Legal Requirements for Email Marketing

Written by Peter Fargo (FreePrivacyPolicy Legal writer) and last updated on 07 September 2022.

It is crucial that you understand that laws throughout the world require commercial enterprises to be accountable for managing and protecting the personal data of those from whom they solicit business.

Individuals have always valued their privacy. The legislation enacted throughout North America and Europe in recent years reflects the international public's growing concern with the protection of personal information in the age of digital commerce.

This article will look at some wide-reaching privacy laws that may impact your email marketing campaigns, and what you'll need to do to comply.

CAN-SPAM, CASL, and the GDPR are Far-Reaching in Scope

Each of these laws has implications for compliance when it comes to email marketing:

  • The Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM) was signed into law on December 6, 2003. (United States)
  • Canada's Anti-Spam Law (CASL) went into effect on July 1, 2014. (Canada)
  • The General Data Protection Regulation (GDPR) came into force on May 25, 2018. (European Union)

As a business owner, one of your initial reactions may be that your enterprise is located within only one of these jurisdictions, and, therefore, you are only required to comply with one of these three laws.

This couldn't be any further from the truth. Where your business is located is irrelevant.

Note the following language contained in Article 3 of the GDPR concerning the territorial scope of the regulation:

  1. This Regulation applies to the processing of personal data...regardless of whether the processing takes place in the Union or not.
  2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
    1. the offering of goods or services...; or
    2. the monitoring of their behaviour as far as their behaviour takes place within the Union.
  3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Thus, the GDPR, CAN-SPAM, and CASL, although enacted by different legislatures, generally apply to both organizations located within their respective jurisdictions and organizations located outside of them if they offer goods or services to, or monitor the behavior of, local data subjects.

These laws apply to all companies possessing and processing the personal data of data subjects residing within them, regardless of the company's location.

Applicability of CAN-SPAM

CAN-SPAM applies to all commercial messages, not just bulk emails known generically as spam. The Act defines commercial messages or commercial electronic mail messages as:

"any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service."

Under this law, an electronic communication may contain three different types of information:

  • Commercial - which advertises or promotes a commercial product or service;
  • Transactional or relationship - which facilitates an already agreed-upon transaction or updates a customer about an ongoing transaction (emails containing only this type of content may not contain false or misleading routing information but are otherwise generally exempt from the CAN-SPAM Act); and
  • Other content - which is neither commercial, transactional nor relationship content.

Emails often contain all three types of content. If so, the "primary purpose" of the message determines the extent to which CAN-SPAM may apply to your company's electronic communication.

Applicability of CASL

CASL applies whenever (1) a commercial electronic message, or "CEM", is (2) sent to an electronic address. This includes SMS and other messaging to mobile phones and devices.

In determining if an electronic message is a CEM, a fundamental question is whether one of the purposes of the message is to encourage the recipient to participate in a commercial activity.

CASL defines an "electronic address" as an email account, a telephone account, an instant messaging account, and any other similar accounts, which may include social media accounts.

Applicability of the GDPR

The GDPR applies to "the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system."

There are different requirements whether you are a "controller" or "processor" of information.

The Regulation defines "personal data" as "any information relating to an identified or identifiable natural person ('data subject')."

The GDPR defines "processing" as "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means."

This includes use but may also include collection, recording, organization, structuring, storage, or alteration of data.

Compliance Begins with a Privacy Policy

Complying with these laws begins with the creation of a Privacy Policy.

Many countries, some states, and even third parties, such as Google Analytics, require businesses to implement a Privacy Policy. Any data collected on or through your company's website that may identify an individual is protected by and subject to the requirements of CAN-SPAM, CASL, and the GDPR.

You should state in your Privacy Policy that you use email addresses to communicate with your users, and let them know that they can opt out of this.

Dyson devotes three paragraphs of its Privacy Policy to describe how it communicates with customers via email, mentioning consent in an unassuming way by saying, "As long as you are happy for us to do so, we would also like to keep you posted on anything that's happening at Dyson which we think you might like to know about...":

Dyson Global Privacy Policy: Email Communications clause

Keynote speaker and author Jeff Sanders has a separate Email Marketing Policy on his website. He acknowledges the right of members of the EU to actively consent to receive his emails:

Jeff Sanders Email Marketing Policy: Excerpt of Active Consent section

He also includes a section in his Privacy Policy that lets users know they have the right to unsubscribe from his emails, and how they can go about doing so:

Jeff Sanders Privacy Policy: Right to Unsubscribe From Emails clause

While it isn't necessary at all to have a separate email marketing policy, you do need to make sure you at least disclose information related to email marketing and unsubscribing/opting out within your Privacy Policy.

Complying With CAN-SPAM

CAN-SPAM establishes prohibitions and required inclusions for commercial messages, as well as giving recipients the right to stop receiving emails. CAN-SPAM does not contain an opt-in requirement.

It is one of the few remaining global laws that allows emails to be sent without prior consent. Generally, as long as you follow the Act's requirements, you may send email until the recipient requests to opt out.

