If you're one of the many marketers or business owners who invest heavily in email marketing, you are legally required to have a Privacy Policy that outlines what you do with your subscribers' personal data. Neglecting to follow legal requirements for email marketing can lead to severe penalties.
In this article, we'll go over why a Privacy Policy with relevant email marketing clauses is necessary and give relevant examples along the way.
We'll also provide a sample email marketing Privacy Policy template so that you can get a clear idea about what's necessary to comply with industry guidelines and best practices.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
-
At Step 1, select the Website option or App option or both.
-
Answer some questions about your website or app.
-
Answer some questions about your business.
-
Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. What is a Privacy Policy and is One Required?
- 2. Why Clauses for Email Marketing Should Be in Your Privacy Policy
- 3. What Laws Govern Email Marketing Practices?
- 3.1. CalOPPA
- 3.2. The CAN-SPAM Act of 2003
- 3.3. CASL
- 3.4. GDPR
- 3.5. EC Directive Regulations 2003
- 4. Data Collection and Email Marketing
- 5. Email Marketing Unsubscribe and Privacy Clause Examples
- 6. Offer an Opportunity to Unsubscribe
- 7. Displaying Your Email Marketing Privacy Policy
- 8. Email Marketing Legal Compliance Checklist
- 9. Download Sample Email Marketing Privacy Policy Template
- 9.1. More Privacy Policy Templates
What is a Privacy Policy and is One Required?
A Privacy Policy is a legal document or legal statement that discloses important information to your users regarding their personal information:
- What personal information you collect from your users. Personal information can any data that can be used to identify an individual, such as email addresses, mailing addresses, location data, or a user's first and last name.
- Why you collect this personal information
- How you use this personal information and allow any third parties to use the information
A Privacy Policy is required by law in a number of different countries.
Why Clauses for Email Marketing Should Be in Your Privacy Policy
The same privacy laws that cover a company's data collection, use, storage, security, sales, sharing, and deletion in regards to websites and overall marketing practices, and which are proliferating worldwide in an effort to protect consumer privacy, also impact a company's email marketing practices.
As email marketing continues to increase in popularity, it is more important than ever for companies to ensure that they are respecting the privacy of their customers.
If you press the rewind button and go back in time a bit, you might remember that email marketing wasn't much more than direct mail-lite in the past. By and large, it was just a bunch of, "Hello, so and so, please buy our stuff."
Fast forward to today, and email marketing has become a lot more sophisticated. Of course, it's still all about getting people to buy "stuff," but really, the entire process has become a way for companies to collect more data, refine their marketing campaigns, and increase ROI.
For instance, you can use email to collect information, such as missing demographic data. You can also learn more about your subscribers' devices using web beacons or track your subscriber's online activities when they open emails and click links.
In fact, you can use the email marketing process to collect much of the same kinds of data as your website or app gathers. Because of that, there is an intrinsic danger to your subscriber's privacy.
Numerous laws govern what businesses can do with the personal data of their users, and email addresses are considered personal data. Running afoul of these laws can result in significant fines such as the $57 million Google GDPR fine for the inappropriate processing of user data.
At the heart of most data processing laws is consent, and it isn't enough to simply inform subscribers that you ​send emails to consenting recipients.
As previously mentioned, the process of email marketing involves many of the same kinds of personal data collection as other types of marketing practices. Thus, email marketing will likely need to show up repeatedly in your Privacy Policy.
For instance, some of the clauses where you should mention email marketing include the following:
- What personal information you collect
- How you collect personal information
- Why you collect personal information
- How long you store personal information
- How you secure personal information
- Under what circumstances you share personal information
- With whom you share personal information (if you share)
- Automatic data collection methods and cookies
- A separate email marketing clause (for information on unsubscribing and opting-out)
The bottom line for the moment is that your email marketing campaign should have its own section in your Privacy Policy. Transparency is critical, and being as forthcoming about collecting and processing data like email addresses is essential.
You can't presume that just because someone is aware of one of your marketing activities, and has given consent for data collection in connection with it (i.e., "send me that free report"), that their consent encompasses every other email marketing activity in which you engage (i.e., promotional emails).
What Laws Govern Email Marketing Practices?
Different laws govern email marketing in different countries. The most important ones are Europe's General Data Protection Regulation (GDPR), The California Online Privacy Protection Act (CalOPPA), the CAN-SPAM Act of 2003, Canada's Anti-Spam Legislation (CASL) and more.
