Ever received an unwanted email from a company you never requested info from and wondered where the heck they got your email address from? What is the legal standpoint on protecting the recipient?
It happens to me so often, especially here in the US, with unwanted emails or phone calls from companies offering their financial services, software or any other kind of things I don’t want or need. Well, the good news is that countries all around the world have already realized it is necessary to do something about it and protect their citizens from receiving unwanted emails/phone calls/text messages. But, as with most good news, it comes with bad news too. It can be very complicated to keep up with all those rules, regulations, and laws governments around the world come up with. What is allowed in one country doesn’t necessarily have to be ok in another, and vice versa.
This two-part article will provide you with answers to some of the most frequent questions we hear from our customers regarding international email laws. Disclaimer: Although this article is designed as a guide to help make sure your email marketing activities comply with the law, do check with current legislation, as laws change every day.
1. If I send messages outside my country, do I need to comply with the local laws of the countries my subscribers are based in?
Along with your national anti-spam law, you must comply with international regulations based on where your subscribers come from. For instance, if your company is based in Canada but does business within the United States and United Kingdom as well, not only do you need to make sure you comply with Canadian anti-spam regulations, but with American and British ones too.
2. Do I need to get approval from the people I am going to email?
This depends highly on where your potential subscribers come from. Once again, imagine your company is based in Canada but your addresses are from the US or UK. According to anti-spam law in the US, you don’t need to have prior consent from the users you are going to email. However, under local law, it is necessary to get approval from Canadian and British recipients. To make things less complicated, isn’t it easier to implement an opt-in process that leaves the decision about whether to start receiving your commercial emails in the hands of the user?
Now, let’s look at what different countries have to say about emailing people with/without their prior consent.
Under the CAN-SPAM act, the sender of commercial email messages does not have to obtain prior permission from their recipients. That being said, marketers can use publicly available sources of information on the Internet to obtain details about those they want to email (unless those sources explicitly prohibit the use of their email addresses).
According to Canada’s anti-spam legislation, it is possible for marketers to send commercial email messages to people who gave them “express” or “implied” consent. By “express” consent, the law understands subscribers who clearly expressed (orally or in a written form) their approval to receive commercial email messages from you. It could be by ticking the box “I want to receive monthly newsletters” or providing their email addresses in a newsletter subscription form.
Note that these consent requirements are currently under a three-year transition period that concludes on July 1, 2017. Once this period is over, marketers may only email people who have given their “express” consent, meaning those who have taken an action to opt-in. Marketers all around the world now run “express consent campaigns” that should allow them to convert “implied consent” subscribers to “express consent” ones.
EU Member states
Article 13 of the Directive on Privacy and Electronic communications (EC Directive) clearly states that commercial emails can only be sent to recipients who have previously opted-in (ticked a box, fill out an email address…). On the other hand, if a user has previously purchased a product or a service from the company, this existing business relationship may also be considered as their consent. You just need to make sure that the possibility to opt-out during the purchase process is in place.
One thing you should know is that the EC Directive only specifies the minimum that needs to be done by each EU member state. Countries such as Germany have transposed it into their national legislation in a much stricter way than what the EC Directive orders.
According to Spam Act 2003, a sender must not send unsolicited commercial electronic messages that were either sent from Australia or delivered to a computer located in Australia. Under this law, it is possible for marketers to send commercial electronic messages to people who gave their “express” consent (see the explanation above for Canada’s anti-spam law) or their consent can be deduced from existing business or another relationship between the recipient and the sender. The law also covers so-called “designated commercial messages” where no prior consent is required.
Now, even though having prior consent is not mandatory everywhere (e.g., U.S., Brazil, Argentina, Russia), letting people actively opt in is always a better and safer option for your business. This way, you make sure your emails are only delivered to people who really want to hear from you.
Sending emails to users who have never heard about you and did not sign up for your emails can result in lower open rates, higher unsubscribe rates, a database of subscribers that changes a lot over time, and bad sender reputation, as people will report your messages as spam. Quality over quantity—this is what you should keep in mind.
3. Are pre-checked boxes under my online forms enough to express a user’s consent to subscribe to my newsletter?
Again, this depends on where you are planning to send your commercial messages. In plenty of countries, such as the United States, it is OK to use pre-checked boxes to add people to the mailing lists automatically (see the example on the right), in others, users must actively check off the boxes to express their consent to opt in.
