How to comply with data privacy laws?
Data privacy laws specifically require your attention as an online marketer. In the US, the most important one is the CAN-SPAM Act (and the CCPA for California). And if your business collects data from the residents of Canada or the EU, their laws (CASL and GDPR) also apply to you. All these laws determine what you can and can’t do in your email marketing. Let’s go through their requirements and see what you can do to comply with them.
The information contained on this webpage and website is provided for informational purposes only, and should not be construed as legal advice on any subject matter. You should not act or refrain from acting on the basis of any content included on this webpage and website without seeking legal or other professional advice.
The CAN-SPAM Act
The main goal of the Act is to define what spam is. And we’re not talking about getting sent to the spam folder. We’re talking about getting fined big time. But the Act provides clear guidelines, so complying with it should not be a problem.
So, what are the rules here?
- Don’t try to fool the recipient. Your header must have the correct information, and your subject line must accurately represent the email's contents. If any of those are misleading, it violates the Act.
- Don’t force your marketing upon recipients. Always ask for consent before sending your emails. And if you send your campaign to someone other than your subscribers, make it crystal clear that the email is an ad.
- Give the recipients information and options. You must include two things in every email: the physical address of your company and an option to unsubscribe. Make sure that the address is valid and that you unsubscribe those who request it within ten days.
If you’re mailing people who live in California, the CCPA applies to you. For email marketing, it builds on the CAN-SPAM Act using the wording of the GDPR (we’ll talk about GDPR later). So it’s not a big deal to comply with the CCPA if you’re already familiar with the other two laws.
What’s the difference?
- The CCPA considers not only users’ email addresses but also their engagement rate and personal information. All the data regarding users' open and click rates must be deleted along with their email addresses if they wish to opt out.
If you have any marketing communications with residents of Canada, the CASL applies to you. It’s a local spam law that regulates email marketing, and it’s very similar to American laws.
What to keep in mind?
- The CASL demands that you ask permission before emailing and tell the recipients that they can always opt out.
- The company must keep records of consent.
- The CASL requires you to include your company’s name, address, and unsubscribe instructions in your emails and the consent form.
The most extensive data privacy law ever, the GDPR, is the European Union’s initiative. If you collect data from EU residents, you are under the GDPR’s jurisdiction. Regarding email marketing, the GDPR wants you to follow the same principles as the American and Canadian laws.
When mailing EU residents:
- Active consent is a must. You can’t just assume that the recipient agreed to receive your emails or pre-tick the consent checkbox for them. Either they do it, or you don’t email them.
- The company must keep records of each user’s consent.
- You can only email people what they subscribed to. If someone subscribed to your newsletter, you can’t send them sales emails.
- It must be equally easy to subscribe to and unsubscribe from your emails.
As you can see, all of the data privacy laws above have a lot in common. The requirements make sense if you’re not a spammer, so following them is both compliance and basic marketing hygiene. The consequences of violating these laws are more severe than just fines: your audience might remember that you failed to respect and protect their private information. And breaking your trusting relationship with the audience is the last thing you want to do.