Here's what you need to know.
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
- 2.1. California Online Privacy Protection Act (CalOPPA)
- 2.2. Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
- 2.3. General Data Protection Regulation (GDPR)
- 2.4. Personal Information Protection and Electronic Documents Act (PIPEDA)
- 4.1. Website Footer Link
- 4.2. Sign-Up Form Link
- 4.3. Linked to Each Newsletter
- 5. Conclusion
While you might think of a newsletter as you providing information to the reader, by definition you need to collect and store the reader's email address so that you can send the newsletter.
An email address counts as personal data under most relevant privacy laws and regulations and is therefore enough to trigger requirements for Privacy Policies.
California Online Privacy Protection Act (CalOPPA)
CalOPPA applies to any commercial website or online service that collects personal data about an individual consumer who lives in California. It doesn't matter where the site is based.
An email address meets the law's criteria of being "personally identifiable information."
- Telling users if and how they can review and edit their stored personal data
- Telling users if you will pass on data to other parties
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
CAN-SPAM's applicability is determined by putting email messages into three categories:
- Commercial (for example, for advertising or promotion)
- Transactional or relationship (for example, for updating a customer about an order they placed)
- Other (for example, a newsletter about a particular topic)
CAN-SPAM applies if the primary purpose of the message is commercial.
If a message contains content that falls into more than one of the categories, CAN-SPAM's applicability depends on factors such as how much space is given to each type of content, the order in which the different types of content appear in the message, and the subject line.
Some of the requirements of CAN-SPAM are specific to sending emails: for example, you must accurately identify who is sending the message, identify when a message is an advertisement, and avoid deceptive subject lines.
General Data Protection Regulation (GDPR)
The GDPR covers the use of data relating to an individual who can be directly or indirectly identified. This means the data itself could identify the person, or that the data can combine with other information to identify them.
Although the GDPR is a European Union law, it doesn't matter where the data is physically stored or processed. Instead, the GDPR applies when:
- The organization that processes the data operates in a European Union country, or
- The organization that processes the data offers goods or services to individuals who are in a European Union country
Processors must follow six principles under the GDPR when collecting and processing personal data. These are:
- Process data lawfully, fairly and transparently
- Only collect data for a stated, lawful purpose
- Only collect the minimum amount of data necessary for the stated purpose
- Make sure the stored data is accurate and update it if needed
- Delete data when it's no longer needed for the stated purpose
- Protect the data against unauthorized access, modification or deletion
This example from MedMastery details compliance with the GDPR:
Note how it mentions that MailChimp is used to send out emails, and specifically makes mention of the GDPR and its legal bases for sending out its newsletter.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA generally applies where a private sector organization in Canada collects or processes personal data while carrying out a commercial activity. Key exceptions include:
- Organizations already covered by general data privacy laws in Alberta, British Columbia or Quebec
- Organizations already covered by health data privacy laws in Labrador, New Brunswick, Newfoundland and Nova Scotia
- Non-profit groups, charities and political parties (unless engaged in commercial activities that aren't related to the group's main purpose)
- Some federal government organizations
PIPEDA always applies if data is passed across provincial borders or shared internationally. It also always applies to federally regulated organizations.
While most personal data is covered, including personal email addresses, PIPEDA doesn't cover a business email address that's collected and used only for communicating in relation to the person's job. However, a newsletter won't qualify for this exemption because it is a general communication rather than written specifically for one person.
PIPEDA requires the organization collecting and handling data to follow 10 detailed principles. As an overview, the organization must do the following:
- Designate a staff member to be accountable for complying with PIPEDA
- Decide and explain why it is collecting the data
- Get the consent of the individual to collect the data
- Collect only data needed for the stated purpose
- Only use the data for the stated purpose and delete it when no longer needed for that purpose
- Make sure the data is accurate, up-to-date and complete
- Safeguard the data against security risks
- Let the individual check and correct the stored data
- Let the individual challenge any non-compliance
- You collect and store email addresses (and any other collected data)
- You use the email addresses for sending out your newsletter
- Whether or not you share the email addresses with anyone else
- How the user can request that you delete their email address from your records
- How often you will send newsletters and a general outline of what they will and won't include
- Exactly how the user can unsubscribe from the newsletter
- Whether and how the user can unsubscribe from the newsletter but still have you keep their address on file, for example for dealing with their online orders
This example from MySociety shows how it includes information about the newsletter in its general clause about what information the company collects:
It also includes an informative clause for how to go about unsubscribing from the newsletter:
Remember to also include an unsubscribe link at the bottom of every email newsletter you send out.
- Your website footer
- In the email newsletter sign-up form or landing page
- In each email newsletter you mail out
Website Footer Link
Your users know to look here, and it will be available on every page of the website for easy access.
Here's a standard example of a footer menu from Co-op:
Sign-Up Form Link
This is an important step if you have users in the EU as it complies with the GDPR's requirements for obtaining consent.
Linked to Each Newsletter
Here's an example from Comcast:
Let's recap what you need to know and do if you have an email newsletter.
- Simply collecting a customer's email address counts as collecting personal data and triggers a range of legal requirements for Privacy Policies depending on your location and that of your subscribers. Become familiar with specific laws you may fall under.