According to these countries (amongst them, e.g., Canada, Germany and Australia), you cannot presume consent with a pre-checked box. Users need to perform a positive and conscious action to opt in (see the example on the left). This approach definitely stresses quality over quantity — on one hand, your email list will grow more slowly, but on the other, it will contain subscribers who really want to hear from you.
The most extreme scenario would be to ask users to check off the box (take a “positive action”) if they don’t want to start receiving commercial electronic messages. In my opinion, this is a very misleading behavior, and I am sure nobody wants to grow their mailing lists this way.
4. Am I required to implement a double opt-in confirmation process?
With a single opt-in, a new email subscriber can start receiving commercial messages immediately after entering their email address into the sign-up box. Double opt-in, on the other hand, requires that the subscriber confirms he/she is the owner of the email address. This is usually done by clicking a special link in an email delivered after the email address has been provided in the sign-up form.
Now, both approaches do have their pros and cons.
- Single opt-in allows you to grow your email lists quicker, but you need to be aware that the list may contain plenty of fake or misspelled addresses. In the worst-case scenario, you can be reported as a spammer because someone’s email address was entered without their consent.
- Double opt-in allows you to create a healthier mailing list that will lead to lower unsubscribe rates and better sender reputation. On the other hand, your email list will probably not grow as fast as it would with the single opt-in.
I am sure you understand why the double opt-in process is highly recommended BUT it is not mandatory under any international law. While working on this text, I have come across articles claiming that Germany is the only country that requires a double opt-in confirmation process, but according to Certified Senders Alliance, this does not seem to be correct. “There is no statutory obligation to use the double opt-in process,” they state.
5. What type of information can I ask for in my sign-up forms?
The number and type of fields you include in your sign-up forms depends on what type of business you are and what information you’d like to collect about your subscribers.
Typically, you require their email address, right? Additionally, you can ask for your subscriber’s first and last name, which can be useful if you want to do some First Name personalization. But… be careful about whether to make those fields mandatory, because one day, you could send an email starting with “Hello I don’t want to give my name”.
Currently, there is no law that would prohibit you from collecting any data you want in your sign-up forms. Possibly the closest to making changes to this approach are Germany, Austria, and Switzerland. According to the guidelines for marketers released by Certified Senders Alliance, it should not be necessary to ask for more information than the email address. Any additional data may be given on a voluntary basis but not required.
6. How long can I email people who gave me their consent?
When considering the period during which you can send commercial emails to your subscribers, you should always keep in mind whether the user gave you express or implied consent.
Express consent is not time-limited, and you can email users until they unsubscribe.
Now, even though there is no such law that would prevent you from emailing subscribers who actively opted in, there is one thing I would recommend: check your mailing list periodically and remove unengaged subscribers in order to keep your database clean. There is no point in continuing to email people who have not interacted with you (opened, clicked links, or replied to your emails) in the last X months. If removing sounds too drastic, you can try running special email campaigns to engage unengaged subscribers. I am sure you have already received messages like “We miss you” or “We are unsubscribing you”, both aimed at unengaged subscribers with one common goal: make them feel like they want to get in touch with you again. I just love the way Banana Republic tried to win me back. “Are we in the right inbox?” That is a heck of a subject!
Now, unlike express consent, implied consent should generally be time-limited. Most of the anti-spam laws I looked into do not speak about the period of validity of consent at all, but there are exceptions. One of them is Canada’s anti-spam legislation, which states that the implied consent expires 24 months after the relationship between you and the user was initiated (by the purchase of goods, etc.). It seems to be a reasonable time-frame.
Another thing to consider is whether to start emailing users whose consent you got some time ago but whose email addresses you haven’t used for any email marketing activity so far. German Certified Senders Alliance mentions in its guidelines for marketers that consent which has not been used for more than one and a half year should no longer be valid. Once they have provided their email address, people only expect to hear from you now, not in a year from now when you have already been forgotten.
I hope this article provided you with some useful information on the subscription process and what you need to do in order to comply with email opt-in laws.
Disclaimer: The purpose of this article is to provide you with a general overview of anti-spam laws around the world. It should not be interpreted as legal advice. We recommend contacting your lawyers for legal guidance on specific cases.
This article was originally published on the Kentico Blog.