A Privacy Policy for Email Marketing

If you don't have a Privacy Policy, you can't legally send out marketing emails. This is because both privacy laws and third party email marketing services require you to display a Privacy Policy.

This article will explain why you need a Privacy Policy for email marketing, what laws you need to consider, and what essential clauses you must include in your Privacy Policy.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. Add information about your business: your website and/or app.
  4. Select the country.
  5. Answer the questions from our wizard relating to what type of information you collect from your users.
  6. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

And you're done! Now you can copy or link to your hosted Privacy Policy.

Why You Must Mention Email Marketing in Your Privacy Policy

Your email marketing campaigns are data-driven and use personal information gathered from data subjects both directly and indirectly. Because it involves the processing of personal data, you must mention your use of email marketing within your Privacy Policy.

It's not enough to mention that you send out emails to those who consent.

The nature of email marketing and the ability of an email marketing campaign to track behavior means the subject will show up again and again throughout your Privacy Policy. Some of the clauses where you'll mention email marketing include:

  • What data you collect
  • How you collect your data
  • Cookies and automatic data collection methods
  • Distinct email marketing sections (for information on opting-out and unsubscribing)

Your email marketing campaign should get its own section within your Privacy Policy.

Why? Because of the stringent laws that now govern your ability to collect and process data like email addresses, particularly when you use them to contact the email address owner.

Four Laws Governing Email Marketing Practices

These four different (and important) laws govern the way you:

  • Collect email addresses
  • Store email addresses
  • Ask for consent to collect and process email addresses
  • Share email addresses
  • Delete email addresses

These laws also apply to all the other personal data you collect.

These four laws are the EU's GDPR, California's CalOPPA, the US CAN-SPAM Act, and Canada's CASL.

GDPR

The GDPR protects individuals located in the EU. It applies to you if you are established in the EU, or if you offer goods or services to, or monitor the behavior of, people in the EU, wherever your business is based (Article 3). Making your site inaccessible from EU IP addresses is not a reliable way out: the test is whether you offer goods or services to, or monitor, people in the EU, and a marketing email sent to an EU subscriber is exactly that. Whether you act as a data controller or a processor, the GDPR covers your activities end-to-end, including your email marketing campaigns.

The biggest change email marketers experienced compared to earlier privacy law lies in the explicit and strict consent requirements the legislation put in place.

Under the GDPR, consent must be given by a "clear affirmative act" (Recital 32). A data subject consents only when they perform a positive action, such as actively ticking an unticked box; silence, pre-ticked boxes or inactivity do not count as consent.

Your data processing efforts also change because the GDPR says that you can only collect data (like email addresses) when you:

  • Have a specific and lawful purpose for processing
  • Use it only for the stated purpose
  • Offer mechanisms for updating and removing outdated or inaccurate data
  • Delete it when you no longer need it

All of the above issues must be addressed in your Privacy Policy.

It also means that you need to actively manage your email subscription lists once you acquire them.

Additionally, the GDPR offers one of the most meaningful lists of data subject rights. On direct marketing, Article 21(2) says:

"Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing."

You need to cover these rights in your Privacy Policy, and an objection has teeth: once a subscriber objects, Article 21(3) says their data may no longer be processed for direct marketing purposes.

Finally, you need to keep the email addresses (and other data) you hold accessible enough that you can provide them to the data subject on request (the right of access), and at the same time protect them with security appropriate to the risk so they are not stolen, altered or lost.

A GDPR-Compliant Privacy Policy

Although consent changes impact your email marketing processes in the most tangible way for you and your subscribers, the GDPR also requires you to have a Privacy Policy.

You must have one if you collect any data - even if you don't use it for email marketing. The GDPR created a baseline as to what must be included in your Privacy Policy.