An email's header information ("From," "To," "Reply-To,") may not be materially false or misleading. Routing information, including the domain name, originating email address, and any other information that appears in the "From" line must accurately identify the party that initiated the message.

The term "materially" under CAN-SPAM means altering or concealing this information in such a way that would impair the ability of an internet access service to identify, locate, respond to, or otherwise investigate the initiating party.

The subject heading may not be deceptive and the subject line must accurately reflect the message's content. An email may not use a subject line that would mislead a recipient of a material fact regarding the email's contents or subject matter.

When including required information, present it so it's easily recognized, readable, and understandable by an ordinary person. Using font size and color to display certain important information in a conspicuous location within the email is a good first step.

The following must be included in every email transmission:

  • Clear and conspicuous disclosure that the message is an advertisement
  • A valid physical postal address
  • Clear and conspicuously explained information about how the recipient may opt out of future email transmissions

At the top of this email, Comcast clearly discloses in upper case bold-print that its email is an ad. At the bottom of the email its physical address is centered to more conspicuously identify it:

Screenshot of Comcast email footer

Here is an example of how Take-Two uses a blue font color to conspicuously distinguish and highlight the different links on its website and forums for opting out. It also provides a link to delete all accounts.

Take Two Privacy Policy: How you can unsubscribe from mailings, cancel your account or review and correct your data clause

Opt-Out Requirements

CAN-SPAM also requires the prompt processing of opt-out requests. A recipient's opt-out request must be processed within 10 business days.

Any opt-out mechanism link included in your emails must remain working and able to process opt-out requests for at least 30 days after the message is sent.

Other requirements related to opting-out:

  • You may not charge a recipient a fee to opt out of future emails
  • You may not require any personal information other than an email address as a condition of opting out
  • You may not make a recipient do more than send a reply email or visit a single page on an Internet website as a condition of honoring a request to opt out
  • You may not sell or transfer the email address of anyone who opts out, even as part of a mailing list

It's permissible for an opt-out menu to allow a recipient to opt out of certain types of messages, as long as the option to permanently stop all commercial messages is also provided. Include a return email address or another simple web-based process to easily facilitate recipients communicating their choice of options.

Guitar Center offers a page where customers can manage their communications subscriptions. The page includes a general opt-out box in the center as well. At the top of the page, it clearly places a link to its Privacy and Unsubscribe Policy:

Guitar Center: Manage My Subscriptions form with unsubscribe box highlighted

Companies may be held liable for violations of CAN-SPAM committed by vendors who send email on the company's behalf. Thus, companies must monitor what third parties do on their behalf.

You cannot contract away your legal responsibility to comply with CAN-SPAM.

Complying With CASL

If your email marketing database contains an email address that you believe belongs to a Canadian, or if anyone opens your email in Canada, CASL is applicable even if your business is based in the U.S. or any of the member states of the European Union.

Unlike CAN-SPAM, consent is the hallmark of CASL.

Under CASL, individuals and businesses are required to obtain consent from customers before sending them commercial electronic messages. Because of statutes like CASL, a permission-based email marketing policy is not only wise but mandatory. Equally important is maintaining records that indicate proof of consent.

Because the Act prohibits sending commercial electronic messages (CEMs) without some explicit or implied consent of the recipient, pre-checked boxes and other passive methods of obtaining consent are prohibited under CASL.

In sum, CASL prohibits the following:

  • Sending CEMs (email, social media and text messages) without the recipient's consent
  • Altering the transmission data in a CEM so that the message is sent to a different destination without the recipient's express consent
  • Installing software on a recipient's electronic devices without consent
  • Using false or misleading representations to promote products or services online
  • Collecting personal information by illegally accessing a computer or electronic device
  • Harvesting (collecting) addresses without consent

Like CAN-SPAM, CASL requires certain basic, core information to be included in a commercial electronic message.

A CEM must include:

  • The sender's business name and the name of anyone on whose behalf the message is sent,
  • A current mailing address and either a phone number, email or website address,
  • Accurate contact information that will be valid for at least 60 days after the message is sent, and
  • An unsubscribe mechanism in accordance with subsection 11(1) of CASL

Opt-Out Requirements

Under CASL, an unsubscribe or opt-out mechanism must be provided that enables the recipient to indicate, at no cost to them, a wish to no longer receive any commercial electronic messages.

This wish may be expressed using either the same electronic means by which the message was sent or, if not practicable, any other electronic means that will enable the person to indicate the wish. Some electronic address or link to a page must be provided to which the unsubscribe request may be sent.

Any expressed indication to unsubscribe or withdraw consent must be given effect without delay, and, in any event, no later than 10 business days after the indication was sent, without any further action required.

NHL Shop offers the following instructions in its help center to help users make unsubscribe requests. It includes a note that it may take up to 24 hours before the email address is unsubscribed:

NHL Shop Help Center: Unsubscribe email address instructions section

The more places you let your users know that they can unsubscribe and how to go about doing so, the better your compliance with the law will be.

Complying With The GDPR

Under the GDPR, having a detailed, comprehensive, thorough, far-reaching Privacy Policy is not only a wise business decision but a necessary one.

