Learn how to protect your business, meet legal obligations, and build trust with your audience through clear privacy policies and compliance with evolving regulations. From GDPR requirements on Facebook and LinkedIn ads to crafting compliant email marketing strategies, this guide covers the essentials to keep your campaigns lawful and effective.
Resources / Guides / Social Media and Email Marketing Compliance
Published by Usercentrics
10 mins to read
Sep 26, 2024

Email marketing laws: What to know to be compliant

Compliant email marketing doesn’t require a law degree, but you do need a functional understanding of the laws that apply to your business. It’s your responsibility to be aware of these laws, build trust with your customers, and ensure your marketing efforts don’t put your organization at risk. 

We’ll begin with an overview of key global electronic communications regulations that affect email marketing. Then, we’ll cover each region’s applicable regulations and how you can put these into practice. Lastly, we’ll share some tips regarding compliant email marketing campaigns.

Email Marketing Laws Bookmark

An overview of global email marketing laws

Global email marketing laws evolve constantly, so it’s important to stay up-to-date. The table below outlines some of the key regulations to be aware of. Some of these explicitly address email marketing, such as the CAN-SPAM Act, while some only tangentially affect email marketing, such as HIPAA.

RegionRegulationRequired consentData rightsFines
USACAN-SPAM ActOpt outRight to access, rectify, erase, restrict processingUp to USD 51,744 per violation
CanadaCASLExpress or implied consentRight to withdraw consentUp to CAD 10 million per day
EUGDPROpt inRight to be informed 
Right to access, rectify, erase, restrict processing, port data, object, withdraw consent, complain 
Rights in relation to automated decision making		Up to EUR 20 million or four percent of global turnover, whichever is higher
USAHIPAAOpt inRight to access and amendUp to USD 1.5 million per year
IndiaDPDPOpt inRight to access, correct, erase, withdraw consent, address grievances, nominate a substituteUp to INR 2,500,000,000
BrazilLGPDOpt inRight to access, confirm, correct, anonymize, delete, port data, revoke consent, right to be informedUp to 2 percent of revenue or BRL 50 million
SingaporePDPAOpt inRight to access, correct, port data, give and revoke consentUp to SGD 1 million
UKPECROpt in (with limited exceptions)Same as GDPR Up to GBP 20 million or four percent of global annual turnover, whichever is higher
South KoreaPIPA Opt inRight to be informed, access, rectify and delete, port dataUp to KRW 30 million
Australia SPAM ActExpress or inferred consentRight to privacy, right to unsubscribeUp to AUD 220,000 per day
1 In some cases, legitimate interest can be a legal basis for email marketing, but it is case-specific and should be analyzed closely by your organization if you want to rely on this basis.

The email marketing laws you need to be aware of

Let’s take a quick trip around the world to briefly discuss the main data protection regulations that apply to email marketing.

EU and UK

GDPR (EU)

The European Union General Data Protection Regulation (GDPR) is one of the most comprehensive data laws, and it aims to give more control to individuals. Many other global regulations are based on the GDPR, which has significant implications for marketing activities, including email marketing.

  • Consent required: The GDPR requires consent-based marketing and has specific requirements for obtaining consent. Consent must be obtained through an unambiguous, confirming action. It must be voluntary, informed, and freely given. 
  • User rights: The following ten data subject rights inform the GDPR:
    • the right to be informed
    • the right to access
    • the right to rectification
    • the right to erasure
    • the right to restrict processing
    • the right to data portability 
    • the right to object 
    • the right to withdraw consent 
    • the right to make complaints
    • rights in relation to automated decision making and profiling
  • Penalties for noncompliance: Up to EUR 20 million or four percent of global turnover, whichever is higher.

PECR (UK)

After Brexit, the UK passed a version of the GDPR called the UK-GDPR. It mostly remains the same as the EU version, but contains updates to cover areas of domestic law. The Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act should be used alongside the UK-GDPR. The PECR provides specific rules for electronic mail marketing communications and protecting personal data.

  • Consent required: As with the GDPR, consent must be knowingly and freely given, clear, and specific. It involves a clear positive action, and the person must understand what they’re consenting to. An opt-in box is the best way to do this.
  • User rights: The same as the GDPR, but with additions to rights related to automated individual decision-making.
  • Penalties for noncompliance: Fines can reach up to GBP 20 million or four percent of global annual turnover, whichever is higher. 

North and South America

CAN-SPAM Act (USA)

The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) of 2003 established commercial email requirements for the USA. Its specific email rules include avoiding misleading header information or deceptive subject lines, identifying the message as an ad, and telling recipients where you’re located.

  • Consent required: Opt out. Unsubscribe mechanisms must be able to process requests for at least 30 days after you send a message. You must honor opt-out requests within ten business days.
  • User rights: The right to access, rectify, erase and restrict processing.
  • Penalties for noncompliance: Each separate email in violation of the Act is subject to penalties of up to USD 51,744.

CASL (Canada)

Canada’s Anti-Spam Legislation (CASL) regulates commercial electronic messages. The Personal and Electronic Documents Act (PIPEDA) contains additional privacy regulations for emails and address harvesting.

  • Consent required: Express consent, and in some cases, implied consent. Express consent must be given through an opt-in mechanism. Implied consent is allowed under certain conditions.
  • User rights: Respect user requests to unsubscribe within ten business days.
  • Penalties for noncompliance: Up to CAD 10 million per day for an organization.

HIPAA (USA)

The Healthcare Insurance Portability and Accountability Act (HIPAA) regulates Protected Health Information (PHI) in the USA. The HIPAA Privacy Rule enables individuals to control whether any health information can be used for marketing purposes. The law defines “marketing” as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” For example, if a hospital wishes to email any past or current patients about its new cardiac unit, they must abide by these Privacy Rules (5 CFR 164.501, 164.508(a)(3), HIPAA Privacy Rule).

  • Consent required: Opt in consent is required.
  • User rights: Individuals have rights to access and request corrections to health information, receive notifications about how information is used and shared, make decisions on specific information sharing and file complaints if they believe their rights are violated or their information is mishandled.
  • Penalties for noncompliance: Various levels, up to USD 1.5 million per year or ten years of imprisonment.

LGPD (Brazil)

The LGPD, Brazil’s Lei Geral de Proteção de Dados Pessoais (General Data Protection Law), has many similarities to the GDPR. It is used alongside the Email Marketing Self-Regulation Code (CAPEM), a voluntary initiative that sets out basic rules and good practices for email marketers.

  • Consent required: Consent must be voluntary, specific and informed. A soft opt in is allowed in some cases.
  • User rights: The same as the GDPR but with broader rights regarding automated decision-making.
  • Penalties for noncompliance: Fines up to BRL 50 million or two percent of a company’s annual revenue in Brazil, per violation.

Asia and Oceania

DPDP (India)

The Digital Personal Data Protection Act, 2023 (DPDP) was introduced to provide regulations for digital personal data processing. It follows the Information Technology Act of 2000, which aims to provide a legal framework to regulate electronic commerce and cybercrime, but which was criticized and challenged for restrictions to free speech, as well as the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules of 2021.   

  • Consent required: The DPDP Act requires Data Fiduciaries (similar to a ‘Controller’ in the GDPR) to obtain consent and provide notices explaining how and why personal data is processed, how people can exercise their rights, and the Data Protection Officer’s contact details. Consent must be freely given, specific, informed, unconditional, and unambiguous. It must be provided through clear affirmative action and is limited to data that is necessary for the specified purpose.
  • User rights: Under the DPDP Act, data principals have the right to request correction of their personal data, the right to erasure, the right to withdraw consent, the right of grievance redressal, and the right to nominate someone to exercise rights on their behalf in the case of death or incapacity.
  • Penalties for noncompliance: The DPDP Act prescribes penalties up to INR 2,500,000,000.

PDPA (Singapore)

Singapore’s Personal Data Protection Act (PDPA) predates the GDPR. The related Spam Control Act of 2007 aims to control unsolicited electronic commercial communications. Strict guidance for email marketing in Singapore dictates that email marketing campaigns must be truthful and comply with the principles of fair competition, as well as align with Singapore’s family values. The Spam Control Act requires senders to include specific information in emails.

  • Consent required: You must inform users about the intended processing and the purposes of processing. Users can withdraw consent at any time. Implicit consent, including pre-checked boxes, is an allowed form of consent.
  • User rights: The right to give and revoke consent, the right to access, the right to correct data, and the right to data portability.
  • Penalties for noncompliance: Up to ten percent of the organization’s annual turnover (of an organization with a turnover of more than SGD 10 million), or SGD 1 million, whichever is higher.

PIPA (South Korea)

South Korea’s Personal Information Protection Act (PIPA) is considered one of the strictest data privacy regulations in the world. PIPA includes prescriptive requirements through all stages of the data handling lifecycle.

  • Consent required: Explicit consent is required, with a few exceptions.
  • User rights: The right to be informed, the right to access, the right to rectification, the right to erasure, the right to object/opt out, the right to data portability, the right not to be subject to automated decision-making
  • Penalties for noncompliance: Up to KRW 30 million. If a data breach is caused by the data controller’s intentional act or negligence, they may be liable for up to five times the damages suffered.