No GDPR-compliant Privacy Policy is complete without sections on:

  • What data you collect
  • How you collect the data
  • What processes you use data for
  • What kind of security you use to protect data subjects
  • Whether you involve any third parties
  • How users can exercise their rights and controls

CalOPPA

CalOPPA is a California law that applies to operators of commercial websites and online services that collect personal information from California residents. It matters for email marketing in that it (1) requires you to post a Privacy Policy conspicuously and (2) requires that policy to disclose what categories of personal information you collect and the categories of third parties you share it with.

To meet CalOPPA requirements, mention that you collect email addresses from data subjects and state whether or not you share them with third parties. CalOPPA also requires you to describe any process you offer for users to review and request changes to their information; for email marketing, that means telling people how to opt out of your campaign.

CAN-SPAM

The US CAN-SPAM Act includes seven primary requirements that commercial senders must follow to protect American consumers from unsolicited email:

  1. Be honest in your header (including from, to, and routing information)
  2. Skip deceptive subjects
  3. Disclose the email as an advertisement
  4. Share your physical postal address in the body
  5. Provide instructions for opting out
  6. Honor opt-out requests within 10 business days
  7. Make sure third parties or processors comply with CAN-SPAM

Only #5 directly shapes your Privacy Policy. Share opt-out instructions both in every email and in your Privacy Policy so that customers can unsubscribe whenever they want, and remember that #6 then obliges you to act on the request within 10 business days.

Canada CASL

CASL is Canada's anti-spam law and it went into effect on July 1, 2014. If you send to recipients in Canada, you need to comply. CASL covers what it calls a "Commercial Electronic Message" (CEM), and a CEM is not limited to email: instant messages, texts and social media messages that refer to commercial activities also fall under the umbrella.

Like the GDPR, CASL turns on consent. You may rely on implied consent only where its conditions are met: an existing business relationship (for example a purchase), an existing non-business relationship (a donation, gift, membership or volunteer work), or a recipient who conspicuously published their email address or gave it to you without indicating they don't want commercial messages. Implied consent based on a relationship is time-limited, so record when the relationship was established.

If you don't meet the conditions for implied consent, you must obtain express consent: an oral or written agreement in which the person says they want to receive commercial electronic messages from your business. When you ask for it, CASL requires you to identify who is asking, state the purpose, and say that consent can be withdrawn.

Email Marketing and Data Collection

Email marketing is an old-school staple of digital marketing, but what some marketers never considered is that they collect personal data when they engage in the practice. Moreover, email marketing is no longer just as simple as sending out a newsletter and hoping for the best.

You now collect a huge amount of data just through successful email campaigns. Some of that data includes:

  • Email addresses (and other data like names, date of birth, location) at sign-up
  • Data collected inside the email itself (for example, fields you didn't ask for at sign-up)
  • Digital behavior tracking (in emails, across your website, and on the internet)

Data collection via email marketing is a double-edged sword for privacy experts and for regulations like the GDPR. On one hand, you collect more data, and the law warns against that, particularly if you don't have a use for it (data minimisation). On the other hand, used properly, more data lets you send emails that are better targeted, more relevant and better received than a blanket send, which is far more defensible under purpose-limitation rules than mailing everyone indiscriminately.

However, you need to be transparent about what data you collect, and you must share your practices in your Privacy Policy. Failing to do so already places you in violation of the most sweeping privacy law currently on the books - the GDPR.

If you change your practices drastically and update your Privacy Policy to reflect this (which you must do), consider using Update Notices to keep your users informed of the changes.

Third Party Email Clients and Your Privacy Policy

If you use one of the big players like Mailchimp, your email marketing service (this article calls it your email client) most likely already covers the essential points in its own Privacy Policy. Your Privacy Policy then has to meet not only the legal requirements but your email client's rules as well.

But you can't rely only on your email client's policy to cover your back. Why?

Because your email client is the data processor and you are the data controller, and that means you need to work together to protect data and uphold the law.

Data Controllers, Processors, and Privacy Policies

Because you're dealing with data subject information including names and email addresses, you are what the GDPR calls a data controller. As defined in the legislation, a data controller:

"means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data"

As soon as you hand it over to a client like Mailchimp, you enter into an agreement that allows the email client to process the data on your behalf and according to your instructions to provide the services you requested.

That makes your email client your data processor.

When you are a data controller, you are largely responsible for compliance with the law. One of your biggest obligations within that vein is the obligation to only hire processors that meet GDPR requirements. It's not enough for you to follow the law - your email client must, too. You can be held responsible if they do not.

Part of this means being as transparent as possible about your data processing activities - even and especially if you are using another processor to do the work for you. Because you are the legal and business face of the processing, you must align your Privacy Policy with your email client's to accurately represent the processing activities that take place.

The relationship means you have the following obligations:

  • You must enter into a written contract with your data processor (email client); under the GDPR this is the data processing agreement required by Article 28.
  • Your Privacy Policy must reflect your processor's Privacy Policy because the processor works on your behalf.
  • You need to link to your processor's Privacy Policy to provide full transparency to data subjects.

Essential Topics to Cover in Your Privacy Policy

In addition to building the email marketing clause of your Privacy Policy to reflect your own and your email client's data processing activities, there are two other big issues that your Privacy Policy needs to cover in relation to your email marketing campaigns: opt-out and unsubscribe, and what you do with data after a user opts out.

Opt-Out and Unsubscribe

New privacy laws mean that users must be able to withdraw consent as easily and as fast as they provide it.

That means that the options for opting-out and unsubscribing need to sit front and center.

In addition to providing opt-out options within each email (and your email client makes that simple), you need to cover it within your Privacy Policy.

The essential components of an opt-out or unsubscribe policy include:

  • Describing the right to unsubscribe
  • Providing directions for unsubscribing to marketing emails
  • Outlining what emails they will continue to receive outside of marketing emails (if applicable)

We'll show you examples of email marketing clauses in the last section.

What You Do With Data After Unsubscribing

The issue about data storage is tricky because the GDPR doesn't allow you to keep data you have no use for, but ecommerce companies in particular might still have a use for the data. If the data subject maintains a profile with your company but unsubscribes from marketing emails, you still have a legal basis for maintaining the data.

You can cover this under the clause that deals with one of the listed GDPR data subject rights - the right to erasure (or "right to be forgotten").

The right to erasure (Article 17) lets a data subject (anyone whose data you process, not only EU citizens) require you, the data controller, to delete their data "without undue delay", for example where they have withdrawn the consent your processing relied on and you have no other legal basis for keeping it.

You can learn more about the conditions for right to erasure here.

The right to erasure isn't absolute for all data processing activities, so it is worth reading up on the right to prepare yourself for complying with requests.

Examples of Email Marketing Clauses in Privacy Policies

What does a Privacy Policy for email marketing look like?

Whether email marketing is your only processing activity or a small part of the bigger picture, your Privacy Policy for email marketing won't look much different from a standard Privacy Policy.

You'll cover core issues like:

  • What information you collect
  • How you collect it
  • How you use personal information
  • Information about cookies
  • Your legal basis for processing
  • Data protection rights (opt-out, unsubscribe, right to erasure)

Nordstrom

Nordstrom collects a huge amount of data from almost every source available to it. It also has one of the most inclusive Privacy Policies available online, and it does a superb job of integrating its email marketing practices into its general Privacy Policy.

First, Nordstrom discloses that it collects contact information including names and email addresses under "What Information We Collect":

Nordstrom Privacy Policy: Excerpt of What Information We Collect clause

As per the law, Nordstrom describes how the information arrives in its databases. The end of the clause under "You Provide" shows that you will only get marketing emails if you provide your email address:

Nordstrom Privacy Policy: Excerpt of How We Collect Information clause

Nordstrom also describes the ways it uses the personal information it collects. It clearly shows that it uses data for marketing and advertising purposes. It also goes a step further by directing users to the section that shows them how to exercise their rights:

