Have you ever received an email from a royal prince “beseeching” you to help free him from prison? The prince promises a generous reward for your efforts, to the tune of $150,000. All you need to do is share your bank account number to receive your reward.
Much like the captured royalty scam emails from the early aughts, cybercriminals are still attempting to trick unsuspecting people into sharing their private information. But while governments worldwide have increased their efforts to protect the public with anti-spam laws, these regulations can significantly impact your brand’s email outreach efforts.
With email marketing revenue forecasted to hit almost $11 billion by the end of next year, brands now have the sometimes complicated balancing act of abiding by these laws while still effectively engaging consumers. Organizations must understand and comply with the CAN-SPAM Act and GDPR rules and regulations to do so.
Don’t become the next captured prince. Here’s everything you need to know about email compliance laws.
What Is the CAN-SPAM Act?
The Controlling the Assault of Non-Solicited Pornography and Marketing Act, or CAN-SPAM Act, was implemented in 2003 throughout the United States to protect consumers from unwanted emails from brands. This protection makes no exception for B2B emails; the same rules still apply.
Intended to be business-friendly, the CAN-SPAM Act recognizes the differences between commercial and transactional emails. Whereas transactional emails are sent to individuals following a commercial transaction (think purchase confirmations and forgotten password resets), commercial emails contain non-essential messages that are normally used for marketing or promotional purposes.
While you don’t have to worry about CAN-SPAM email compliance if you respond to a customer’s email inquiries, you do need to be mindful when developing your email marketing strategies.
A brand’s emails must comply with the act’s content, sending, and unsubscribing guidelines. Among other things, the CAN-SPAM Act requires businesses to:
- Allow subscribers to opt out by including a working unsubscribe link within every promotional email they send
- Honor a customer’s request to opt out within 10 business days
- Include their physical address in every email
- Never be misleading or use deceptive subject lines or copy
It’s essential for all email marketers to ensure they are not violating any of the CAN-SPAM Act’s guidelines. Every email that violates the act can accrue penalties of up to $43,792.
What Is the GDPR?
Europe has its own laws when it comes to business spam emails. Called the General Data Protection Regulation (GDPR), the act implemented an integrated legal framework for data protection and privacy across all European Union (EU) member states, as well as Norway, Iceland, Switzerland and Liechtenstein. Replacing the EU’s Data Protection Directive from 1995, the GDPR became effective on May 25, 2018. The law applies to brands that target EU data subjects by tracking online behavior or offering products or services.
The GDPR aims to give consumers more control over their personal data and requires businesses to reframe their thoughts around data privacy. Under the GDPR, personal data can include:
- IP addresses
- Biometric data and location
- Any other type of online information, such as salaries or what candidates people voted for
The GDPR doesn’t consider a brand’s database of customers’ first names personal data. However, if a third party uses that list of first names with other data to pinpoint individual identities, that information is considered to be personal data under the GDPR.
Under GDPR law, there are fundamental data subject rights all companies should be aware of:
- Companies must inform subjects about the collection methods and use of personal data.
- Contacts can request to view their personal data at any time or have it transferred to another data controller.
- Inaccurate or outdated information can be updated by the contact.
- Contacts can ask for their personal information to be deleted.
- Contacts can request suppression of their personal data.
- Contacts can withdraw their consent or object to the processing of their data at any time.
- Contacts can object to company decisions that are made solely through automated decision-making based on profiling.
Businesses that breach GDPR regulations can face maximum penalties of $23 million, or 4% of their annual global turnover. For example, Google was slammed with a hefty fine due to acceptance of cookie tracking being easier than the refusal of cookie tracking.
How Brands Can Stay Compliant
So, how can your business remain compliant with both the CAN-SPAM Act and the GDPR while successfully growing its email contact list and engaging customers? Here are three do’s and don’ts to follow to ensure your compliance.
CAN-SPAM Compliance
1. DON’T Use Misleading or Deceptive Language
Never use deceptive subject lines or misleading copy within the body of your emails. While some brands might use clickbait to boost their email open rates, this violates email compliance regulations. Always be honest and use subject lines that accurately reflect your email content.
2. DO Tell Customers Where Your Company Is Located and How to Opt-out
Include your business’s physical location at the bottom of every email you send to customers. If you don’t have a physical mailing address, you can also include your P.O. box. Additionally, make it easy for customers to unsubscribe. Provide clear opt-out directions in all of your emails, as well as a working unsubscribe link. If you make it easy to subscribe to communications, it needs to be just as easy to unsubscribe from them.
3. DO Target the Right People
Email segmentation is paramount for compliance and efficiency. Bucket your email subscriber list into different categories, including demographics, past buying behavior, or common interests to ensure you’re sending the right messages to the right people.
More importantly, you want to have an email list of only the people who are relevant to your business’s offerings. For instance, if you sell dog food, you don’t want to collect email addresses of crazy cat ladies. Trust me, they are loyal until the end to their felines.
GDPR Compliance
1. DO Be Transparent With Contact Collection Practices
Each time you collect someone’s information, it should be in an informed, transparent way. The contact should know what they are signing up for, how you collected their information, and how their data is being processed.
2. DO Offer Privacy Policies and Notices
Each contact should have access to legal documentation that states how their information will and will not be used. Only process their personal information to a necessary extent based on the purposes they agreed to, and ensure all of their data is accurate and up to date. Inaccurate data can immediately put you at risk of regulation breaches.
3. DO Be Crystal Clear on Gaining Consent
Like many things in life, consent can’t be hazy. You need a resounding and enthusiastic “Yes!” to collect contacts’ personal information. Be specific and clear, and have plain language immediately available (not buried in legal jargon) to let the user know what they are saying “Yes!” to. While a double opt-in process is not required for GDPR compliance, it’s a great practice and eliminates confusion on how a contact opted in.
4. DON’T Use Pre-Ticked Opt-In Options
When you immediately assume a contact wants to receive your communications with a pre-checked subscription or consent button, you’re using deceitful methods to gain consent for communications and use of their personalized data. As we said previously, the user needs to be the one to give consent of their own volition, not be tricked into it.
Ensuring Your Regulation Compliance
If you don’t want your brand to become the next captured prince scam, it’s crucial to comply with the CAN-SPAM Act and GDPR regulations. By being authentic and honest in communications and considering the overall user experience of your communications, staying compliant should be a breeze.