Digital marketing can be an affordable and straightforward way to reach people, but if you breach the rules it could be extremely expensive. That's because a series of laws and regulations around the world restrict how you can gather and use email addresses and other information.
While the details of the rules vary, following the general principle of always getting informed, meaningful consent will go a long way when it comes to your digital marketing campaigns.
We'll explain what you need to know, and what you need to do about it here.
- 1. Overview of Consent and Digital Marketing
- 2. Laws that Affect Digital Marketing
- 2.1. The ePrivacy Directive
- 2.2. Canada's Anti-Spam Law
- 2.3. CAN-SPAM
- 2.4. General Data Protection Regulation (GDPR)
- 3. Penalties For Breaching Digital Marketing Rules
- 4. Key Points in Getting Consent for Digital Marketing
- 4.1. Informed Consent
- 4.2. Active Consent
- 4.3. Specific Consent
- 4.4. Withdrawing Consent
- 5. Other Considerations
- 6. Summary
Overview of Consent and Digital Marketing
When you use digital marketing, you must take into account two different types of legal restrictions relating to consent.
Firstly, you need to follow specific laws on email and digital marketing. This includes laws designed to combat spam. Having consent to send email is usually the key requirement for such laws.
Secondly, you need to follow general laws on data privacy. These cover the way you obtain, store and use personal information. In most cases, an email address counts as personal information, particularly when you link it to other customer information.
Laws that Affect Digital Marketing
Let's run through some of the key laws that you may need to follow. Remember that some of these laws are enforced in one country but can affect businesses in other countries.
The ePrivacy Directive
The ePrivacy Directive is formally known as the Privacy and Electronic Communications Directive. It's a set of European Commission rules which all EU member countries (and former member country the United Kingdom) have incorporated into their own national laws. Although the precise wording of these laws varies from country to country, the general principles and rules are consistent.
Broadly speaking, the rules cover any communications using a telephone network or the internet. They only cover communication aimed at specific recipients rather than public information such as a web page.
The precise geographic scope of the directive is often disputed. It will definitely apply if you send a message from a country which has put the directive into law, or if you process data in such a country. If you are based outside of the EU, it's still safest to follow the directive when contacting people in Europe. That's because breaching the directive will almost certainly breach the GDPR as well (see below).
The main rule is that you can't send electronic communications such as emails or text messages unless either:
- You have specific consent from the recipient, or
- The recipient is a current or former customer who hasn't taken advantage of an opt-out mechanism
The European Union is working on replacing the ePrivacy Directive with an updated Regulation. This would likely remove the rule about current and former customers, instead making all unsolicited emails and text messages unlawful.
Canada's Anti-Spam Law
This 2010 law applies to any commercial electronic message sent to a Canadian recipient. The sender's location doesn't matter.
CASL's key requirements are:
- Get consent before sending a commercial electronic message. (Usually this must be express consent, though in very limited circumstances it can be implied.)
- Identify yourself in the email
- Give the recipient a straightforward and obvious way to withdraw consent for receiving future messages (an "unsubscribe" option)
CAN-SPAM
Known formally as the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, this is the key U.S. national law relating to emails and other electronic messages.
It broadly covers any commercial message, meaning one that promotes a product or service (even if there's no charge). It doesn't matter if the recipient is a consumer or a business.
CAN-SPAM doesn't cover transactional emails such as a sales receipt or a shipping confirmation.
The law is primarily about honesty rather than consent. For example, it says your sender information (such as the details in the "From:" field) must be accurate and subject lines must not be misleading.
CAN-SPAM allows messages sent on an opt-out basis. This means you don't have to get consent to start sending messages. However, if somebody does ask you to stop sending future messages you must do so.
You must give your postal address in every message along with clear and actionable details of how to opt-out. Recipients must have at least 30 days to make an opt-out request after any message you send. When they do opt out, you must stop sending messages within 10 days.
General Data Protection Regulation (GDPR)
The GDPR is a European Union regulation, meaning it has legal effect in all EU member countries. (The GDPR's measures also still apply in the former EU member country the United Kingdom at the time of writing.)
The regulation covers any processing of personal data where the processor, the data subject (the person the data is about) or the processing itself is in an EU country. Processing covers any use of personal data, including collecting it.
Digital marketing comes under the GDPR because you inherently need to collect and use personal information such as an email address.
The key requirement is that you only process personal information when a specific legal basis applies. The most relevant for digital marketing is consent.
You could also rely on the "legitimate interests" basis but this may not apply because, without consent, it's unlikely your business interests in digital marketing will outweigh the recipient's data rights under the GDPR.
Penalties For Breaching Digital Marketing Rules
Breaching laws and regulations on digital marketing can prove costly. Maximum penalties include:
- ePrivacy Directive: Varies from country to country. For example, in the Republic of Ireland (where many overseas businesses use data centers) the maximum fine is $250,000.