Nordstrom Privacy Policy: Marketing and advertising clause

As discussed earlier, today's email marketing doesn't limit itself to names, email addresses and demographic information. It also uses technology like web beacons and tags embedded in the message to record opens and clicks. Nordstrom describes how it uses automatic data collection processes to gather new data from the marketing emails it sends to subscribers:

Nordstrom Privacy Policy: Using cookies and automatic collection methods clause

Finally, let's look at one of the most important clauses for email marketers - the clause dedicated entirely to email marketing:

Nordstrom Privacy Policy: Email Choices clause

In this section Nordstrom ticks all the essential email marketing boxes:

  • It states the user right to withdraw consent.
  • It provides avenues for exercising that right.
  • It offers directions and contact details for getting rid of non-marketing emails, like service and transactional emails.

Tesco

Tesco is a retailer that uses email marketing as part of its general and membership-specific digital strategy. It includes all its communication policies within its Privacy Policy under the heading "Marketing and Research."

It wraps up all the essentials within one heading by detailing:

  • How it collects data
  • Whether it requires consent
  • How to opt-out and unsubscribe
  • User rights

Tesco Privacy Policy: Marketing and market research clause

Tesco also adds a clause about how long it keeps data like email addresses. It keeps data on a case-by-case basis according to factors like why Tesco needs it and whether security demands require it:

Tesco Privacy Policy: Data retention clause

Finally, Tesco covers some of the other data it collects through its emails by providing specific examples of the way its uses cookies through marketing emails:

Tesco Privacy Policy: Cookies to measure the effectiveness of marketing communications clause

Mailchimp

Mailchimp is the 800-pound gorilla of email clients, and it takes all the email marketing and privacy laws seriously, including the GDPR, CAN-SPAM, and CASL.

Its Privacy Policy caters to Members (your business), Contacts (data subjects and your email marketing recipients), and general visitors to the Mailchimp site.

The section that applies to Mailchimp members is Section 2: Privacy for Members, but you'll also need to include information from Section 3: Privacy for Contacts. You need to read and understand this section so that you can reflect it in your own Privacy Policy (because you are the controller and Mailchimp is the processor).

What's most important for your Privacy Policy? You want to focus on the sections dealing with the information Mailchimp processes on your behalf. For example, under the section "Information You Provide", the policy says:

Mailchimp Privacy Policy for Members: Information we process on your behalf clause

You also need to share that Mailchimp may collect information about your subscribers through third parties, as outlined in the screenshot below.

Mailchimp Privacy Policy for Members: Information we collect from other sources clause

Mailchimp also sets out the rights you and your contacts have under the GDPR, including how to exercise them:

Mailchimp Privacy Policy for Members: Excerpt of Data Protection Rights clause

Finally, disclose that the service uses web beacons and other tracking technologies to collect personal data during email campaigns.

Mailchimp Privacy Policy: Cookies and tracking technologies clause

Drip

Drip takes a different approach to its Privacy Policy and largely places the onus on you - the customer - to dictate the processing methods and display them in your Privacy Policy.

Drip Privacy Policy: Customer data processed through service clause

However, it also requires you to refer directly to its Privacy Policy if you create your own and demands that you ensure your disclosure is consistent with Drip's policy. Here's that requirement in the Drip Terms of Service.

Drip Terms of Service: Privacy clause

Summary

If you collect email addresses for marketing campaigns, you need a Privacy Policy. This is a requirement of privacy laws as well as third-party email processing services.

Your Privacy Policy should contain information on:

  • What data you collect as part of your email marketing campaign
  • Any third parties you allow to access the data
  • How users can exercise their rights and withdraw consent
  • What you do with data after they unsubscribe

Failure to include these clauses puts you in violation of laws like the GDPR, which come with hefty fines.

Remember to mirror your email client's Privacy Policy with your own. As the data controller, it is up to you to make sure you and anyone you hire to process data on your behalf uphold the law. Including their policy and adding a link provides a clearer picture of what kind of data you collect, use, and store as part of your campaign so that your contacts can make informed decisions.