These laws regulate the manner in which you:
- Collect email addresses
- Store email address
- Request consent to collect and process email addresses
- Share email addresses
- Delete email addresses
Additionally, these laws apply to all the other personal information you collect.
CalOPPA
The California Online Privacy Protection Act (CalOPPA) is the first comprehensive law in the United States to require commercial websites and online services to post a Privacy Policy.
CalOPPA requires that any person or company whose website collects personally identifiable information from Californian consumers must feature a conspicuous Privacy Policy stating exactly what information is collected and with whom it is shared. This includes tracking of online visits for marketing purposes.
The law applies to email marketing because it requires:
- A Privacy Policy, and
- Transparency about what kinds of personal data your app or website collects
To comply with the law's requirements, it's necessary for you to include a statement within your Privacy Policy that you collect email addresses and whether you share them with third parties or not.
You must also ensure that you provide subscribers with a means of opting out of your email marketing campaigns.
The CAN-SPAM Act of 2003
The CAN-SPAM Act establishes regulations for commercial email, including what information must be included in an email message, the types of messages that are prohibited, and how to unsubscribe from commercial emails.
The CAN-SPAM Act was passed in response to concerns about the increasing amount of spamming and other deceptive marketing practices. The law establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violators.
To be more specific, CAN-SPAM contains seven requirements that marketers must adhere to in order to avoid unsolicited email spamming.
- Be honest and transparent in your header (including from, to, and routing information)
- Do not be deceptive in your subject lines
- Disclose the email as an advertisement
- Provide your physical postal address in the body
- Give instructions for opting out
- Honor opt-out requests within ten business days
- Ensure processors or third parties comply with CAN-SPAM
Of these CAN-SPAM requirements, only the fifth actually has any bearing on your Privacy Policy. You'll need to provide information about how subscribers can opt-out in your Privacy Policy and your emails themselves.
CASL
CASL, or Canada's anti-spam legislation, protects consumers and businesses from misusing digital technology, including spam and other electronic threats. It also aims to help companies stay competitive in a global, digital marketplace.
CASL covers "Commercial Electronic Messages" (CEM), which is a bit broader than simply applying to emails. For example, it also covers instant messages, text messages, and social media messages that are related to commercial activities.
CASL, like the GDPR, touches on consent. You must meet the requirements for implied consent, such as (making a purchase, donation, gift, providing volunteer time or resources, providing an email address, or publishing an email address).
If you do not meet the conditions of implied consent, you must obtain express consent from subscribers. This requires either a written agreement or an oral agreement from the subscriber stating that they consent to receive digital communications from your business.
GDPR
The GDPR is a privacy and security law passed in the EU. It affects companies outside of the EU, so long as they target or collect data related to people there.
The GDPR protects your customer's personal information from mishandling by businesses collecting private data. Personal Data under the GDPR refers to any piece of information that could be used personally (e.g., name, I.D. numbers, location details), which can identify someone either on its own or when put together with other pieces of data (like their website browsing history or email address).
However, the regulation covers more than just email addresses. It applies to all types of electronic communication.
With that said, email marketers have to understand that they must abide by super strict consent requirements if they're doing business within the E.U.
The GDPR states that any consent given must be "clear, affirmative actions." In other words, your subscribers only consent when they take a positive action, such as clicking an appropriately worded link or ticking a box.
You must also pay particular attention to your data processing efforts since you can only collect email addresses when the following criteria are met:
- You must have a specific and lawful reason for processing personal information
- You must only use personal information for the reasons you state within your Privacy Policy
- You must provide a way for subscribers to update and remove inaccurate or outdated information, and
- You must delete personal information when you no longer need it
Each of these issues needs to be covered in your GDPR Privacy Policy, and you must actively manage any email subscription lists you have.
You also have to remember that the GDPR gives your subscribers the right to object to you processing (using) their personal data. That means even if they've already provided you with consent, such as filling out a form and providing you with their email address, they have the right to withdraw that consent at any time.
You have to let them know they have that right and ensure that you're able to provide them with any data you've collected as well as a means for them to ask you to stop using it.
Most websites collect email addresses through web forms.
These web forms should have two main components to them: a form of clickwrap, and a link to your Privacy Policy.
Ensure that all of your email subscribers have opted-in and provided consent to be contacted. A fail-proof way to do this is with a double opt-in system.