Spam Act (Australia)

Australia’s Spam Act regulates commercial email and other electronic messages with specific rules for email marketing and harvesting address lists. The Spam Act forbids unsolicited commercial emails and address-harvesting software, and stipulates that commercial emails must include specific information about the sender and contain a functional unsubscribe option. The Spam Act 2003 operates alongside the Privacy Act 1998.

  • Consent required: Consent is required before sending an email. Consent can either be express (explicit consent) or inferred.
  • User rights: The Spam Act aims to protect people’s right to privacy by forbidding spam. People have the right to know the identity of the sender and the ability to unsubscribe.
  • Penalties for noncompliance: Up to AUD 220,000 for repeat offenders.

What happens if you don’t comply with email marketing regulations?

You need to ensure compliance in every location where your business operates. If you don’t, you risk criminal and financial penalties and operational restrictions. You may also face investigations and audits that use up time and resources. 

You also risk longer-term damage that comes with breaking your audience’s trust. Part of that trust is about showing your audience that you respect their data privacy. Noncompliance and data breaches can jeopardize your marketing efforts and business reputation in both the short and long term.

How to keep your emails and marketing practices compliant

Navigating global laws and regulations is complex, especially because the digital world rarely stands still. Compliance is about heeding current regulations as well as keeping up with changes. Fortunately, there are tips, tools and technologies that can help.

  • Practice consent-based marketing: It’s important to understand when and how to use opt-in vs opt-out consent, as well as how to document consent.
  • Make it easy to unsubscribe: Generally, every marketing email must include an unsubscribe option. Honor unsubscribe and opt out requests promptly.
  • Be transparent: Many regulations require you to include business information and contact details in your emails and privacy policies. Be clear about your legal basis for processing data and explain why and how data is collected and stored.
  • Maintain and secure your data: Regularly clean and audit your mailing lists to remove inaccurate information and ensure data is safe and secure, and keep evidence of security measures. These practices also help you monitor campaign performance by tracking how many emails are actually being opened, and how many people are unsubscribing or withdrawing consent.
  • Use software to manage user consent and stay compliant: Leverage tools like Usercentrics CMP and Usercentrics Preference Manager to help you stay compliant across your global marketing efforts. Download our webinar on complying with multiple data privacy regimes.

The Usercentrics CMP delivers privacy-led marketing tools that help keep you compliant with global regulations without compromising customer experience. The personalized consent experience helps build audience trust, and uses geolocation to localize user experience and regulatory compliance. Thousands of legal templates make it easier to keep up as regulations change. 

What’s more, the Usercentrics Preference Manager can tailor interactions based on individual preferences and opt-ins. With the CMP you can also embed privacy policies, keep track of user consent choices, and store user consent data securely. 

Discover how Privacy-Led Marketing can refine your marketing strategy and improve ROI. Learn how to adjust your use of Google Ads and Analytics to meet privacy requirements, elevate marketing performance, and drive overall business growth.

Chapter 9 Finish guide

Discover how Usercentrics can help you handle user consent data efficiently and securely.

Learn more

Frequently asked questions

What are the rules of email marketing?

Email marketing regulations globally share common rules: explicit consent (like opt-in or double opt-in), clear identification of the sender, and easy opt-out mechanisms. Laws such as GDPR (EU), CASL (Canada), and others prioritize data protection, transparency, and user rights. For health data, HIPAA (USA) mandates confidentiality. LGPD (Brazil), PIPA (South Korea), and PECR (UK) align closely with these principles. Compliance ensures marketers handle data responsibly, protect privacy, and avoid penalties.

Is it illegal to send marketing emails without consent?

Yes, in most regions, sending marketing emails without consent is illegal. Regulations like GDPR (EU), CASL (Canada), PECR (UK), and SPAM Act (Australia) require explicit opt-in consent before sending marketing emails. In the USA (under CAN-SPAM), consent is not required, but there must be a clear opt-out option. Other laws like LGPD (Brazil) emphasize transparency and give recipients control over their data. Without consent, you risk violating these laws and facing penalties.

What are the opt-in laws for marketing emails?

Opt-in laws for marketing emails vary by region but generally require explicit consent. GDPR (EU), CASL (Canada), PECR (UK), and LGPD (Brazil) mandate an opt-in system where users give clear consent, often via double opt-in. In Australia and South Korea, similar opt-in requirements apply. The CAN-SPAM Act (USA) allows for implied consent but requires a clear opt-out mechanism. Opt-in laws aim to ensure that recipients have control over their data and consent to receiving marketing communications.

What is the rule of 7 in email marketing?

The “Rule of 7” in email marketing refers to the marketing principle that a potential customer needs to hear or see your message at least seven times before taking action, such as making a purchase. This rule emphasizes the importance of repeated exposure to build brand recognition and trust, ensuring that the message resonates with the audience over time. It guides marketers in structuring campaigns to maintain consistent, valuable communication without overwhelming the recipient.