- 2. Four Laws Governing Email Marketing Practices
- 2.1. GDPR
- 2.2. CalOPPA
- 2.3. US CAN-SPAM
- 2.4. Canada CASL
- 3. Email Marketing and Data Collection
- 4.1. Data Controllers, Processors, and Privacy Policies
- 4.2.1. Opt-Out and Unsubscribe
- 4.2.2. What You Do With Data After Unsubscribing
- 5. Examples of Email Marketing Clauses in Privacy Policies
- 5.1. Nordstrom
- 5.2. Tesco
- 5.3. Mailchimp
- 5.4. Drip
- 6. Summary
It's not enough to mention that you send out emails to those who consent. Your privacy policy also needs to cover:
- What data you collect
- How you collect your data
- Cookies and automatic data collection methods
- Distinct email marketing sections (with information on opting out and unsubscribing)
Why? Because of the stringent laws that now govern your ability to collect and process data like email addresses, particularly when you use them to contact the email address owner.
Four Laws Governing Email Marketing Practices
These four different (and important) laws govern the way you:
- Collect email addresses
- Store email addresses
- Ask for consent to collect and process email addresses
- Share email addresses
- Delete email addresses
These laws also apply to all the other personal data you collect.
These four laws are the GDPR, CalOPPA, US CAN-SPAM, and Canada's CASL.
GDPR
The GDPR covers all individuals located in the EU, and you need to comply with it unless you make your site inaccessible from EU IP addresses. As a data controller or processor, the GDPR covers all your activities end to end, including your email marketing campaigns.
The biggest change email marketers experienced compared to existing privacy law lies in the explicit and strict consent requirements put in place by the legislation.
According to the GDPR, consent must be "clear, affirmative actions." That means a data subject consents only when they perform a positive action to provide their consent, such as actively ticking a box.
Your data processing efforts also change because the GDPR says that you can only collect data (like email addresses) when you:
- Have a specific and lawful purpose for processing
- Use it only for the stated purpose
- Offer mechanisms for updating and removing outdated or inaccurate data
- Delete it when you no longer need it
It also means that you need to actively manage your email subscription lists once you acquire them.
Additionally, the GDPR offers one of the most meaningful lists of data subject rights. It says that:
"Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to any processing of personal data concerning him or her."
Finally, you also need to make sure the email addresses you keep are accessible to you, so that you can provide them to the data subject on request, but also secure enough to prevent theft or damage.
CalOPPA
CalOPPA requires your privacy policy to disclose:
- What data you collect
- How you collect the data
- What processes you use data for
- What kind of security you use to protect data subjects
- Whether you involve any third parties
- How users can exercise their rights and control their data
To meet CalOPPA requirements, you need to mention that you collect email addresses from data subjects and then note whether or not you share them with third parties. You also need to make it possible for people to opt out of your email marketing campaign.
US CAN-SPAM
CAN-SPAM includes seven primary requirements that marketers must follow to protect American consumers from unsolicited email:
- Be honest in your header (including from, to, and routing information)
- Skip deceptive subjects
- Disclose the email as an advertisement
- Share your physical postal address in the body
- Provide instructions for opting out
- Honor opt-out requests within 10 business days
- Make sure third parties or processors comply with CAN-SPAM
Canada CASL
CASL is Canada's anti-spam law, and it went into effect on July 1, 2014. If your site allows visitors from Canada, you need to comply. CASL covers what it calls a "Commercial Electronic Message" (CEM). A CEM isn't limited to email: instant messages, texts, and social media messages that refer to commercial activities also fall under the umbrella.
Like the GDPR, CASL touches on consent. It requires you to meet the threshold for implied consent (making a purchase, donation, gift; providing volunteer time or resources; providing an email address or publishing an email address).
If you don't meet the conditions for implied consent, you must receive express consent, which requires a written or oral agreement where the data subject says they want to receive digital communications from your business.
Email Marketing and Data Collection
Email marketing is an old-school staple of digital marketing, but what some marketers never considered is that they collect personal data when they engage in the practice. Moreover, email marketing is no longer as simple as sending out a newsletter and hoping for the best.
You now collect a huge amount of data just through successful email campaigns. Some of that data includes:
- Email addresses (and other data like names, date of birth, location) at sign-up
- Data collected from inside the email (filling in data missing from sign-up)
- Digital behavior tracking (in emails, across your website, and on the internet)
Data collection via email marketing is a double-edged sword for privacy experts and regulations like the GDPR. On one hand, you collect more data, which they warn against, particularly if you don't have a use for it. On the other hand, when you use data the right way, more data allows you to send emails that are better targeted, more precise, and better received than the standard blanket email method, which is the goal of the legislation.
But you can't rely only on your email client's policy to cover your back. Why?
Because your email client is the data processor and you are the data controller, and that means you need to work together to protect data and uphold the law.
Data Controllers, Processors, and Privacy Policies
Because you're dealing with data subject information including names and email addresses, you are what the GDPR calls a data controller. As defined in the legislation, a data controller:
"means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data"
As soon as you hand that data over to a client like Mailchimp, you enter into an agreement that allows the email client to process the data on your behalf and according to your instructions, to provide the services you requested.
That makes your email client your data processor.
When you are a data controller, you are largely responsible for compliance with the law. One of your biggest obligations in that vein is to only hire processors that meet GDPR requirements. It's not enough for you to follow the law - your email client must, too. You can be held responsible if they do not.
The relationship means you have the following obligations:
- You must enter into a contract with your data processor (email client).
Opt-Out and Unsubscribe
New privacy laws mean that users must be able to withdraw consent as easily and as fast as they provide it.
That means that the options for opting out and unsubscribing need to sit front and center.
The essential components of an opt-out or unsubscribe policy include:
- Describing the right to unsubscribe
- Providing directions for unsubscribing to marketing emails
- Outlining what emails users will continue to receive outside of marketing emails (if applicable)
We'll show you examples of email marketing clauses in the last section.
What You Do With Data After Unsubscribing
Data retention is tricky because the GDPR doesn't allow you to keep data you have no use for, but ecommerce companies in particular might still have a use for the data. If the data subject maintains a profile with your company but unsubscribes from marketing emails, you still have a legal basis for keeping the data.
You can cover this under the clause that deals with one of the listed GDPR data subject rights - the right to erasure (or "right to be forgotten").
The right to erasure allows EU citizens to withdraw their consent for processing and request that the data controller (you) delete their data "without undue delay."
You can learn more about the conditions for the right to erasure here.
The right to erasure isn't absolute for all data processing activities, so it is worth reading up on the right to prepare yourself for complying with requests.
Examples of Email Marketing Clauses in Privacy Policies
You'll cover core issues like:
- What information you collect
- How you collect it
- How you use personal information
- Information about cookies
- Your legal basis for processing
- Data protection rights (opt-out, unsubscribe, right to erasure)
Nordstrom
First, Nordstrom discloses that it collects contact information, including names and email addresses, under "What Information We Collect":
As per the law, Nordstrom describes how the information arrives in its databases. The end of the clause under "You Provide" shows that you will only get marketing emails if you provide your email address:
Nordstrom also describes the ways it uses the personal information it collects. It clearly shows that it uses data for marketing and advertising purposes. It also goes a step further by directing users to the section that shows them how to exercise their rights:
As discussed earlier, today's email marketing doesn't limit itself to names, email addresses, and demographic information. It also uses technology like web beacons and tags to share information. Nordstrom describes how it uses automatic data collection processes to gather new data from the marketing emails it sends to subscribers:
Finally, let's look at one of the most important clauses for email marketers - the clause dedicated entirely to email marketing:
In this section Nordstrom ticks all the essential email marketing boxes:
- It states the user right to withdraw consent.
- It provides avenues for exercising that right.
- It offers directions and contact details for getting rid of non-marketing emails, like service and transactional emails.
Tesco
Tesco wraps up all the essentials within one heading by detailing:
- How it collects data
- Whether it requires consent
- How to opt-out and unsubscribe
- User rights
Tesco also adds a clause about how long it keeps data like email addresses. It keeps data on a case-by-case basis according to factors like why Tesco needs it and whether security demands require it:
Mailchimp
Mailchimp is the 500-pound gorilla of email clients, and it takes all the email marketing and privacy laws seriously, including the GDPR, CAN-SPAM, and CASL.
You also need to share that Mailchimp may collect information about your subscribers through third-parties, as outlined in the photo below.
Mailchimp also sets out the rights you and your contacts have under the GDPR, including how to exercise them:
Finally, disclose that the service uses web beacons and other tracking technologies to collect personal data during email campaigns.
Summary
Your privacy policy needs to disclose:
- What data you collect as part of your email marketing campaign
- Any third parties you allow to access the data
- How users can exercise their rights and withdraw consent
- What you do with data after they unsubscribe
Failure to include these clauses puts you in violation of laws like the GDPR, which come with hefty fines.