With this system, when a member signs up, they receive an initial email to confirm that they do in fact want to receive emails from you:
The best way of implementing clickwrap is to include a checkbox so that you can confirm that your users have agreed to your legal agreements:
Here's an example of what this looks like, from Timberland UK:
You can see that Timberland has a clearly labeled checkbox and link to its Privacy Policy at the bottom of the form. By requiring users to click the box and also click "Sign Me Up," it's absolutely clear that people intend to sign up for the newsletter and are agreeing to the terms.
EC Directive Regulations 2003
Under the Privacy and Electronic Communications (EC Directive) Regulations 2003, your email recipients must have opted in (whether by express opt-in or implied opt-in), and you must allow them to opt out at any time.
You must never hide your identity when you send marketing emails, and if you are marketing on behalf of another company or organization you must not conceal their identity either.
To market to someone who isn't already a customer, you must offer them a chance to opt in explicitly.
Here's an example from Apple that shows an explicit option for customers to opt-in to Apple's marketing emails:
If you have purchased a database of email addresses from a third party, these people will not be considered "customers," and you must ensure that those people have opted in to receive your marketing emails. If it is unclear, do not send them marketing emails as you may be in breach of the law.
For individuals, UK anti-spam law also includes something called a soft opt-in. This basically means that in some circumstances, you can treat a customer as if they have consented to receive emails from you, even though they haven't actually done so.
There are a number of rules that you need to follow to comply with the soft opt-in allowance under the law:
- First, you need to have obtained the customer's email address "in the course of the sale of negotiations for the sale of a product or service," which means that the person has to be already a customer.
- Second, you can only direct market to those people in respect of "similar products and services." This means that if your customers signed up to receive travel newsletters from you, you can't send them advertisements for scented candles. However, if they are expecting travel newsletters they would reasonably expect you to send them hotel deals, rental car packages, or cheap flights.
- Third, the recipient of your email marketing must have been given a method of refusing the use of her/his contact details at the time they were initially provided.
-
The final requirement of the UK anti-spam law is that the recipients of the email marketing must be given the opportunity to opt out in every subsequent email they receive. The unsubscribe option must be easily visible and displayed on every email.
The easiest way to do this is to include a clear link at the bottom of your emails and make it a part of all of your templates.
Here's an example from BabyCentre UK of where the "Unsubscribe" link is placed in a marketing email:
You can include a link to the account preferences page where they can choose to unsubscribe from email marketing. You can see above in the BabyCentre example that there is also a link to "manage your email subscriptions."
Remember that the legal opt-in and opt-out rules only apply to individuals. You can contact a corporate body without them needing to explicitly opt in.
Be careful, though: sole traders and some partnerships are considered to be individuals rather than corporate bodies.
Also, remember that it's good business sense to keep a "do not email" list of companies and individuals that have objected to your emails, and make sure that they are removed from your marketing lists.
On the privacy front, the Data Protection Act prohibits you from allowing a third party to gain access to personal data you collect from your users on one hand.
On the other hand, you can supply third parties with your users' personal information in these cases:
- When the user asks somebody else (for instance, their solicitor) to get personal information for them
- When your business outsources the personal information processing, such as payroll or customer mailing
- When police or public authorities require it as part of an investigation
If you outsource your email marketing to third parties, such as MailChimp, that will collect, use and store personal information from your users, your business is responsible for that personal information, including its control.
Data Collection and Email Marketing
Through successful email campaigns, you can collect vast amounts of data. For example:
- Email addresses (and other data like locations, names, date of birth) at sign-up
- Data collection from inside the email (missing data from sign-up), and
- Behavior tracking (across your website, in emails, and on the internet)
Privacy experts and regulations such as the GDPR see data collection via email marketing as a double-sided coin. On one side, you may collect more data than you need, which privacy experts warn against, especially if you don't have a legitimate use for it.
On the other hand, if you use personal information correctly, you can send more targeted and precise emails to your customers. This is the goal of legislation like the GDPR.
However, as mentioned several times already, you need to be transparent about it all.
When you create your web form, add a checkbox that clearly states that your user wants to receive particular types of information or contact from you.
Here's an example of a text message delivery update subscription form that asks users to check a box that shows they agree to receive text messages:
If you offer a variety of types of emails or communications, you can include multiple checkboxes or methods for opting in so that users can select to receive different types of promotional emails from you:
Email Marketing Unsubscribe and Privacy Clause Examples
The following examples demonstrate best practices for email marketing and legal requirements for Privacy Policies.
