Legal Aspects of Email Marketing

While email marketing and other aspects of Internet businesses can sometimes feel like you are operating in the Wild West, email marketing is regulated in the United States, Canada, Europe and in some other developed countries. You will want to learn about your country’s specific regulations regarding email marketing, so you can stay in compliance with the law and avoid getting hit with hefty penalties for unknowingly committing violations.

Before we dive into some of the regulatory environment surrounding email marketing, I should disclaim that I am not an attorney or any kind of legal expert. I believe I have a good understanding of the laws that impact email marketing, but a competent attorney or the government may have a different understanding of the law than I do. If you are planning on doing anything that may skirt the edge of any of the laws mentioned in this chapter, please seek the advice of a competent legal professional.

CAN-SPAM Act of 2003 (United States)

Congress passed the Controlling the Assault of Non-Solicited Pornography And Marketing Act in 2003, better known as the CAN-SPAM Act. CAN-SPAM establishes a basic set of rules for all commercial email. Each separate violation of the CAN-SPAM Act can result in penalties of up to $16,000, so it’s important to make sure your messages stay compliant with the law.

The Federal Trade Commission has put together a guide for businesses titled “CAN-SPAM Act: A Compliance Guide for Business,” which is located at

The guide outlines the main requirements of CAN-SPAM and provides a series of frequently asked questions that clarify different components of the legislation.

I recommend every mailing list owner in the United States read this guide. Here are some of the main requirements of CAN-SPAM listed in the guide:

1. Don’t use false or misleading header information

Your “From,” “To,” “Reply-To,” and routing information—including the originating domain name and email address—must be accurate and identify the person or business who initiated the message.

2. Don’t use deceptive subject lines

The subject line must accurately reflect the content of the message.

3. Identify the message as an ad

The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.

4. Tell recipients where you’re located

Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.

5. Tell recipients how to opt out of receiving future email from you

Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.

6. Honor opt-out requests promptly

Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personal identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request.

Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.

7. Monitor what others are doing on your behalf

The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.

There have been a small number of criminal indictments under the CAN-SPAM Act of 2003 since its passage. To date, only a handful of large-scale spam operations have been targeted by the Federal Trade Commission.

Most email marketers probably don’t need to worry much about the FTC knocking on their door over a violation, but you should still ensure your mailings follow the CAN-SPAM Act. The rules outlined by the Federal Trade Commission are straightforward and very easy to follow. Be honest about who you are, where your business is located, and the content of your messages. Provide clear opt-out instructions and honor opt-out requests promptly. Do these two things, and you probably won’t have much to worry about.

Interestingly enough, the CAN-SPAM Act of 2003 doesn’t actually outlaw spam. The legislation does not require commercial email senders to get permission before emailing someone. When the legislation was first passed, some referred to it as the “You Can Spam” Act, because it didn’t do anything to limit the amount of spam that people receive.

The CAN-SPAM Act also generally only applies to people living in the United States. Many spammers are located in developing countries around the globe, which makes it extremely difficult to take any legal action against them. Because of the limited jurisdiction of the CAN-SPAM Act and its relatively light regulatory burden, spam continues to be a major problem in the United States and the rest of the world.

FTC Endorsement Guidelines (United States)

If you are going to promote another company’s products as an affiliate, you need to be aware of the Federal Trade Commission’s paid endorsement guidelines. Generally, you need to disclose whenever you are getting paid to promote a product or service for another company. Your disclosure must also be “clear and conspicuous” and as close to the endorsement as possible. This means that you shouldn’t try to hide your disclosure in the footer of your messages or in some other inconspicuous location.

The Federal Trade Commission issued a guide in March 2013 that outlines disclosure rules and recommendations for paid digital media endorsements titled, “.com Disclosures: How to Make Effective Disclosures in Digital Advertising”.

Canada’s Anti-Spam Legislation (CASL)

The Canadian Parliament passed the Fighting Internet and Wireless Spam Act (FISA) in December 2010. The legislation, better known by the nickname of Canada’s Anti-Spam Legislation (CASL), went into effect on July 1st, 2014. CASL requires that marketers only send email to individuals who consent to receive messages, with a few exceptions. CASL is arguably one of the most stringent pieces of anti-spam legislation in the world due to its consent requirements and other restrictions put in place by the legislation.

Under CASL, you can only send email to subscribers that have expressly opted in to your mailing list or to recipients that have passively agreed to accept email through some form of implied consent.

For example, you can email anyone that’s purchased a product from you or has done a business deal with you within the last 24 months under the guise of implied consent. There are also a variety of exceptions for recipients that you have an existing personal or business relationship with and for recipients that you need to notify of a product recall, court order, or updates and changes to an existing product or service they previously purchased.

CASL also puts a number of other restrictions on marketers. The legislation requires mailing list operators to have a working opt-out mechanism. CASL also makes it illegal to harvest email addresses using software and to install computer programs without consent. The legislation makes it illegal to alter messages in transit and makes it illegal to use false or misleading representations online in the promotion of products or services.

The legislation is enforced by the Canadian Competition Bureau, the Canadian Office of the Privacy Commissioner, and the Canadian Radio-television and Telecommunications Commission (CRTC). Individuals that violate the legislation can face fines of up to one million dollars, and businesses in violation can face fines of up to $10 million. The law will go into full effect in 2017 when private citizens can take civil action against spammers that violate the provisions of CASL.

If you don’t live in Canada, you might think that the provisions of CASL won’t apply to you. However, if you live in the United States or another jurisdiction and have subscribers in Canada, you need to pay attention to the legislation.

CASL applies where “a computer system located in Canada is used to send or access” an electronic message. This means that CASL will apply if a sender in the United States sends an email to a Canadian citizen who opens it on a computer or smartphone located in Canada.

While it remains to be seen if Canada will try to enforce the CASL outside of its borders through extradition, it’s probably a good idea to stay in compliance with CASL if you are going to have any Canadian customers.

The American Bar Association has published an article that contains additional information about CASL’s implications for citizens in other countries titled “Canada’s Tough New Anti-Spam Legislation: Beware Its Extra-Territorial Reach”.

For more information about CASL and how to stay compliant, visit

General Data Protection Rules (Europe)

The regulatory environment surrounding email marketing changed dramatically in 2018 when the European Union’s General Data Protection Rules (GDPR) went into effect. The primary aim of GDPR was to give consumers control over the personal data that companies have about them and to streamline data protection rules for businesses in the European Union.

The law impacts email marketers because it includes new permission opt-in rules, requires businesses to store proof of consent and requires businesses to provide a method through which consumers can ask to have their personal information removed.

Europe’s General Data Protection Rules are a concern for both European businesses and businesses that have customers in the European Union, because the law was written in such a way that it applies to the data of citizens of the European Union, regardless of where the company is located. This caused many U.S. businesses to scramble to become GDPR compliant when the law went into effect in May of 2018. Other U.S. businesses simply blocked traffic from the European Union because they felt that GDPR’s requirements were unclear and too onerous to comply with.

GDPR’s new opt-in permission rules will perhaps have the biggest impact on email marketers. The law requires that marketers receive freely given, specific, informed and unambiguous consent from a user. This means that users must know specifically what they are signing up for, provide their information to you freely and click a button indicating they want to receive email from you. Soft opt-in methods such as a pre-checked box that opts a user into your mailing list or requiring users to check a box to opt out of receiving email from you are not in compliance with GDPR.

The United States only requires you to not email users that have opted out of your messages under the CAN-SPAM Act of 2003. Europe’s rules are much stricter because you are only allowed to email people that have given you consent to email them. This is one of the few anti-spam laws in the world that actually makes unsolicited commercial email (i.e., spam) illegal. Whether this reduces the amount of spam that E.U. citizens receive remains to be seen.

Under GDPR, you also need to track consent so that you can prove that a user opted in to your mailing list. In practice, this will happen by storing a user’s IP address, browser information and cookie information for auditing purposes. Any email service provider that claims to be GDPR compliant will likely do this for you, so it’s not something you need to worry about as long as you verify your email service provider is tracking proof of consent.

GDPR also allows users to request what information a business has on file about them and allows users to request a business permanently delete their data. This is a true “right to be forgotten” law that requires businesses, upon request, to eliminate any trace of a user’s data from their database. In the first year that GDPR rules have gone into effect, MarketBeat has not received a single request from a user asking for their data to be removed or be provided to them for review.

As of the creation of this masterclass, there is virtually no case law regarding GDPR. This makes compliance with some of the specific statutes in GDPR unclear. For example, does a notice saying “This website tracks your personal data through cookies” constitute the “freely given, specific, informed and unambiguous consent” to gather data that Article 32 of GDPR requires? Or, does a user have to click a specific button that says, “I agree to have my data tracked by this website through the use of cookies for the next 90 days?” As of early 2019, we don’t know the answer to questions like this with any amount of certainty because no GDPR cases have made their way through the courts.

At MarketBeat, we have made a best effort to comply with GDPR rules based off the information currently available regarding the law. We have rewritten our opt-in forms to make it clear what users are signing up for. We have modified our terms of service to include specifics relating to the GDPR. We have set up a special email address for users to send GDPR-related requests to. We are also tracking additional information about opt-in sources to prove user consent if that should ever become necessary. I believe we follow the principles of GDPR, but it would be impossible to prove we are compliant with the letter of the law given the vagueness of some of its requirements.

I suspect that making a best effort to comply with GDPR will be enough for most small businesses, since GDPR appears to primarily target large technology companies such as Google, Facebook, Amazon, Apple and Microsoft. I’m not an attorney, but it’s unlikely that European regulators will come after small businesses that have email lists, especially if they are not located in the European Union. At minimum, spend a couple of hours making sure you are compliant with the broad strokes of GDPR’s requirements for email marketers. If you want to make sure you are totally compliant, you can hire a GDPR to audit your email marketing practices.


While regulations that surround email marketing will vary depending on what country you live in, you probably won’t have a lot to worry about if you follow what I refer to as the three golden rules of email marketing:

  1. Only send email to people that have opted into receiving your messages.
  2. Only send content that you would want to receive if you were a subscriber to your mailing list.
  3. Don’t be deceptive in the content of your messages, and don’t try to hide your identity from your subscribers.

If you only send high-quality, relevant, and honest content to your subscribers and you only email people that have expressly opted in to your mailing list, it’s extremely unlikely that anyone is ever going to get upset with you enough to try to hit you over the head with a civil suit for failing to follow anti-spam legislation. You should still pay attention to your country’s anti-spam legislation and try to follow its provisions, but you won’t have a target on your back if you follow the three golden rules of email marketing.

Action Steps

  • If you live in the United States, verify that your email sending practices comply with the CAN-SPAM Act of 2003.
  • If you live in Canada, verify that your email sending practices comply with Canada’s Anti-Spam Legislation (CASL).
  • If you have subscribers in the European Union, verify that your sending practices are in compliance with the principles of the E.U. General Data Protection Rules (GDPR).
  • If you live in another country, research your own country’s anti-spam laws to make sure you comply with your country’s laws and regulations.
  • Follow the three golden rules of email marketing.

Recommendation: The Best Email Marketing Tools

You must choose the right email marketing tool if you are really serious about email marketing. There are many autoresponders available, so comparing them can be quite challenging.

Many online marketers use ActiveCampaign as an autoresponder to build their campaigns.

My online business depends on ActiveCampaign, which I have used for many years.

ActiveCampaign was founded in 2003. Businesses can connect with customers with its affordable email and marketing automation software.

Today, it offers a powerful email marketing platform and CRM platform with a history of more than a decade, so business owners can easily control email marketing.

My ActiveCampaign review is very comprehensive. Before deciding to use it, you may want to read it.

WordPress users looking for a cheaper email marketing tool may want to consider Groundhogg. Using Groundhogg will be more technical. 

With Groundhogg, you can manage your CRM, Email, and Marketing Automation directly in the WordPress dashboard. You have complete control over everything.

When it comes to CRM and Email Marketing, most people are forced to use expensive SaaS platforms, so Groundhogg is here to change this. I recommend reading my Groundhogg review to determine if it is for you.

Along with a powerful email automation tool, I found a tool that allows you to send videos via email. With only one click, you can insert videos into your clients’ emails for massive traffic, conversions, and sales. This is not a GIF, but a video.

Email Videos Pro is said by its developers to increase engagement by over ten times and profitability by over ten times. Check out my Email Videos Pro review to see if it is suitable for you.
