Email laws and regulations

Anagha Venugopal
Technical Content Writer

For someone who runs an online store, emails are crucial in establishing long-lasting customer relationships and improving sales. However, your email strategy doesn’t end after drafting a catchy email with good copy and design. There is an underlying caveat that is often overlooked when sending emails: the laws and regulations that govern them. They differ from country to country, so having all the checks in place is crucial to ensure strict compliance.

Email laws are highly nuanced and complex, and this blog aims to simplify them and give you a head start if you are new to this area. For more specific legal details, I advise you to visit the websites of the governing bodies. So with that in mind, let’s begin.

CAN-SPAM – United States

CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003) is a US law adopted in 2003. Enforced by the Federal Trade Commission (FTC), this law protects consumers and businesses from unwanted emails. It gives them the right to ask you to stop emailing them, and it sets the rules for commercial and promotional messages and emails.


To know whether CAN-SPAM applies to your email, you need to determine the “primary purpose” of that email. CAN-SPAM divides emails into three categories based on their primary purpose.

Categories of emails as per CAN-SPAM

  • Commercial content – The primary purpose of such emails is commercial or promotional. They must comply with CAN-SPAM regulations.
  • Transactional or relationship content – The primary purpose is personal or transactional (payment confirmations, user manuals, etc.), or the email delivers content the recipient has already agreed to receive. As long as the email contains no misleading or false information, it is exempt from the CAN-SPAM rules.
  • Other content – Email that does not belong to either of the above categories.

What if marketing content creeps into your transactional mail?

It boils down to the primary purpose of your email. If the recipient, on reading the subject line, would conclude that the email is commercial, then it has to comply with CAN-SPAM. Similarly, if promotional content appears at the beginning of your email, ahead of the transactional content, the email must abide by the rules.

CAN-SPAM – Main guidelines

  • Your header information must not be false or misleading: The email header is the first thing that catches the recipient’s attention, so it is essential that it contains accurate information and the recipient knows what to expect in the mail.
  • Subject lines must not be deceptive: Your subject line should unambiguously reflect the content of your email.
  • Tell recipients if your email is an ad: You can do this in several ways, but your mail must disclose it clearly, with no room for misinterpretation.
  • Share your location with the recipients: For your mail to stay compliant with the CAN-SPAM Act, you must include a valid postal address.
  • Provide an option to opt out of your emails: Your email must tell the recipient how to unsubscribe from your emails. Place the opt-out option where it is easy for the recipient to notice.
  • Honor the opt-outs: Once a recipient requests an opt-out, you must honor it within ten business days. Recipients must not be charged, or asked to divulge personal details, in order to opt out.
  • Third-party compliance: If you have assigned an agency to handle your emails, monitor them and ensure they comply with the laws and regulations. You still share the legal responsibility if the agency violates the rules.

GDPR – European Union

GDPR, which came into effect in 2018, is one of the strictest privacy laws in the world. It applies to organizations wherever in the world they are located, so long as they collect data relating to people in the EU.

It also makes no distinction between types of business: the rules apply to every organization that handles the data of people in the EU, whether B2B, B2C, for-profit, or non-profit. It gives consumers complete control over their data and regulates how companies use personal data.

Let’s now look at a few legal terms defined by GDPR to understand the law better.

  • Data subject: The person whose data is being collected and used.
  • Data controller: The party that decides how and why the data is processed. In practice, this refers to the company’s owner.
  • Data processor: Any third party you have assigned to handle your consumers’ data, such as an agency or a cloud storage service.

“It is the data controller’s responsibility to ensure that data handling complies with GDPR. The data controller will be equally liable if a data breach happens at the hands of a data processor.”

Consent is king

  • Consent must be unambiguous, freely given, informed, and specific.
  • When requesting a subject’s consent, do so in plain language, in a way that is clearly distinguishable from other content.
  • Data subjects have the right to withdraw previously given consent. When they do, it is the data controller’s responsibility to honor the withdrawal.
  • You should keep a record of the consent given by each subject.
  • When obtaining consent from children under 13 years of age, permission from their parents is mandatory.

GDPR-compliant emails – Essential guidelines

Data security and protection: GDPR requires “data protection by design and by default.” Organizations should encrypt their emails and adopt other organizational measures to limit the damage if a data breach occurs. You can enable two-factor authentication on the accounts where data is stored. Additionally, you can train your staff in data management and grant data access only to the employees who actually handle it.

Email retention: Article 17 of GDPR states that, when asked to do so, a controller must erase any data concerning a data subject without delay. To stay GDPR compliant, review your email retention policy and periodically remove any personal data that is no longer required.

Marketing and spam: GDPR does not prohibit marketing emails, but they must satisfy specific criteria to avoid a hefty fine. Consent is of utmost importance in marketing emails. A marketing email must include an unsubscribe option, must be sent only to people who signed up for it, and must not advertise products or services unrelated to those the recipient has used.

Transactional emails: For your transactional emails to be GDPR compliant, they must not include marketing content, and you should send them only when there is a genuine need to do so. When your emails contain a subject’s data, you must process it according to the data processing principles laid out by GDPR, in a “lawful, fair, and transparent” manner.

The Privacy and Electronic Communications Regulations (PECR) – UK

Post-Brexit, the UK has retained GDPR in the form of the UK GDPR. However, marketing through email and other electronic communication falls under the purview of PECR. PECR applies to you even if you are not processing any personal data through your email. The Information Commissioner’s Office (ICO) is responsible for enforcing PECR.

What are the implications if you breach PECR?

PECR is a set of rules covering many areas, but here we will look only at its impact on email.

PECR-compliant emails – A checklist

  • You should send emails to customers only if they have specifically consented to receive emails from you.
  • You can email an existing customer who has already purchased a product or service. But make sure to give them a simple and conspicuous way to opt out, both when collecting their details and in every email you send.
  • You must not disguise or conceal your identity, and you must provide a valid contact address.
  • There must be an option to unsubscribe or opt out of your emails, and you must honor opt-outs promptly.
  • You must keep a list of people who have chosen to unsubscribe from your emails and make sure not to send emails to anyone on this ‘do-not-contact’ list.
  • You should not ask people to divulge the contact details of their friends or family. Even if you obtain such details this way, you are advised not to email those people, because their details were obtained indirectly.

Wrapping up…

Complying with these laws keeps your email within the permissible limits of customer privacy, which in turn reduces the likelihood of recipients unsubscribing or marking your email as spam. The privacy and consent of every individual are paramount. If you frequently wade into these sensitive areas, respecting the boundaries in place is crucial to upholding your credibility.