Note how The Epoch Times provides a prominent link to unsubscribe from its mailing list in this example from one of its email newsletters:
Additionally, see how a method is provided for subscribers to manage their email preferences below:
The Epoch Times Privacy Policy lists the following types of personal information the publication collects from users. Note the references to emails within it and the transparency about how the email addresses collected are used:
Fight Aging! is another organization that sends out email newsletters. Note how it lets users know in its Privacy Policy who has access to collected emails and the uses of those email addresses and even email contents can be used:
Note how Digital Kickstart lets users know how it shares personal information, in this case, email addresses and more, with third parties. Although it doesn't specifically mention email addresses, you know the company shares them with third parties because it shares personal data given when "registering for an account or service" as seen in the clause below.
(Note: The Privacy Shield Framework used to be an acceptable method for transfers of data. However, it was invalidated and has been replaced by the EU-U.S. Data Privacy Framework.)
It's not a requirement to include a link to your Privacy Policy in the email newsletter itself, but doing so is an easy method of making sure that users notice and have access to the legal agreement at all times.
Here's how Medium includes a link to its Privacy Policy at the bottom of every email newsletter it sends out:
It's a best practice to include a link to your Privacy Policy even on landing pages, web forms (usually near the email address field) and so on. Including a link to your Privacy Policy in every email that you send to users gives them plenty of opportunities to read it.
In the U.S., the California Business and Professions Code lists a few conditions in respect to Privacy Policies for your website, such as using the word "privacy" in the link's text that redirects to this legal page.
Here's an example of a standard footer you could include in an email newsletter that links to legal agreements as well as an unsubscribe link:
Booking.com collects personal information, including names, addresses, email address from its members that are passed to hotel owners when you book.
The "deals" emails Booking.com sends out contain a link to its Privacy Statement along with links to an FAQ, Customer Service page, unsubscribe link and a Manage Subscription link:
Here's how Medium includes a link to its Privacy Policy in emails it sends out:
In all the emails that Business Insider sends, it places links to Email Preferences and an "Unsubscribe" link, as well as to the Terms of Service agreement and Privacy Policy:
It's a very standard practice to place links to your legal agreements in your marketing emails, as these pages matter to your readers and they will look for them there.
Offer an Opportunity to Unsubscribe
Remember that you should always give users the chance to opt out or unsubscribe, even after they've subscribed. A standard way to do this is to include an "Unsubscribe" link in your email newsletters.
According to the CAN-SPAM Act, which spells out rules for commercial email and other commercial messages, you must provide a clear and conspicuous method of opting out of future communications in each of your communications.
CAN-SPAM sets out other requirements for commercial messages that can be viewed in the CAN-SPAM Compliance Guide document.
Here's how Entrepreneurs HQ Limited provides its unsubscribe link in every email and lets users know that by clicking it, they will be unsubscribed:
Here's an example of how Cision lets subscribers know they can unsubscribe by replying to the email in a certain way:
When the opt-out link is clicked by a user, the user must be given an easy way to unsubscribe from your email communications.
Here's another example of an unsubscribe field from Apple that simply asks a user to enter his email address twice and then click the "Unsubscribe" button as a confirmation. The link at the bottom lets the user unsubscribe from Apple's other newsletters that Apple may send to the user:
If you have an email newsletter, stay compliant with these legal requirements by creating a Privacy Policy that lets users know that you will be using their email addresses for emailing them your email newsletters.
Make sure the agreement is accessible and easy to read and understand, and that you provide users with a way to easily unsubscribe from your email newsletter.
Displaying Your Email Marketing Privacy Policy
Websites typically include a link to a Privacy Policy in the footer of the website where it can be easily noticed and accessed. Mobile apps can utilize in-app menus to display the policy.
Here's how ABC Fitness places its Privacy Policy link in the footer of its website:
Mobile apps typically provide a Privacy Policy through one of two ways: embedded directly within the app, or linked to a URL that forces open the mobile web browser to open to a specific URL where the page of that agreement is hosted.
Here's a standard example of a Privacy Policy and legal agreements link displayed within an app in a menu:
eBay's mobile app provides access to the Privacy Policy via a "Settings" menu within the app:
This URL linked from the app should be the same URL used on your website in the footer.
Now that you've seen some examples in action, let's look at a general overview of the best practices.
Email Marketing Legal Compliance Checklist
We've put together a checklist that to help you with compliance.
No matter where your company operates, it's likely that one of the major privacy laws in existence covers your email marketing activities. What that means for you is that you'll need to comply with relevant legislation.