The GDPR (the "Regulation") is a much broader law than CAN-SPAM and CASL which both specifically apply to commercial electronic messages. Many consider the GDPR the strongest and most modern data protection rule to date.

Art Fire, a business entity located in Arizona, provides an express statement that its Privacy Policy was prepared based on many laws, specifically mentioning the GDPR:

Art Fire Privacy Policy: Legal information clause

To legally process data under the GDPR, you must identify a "lawful basis" under the Regulation for collecting and using personal data.

Art Fire explains its legal basis for processing personal data, including that it may be allowed to process this data until the user opts out, unless he or she is subject to European law such as the GDPR:

Art Fire Privacy Policy: Legal basis of processing clause highlighted

Like CASL, the GDPR focuses on users giving affirmative consent to the collection of their email address for marketing purposes. Under the GDPR, consent must be "freely given, specific, informed and unambiguous."

The GDPR requires users to provide "a statement or a clear affirmative action."

This affirmative action indicating consent may include checking a box on a website or "another statement or conduct" that clearly indicates permission to the data processing. "Silence, pre-ticked (checked) boxes or inactivity," are considered insufficient indications of consent under the GDPR.

Thus, consent must be shown by some active rather than passive expression of the user.

Sony uses the following to have users indicate their consent to receiving transmissions of marketing messages. It directly asks whether users want to receive these types of notifications.

If so, users must actively check a box that indicates their consent, as well as their acknowledgement that they understand they may unsubscribe at any time. By clicking "Agree and Create Account," users confirm that they agree to Sony's Terms of Service and have read and understand Sony's Privacy Policy:

Sony account sign-up form with checkboxes for marketing emails and to share personal information

Under the GDPR, not only must you obtain consent from potential customers to receive commercial emails, but you must also provide a simple means for them to unsubscribe from the mailing lists of your business.

Allowing users to subscribe easily and to unsubscribe easily are equally important for complying with the GDPR.

The Strat-O-Matic Game Co. includes a blue highlighted link in its emails to customers that allows them to opt out using a third-party service. Users are taken to a page where they click a box to easily unsubscribe.

Strat-O-Matic Game Company: Email footer with unsubscribe opt-out link

Use of Data Only for Intended Purposes

Simply because users affirmatively opt-in to your Terms of Service which may include receiving promotional emails, it does not mean that your business may freely use personal data without limitation. For purposes of GDPR compliance, you must ensure the personal data you are processing is:

  • Adequate - Sufficient to properly fulfill your stated purpose,
  • Relevant - Has a rational link to this purpose, and
  • Limited to what is necessary - You retain no more data than necessary for your purpose

Art Fire lists in detail the sixteen specific purposes for which personal data is used. Here is an example of how it uses personal data for one of these purposes - advertising:

Art Fire Privacy Policy: Advertising clause

The Privacy Policy of And Co provides that it collects, uses, and retains personal information for limited purposes. It also states that "We will only use your Personal Information for the purposes described in this policy or in accordance with your express consent."

And Co Privacy Policy: We collect, hold and use your personal information for limited purposes clause

DailyLit's Privacy Policy contains a statement stating what the company will never do with a user's email address as well as when it may be shared and how a user can remove an email address from DailyLit's access.

DailyLit Privacy Policy: Your email address clause

Under the GDPR, you may only use the personal data for a new purpose if the use is compatible with your original purpose, you receive consent, or there is a clear legal basis.

Data Retention And Security

As a business owner, you may only retain data for as long as it fulfills your stated purpose. While any personal data is in your possession, you must ensure its accuracy, as well as protect its confidentiality. You must take responsibility for how you use the data and comply with other principles contained in the Regulation.

Take-Two uses a Data Retention clause to describe how long it will retain data. The retention periods include:

  • As long as the account is active
  • As needed to provide services
  • To administer services

Take-Two Privacy Policy: Data Retention clause

Take-Two discloses how users may request that the company discontinue use of their personal data.

QVC notes in its Privacy Policy how it uses a third-party program to protect its customers' personal information:

QVC Privacy Policy: How do we protect our customers' personal information - security clause

Because of the broad applicability, rigorous standards, and severe financial penalties of all three acts, companies that do business anywhere in North America and the European Union must implement necessary compliance procedures to meet the requirements of international privacy laws that include CAN-SPAM, CASL, and the GDPR.

A core policy of both the GDPR and CASL is that a website business may not send commercial electronic transmissions unless the recipient affirmatively opts in. In contrast, CAN-SPAM generally allows a web merchant to send commercial electronic transmissions until the recipient affirmatively opts out.

If you hope to or already conduct business on an international level, it makes sense to formulate and implement the most comprehensive Privacy Policy possible.

This Privacy Policy should include provisions that require:

  • Adhering to an email marketing policy based on the recipient's affirmative consent
  • Sending electronic transmissions that never contain any false or misleading information
  • Full disclosure in all electronic communications about their true content
  • Providing a procedure to withdraw consent so that recipients may easily and quickly opt out of any further messages
  • The management and protection of all personal data