Email Marketing Legal Requirements: A Comprehensive Guide for Businesses

By Securiti Research Team
Published July 6, 2023

The first instance of email marketing dates back to 1978, driving $13 million in sales and demonstrating its sheer impact and industry value. Since then, email marketing has evolved and proved to be a powerful and effective tool that organizations increasingly leverage to connect with their audience and improve engagement.

According to recent data by the Radicati Group, the number of emails sent and received daily in 2023 is 347.3 billion worldwide. That’s close to 50 emails daily per individual worldwide. While email marketing is great for businesses, in an ever-evolving data privacy landscape, email marketing is subject to various legal requirements. As data privacy laws become stricter and individuals become more aware of their data privacy rights, it is crucial for organizations to recognize consumer rights and comply with the legal obligations associated with email marketing.

Regulations such as the European Union’s General Data Protection Regulation (GDPR), ePrivacy Directive, the United Kingdom’s Privacy and Electronic Communications Regulations (PECR), the United States Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM), Canada's Anti-Spam Legislation (CASL), and Australia’s Spam Act 2003 are some of the laws that impact email marketing.

This comprehensive guide aims to arm companies with the necessary knowledge and understanding of email marketing legal requirements to successfully navigate the complex web of regulatory requirements and conduct email marketing campaigns in a legal and ethical manner. Organizations that comply with laws, obtain valid consent, ensure user transparency, and prioritize data security as per the requirements of applicable privacy laws can avoid non-compliance complexities and increase the impact of their email marketing campaigns.

The GDPR, which went into effect in May 2018, is a comprehensive and landmark data protection law that has transformed the EU's data privacy landscape. The GDPR has extra-territorial application and also applies to organizations outside the EU that monitor the behavior of EU residents or offer them goods or services. The GDPR is complemented by the ePrivacy Directive, which specifies privacy requirements in relation to electronic communications. Let's dive into the GDPR's main provisions, read together with the ePrivacy Directive, that impact email marketing:

The GDPR strongly emphasizes the significance of having a legal basis for processing personal data. Organizations must identify the appropriate legal basis for processing personal data for the purposes of email marketing. Consent is considered the legal basis for email marketing, requiring organizations to obtain freely given, specific, informed, and unambiguous consent from individuals before sending marketing emails. In this respect, the following should be ensured:

  • Organizations must allow individuals to actively confirm their consent by taking affirmative action, such as ticking an unchecked opt-in box.
  • An individual’s consent should be specific to the purpose of receiving email marketing.
  • Consent should not be bundled up as a part of the terms and conditions of use for the organization’s product or service.
  • Individuals should be provided with an easily accessible and free-of-charge consent withdrawal mechanism whereby they can withdraw their consent at any time.

Here's a step-by-step guide for marketers to be GDPR compliant.

Soft Opt-in Exception

The ePrivacy Directive allows a soft opt-in exception to the explicit opt-in requirement for email marketing. The soft opt-in exception applies when marketing communications are sent to existing customers, i.e., individuals whose details the organization has collected in the context of the sale of a product or service, and there has been a transaction (purchase/service agreement) in which the organization is obliged to deliver something and the individual/customer to pay for it.

The soft opt-in exception means that organizations can send marketing communications to individuals without obtaining their consent, provided that they have given those individuals the ability to opt out. The following conditions must be fulfilled in order to rely on the soft opt-in exception:

  • The recipient’s contact details are obtained in the context of the sale of a product or service.
  • The organization only emails the recipient about its products or services that are similar to the product or service in relation to which the recipient’s details were collected.
  • A simple and free-of-charge opt-out facility was offered to the individual at the time their details were collected, and the individual did not opt-out.
  • The organization clearly and distinctly reminds individuals about their ability to opt-out in each subsequent marketing communication. The opt-out ability should be simple and free-of-charge.

Opt-Out and Data Security

Organizations must offer clear, easy-to-use mechanisms for individuals to opt out of receiving marketing communications. Opt-out requests should be honored and processed quickly. Moreover, necessary technical and organizational safeguards must be implemented to protect personal data against unauthorized access, data breaches, etc.

Learn the ins and outs of email marketing requirements under GDPR and ePrivacy Directive.

Non-compliance with the GDPR's email marketing legal requirements can result in significant fines and reputational damage. Less severe infringements can result in a fine of up to €10 million or 2% of a firm's annual revenue from the preceding financial year, whichever amount is higher. More serious violations can result in a fine of up to €20 million or 4% of a firm's annual revenue from the preceding year, whichever amount is higher.

The Privacy and Electronic Communications Regulations (PECR) implemented the ePrivacy Directive in the UK, requiring organizations to comply with specific legal requirements when conducting email marketing campaigns.

Organizations must obtain the recipient's prior consent before sending any marketing emails and keep clear records of the same. Consent should be freely given, specific, and informed. For example, it should be provided by actively signing up for the mailing list or checking an opt-in box.

Consent should not be transferable, i.e., marketing emails should only be sent to the email address provided by the user for this purpose and not to any other email belonging to the user. Moreover, consent requests must be prominent, concise, and easy to understand. Users should also be able to withdraw their consent at any time.

Furthermore, organizations must not hide or disguise their identity when sending marketing emails and provide a valid contact address for people and businesses to opt-out or unsubscribe.

Soft Opt-In Mechanism

An organization might send direct marketing to individuals without their consent if their contact details were collected directly from them during a sale or negotiations for the sale of the entity’s products or services (‘Soft opt-in’). Negotiations for sale mean that the individual actively expressed an interest in buying the products or services.

Further prerequisites for relying on the soft opt-in are that the organization:

  • only emails individuals about products and services similar to the one in relation to which their contact details were collected;
  • gives individuals a clear and simple way to opt out of direct marketing at the time their details are collected; and
  • gives individuals a clear, free, and simple way to opt out of marketing in each subsequent marketing message sent to them.

Here's a detailed UK guide on direct marketing via email.

Non-compliance with PECR's email marketing legal requirements can result in enforcement action and penalties. A PECR violation may subject the perpetrator to criminal prosecution, non-criminal enforcement, audit, and monetary penalties of up to £500,000, which can also be imposed on the directors of an organization. It's crucial to remember that actions that violate PECR may also violate the UK GDPR.

CAN-SPAM was the first comprehensive US law governing email marketing practices. After years of email spam and unwanted content filling inboxes worldwide, the United States enacted the legislation in 2003. It applies to US businesses that send commercial electronic mail messages.

Accurate Header Information

Organizations must use accurate and non-misleading header information in the "From," "To," and "Reply-To" fields when sending commercial emails. Information such as the sender's name and email address must accurately identify who sent the email.

Clear Identification of Emails

Emails from organizations must be explicitly marked as promotional. They should not misrepresent the commercial nature of the email by using false subject lines or deceptive content.

Address the Source & Location

The email body must contain a working physical postal address which can be the street address the organization is currently using, a post office box registered with the U.S. Postal Service (USPS), or a private mailbox registered with a commercial mail receiving agency.

Opt-Out Mechanism

A clear and prominent description of how the recipient can choose not to receive your emails in the future must be included in your message. Write it in a format and style that the average person can easily read, recognize, and understand.

Provide a return email address or another simple online method for recipients to contact you to communicate their choice. Organizations may allow granular opt-outs from certain messages, but should also give a choice to stop receiving all commercial messages from the organization altogether. Ensure that your spam filter does not block these opt-out requests.

Any opt-out feature you provide must be able to handle requests for at least 30 days after your message is sent. A recipient's request to opt-out must be honored within 10 business days. To honor an opt-out request, organizations cannot charge a fee, demand additional personal information from the recipient other than their email address, or require them to take action other than replying to your email or visiting a single webpage as a condition for honoring the request.
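The opt-out rules above translate into a few concrete checks an email platform has to enforce: the unsubscribe link must keep working for at least 30 days after a message is sent, a request must be honored within 10 business days, and nothing beyond the email address may be demanded. The following Python sketch, an added example that is not code from the original article or from Securiti, encodes those checks in a small opt-out registry. The business-day calculation skips weekends only and ignores public holidays (an assumption), and the registry deliberately treats a pending, not-yet-processed opt-out as suppressed right away rather than waiting for the deadline, which is the safer reading of the 10-day limit. The dates and addresses are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Deadlines taken from the CAN-SPAM rules described above.
OPT_OUT_WINDOW_DAYS = 30            # opt-out mechanism must keep working at least this long after sending
HONOR_DEADLINE_BUSINESS_DAYS = 10   # an opt-out must be honored within this many business days


def add_business_days(start: date, n: int) -> date:
    """Advance `start` by n weekdays. Weekends are skipped; public holidays are ignored (assumption)."""
    current = start
    remaining = n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday..Friday
            remaining -= 1
    return current


@dataclass
class OptOutRegistry:
    """Tracks sent campaign messages, pending opt-out requests and the suppression list."""
    sent: dict = field(default_factory=dict)        # message_id -> send date
    pending: dict = field(default_factory=dict)     # email -> deadline by which the opt-out must be honored
    suppressed: dict = field(default_factory=dict)  # email -> date the opt-out was honored

    def record_send(self, message_id: str, recipient: str, send_date: date) -> None:
        """Every send goes through the gate; a suppressed or pending address is refused."""
        if not self.may_send(recipient):
            raise PermissionError(f"{recipient} has opted out; refusing to send")
        self.sent[message_id] = send_date

    def opt_out_link_valid(self, message_id: str, today: date) -> bool:
        """The unsubscribe link in a message must still be accepted 30 days after it was sent."""
        return today <= self.sent[message_id] + timedelta(days=OPT_OUT_WINDOW_DAYS)

    def receive_opt_out(self, email: str, received_on: date) -> date:
        """Accept an opt-out. Only the email address is required: no fee, no extra data, no login."""
        deadline = add_business_days(received_on, HONOR_DEADLINE_BUSINESS_DAYS)
        self.pending[email] = deadline
        return deadline

    def honor_opt_out(self, email: str, processed_on: date) -> bool:
        """Move the address to the suppression list; return False if the deadline was missed."""
        deadline = self.pending.pop(email)
        self.suppressed[email] = processed_on
        return processed_on <= deadline

    def may_send(self, email: str) -> bool:
        """Pending requests count as suppressed immediately rather than at the deadline."""
        return email not in self.suppressed and email not in self.pending


def demo() -> dict:
    """Walk one constructed opt-out through the registry (all dates and addresses are constructed)."""
    reg = OptOutRegistry()
    reg.record_send("msg-001", "alice@example.com", date(2023, 7, 6))   # a Thursday
    deadline = reg.receive_opt_out("alice@example.com", date(2023, 7, 6))
    honored_in_time = reg.honor_opt_out("alice@example.com", date(2023, 7, 14))
    return {
        "deadline": deadline.isoformat(),                                     # "2023-07-20"
        "honored_in_time": honored_in_time,                                   # True
        "link_valid_day_30": reg.opt_out_link_valid("msg-001", date(2023, 8, 5)),   # True
        "link_valid_day_31": reg.opt_out_link_valid("msg-001", date(2023, 8, 6)),   # False
        "may_send_after": reg.may_send("alice@example.com"),                  # False
    }


if __name__ == "__main__":
    print(demo())
```

The gate in `may_send` is the piece that matters operationally: placing it in front of every send, rather than relying on a periodic list clean-up, is what turns the 10-business-day deadline from a reporting metric into something the system cannot miss.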

Understand the difference between Opt-In vs. Opt-Out.

Prohibition of Email Harvesting

Email harvesting is prohibited, that is, automated or manual collection of email addresses from websites or other sources, without the owner's consent.

Even if an organization employs another company to conduct its email marketing, legal action could be taken against both entities: the business whose product is advertised in the message and the business that actually sent it.

Non-compliance with CAN-SPAM's email marketing legal requirements can result in enforcement action and penalties. More than one marketer may be held accountable for legal violations if their authorized ‘sender’ does not comply with the applicable requirements when advertising or promoting their goods, services, or websites. Marketers may face fines of up to $50,120 for each individual email that violates the law.

Canada's Anti-Spam Legislation (CASL), which came into force on 01 July 2014, is a federal law in Canada that addresses spam and other electronic threats. It safeguards Canadians and applies to commercial electronic messages (CEMs) sent to electronic addresses.

Before sending commercial electronic messages (CEMs), organizations must ensure that they have the express or implied consent of the recipient. To obtain express consent, the person seeking it must provide the recipient with the requisite information, including the purposes for which consent is sought, the identity and contact details of the person seeking consent, and an indication that the recipient can unsubscribe.

In certain contexts, organizations can rely on implied consent: for example, where there is an existing business or non-business relationship, or where the recipient's email address is publicly available in connection with their official or business role and is not accompanied by a statement that they do not wish to receive unsolicited CEMs. Pre-checked boxes cannot be used to request consent. Organizations should maintain consent records, including the date, time, and method of obtaining consent.


Within commercial electronic messages, organizations must explicitly include their identity information. This information should contain the sender's name, the entity or organization on whose behalf the communication is sent (if different from the sender), and accurate contact details such as a postal address, phone number, or email address. Such contact details should remain valid for a minimum of 60 days after the CEM has been sent.

If a CEM is sent on behalf of more than one person, all such persons shall be named in the CEM. If it is impractical to provide this information in the body of a CEM, a hyperlink to a webpage that contains this information is permissible as long as the receiver of the CEM may easily access it for no charge. The CEM must prominently and clearly provide the link to the webpage. Not every individual connected to sending a CEM needs to be named. Instead, only those individuals who significantly influence the CEM's content and/or the recipients' selection must be identified.

Unsubscribe Mechanism

Every commercial electronic message must provide a prominent unsubscribe mechanism feature that receivers can use to, at no cost, quickly and easily opt-out of receiving more messages in the future. The unsubscribe mechanism should specify an electronic address or a link to a webpage to which the indication to unsubscribe may be sent. The mechanism may require the use of the same electronic means to unsubscribe by which the CEM was sent, or if using such means is not practicable, any other electronic means that will enable the person to indicate their wish. The electronic address or webpage should continue to work for at least 60 days. An unsubscribe procedure must be "readily performed" and should be quick, easy, and uncomplicated for the user.


The email message should be accurate and must not contain any misleading information.

Non-compliance with Canada's Anti-Spam Legislation (CASL) email marketing requirements can result in penalties. The penalties for spammers under CASL include fines of up to $1 million for individuals and $10 million for businesses per infringement. A corporation's directors, officers, agents, and mandataries may be held accountable if they directed, authorized, consented to, acquiesced in, or took part in the commission of the violation. Whether or not a lawsuit is filed against the corporation, these people may still be held accountable for the infraction.

The Australian Parliament passed the Spam Act in 2003 to regulate commercial email and other types of commercial electronic messages. A commercial electronic message is any electronic message which, amongst other purposes, offers to supply, advertises, or promotes any goods or services or a supplier thereof, or a business or investment opportunity or a provider thereof. It is important to note that commercial electronic messages to non-existent electronic addresses are not permitted.

The Spam Act allows commercial electronic messages with an Australian link if an organization has the express or inferred consent of the recipient.

A commercial electronic message has an Australian link in any of the following scenarios:

  • the message originated in Australia;
  • the sender is physically present in Australia or has its central management and control there;
  • the message is accessed on a computer, device, or server in Australia; or
  • the recipient is an individual who is physically present in Australia or an organization that carries on operations in Australia.

Express consent constitutes a person expressly agreeing to receive marketing messages. An organization may infer consent if an individual knowingly and directly provides their address, and it is reasonable to believe that they would expect marketing, particularly because of their ongoing relationship with the organization and a direct link between the marketing and such relationship.

Organizations must maintain records of consent, including details about how consent was received and the time and date of consent. Moreover, a business is still in charge of ensuring that the appropriate consent has been obtained and that the messages comply with the Spam Act, even if a third-party service is being used to send commercial electronic messages on its behalf.


Commercial electronic messages must include accurate sender identification information: the sender's name or legal name, contact information, and Australian Business Number (ABN). This information should reasonably be expected to remain valid for at least 30 days after the message is sent.

Unsubscribe Mechanism

A clear, free, visible and easy-to-use unsubscribe mechanism must be included in every commercial electronic message. The unsubscribe facility should remain functional for at least 30 days after a message has been sent, allow the user to unsubscribe using the same kind of technology as was used to receive the message, and not require any additional information or steps to unsubscribe. Organizations must honor unsubscribe requests within 5 business days and ensure that recipients are removed from their mailing lists once they opt out.

Address-Harvesting Software

Organizations must not use address-harvesting software or an electronic address list produced with such software. Address-harvesting software is a tool particularly created or sold for use in searching for electronic addresses on the internet or on a public telecommunications network, as well as collecting, compiling, capturing, or otherwise obtaining those addresses.

Designated Commercial Electronic Messages

The Spam Act allows designated commercial electronic messages. Designated commercial electronic messages either contain no more than factual information, or are authorized by a government body, a registered political party or a registered charity, or a present or former member or student of an educational institution. Designated commercial electronic messages should include information about the entity that authorized the message, and are not required to have an unsubscribe facility.

Non-compliance with Australia’s Spam Act 2003 email marketing legal requirements can result in penalties. The Australian Communications and Media Authority (ACMA) is responsible for enforcing the Spam Act, and violations can incur fines of up to 10,000 penalty units, which is currently equivalent to Australian Dollars 2,750,000.

Learn more about the direct marketing laws in Australia.

Organizations must use ethical and legal email marketing practices to build and maintain customer trust, foster positive customer relationships, and comply with evolving rules and regulations. Here’s a roundup of ethical and legal email marketing practices:

Obtain consent before sending promotional emails and ensure consent is freely given, specific, informed, clear, and explicit. Review and revise your consent and preference management procedures frequently. Make it simple for subscribers to change their settings, such as the frequency of emails received by them and the content categories in relation to which they want to receive emails.

Provide Clear Identification

Emails must expressly identify you as the sender and should include your name, the name of your organization, and operational contact details such as a phone number or email address. Transparency is essential in maintaining a long-lasting and impactful relationship with the recipient.

Accurate Subject Lines

The email’s subject should not mislead or deceive. The email subject line should honestly and accurately depict what’s written in the email. Avoid click-bait subject lines that entice the recipient to open an email.

Honor Opt-Out Requests

Honor opt-out requests without confusing the recipient. Every email should have a clear and simple unsubscribe option. Recipients who have unsubscribed from your mailing list should no longer be sent marketing emails unless they opt in or subscribe to the mailing list again.

Protect Personal Data

Personal data is protected under data privacy laws, and details such as the recipient's email address and name are regarded as personal data. Organizations should take the necessary security precautions by employing encryption or other adequate safeguards that prevent illegal or unauthorized access to, use of, or disclosure of personal data.

Comply with Data Privacy Laws

Recognize which laws apply to your organization and segment your mailing list if your audience is scattered across multiple jurisdictions. Keep a close grip on which laws apply to a certain segment and ensure your email marketing practices comply with local and international laws.

Build an Opt-In Email List

Offer valuable content, discounts, offers, contests, or giveaways that incentivize individuals to subscribe to your email list. Place opt-in forms prominently on your website and utilize call-to-action buttons and a user-friendly interface. Leverage the power of social media to target a larger cross-border audience.

How Can Securiti Help

Securiti is renowned in the data privacy, security, compliance, and governance industry. With a comprehensive PrivacyOps and Unified Data Controls framework, Securiti offers a wide range of automation tools that can assist companies in complying with legal email marketing requirements.

Securiti’s Consent Management Platform (CMP) simplifies the management of first-party & third-party consent, enabling organizations to effectively capture and manage user consent for email marketing. It enables businesses to implement clear and granular consent mechanisms, track consent records, and ensure compliance with laws like GDPR, CAN-SPAM, CASL, etc. This helps organizations comply with global consent requirements for email marketing campaigns.

Securiti’s Data Security Posture Management (DSPM) detects and prioritizes the remediation of data security vulnerabilities. Organizations can gain full visibility of the security posture of data assets across cloud data systems and leverage granular data insights to assess risk and prioritize remediation of any misconfigurations. This helps keep email marketing data safe from unauthorized or illegal access or disclosure.

Securiti’s Privacy Centre enables organizations to easily comply with a myriad of complex and evolving global privacy regulations while building trust with users. It enables organizations to offer notice and choice to consumers regarding tracking technologies on an online platform and empowers them to opt-in or opt-out for different processing purposes.

Securiti’s Data Subject Requests (DSR) automation enables organizations to fulfill data subject access requests by securely collecting data subject requests, verifying requestors’ identities, fulfilling requests, sharing encrypted responses with data subjects, and keeping all records in one place. This enables organizations to respond to DSRs in an efficient and timely manner.

By leveraging Securiti’s automation modules, companies can streamline their email marketing compliance efforts, mitigate risks, and build trust with their audience.

Request a demo to witness Securiti in action.