You'll need to incorporate the following in your email marketing Privacy Policy:
- What personal information you collect (i.e., first names, last names, email addresses)
- How you use personal information (do you use subscriber's email addresses to provide updates on company activities? Do you send daily or weekly promotions?)
- A statement about whether you share personal information with third parties (i.e., Google Analytics, Infusionsoft)
- How subscribers can opt out of your emails (i.e., writing to a specific postal or email address or by clicking a link to unsubscribe)
- A way for subscribers to contact you (whether about unsubscribing or something else)
- Whether you track email analytics, and if so, which ones
Your Privacy Policy should include information about what data you collect as part of your email marketing campaign. Additionally, you should explain how users can exercise their rights and withdraw consent to receive your emails and how long you will store the data before it is deleted. Failure to include these clauses puts you in violation of laws like GDPR, which come with hefty fines.
Consider mirroring the Privacy Policy of your email client with your own. Your responsibility is to ensure that you and any other individuals who process data on your behalf adhere to the law.
Include their policy and add a link in your own Privacy Policy to give your contacts a better understanding of the data you collect, use and store in your campaign. This will allow them to make informed decisions.
Keeping all of that in mind, remember that just collecting a customer's email address counts as collecting personal information. Doing so means that you're subject to a whole host of legal requirements depending on where you do business.
You should:
- Ensure that subscribers have access to your Privacy Policy at all times. This means before, during, and after subscribing to your email list. You can make sure that happens by including links to your Privacy Policy in your sign-up forms, your newsletters, and in the footer of your website.
- Specifically mention your use of email addresses and how you use them.
- Provide subscribers with a way to opt-out of your email marketing activities at any time. You should include that information in every email you send as well as within your Privacy Policy.
To comply with laws, the key things to remember when setting up your email marketing campaign are:
- Get consent. Make sure the people you're emailing have expressly or impliedly given consent for you to send email marketing material to them.
- Ensure that your subscribers are aware of and agree to your Privacy Policy when you originally obtain their email address, by using clickwrap methods.
- Ensure that your Privacy Policy covers all of the information you'll collect, what you will do with that information, how you keep it secure, and how your subscribers can update their details.
-
Be honest and clear with email headers and subject lines. While it might be tempting to write in the subject line of your email "URGENT, please respond!!" and then display a sale or promotion in the body of your email, this is annoying for your subscribers and it's not following the legal guidelines.
Have a look at these legal guidelines regarding the content of the emails of your email marketing campaign:
- The email header must relate to the content in the body of the email and not be deceptive
- A legitimate address of the sender must be displayed
- If adult content is comprised in the email it must be labeled accordingly
-
Include an "Unsubscribe" link in every email that you send, and honor requests promptly. The most common place to include the unsubscribe link is at the bottom of the email.
If you regularly send marketing emails, add the unsubscribe link to your email templates.
If you don't want to include an unsubscribe link in the email, you can include a link directing the subscriber to their "Preferences" page of their account (if they have one) where they can unsubscribe.
Download Sample Email Marketing Privacy Policy Template
Our Sample Email Marketing Privacy Policy Template will be available soon.
Generate a Privacy Policy in just a few minutes
More Privacy Policy Templates
More specific Privacy Templates are available on our blog.
Sample Privacy Policy Template | A Privacy Policy Template for all sorts of websites, apps and businesses. |
Sample Mobile App Privacy Policy Template | A Privacy Policy Template for mobile apps on Apple App Store or Google Play Store. |
Sample GDPR Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with GDPR. |
Sample CCPA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with CCPA. |
Sample California Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with California's privacy requirements (CalOPPA & CCPA). |
Sample Virginia VCDPA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with Virginia's VCDPA. |
Sample PIPEDA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with Canada's PIPEDA. |
Sample Ecommerce Privacy Policy Template | A Privacy Policy Template for ecommerce businesses. |
Small Business Privacy Policy Template | A Privacy Policy Template for small businesses. |
Privacy Policy for Google Analytics (Sample) | A Privacy Policy Template for businesses that use Google Analytics. |
Sample CalOPPA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with California's CalOPPA. |
Sample SaaS Privacy Policy Template | A Privacy Policy Template for SaaS businesses. |
Sample COPPA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with California's COPPA. |
Sample CPRA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with California's CPRA. |
Blog Privacy Policy Sample | A Privacy Policy Template for blogs. |
Sample Email Marketing Privacy Policy Template | A Privacy Policy Template for businesses that use email marketing. |
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.