- CASL: $1 million (Canadian) per violation if you are an individual and $10 million (Canadian) if you are a business.
- CAN-SPAM: $16,000 for each email that breaches the rules. (Each recipient counts as a separate email even if you send the same message to many people.)
- GDPR: €20 million or four percent of global annual turnover.
With most laws on digital marketing, authorities have powers other than fines. This can include a temporary or permanent ban on certain activities, including sending marketing emails.
Key Points in Getting Consent for Digital Marketing
While the precise wording of laws varies, the following are common requirements in making sure you get legally valid consent to send emails and other digital communications.
Informed Consent
Most spam and privacy laws that require consent say that consent must be informed. In other words, the user must understand what their consent means and what will happen after they give it.
At the very least, you should tell the person:
- What type of messages you will send. (It's helpful to give an idea of how often you'll send them.)
- Who you are and how to contact you
- Whether you'll pass on the user's email address or other details to a third party
Active Consent
While the precise rules vary across different laws, you can usually only rely on consent that is active. This means the user has taken a clear action that shows they give consent.
You cannot usually use an opt-out mechanism where you assume consent unless the user indicates otherwise (except where CAN-SPAM is the only law that affects you).
As laws evolve through regulatory rulings and court interpretations, the general trend is towards requiring more certainty that the user has given consent. This means you should not use measures such as a checkbox or a toggle where the default setting is to give consent. There is too much risk that users either don't spot this setting or click through by accident.
The safest way to ensure active consent is through a double-action mechanism. One way is to require the user to check a box or switch a toggle, then click a separate confirmation button.
One Place's signup actually requires three actions. The user needs to type in an email address, tick at least one specific newsletter to sign up to, and click the 'SIGN UP' button:
Another option is to collect the user's details, then send a message with a confirmation link that they must click to complete the sign-up process. This also helps deal with cases where somebody mistakenly (through a typing error) or maliciously signs somebody else up to a mailing list.
Accelera uses an email confirmation link:
Specific Consent
Most privacy laws say consent is only valid for a specific purpose. This means you can't get blanket consent to use somebody's data in any way you like.
With digital marketing, this usually means consent only covers holding the email address or phone number and sending emails of a specific type. You must get separate, specific consent for different uses.
These could include:
- Sending marketing messages rather than transactional messages
- Digital profiling, for example by analyzing which links a particular user clicks in marketing emails and using this information to customize what messages you send them
- Disclosing contact details to a third party
The Open clearly explains that signing up to "exclusive offers and promotions" will not only mean consenting to receiving such messages, but also to their details being shared with third parties:
The BBC explains the ways it will use data:
Withdrawing Consent
Privacy and spam laws usually say users must:
- Have the right to withdraw consent
- Know how to exercise this right
- Be able to exercise this right easily and without unnecessary expense or hassle
The safest way to make sure you comply with all laws is to include a clear explanation of this right (and a link to exercise it) at multiple stages including:
- At the point the user consents to digital marketing
- In any promotional messages you send
Make the process as simple as possible. Usually this should require a maximum of two clicks: one to trigger the withdrawal and one to confirm it.
Do not make the process unnecessarily complicated to try to deter a user. If you present the user with a survey, for example asking why they have unsubscribed, do not make it mandatory to complete the survey as part of the withdrawal process.
Frontier uses a dedicated web page to go into full detail about the process and consequences of withdrawing consent:
Other Considerations
A user's email address is normally classed as personal information, particularly when combined with other information that relates to, or identifies, an individual.
This means you'll need to follow other rules beyond gaining consent:
- Secure the email address and related information. This may require a combination of physical, organizational, and technical measures. Only allow staff access to the information where necessary.
- Check specific laws before passing on an email address to a third party, whether or not you receive anything in exchange.
- Only collect an email address, and only link it to other data about an individual, where necessary for the purposes you listed when getting consent.
- Make sure somebody in your organization is specifically responsible for the way you follow these rules.
Summary
Let's recap what you need to know and do to get suitable consent for digital marketing.
- Digital marketing comes under two types of rules: those specifically covering messages such as emails and texts, and those covering personal data privacy.
Such rules include:
- The ePrivacy Directive
- Canada's Anti-Spam Law
- The US CAN-SPAM Act
- The GDPR
- Each has rules on commercial messages sent electronically, with a range of financial penalties.
Most such rules have a broad requirement to have consent to send commercial (marketing) messages. To comply with such rules you should:
- Make sure consent is active, meaning an opt-in system with no room for ambiguity about the person's intentions.
- Make sure consent is specific, meaning you and the person know exactly what they are consenting to.
- Make sure people know they can withdraw consent and how to do so. Make sure this is a simple process.
- You'll also need to follow broader privacy rules such as securing personal data, only sharing data in a lawful manner, and having a staff member responsible for data protection.