Email Marketing is Global 

With the continued growth and evolution of digital marketing, the discipline of marketing has needed to take a more global perspective. With a wide variety of channels consumers can engage with from anywhere at any time, marketers have the ability to reach a worldwide audience more easily and cost-effectively than ever before. But, with this extended reach come challenges, including language and cultural differences, along with different laws and regulations that set guidelines for marketing to people from different parts of the world. 

In the United States, email marketers know that they must understand and comply with The CAN-SPAM Act of 2003, which created a clear set of guidelines for using email as a marketing channel. Outside the U.S., various countries and regions have passed their own laws and regulations that impact how marketers can send marketing email to recipients in those parts of the world. 

If you need clarification on what the CAN-SPAM Act means to you and your email marketing campaigns, Contact Us Today – we would be happy to review this important legislation with you.

International Email Regulations

Email can be a highly effective marketing channel for campaigns running in multiple countries. However, it's important to understand that regulations impacting email marketing can vary significantly from one country to another. Outside of the U.S. and CAN-SPAM, perhaps the most significant law to understand is the General Data Protection Regulation (GDPR) in the European Union. GDPR is a much broader law, impacting marketing channels well beyond email. But its impact on email is significant, as it sets requirements for both receiving prior permission to email recipients as well as rules for responding to opt-out requests.

GDPR Compliance

With GDPR on many marketers’ minds, we have developed a brief overview of our current positioning under the new regulation, as your trusted vendor and partner.

For some time, OPTIZMO has been deeply involved in understanding our role and responsibilities under the new set of rules. After several consultations and evaluations, the consensus of our lawyers, the IAB, and other noted data privacy and protection groups is that OPTIZMO will in fact be categorized as a U.S. based data processor.

This is an important distinction for us, as the service provided to each of our clients may be used in whatever way they choose to deploy it. As always, opt-out links and mailer access keys are distributed only to partners of a client's choosing. Processed opt-out data will only be retained for the period during which we are engaged with a client, and it will be used solely for the purposes directed by the client and as required under CAN-SPAM, EU, or any other regionally applicable email compliance laws.

We have undertaken a full gap analysis and remediation phase, and will update our service agreements and other documentation for those clients who require GDPR-specific language.

The good news for OPTIZMO and all of our partners is that we have historically been doing almost all of what is required for GDPR readiness, both procedurally, and in the technologies we utilize around processing activities such as encryption and data movement. The majority of our GDPR initiatives include updating service agreements and documentation, and creating a few key records required under GDPR. We are also certifying under Privacy Shield, which is a fantastic all-around set of standardized criteria for responsible handling of data (not just from the EU), to further cement our position.

Protecting personal data is a shared responsibility between data controllers and their processors. However, the responsibilities of a processor like OPTIZMO vary greatly from those of controllers, which is how most of our clients will be categorized under GDPR. An important first step toward helping our clients is ensuring they are familiar with the requirements of data controllers under GDPR. While our best recommendation will be to consult legal experts of your own, please let us know if we can be of assistance in this area. We will also be posting more GDPR-related content to our website and social media feeds for your reference.

As your trusted data processor, OPTIZMO is committed to providing you and all of our partners and clients with as many tools and documents as possible to help support your compliance with GDPR. We will also continue to strengthen our ability to facilitate and support your overall GDPR readiness in the future.

*Nothing in this statement should be taken as legal advice. We encourage you to become familiar with the actual text of the regulation and also obtain legal advice as to how GDPR may impact your business.

GDPR is NOT just for companies in the EU.

The General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Despite a lot of coverage in various industry publications, there remains quite a bit of confusion or a lack of understanding as to how the regulation will impact the digital marketing industry in the EU and also in other countries, like the U.S.

First, let’s dispel a myth – that GDPR only impacts companies in the EU. This is FALSE. GDPR expressly impacts any company that collects data on users who are in the EU. This means, if a company simply has a website with visitors from EU countries, then it needs to understand how it can gather, store, and utilize that data in a manner compliant with GDPR. The GDPR includes provisions for imposing extensive fines on companies that do not comply with the rules.

So, what exactly is GDPR?

GDPR introduces a variety of obligations on data Controllers and Processors in a number of areas. It strengthens the rules for gaining user consent when obtaining ‘personal data’ and ‘sensitive personal data’; that consent must be specific, granular, and auditable. In addition, it further defines how companies may use this data and how that use must be in line with the consent received from the user.

What are the personal data requirements?

The regulation requires that personal data be:

  1. Processed lawfully, fairly, and transparently in relation to individuals
  2. Collected for specified, explicit and legitimate purposes and not be processed in a manner incompatible with those purposes
  3. Adequate, relevant, and limited to what is necessary for the intended purposes
  4. Accurate and any inaccuracies corrected without delay
  5. Kept in a format that permits identification of the data subjects for no longer than necessary
  6. Processed in a manner that ensures appropriate security

Learn more about Personal Data here.

What happens if a company is non-compliant with GDPR?

While exact fine amounts are related to how severely a company fails to comply, the regulation allows fines of up to 20 million Euros or 4% of a company’s annual global revenue, whichever is higher. This does not mean that fines of this magnitude will be imposed, but it creates the possibility that they could.

This is just a quick primer on some of the aspects of GDPR. We encourage you to become familiar with the actual text of the regulation and also obtain legal advice as to how GDPR may impact your business.

External links to more information on GDPR

If you want to learn more about GDPR, here are a few links to more in-depth details about the regulation.

As with any legal requirements, it is always recommended to get professional legal advice to ensure your email program is compliant with all relevant laws in different countries and regions.

Additional Regional Regulations

Outside of the EU, many countries have enacted their own email marketing laws and guidelines.  

Canada

In Canada, the Anti-Spam Legislation of 2014 (CASL) creates requirements for email marketers and commercial mailers.

What are some of the requirements?

  1. Opt-In is required (single or double) prior to sending marketing email
  2. A method to Opt-Out or unsubscribe from future mailings must be included
  3. Opt-Out requests must be processed and honored within 10 days
  4. Clear identification of the sender and appropriate contact information is required in every email

Learn more about CASL here.

Australia

The Spam Act of 2003 sets the guidelines for email marketing in Australia. 

What are some of the requirements?

  1. Opt-In is required (single or double) prior to sending marketing email
  2. A method to Opt-Out or unsubscribe from future mailings must be included
  3. Opt-Out requests must be processed and honored within 5 days
  4. Clear identification of the sender and appropriate contact information is required in every email

The Australian Spam Act does allow for email address list purchasing in certain situations, related to lead generation. Some organizations are also exempt from the Opt-In requirement, such as government agencies, registered charities, and political parties.

New Zealand

In New Zealand, the Unsolicited Electronic Messages Act 2007 sets the guidelines for email marketing. 

What are some of the requirements?

  1. Opt-In is required (single or double) prior to sending marketing email
  2. A method to Opt-Out or unsubscribe from future mailings must be included
  3. Opt-Out requests must be processed and honored within 5 days
  4. Clear identification of the sender and appropriate contact information is required in every email

United Kingdom

With the UK leaving the EU, the Data Protection Act of 1998 is a law regulating email marketing. 

What are some of the requirements?

  1. Opt-In is required (single or double) prior to sending marketing email – however, pre-checked boxes are specifically allowed
  2. A method to Opt-Out or unsubscribe from future mailings must be included
  3. Opt-Out requests must be processed and honored within 28 days
  4. Clear identification of the sender and appropriate contact information is required in every email

France

In France, the Loi du 21 juin 2004 pour la confiance dans l’économie numérique includes a set of guidelines for marketers to follow. 

What are some of the requirements?

  1. Opt-In is required (single or double) prior to sending marketing email
  2. A method to Opt-Out or unsubscribe from future mailings must be included
  3. Opt-Out requests must be processed and honored within varied time frames, based on the situation
  4. Clear identification of the sender and appropriate contact information is required in every email

Germany

In Germany, the Federal Data Protection Act includes a set of specific guidelines for marketers to follow. 

What are some of the requirements?

  1. Double Opt-In is required prior to sending marketing email
  2. A method to Opt-Out or unsubscribe from future mailings must be included
  3. Clear identification of the sender and appropriate contact information is required in every email
  4. Companies must retain a data security officer

Turkey

The Regulation of Electronic Commerce 2014 No 6563 creates rules for email marketers.

What are some of the requirements?

  1. Opt-In is required (single or double) prior to sending marketing email (except in business-to-business mailings or if recipient emails were collected prior to the law’s enforcement)
  2. A method to Opt-Out or unsubscribe from future mailings must be included
  3. Opt-Out requests must be processed and honored within 3 days
  4. Clear identification of the sender and appropriate contact information is required in every email

Russia

The Regulation of Electronic Commerce 2014 No 6563 creates rules for email marketers. 

What are some of the requirements?

  1. Opt-In is required (single or double) prior to sending marketing email (with exceptions)
  2. A method to Opt-Out or unsubscribe from future mailings must be included
  3. Clear identification of the email as being commercial in nature

There have been varied initiatives to create additional email marketing and spam laws in Russia over the years.  

China

There are several laws in China that include anti-spam legislation, including the Measures for the Administration of Internet Email Services 2006 and The Consumer Rights Protection Law of 2013.

What are some of the requirements?

  1. Opt-In is required (single or double) prior to sending marketing email
  2. A method to Opt-Out or unsubscribe from future mailings must be included
  3. Opt-Out requests must be processed and honored within 30 days
  4. Clear identification of the email as being commercial in nature in the subject line
  5. Identification of the email’s sender, with contact information


Other Countries

The list above only highlights a few countries and some of their laws regarding email marketing. Many countries in the EU have their own anti-spam legislation that sits beside GDPR.
