As businesses grow and expand their reach internationally, compliance becomes increasingly important. Email compliance is an essential element of any successful long-term marketing strategy, but complying with various anti-spam laws across different customer groups and geographic locations can be complicated, and it raises lots of questions. Who is it applicable to? What are the types of consent? When do I have to comply? Where does it apply? Why is it so complicated? How do I stay on the right side of anti-spam regulations?
These are all good questions. Let’s dive into the important components of anti-spam compliance.
WHO do these rules apply to?
Anti-spam legislation is intended to protect the citizens and residents of the country that enacted it. Regardless of where your company is, you need to ensure you’re following the governing legislation in the country of the recipient(s) on your email distribution list.
The laws protect the people of a given country, not the geographic location itself, nor the location they happen to be in at the time you obtain their email. For example, if an Australian is at an event in New York when their email is captured, their IP address might indicate they are in the US; however, you may still be bound to respect the legislation of their country of residence.
If your business is sending marketing emails, you will likely have to comply with multiple laws and regulations that reflect the global nature of your list.
WHAT are the types of consent?
When a person fills out a form on your website, and clicks the box saying that they wish to opt-in to marketing emails, this is called Explicit Consent.
If a person provides you with their email address, under the context of being interested in learning more about your product, this falls into the category of Implied Consent.
In the US, you are allowed to market to people until they ask you to stop; consent is opt-OUT based. When email marketing to people in Canada, you need their consent; consent is opt-IN based.
WHEN do I have to get consent?
The timing and duration of permission depend on the type of consent you acquire.
If a person gives explicit consent and opts in to receiving communications, you are welcome to send them marketing emails. This consent does not ever expire, unless they tell you otherwise.
Timelines on implied consent get a bit trickier. For example, if a person visits your website and fills out an inquiry form regarding one of your products, they have implied that they are interested in receiving more information about that product. Though they have not explicitly told you they agree to receive marketing emails from you, they have asked you to give them information and provided you with their contact info. It is implied that you are welcome to send them marketing content. This consent expires 6 months from the moment they filled out the form, or when they unsubscribe, whichever happens first.
Another type of implied consent is when a person becomes a customer. This consent expires 2 years from the date of purchase. Though the person has not directly agreed to receive marketing materials from you, they have given you their email address and purchased from you, which implies they are interested in your company and want to receive marketing materials from you. They may unsubscribe at any time.
When a person unsubscribes, they are revoking their consent. Regardless of how that consent was obtained, or when it expires, you are obligated to discontinue sending them marketing emails. Unsubscribing must be easy and all emails must include an unsubscribe link.
It should be noted that non-marketing emails, or operational emails, are different and do not fall under the same regulations. An operational email is an email that does not include any marketing content and has a very specific purpose, for example: product release notes, account renewal, change of processes, or invoices.
WHERE do these rules apply?
More than 30 countries have anti-spam legislation in effect. For our purposes, we’ll briefly review the Canadian and American laws.
Canada’s Anti-Spam Legislation (CASL) was introduced in 2009 to combat spam, and also improve business integrity surrounding email marketing best practices. In 2014, the legislation went into full effect, which meant the grandfathering rules had expired, and all communications with any person residing in Canada needed to comply. In short: you may only contact people who want to be contacted, or risk fines. (CASL violations can result in regulatory penalties up to $10 million per violation for an organization.)
The US follows CAN-SPAM, which was not created in response to business marketing email spam, but to combat inappropriate unsolicited emails from the dark web. This legislation is the most lenient, as it does not require any consent whatsoever prior to sending out marketing materials, but requires that you stop sending emails to recipients when they unsubscribe. Certain parts of the United States have implemented more stringent data privacy legislation, like the California Consumer Privacy Act.
In other international markets, regulations and requirements vary depending on the country. For example, if you are sending marketing emails to a citizen of Germany, double opt-in is required. If you send a campaign to a Canadian, you need to abide by CASL and be able to prove Explicit or Implied consent. When marketing to Australians, you need to follow the ACMA.
WHY is this so complicated?
So, if everything is about just getting consent – why does it seem so complicated?
It really boils down to one thing: proof. You need to be able to prove the opt-in. Obtaining consent to send marketing messages is useless if you cannot prove your due diligence and show that you have the data to back it up. Consent needs to be captured, it needs to be documented, it needs to be referenceable, and most importantly, it has to be actionable.
Regardless of where your business is located or who you are marketing to, anti-spam requirements will continue to protect consumers, and the technology used to spot and block non-compliant emails will continue to get more sophisticated. Being proactive and adopting opt-in based consent practices now will help ensure that you do not lose large portions of your marketable database when new laws are implemented in the future.
So…HOW do I stay on the right side of Anti-Spam Compliance?
- Develop an anti-spam compliance strategy for your business. You will want to consult with your legal team to determine your level of risk, what you need to adhere to, and what data you should be collecting.
- Include an unchecked marketing opt-in check box on every form, inviting the person to opt in to receive marketing content from your company.
- Document and capture when a person opted in, how they opted in, their IP address, what type of consent was provided, and when that consent will expire.
- Stay away from untrusted lists, or other sources of data where you cannot confirm how/if consent was obtained. Refrain from marketing to anyone who has not opted in.
- Include an unsubscribe link in the footer of every email that provides the receiver with the option to opt out quickly and easily. Ensure that when a person does unsubscribe, they no longer receive any marketing content from you.
By implementing these email compliance best practices, your organization will be well-positioned to connect with a customer base that truly wants to hear from you, provide value, and nurture those relationships.
Lauren Harrison is a Director of Marketing Automation at CloudKettle.