As the world becomes increasingly connected, the email marketing regulation landscape becomes more and more complex. Whether or not you operate directly in different countries, it's good practice as an email marketer to know which laws and regulations apply to your subscribers, wherever they are in the world. In recent years, keeping on top of new legislation has been challenging – most notably in Europe, with the introduction of GDPR (General Data Protection Regulation).
The team at EmailOctopus have compiled this guide to make things easier. Our aim is to create a space where the email marketing community can keep each other up-to-date about regulations around the world, so it's easier for us all to be aware of new legislation, as and when it's implemented.
For more detail about a country's legislation, click the country name.
| Country | Legislation | Content required | Opt-out required | Consent required | Penalties |
|---|---|---|---|---|---|
| Australia | Spam Act 2003 | Name, contact information | Yes | Implied consent if you have a previous business relationship. Otherwise, explicit | Up to $1.8m AUD per day |
| Brazil | LGPD | Name, contact information | Yes | Implicit consent via soft opt-in where an existing commercial or social interest can be demonstrated (effectively legitimate interest) | 2 percent of the revenue from Brazil, up to R$50 million per infraction |
| Canada | CASL | Name, mailing address, contact information | Yes | Implied consent if you have a previous business relationship. Otherwise, explicit | Up to $10m CAD per violation |
| China | Regulations on Internet Service | Name, email address | Yes | Explicit consent | 10,000-30,000 yuan per email |
| Germany | Federal Data Protection Act, GDPR, Telemedia Act | Name, mailing address, clear identification of the sender | Yes | Implied consent if you have a previous business relationship. Otherwise, explicit | Up to €20m, or 4% annual global turnover – whichever is higher |
| India | None at present | None | No | Consent is not required | None |
| Japan | Regulation of Transmission of Specified Electronic Mail | Name, mailing address | Yes | Implied consent if you have a previous business relationship, otherwise explicit consent required | Up to JPY 30 million for businesses; or JPY 1 million or 1 year imprisonment for individuals |
| Singapore | Spam Control Act 2007 | Name, email address | Yes | Explicit consent, via a minimum of soft opt-in | $25 SGD per email, up to $1 million |
| South Africa | Electronic Communications and Transactions Act | Name, email address | Yes | Minimum of implied consent | Fines (no limit) or up to 12 months imprisonment |
| United Arab Emirates | Unsolicited Electronic Communications Policy | Name, mailing address | Yes | Implied consent | Fines of up to AED 10 million |
| United Kingdom | UK GDPR, PECR, DPA 2018 | Name, mailing address | Yes | Explicit consent, via a minimum of soft opt-in | Up to €20m, or 4% annual global turnover – whichever is higher |
| USA | CAN-SPAM | Name, mailing address, contact information | Yes | Prior consent is not required | Up to $16,000 per violation |
Explicit consent gives the individual or business the right to deal with personal data. Consent can be acquired in writing or verbally. Generally speaking you'll need to keep a record of consent collection.
A typical example in email marketing is a website registration form. Some legislations will require that you include a check-box to allow customers to consent to receiving your newsletter.
- Soft opt-in: When you've collected an email address as part of another process, such as a purchase flow, and can reasonably assume the customer will be happy to receive further communications. However, you must have given them a clear chance to opt out – both when you first collected their details, and in every future message you send.
- Single opt-in: A one step opt-in, so only a registration form is filled out.
- Double opt-in: A multi-step opt-in, so the registration is confirmed via a link sent to the acquired email address.
Implied consent, also known as inferred consent, is usually derived from actions and circumstances, often a previous purchase or enquiry.
The best example is during online shopping. Imagine a customer has just bought a games console from your online store. You may assume that the client is interested in games and wish to contact them after their initial purchase with other similar products. If you haven't specifically asked to contact this user again (via a checkbox or similar), this is called implied consent.
The exact boundaries for both types of consent are defined in the specific country laws.
This guide is a community resource which is open to edits from members of the public. Information may be inaccurate and shouldn't be taken as legal advice – always consult a local lawyer before carrying out email marketing in any region.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent