacy laws. Then implement the applicable compliance features and never worry about penalties or accidentally hurting your brand’s reputation.
This email marketing compliance guide is for educational purposes only, giving you general information on email marketing laws. It does not aim to provide specific legal advice. By using this blog site, you understand that there is no attorney-client relationship between you and MailerLite. We recommend consulting a lawyer if you need to discuss your company’s individual needs.
Email marketing laws tell digital marketers how they may use email for commercial purposes, so that everyone follows the same legal requirements and ethical practices. These laws protect subscribers’ privacy and shield them from spam and unsolicited emails.
While the first email laws were written to curb outright scams and junk mail (think of the foreign prince who needs your help moving his fortune), today’s email marketing laws center on data privacy and consent.
Can you send marketing emails without consent? The short answer is no.
The more elaborate answer is that it depends, but as a matter of good practice you should always have permission before sending promotional emails.
The long answer is generally no, but there are countries where it’s legal to send marketing emails without prior consent, as long as you comply with the rules that apply in that country. More on that further down.
In the United States, it is legal. Technically, the CAN-SPAM Act doesn’t require prior consent to send digital marketing messages. However, the law mandates that emails include accurate sender information, a clear mechanism for recipients to opt out of further communications, and other provisions that prevent deceptive practices.
That said, it’s a known fact that bought email lists do more harm than good.
Bought email lists often contain inactive contacts or recipients with zero interest in your message (good luck converting strangers). Without prior consent, you can easily get in trouble outside the United States, where laws are much stricter—such as in the EU, where email marketers adhere to the GDPR.
Plus, when these recipients mark your email as spam, you risk hurting your sender reputation, which could send all your future emails straight to people’s spam folders. That’s why MailerLite’s Anti-spam policy prohibits contacting subscribers from whom you do not have explicit, informed, freely given, provable and unambiguous consent.
Most email marketers have read an article (or 20) about GDPR, but are you familiar with the email law regulations in Brazil or India? Countries worldwide have their own email marketing rules around consent and data rights.
Use this overview and read on as we dive into the 7 most important email compliance regulations globally.
Country | Regulation | Required consent | Penalties | Data rights |
---|---|---|---|---|
USA | CAN-SPAM Act | Opt-out (no prior consent required) | Up to $51,744 per email violation | Right to opt out of receiving further marketing emails |
USA (California) | CCPA and CPRA | Opt-out for the sale or sharing of personal data | Up to $7,500 per intentional violation | Right to know, delete, correct and limit data; Right to opt out of a sale; Right to non-discrimination |
EU | GDPR | Opt-in consent (freely given, specific, informed and unambiguous) | Up to €20 million or 4% of global turnover, whichever is higher | Right to access, correct, object, delete, withdraw consent, data portability, restrict processing, and rights related to automated decision-making and profiling |
Canada | CASL | Express or implied consent | Up to CA$10 million per violation for businesses | Right to withdraw consent |
Australia | Spam Act | Express or inferred consent | Up to AU$1.1 million daily for repeated violations | Right to withdraw consent |
Brazil | LGPD | Explicit consent | Up to 2% of turnover in Brazil, capped at R$50 million per violation | Right to access, correct, delete and anonymize data; Right to withdraw consent |
India | DPDP Act | Explicit consent | Up to ₹250 crore | Right to access, correct, delete and anonymize data; Right to withdraw consent |
The Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM Act) was introduced in 2003 and applies to every commercial email sent to recipients in the United States.
The CAN-SPAM Act applies to all commercial emails sent to consumers and businesses. The law defines commercial messages as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service”.
Authentic header information: Your domain name, email address and sender name should all be accurate and non-misleading. Send emails from your company name and provide real contact information, such as a reply-to address from your domain
No deceptive subject lines: Tell the recipient what’s inside the email, don’t make empty promises using misleading or false subject lines
Disclose that it’s an advertisement: The email must make clear that it’s an ad. A label in the subject line is one way to do this, but it isn’t required when the commercial nature of the message is already obvious
Include a valid postal address: Such as a street address, P.O. box or a private mailbox—as long as it’s a legally registered physical postal address
Provide a visible opt-out link: Make the process simple and easy to find. A one-click action is ideal, where recipients don’t have to log in to unsubscribe. It must remain operational for at least 30 days after the email is sent. You can have an email preference center, as long as there’s the option to unsubscribe from all
Honor opt-out requests promptly: Process unsubscribe requests within 10 business days. You cannot sell or transfer email addresses after a recipient has unsubscribed
Each email that doesn’t comply with the CAN-SPAM Act can be penalized with up to $51,744.
The California Consumer Privacy Act (CCPA) went into effect in 2020, and its enforcement began in July 2020. This privacy law gives California residents more control and privacy over their personal data and ensures that the personal information of children under 16 is cared for with additional protection.
The California Privacy Rights Act (CPRA) amends the CCPA and includes additional privacy protections for consumers. Most provisions of the CPRA came into effect on January 1, 2023, applying to personal data collected on or after January 1, 2022.
The CCPA applies to for-profit entities that do business in California, collect the personal data of California residents and meet at least one of these criteria:
Gross annual revenue exceeds $25 million
Buy, sell or share the personal data of 100,000 or more California residents or households per year (the CPRA raised this threshold from the original 50,000)
Derive 50% or more of the annual revenue from selling California residents’ personal information
Provide a notice at collection: Inform consumers at or before the point of collection that you're collecting their personal data, in which categories and for what purposes. Most companies have a separate page for this, like their Privacy policy.
Comply with the rights: Include the below with their implementation in your Privacy policy.
The right to know about personal information your business collects about California residents (and how it’s used and shared)
The right to delete personal information collected from consumers (with some exceptions)
The right to opt out of the sale of personal information
The right to non-discrimination for exercising their CCPA rights
The right to correct inaccurate personal information that a business has collected
The right to limit the use and disclosure of sensitive personal information
Consumers can prevent businesses from sharing their personal data
Businesses are prohibited from retaining personal data for longer than necessary
The maximum fines for violations involving children under the age of 16 are tripled, up to $7,500 per violation
Authorizes civil penalties for the theft of specified login information
Businesses must obtain opt-in consent from consumers younger than 16 before selling or sharing their personal information, and from a parent or guardian when the consumer is younger than 13
The penalties are up to $2,500 per violation or $7,500 per intentional violation. The CCPA originally gave businesses 30 days to cure a violation after being notified; under the CPRA that cure period is no longer guaranteed. California residents can also sue when a data breach results from a business failing to implement reasonable security measures: statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater.
The General Data Protection Regulation (GDPR) was introduced in 2018 and dictates how individuals and companies can collect, use, store and delete the personal data of individuals within the European Union (EU).
It applies to any organization, regardless of its location, that processes the personal data of individuals within the EU.
Here are the most important practices for email marketing. For a full overview, read MailerLite’s GDPR article below.
Right to erasure (the ‘right to be forgotten’): Individuals can ask companies to delete the personal data held about them, subject to exceptions such as data you’re legally required to retain.
Right of access: Individuals can always request a personal data report stating how data is used and for what purposes.
Breach notification: Within 72 hours of becoming aware of a personal data breach, the supervisory authority must be notified; affected individuals must be told without undue delay when the breach is likely to result in a high risk to them.
Right of portability: Individuals can request their data in a ‘commonly used and machine-readable format’.
Right of rectification: Individuals can correct their data when it’s inaccurate or incomplete
Fines can be up to €20 million or 4% of the annual global turnover, whichever is higher.
Canada's anti-spam legislation (CASL) came into force in 2014 and protects Canadian consumers and businesses from spam and cyber threats. It requires either “implied” or “express” consent from recipients to send marketing emails.
Implied consent means you have an existing relationship: the person bought or donated something within the last 2 years, or made an inquiry about your product in the last 6 months. It can also apply when the person published their email address conspicuously, or gave it to you directly, without stating that they don’t want unsolicited messages, and your message is relevant to their role
Express consent means that a person has given their email address after you’ve disclosed your identity and explained why you’re asking for their email
This email marketing spam law applies to everyone who sends electronic messages within, from or to Canada for commercial purposes—including individuals, businesses, non-profits, etc. Electronic messages include emails, SMS, instant and social media messages.
Important to note is that CASL also applies to messages sent from within Canada to recipients outside the country. Certain message types are exempt, such as replies to customer inquiries, emails between family members or personal contacts, and messages required by a legal obligation.
Obtain prior implied or express permission
Use accurate sender and reply information
Provide a clear unsubscribe mechanism
Honor opt-outs within 10 business days
The inbox that processes unsubscribes must remain valid for at least 60 days
Regularly maintain consent records and update unsubscribe mechanisms to ensure ongoing CASL-compliance
The administrative monetary penalty (AMP) for individuals is CA$1 million per violation and CA$10 million for businesses, at most.
The Spam Act 2003 prohibits email marketers from sending commercial messages without consent. Permission can be given expressly or inferred.
With express permission, the recipient explicitly agrees to receive emails, for example through opt-in forms or a written or verbal agreement
With inferred permission, consent is implied through the recipients’ actions or a mutual relationship. For example, they’re a current customer or gave their email during a transaction or inquiry
The Spam Act applies to all businesses that are not otherwise exempt. Even when your business is not required to comply with the Australian Privacy Principles (APPs) under the Privacy Act, you still have to comply with the Spam Act.
Obtain prior express or inferred permission
Do not acquire email addresses through address-harvesting
Use accurate sender and reply information
Offer clear and easy opt-out mechanisms
Honor opt-outs within 5 business days
The inbox that processes unsubscribes must remain valid for at least 30 days
Organizations can be penalized to AU$220,000 and individuals up to AU$44,000 for the first contravention for a single day. When non-compliance is repeated, organizations can be fined up to AU$1.1 million per day and individuals up to AU$220,000.
The Lei Geral de Proteção de Dados (LGPD) came into effect in 2020 and regulates how personal data is processed. It gives people the right to confirm, access, correct, anonymize or delete their information.
The General Data Protection Law applies to any individual or organization, regardless of their location, that processes the personal data of individuals in Brazil. Exempt are persons who collect data for personal purposes, such as for journalistic or academic purposes.
Obtain consent before collecting and processing personal data. Consent must be freely given, specific, informed, and unambiguous
Provide information about data processing activities
Inform, correct, anonymize, delete or provide a copy of the data when requested
Delete customer data after the purpose for which it was collected has been fulfilled
Allow people the right to withdraw their consent
Provide clear opt-out mechanisms for receiving communications or restricting the processing of their personal data
Implement data security measures to protect personal data
Inform the National Data Protection Authority and affected individuals after a data breach
Penalties can reach up to 2% of the company’s revenue in Brazil, capped at R$50 million per violation. In April 2024, a bill was sent to the Commission on Communication and Digital Law to increase the fine to 4%, capped at R$100 million.
The Digital Personal Data Protection Act (DPDP), passed in 2023, is a legal framework that safeguards people’s data and includes rules on collecting, storing, processing and sharing personal information.
The Act applies to the processing of digital personal data within India, and to processing outside India when it is connected to offering goods or services to individuals in India. That covers the government, companies incorporated in India and foreign companies alike.
Obtain consent before collecting and processing personal data
Collect only the data necessary for the specified purpose
Provide information about data processing activities
Inform, correct, anonymize, erase or provide a copy of the data when requested
Allow people the right to withdraw their consent
Implement data security measures to protect personal data
Inform the Data Protection Board and affected individuals after a data breach
Penalties scale with the failure: up to ₹250 crore (roughly $30 million) for not taking reasonable security safeguards, up to ₹200 crore for not notifying the Data Protection Board and affected individuals of a breach, and up to ₹50 crore for other contraventions. Data Principals (the individuals themselves) can be fined up to ₹10,000 for breaching their own duties under the Act, for example by filing a false complaint.
Before sending commercial emails or processing personal data, you need consent (explicit in most jurisdictions, and always the safe choice). Most small businesses inform subscribers about their data collection practices and the purpose of the signup below their opt-in forms; when recipients tick that consent checkbox, you have consent.
While not GDPR-required, we always advise using double opt-in to collect email subscribers.
Double opt-in reduces the risk of spammers and bots, increases deliverability and protects your sender reputation. Since subscribers need to additionally confirm their subscription, they’re more interested and likely to engage more with your emails. This will lead to increased open rates and click-through rates.
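Here is what a double opt-in confirmation looks like under the hood, as an added example in Python (it is not MailerLite’s code or anything from the original article; the secret, the 48-hour link lifetime and the field names in the consent record are assumptions for the example). The confirmation link carries an HMAC-signed token, so only your server can mint one; a confirmed click turns into a consent record that captures what the subscriber agreed to and when; a replayed, forged or expired link is rejected.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumption: in production this secret comes from an environment variable or a
# secrets manager, never from source code. A constant here only so the example runs.
TOKEN_SECRET = b"example-only-secret-replace-with-32-random-bytes"
TOKEN_TTL_SECONDS = 48 * 3600  # assumption: confirmation links expire after 48 hours


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation_token(email: str, issued_at: int, secret: bytes = TOKEN_SECRET) -> str:
    """Build the token carried in the 'confirm your subscription' link.

    Payload: normalised email, issue time, and a random id (jti) so the link is single-use.
    """
    payload = json.dumps(
        {"email": email.strip().lower(), "iat": issued_at, "jti": secrets.token_hex(8)},
        separators=(",", ":"), sort_keys=True,
    ).encode("utf-8")
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64u(payload)}.{_b64u(sig)}"


def verify_confirmation_token(token: str, now: int, secret: bytes = TOKEN_SECRET,
                              ttl: int = TOKEN_TTL_SECONDS) -> Optional[dict]:
    """Return the token payload, or None if the token is malformed, forged or expired."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64u(payload_b64), _unb64u(sig_b64)
    except (ValueError, TypeError, AttributeError):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    iat = data.get("iat")
    if not isinstance(iat, int) or iat > now or now - iat > ttl:
        return None
    if not isinstance(data.get("email"), str) or not isinstance(data.get("jti"), str):
        return None
    return data


def confirm_subscription(token: str, now: int, used_tokens: set, source_form: str,
                         consent_text_version: str, client_ip: str) -> Optional[dict]:
    """Turn a valid confirmation click into a consent record; reject replayed tokens."""
    data = verify_confirmation_token(token, now)
    if data is None or data["jti"] in used_tokens:
        return None
    used_tokens.add(data["jti"])  # assumption: persisted in your database in production
    return {
        "email": data["email"],
        "consent_source": source_form,                  # which form or page collected the address
        "consent_text_version": consent_text_version,   # the exact wording the subscriber agreed to
        "signup_requested_at": data["iat"],
        "double_opt_in_confirmed_at": now,
        "confirmation_ip": client_ip,
        "withdrawn_at": None,
    }


def withdraw_consent(record: dict, now: int) -> dict:
    """Record an unsubscribe without destroying the proof that consent once existed."""
    return {**record, "withdrawn_at": now}


if __name__ == "__main__":
    # Constructed walk-through: sign-up at t=1700000000, click 200 s later, unsubscribe later still.
    token = make_confirmation_token("Ada@Example.com", 1_700_000_000)
    seen = set()
    record = confirm_subscription(token, 1_700_000_200, seen, "newsletter-footer", "v3", "203.0.113.5")
    print(record)
    print("replay accepted?", confirm_subscription(token, 1_700_000_300, seen, "newsletter-footer", "v3", "203.0.113.5"))
    print(withdraw_consent(record, 1_700_001_000))
```

The record is exactly what you would hand over in a consent audit: which form, which wording, when, and from where. Withdrawing consent fills in `withdrawn_at` rather than deleting the row, so you can still prove the subscriber opted in before they opted out.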
Rejection is tough, we get it. But it’s mandatory to include an unsubscribe link in every email that leads recipients to a customized unsubscribe page where they can opt out from all or certain emails.
Apart from unsubscribe mechanisms and ensuring that opt-out requests are processed as quickly as a McDonald's order, you also want to manage your subscriber lists often.
When using MailerLite, all unsubscribe management is done for you. When recipients opt out of newsletters, they’re immediately removed from the active subscriber list and automation workflows.
Email list management is the practice of weeding out inactive subscribers and keeping those who engage with your content, click links and stay far away from the “Mark as spam” button. While downsizing can be daunting, a healthy email list boosts clicks and lowers bounces.
To comply with the global anti-spam laws, obtain consent that is freely given, specific, informed, and unambiguous before sending commercial emails. Communicate clearly how their data will be used. Each marketing email you send should include the following:
A subject line that sets the right expectation of what content is inside the email
An accurate newsletter header that doesn’t mislead or has false information
Clear sender information, including the sender name, from address and reply-to email
A legally registered physical postal address
A clear and easy way to opt out of receiving further emails
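A pre-send check that enforces the checklist above, as an added example in Python rather than anything from the original article or from MailerLite. It parses a message with the standard library’s email package and flags a missing or off-domain From/Reply-To, a fake “Re:” subject, a body without an unsubscribe link or the postal address, and missing one-click unsubscribe headers (RFC 8058, which mailbox providers use for their list-unsubscribe button). The postal address, the acme.example sending domain and both sample messages are constructed for the example.

```python
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Assumptions (not from the article): your registered postal address and the
# domains you actually send from. Both are constructed for this example.
POSTAL_ADDRESS = "Acme Ltd, 123 Example Street, Springfield"
SENDING_DOMAINS = {"acme.example"}

UNSUB_LINK = re.compile(r"https?://[^\s\"'<>]*unsubscribe[^\s\"'<>]*", re.IGNORECASE)
FAKE_REPLY = re.compile(r"^\s*(re|fwd?)\s*:", re.IGNORECASE)


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def preflight(raw_message: str, postal_address: str = POSTAL_ADDRESS,
              sending_domains: set = SENDING_DOMAINS) -> list:
    """Return a list of findings; an empty list means the message passed every check."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    findings = []

    # 1. Accurate, non-misleading sender information (From and Reply-To on your own domain)
    name, addr = parseaddr(str(msg.get("From", "")))
    if "@" not in addr:
        findings.append("From: missing or malformed address")
    elif _domain(addr) not in sending_domains:
        findings.append(f"From: domain {_domain(addr)!r} is not one of your sending domains")
    if not name:
        findings.append("From: no display name; send as your company, not a bare address")
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and _domain(reply_to) not in sending_domains:
        findings.append(f"Reply-To: domain {_domain(reply_to)!r} is not one of your sending domains")

    # 2. Subject line that reflects the content (heuristic: a fake Re:/Fwd: is a classic deceptive pattern)
    subject = str(msg.get("Subject", "")).strip()
    if not subject:
        findings.append("Subject: empty")
    elif FAKE_REPLY.match(subject):
        findings.append("Subject: starts with Re:/Fwd: on a bulk message, which reads as a fake reply")

    # 3. Body must carry an unsubscribe link and the registered postal address
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    flat = re.sub(r"\s+", " ", body).lower()
    if not UNSUB_LINK.search(body):
        findings.append("Body: no unsubscribe link found")
    if re.sub(r"\s+", " ", postal_address).lower() not in flat:
        findings.append("Body: registered postal address not found")

    # 4. One-click unsubscribe headers (RFC 8058) so mailbox providers can offer a one-click opt-out
    list_unsub = str(msg.get("List-Unsubscribe", ""))
    if not list_unsub:
        findings.append("Headers: List-Unsubscribe missing")
    elif "https://" in list_unsub and str(msg.get("List-Unsubscribe-Post", "")).strip() != "List-Unsubscribe=One-Click":
        findings.append("Headers: List-Unsubscribe-Post: List-Unsubscribe=One-Click missing for the https URL")
    return findings


# Constructed sample messages: one that passes, one that trips every check.
GOOD_MESSAGE = "\n".join([
    "From: Acme Newsletter <news@acme.example>",
    "Reply-To: hello@acme.example",
    "To: subscriber@example.net",
    "Subject: March deals on hiking boots (20% off this week)",
    "List-Unsubscribe: <mailto:unsubscribe@acme.example>, <https://acme.example/unsubscribe?u=abc123>",
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Hi Ada, here are this week's deals on hiking boots.",
    "",
    "You receive this email because you subscribed at acme.example.",
    "Unsubscribe: https://acme.example/unsubscribe?u=abc123",
    "Acme Ltd, 123 Example Street, Springfield",
])

BAD_MESSAGE = "\n".join([
    "From: deals@free-offers.example",
    "To: subscriber@example.net",
    "Subject: Re: your account",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Click here for a prize: https://free-offers.example/win",
])

if __name__ == "__main__":
    for label, raw in (("good", GOOD_MESSAGE), ("bad", BAD_MESSAGE)):
        print(label, preflight(raw) or "OK")
```

Run it as a gate in the pipeline that renders your campaign, before the message reaches the ESP: a non-empty list blocks the send. The subject heuristic only catches the fake-reply pattern; whether the subject honestly describes the content is still a human review.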
When sending your commercial emails through an email service provider (ESP), check whether the provider supports the compliance features you need, such as unsubscribe handling and consent fields. Keep in mind that you remain the sender: an ESP can’t obtain consent for you, and regulators hold you responsible for your list. MailerLite supports these features, just FYI. 😉
Email unsubscribe laws can be mind-bogglingly complicated. If you’re unsure how the email marketing rules apply to a specific instance or within your country, we advise you to consult a local legal practitioner.
Are you a MailerLite customer (or considering becoming one)? First, we appreciate you! 🙇 Second, let’s see which MailerLite features you can implement to comply with global email laws.
When creating signup forms, you can add checkbox fields with consent text that explains why and how data is collected, and for what purposes. When subscribers tick the boxes, they consent.
In the MailerLite form editor, you can:
Add a consent copy below the signup form without a checkbox. This applies when asking for consent for one item, like receiving the newsletter
Add checkboxes with your own text, when asking for consent for two or more separate things
Add GDPR-compliant and Privacy policy fields with a pre-written copy that you can edit
Double opt-in is our preferred way to collect subscribers, as it keeps spam bots and mistyped addresses off your list and confirms that the person at that address actually wants your emails.
Most email unsubscribe laws require you to process opt-out requests pronto. Luckily, MailerLite automatically marks recipients who unsubscribe as inactive and removes them from all the email lists and automation workflows they were on. This status remains until the recipient opts in again.
Learn more about subscriber management in MailerLite’s knowledge base.
MailerLite’s email segmentation lets you categorize subscribers into smaller groups based on characteristics. This can be a great feature when dealing with email privacy laws. For example:
Segment subscribers who have and have not given explicit consent
Group recipients whose consent has expired or needs renewal
Categorize subscribers by country or state
Segment audiences by age to comply with child data protection laws
Group based on engagement to filter out inactive recipients that can hurt your sender’s reputation
Segment on preferences to respect people's choices on which promotional emails to receive
As an email marketer, one event to add to your calendar is performing regular email compliance audits.
During these audits, review your consent records and confirm that explicit, freely given, informed and unambiguous consent exists for everyone on your email list. Review your sign-up forms, checkboxes and agreements, and check that the records are still valid: GDPR sets no fixed expiry on consent, but regulators expect you to keep it under review and refresh it when the purpose or the wording changes. Lastly, double-check that unsubscribed recipients are not receiving emails.
Then analyze content for compliance. Do all emails clearly state that you're the sender, are the email headers non-deceptive, and do you provide an unsubscribe link in every email? Your Privacy Policy and signup forms should outline how personal data is collected, used and protected.
Lastly, use reporting tools, like MailerLite’s performance reports, to track unsubscribes, spam complaints, bounces and other critical measures. These statistics help you understand the overall health of your email marketing campaigns.
The penalties differ, but looking at the amounts mentioned earlier, it’s best not to risk getting hefty fines or being sued. Also, non-compliance can hurt your reputation.
Consumers can distrust your business if you don’t handle their data securely
Negative publicity around breaking email privacy laws can affect your brand reputation
Long-term customer relationships can be hard to rebuild after reputational damage
Our advice is to always comply with email marketing laws unless you want to end up like:
Google, who was fined €50 million in 2019 for violating GDPR compliance
Uber, who settled for $148 million after not disclosing a 2016 data breach that affected 25 million users and drivers in the U.S.
Meta (Facebook), which was fined €265 million by the Irish Data Protection Commission in 2022 after the personal data of roughly 533 million users was scraped and published
Kellogg Canada, who made a monetary payment of CA$60,000 after violating CASL compliance and sending commercial emails without proper consent
If there’s anything to take away from this email law guide, it’s hopefully that staying compliant will save your business and humanity. While the global email and anti-spam laws are all slightly different, the practices to follow are quite similar. And when using an email tool like MailerLite, many compliance features are built-in, automated or easy to implement.
Here’s what to remember about email marketing compliance:
Always get consent before sending commercial emails or processing personal data
Send email campaigns with non-misleading or deceptive headers and subject lines
Provide clear and easy unsubscribe mechanisms in every email and process opt-outs promptly
Keep recipient records, in case people use their right to access the data
Implement safety measures to protect the personal data of your subscribers
Whatever you do, refrain from buying email lists
And that’s a wrap, folks. 🎬
If anything is still unclear, do ask away in the comments—email law is not for the faint of heart!
I'm Megan, a freelance copywriter who's been crafting content for SaaS and online shops for… more than a decade (time flies!). Most days, you'll find me writing away in cozy cafés all around the world while listening to 90s R&B (Maxwell, mostly).