Email marketers are responsible for protecting their subscribers’ data. In a world where privacy is ever-evolving, it’s important to be on top of privacy matters—and that means having a strong understanding of the privacy basics.
In four lessons, we cover data privacy in email marketing as it stands today, plus tips on how to future-proof the privacy of your email program. Whether you’re new to email marketing or need a refresher—we made it easy for you to get informed and prepare for the future.
The evolving landscape of data privacy
The landscape of email privacy is continuously evolving, driven by factors like technology, consumer expectations, and changes in regulation. Email marketers use tools that rely on data—like segmentation and dynamic content—and with the growing demand for personalization, it’s important to be up to speed on the latest data privacy regulations in order to foster (and uphold) brand trust.
Importance of email privacy laws
Email privacy laws establish guidelines for fair and responsible data use. These laws are designed to:
- Protect subscribers from unsolicited emails
- Ensure transparency about data collection and usage
- Give individuals control over their personal information
For brands and businesses, following these laws reduces the risk of legal issues. More importantly, it helps build trust in their brand. This is especially important today, as artificial intelligence (AI) becomes more common and people are looking for more human-centric marketing.
Current state of email privacy laws
To understand today’s email privacy laws, it’s helpful to start with a bit of history. Let’s explore some key events in email marketing from the past few years that have shaped the industry.
- 2021: Apple’s Mail Privacy Protection (MPP) comes into effect on September 20, 2021.
- 2022: Generative AI sees its biggest boom with the release of ChatGPT and DALL-E 2.
- 2023: Apple introduces Link Tracking Protection (LTP) as part of its iOS 17 release on September 18, 2023.
- 2024: Gmail and Yahoo institute new deliverability rules starting February 2024.
Looking back, you’ll see that every year brings something new to the mix. And as technology advances, so do privacy measures. Major tech players such as Apple, Google, and Yahoo are continually adapting to better protect their users. For example, Apple’s introduction of Mail Privacy Protection (MPP) marked a major shift towards a more privacy-focused approach, emphasizing user control—a change that email marketers have had to adapt to.
Understanding key email privacy laws
What privacy laws should all email marketers know and understand? Let’s take a closer look at four governing laws.
Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) Act
The CAN-SPAM Act is a United States federal law designed to combat spam. The Federal Trade Commission (FTC) defines it as:
A law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.
CAN-SPAM requires businesses and brands to, among other things:
- Include a working unsubscribe link in every marketing email sent
- Honor opt-out requests within 10 business days
- Include their mailing address in every email they send
- Never use misleading or deceptive sender names, subject lines, or email copy
- Never attempt to conceal their identity or the fact that they’re sending advertising
Canadian Anti-Spam Legislation (CASL)
Another anti-spam law is CASL. Enforced in Canada, it’s known as one of the world’s strictest anti-spam laws. The law sets clear requirements for sending a marketing email—also referred to as commercial electronic message (CEM).
The Office of the Privacy Commissioner of Canada defines it as:
A federal law dealing with spam and other electronic threats. It is meant to protect Canadians while ensuring that businesses can continue to compete in the global marketplace.
The Canadian Radio-television and Telecommunications Commission (CRTC) shares three general requirements for sending a commercial electronic message (CEM):
- Obtain consent
- Provide identification information
- Provide an unsubscribe mechanism
General Data Protection Regulation (GDPR)
Now onto data privacy laws. These specify how an individual’s data should be collected, stored, and shared with third parties.
In 2018, GDPR—the European Union’s privacy law—came into effect. (And after Brexit, the UK created its own UK GDPR.)
To keep email consent compliant with EU and UK GDPR, you should:
- Provide the option to unsubscribe in every email
- Get consent from a positive opt-in (not pre-ticked boxes)
- Keep consent requests separate from other terms & conditions
- Make it easy for people to withdraw consent
- Keep evidence of who consented, when, and how
- Review your consent practices and existing opt-ins
California Consumer Privacy Act (CCPA)
In 2018, California passed the CCPA, which came into effect in 2020.
According to the State of California Department of Justice, the CCPA was instituted to give consumers more control over the personal information that businesses collect about them.
This law secures privacy rights for California consumers:
- The right to know about the personal information a business collects about them and how it is used and shared
- The right to delete personal information collected from them (with some exceptions)
- The right to opt-out of the sale of their personal information
- The right to non-discrimination for exercising their CCPA rights
Disclaimer: This blog post provides a high-level overview about CAN-SPAM, CASL, GDPR, and CCPA, but is not intended, and should not be taken as legal advice. Please contact your attorney for advice on email marketing regulations or any specific legal problems.
Data collection and management
In email marketing, navigating data collection and management is essential for compliance and building trust with your audience. Let’s break down the fundamental steps to collecting, storing, and managing subscriber data.
Forms of consent
Do you know the different forms of consent in email marketing? There are two types: explicit consent—sometimes referred to as express consent—and implicit consent—also known as implied or inferred consent.
Explicit consent is when a person has clearly agreed (orally or in writing) to receive marketing emails from your brand. Examples include:
- Clicking a checkbox on a form
- Confirming through double opt-in (DOI)
- Opting-in through written consent
Implied consent is when a person has not directly signified that they want to receive marketing emails from you, but has provided their email address over the course of normal business communication.
Below are examples of implied consent, instances where an individual has not explicitly agreed to receive marketing emails from the business or brand:
- Collecting customer information from checkout
- Collecting emails from a “Contact Us” form
- Signing up for gated content or resources
Keep in mind that the treatment of implied consent varies by jurisdiction. Where implied consent is allowed, it is usually restricted to a specific time frame or to a defined set of circumstances.
Collecting email permission
Email marketing is based on permission. This means you should only send emails to individuals who have explicitly opted in to receive them.
There are two approaches to email permission:
- Single opt-in (SOI). A subscription process where a new email address is added to your mailing list without requiring the owner of that email address to confirm definitively that they knowingly and willingly opted in.
- Double opt-in (DOI). A subscription process where a new email address is only added to your mailing list after the email address owner clicks a confirmation link in an opt-in confirmation request email that’s sent to them after they opt in via a form or checkbox. Sometimes referred to as confirmed opt-in (COI).
Which should you opt for? Like most things in email: it depends—and it’s ultimately up to you to decide.
Opting out
Ensuring that subscribers can easily unsubscribe is important to comply with CAN-SPAM, CASL, GDPR, and CCPA. You must ensure all marketing emails you send contain an unsubscribe link—also known as the right to opt-out.
Dive deeper into the dos and don’ts of unsubscribe links.
Storing and deleting subscriber data
Managing subscriber data goes beyond mere collection and storage—it also means respecting and actioning on subscriber rights, such as the right to access and the right to be forgotten (as outlined in data privacy laws like the GDPR and CCPA).
Note the distinction between unsubscribing and exercising the right to be forgotten (aka deleting every data point you have on that individual). Make sure you have at least one clear method for subscribers to request their data be deleted, such as through a specific section of your website, an email, or a customer service contact option. Once a request is received, act on it efficiently, removing all associated data from your systems.
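The double opt-in flow from “Collecting email permission”, the GDPR point about keeping evidence of who consented, when, and how, and the unsubscribe-versus-delete distinction above, modelled together in one added example (not Litmus’s code). It is an in-memory sketch: the store, method names, and the assumption that the confirmation link carries the token are all ours.

```python
# Added example: a minimal double opt-in (DOI) consent store that records
# consent evidence and separates "unsubscribe" from "delete everything".
# In-memory only (assumption); a real program would persist this.
import secrets
from datetime import datetime, timezone


class ConsentStore:
    def __init__(self):
        self.pending = {}   # confirmation token -> (email, source)
        self.records = {}   # email -> consent evidence (who, when, how)

    def start_opt_in(self, email, source):
        """DOI step 1: form submitted. The address is NOT mailable yet."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = (email, source)
        return token  # assumed to be embedded in the confirmation link

    def confirm(self, token):
        """DOI step 2: confirmation link clicked. Records the evidence."""
        item = self.pending.pop(token, None)
        if item is None:
            return False  # unknown or already-used token: nothing recorded
        email, source = item
        self.records[email] = {
            "consented_at": datetime.now(timezone.utc).isoformat(),
            "method": "double opt-in",
            "source": source,      # e.g. which form the address came from
            "subscribed": True,
        }
        return True

    def is_mailable(self, email):
        rec = self.records.get(email)
        return bool(rec and rec["subscribed"])

    def unsubscribe(self, email):
        """Opt-out: stop mailing, but keep the consent evidence for audit."""
        if email in self.records:
            self.records[email]["subscribed"] = False

    def forget(self, email):
        """Right to be forgotten: remove every data point, not just a flag."""
        self.records.pop(email, None)
        self.pending = {t: v for t, v in self.pending.items() if v[0] != email}
```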
Building an email program with privacy laws in mind
Keeping privacy laws top of mind is not just about compliance—it’s a crucial part of building trust with your subscribers and ensuring the success of your email marketing program.
Regular data hygiene
If data hygiene isn’t baked into your routine, make sure it is! Set aside time every few weeks or so to ensure you’re practicing good data hygiene to keep your deliverability and overall email health up.
This includes:
- Checking your list for inactive subscribers
- Removing any invalid emails
- Removing duplicates
Regular data hygiene ensures that your emails reach the right audience, reducing the chance of complaints (e.g. being marked as spam) and enhancing the overall effectiveness of your email marketing program.
Email authentication protocols
When setting up a new email program, one of the first things an email marketer should do is ensure email authentication protocols are set up correctly.
SPF, DKIM, and DMARC are three essential protocols most email marketers are familiar with, but recent times have seen Brand Indicators for Message Identification (BIMI) rise in importance, earning support from major inboxes like Gmail, Yahoo, and Apple—some of the most widely used email clients.
Empowering preference centers
Preference centers are a great way to meet the needs of your subscribers. They allow subscribers to manage what they want to hear from you and how often (not to mention help build first-party data).
Your preference center should include a universal unsubscribe button that offers a way for people to unsubscribe from all of your emails. This should be easy for them to find, which offers a better subscriber experience and helps you stay compliant.
Preparing for the future of email privacy
You can always count on the fact that privacy measures will continue to evolve in email privacy. It’s an ever-changing field, which is precisely why it’s so crucial to proactively safeguard your email program. By taking steps to privacy-proof your email program, you’re not just keeping up with the times; you’re ensuring a secure and trustworthy environment for your subscribers.
Here are some steps you can take to prepare for the future of email privacy.
Changing sender requirements
In case you missed it, as of February 2024 Gmail and Yahoo have implemented stricter regulations for bulk email senders. Now, senders who send more than 5,000 emails daily to Gmail or Yahoo addresses are required to comply with a newly established set of guidelines.
Good news: these “new” rules aren’t necessarily new. Essentially it means that email authentication will now be a must. Specifically, bulk senders must:
- Use authentication protocols like DKIM, SPF, and DMARC to authenticate their emails
- Implement one-click list-unsubscribe
- Honor unsubscribes within two days
- Maintain a spam complaint rate under 0.3%
Something to note: Gmail and Yahoo are two of the most popular email clients. It’s best to ensure you have all the above in place to protect your email deliverability and keep your emails out of spam. (Bonus points if you have BIMI set up!)
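An added example (not Litmus’s code) that checks an outgoing message against the bulk-sender points listed above: a published DMARC policy, one-click list-unsubscribe headers as defined in RFC 8058, and a complaint rate under 0.3%. Header values, the constructed DMARC record, and the complaint figures are assumptions; DKIM signing is done by the sending MTA or ESP and is not modelled.

```python
# Added example: model the Gmail/Yahoo bulk-sender checks on a constructed message.
from email.message import EmailMessage
from urllib.parse import urlparse

ONE_CLICK = "List-Unsubscribe=One-Click"   # exact header value from RFC 8058
MAX_COMPLAINT_RATE = 0.003                  # "under 0.3%" as stated in the text


def build_marketing_message(sender, recipient, subject, body, unsub_url, unsub_mailto):
    """Build a message carrying RFC 2369 / RFC 8058 one-click unsubscribe headers."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    # The https URI is the one-click POST target; mailto is the fallback for other clients.
    msg["List-Unsubscribe"] = f"<{unsub_url}>, <mailto:{unsub_mailto}>"
    msg["List-Unsubscribe-Post"] = ONE_CLICK
    msg.set_content(body)
    return msg


def parse_dmarc(txt_record):
    """Parse a DMARC TXT record ('v=DMARC1; p=none; ...') into a tag -> value dict."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def bulk_sender_findings(msg, dmarc_record, complaints, delivered):
    """Return the list of requirements the message/domain fails; empty means it passes."""
    findings = []
    dmarc = parse_dmarc(dmarc_record)
    if dmarc.get("v") != "DMARC1" or dmarc.get("p") not in ("none", "quarantine", "reject"):
        findings.append("no valid DMARC policy published for the sending domain")
    raw = msg.get("List-Unsubscribe", "")
    uris = [u.strip().strip("<>") for u in raw.split(",") if u.strip()]
    if not any(urlparse(u).scheme == "https" for u in uris):
        findings.append("List-Unsubscribe has no https URI, so one-click cannot work")
    if msg.get("List-Unsubscribe-Post") != ONE_CLICK:
        findings.append("List-Unsubscribe-Post header missing or not One-Click")
    rate = complaints / delivered if delivered else 0.0
    if rate >= MAX_COMPLAINT_RATE:
        findings.append(f"spam complaint rate {rate:.2%} is not under 0.3%")
    return findings
```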
Phase-out of third-party cookies
Despite repeated delays, the much-anticipated phase-out of third-party cookies is finally commencing, according to Google at least. The tech giant unveiled its plans in late 2023 to test a new feature named Tracking Protection. This feature aims to curb cross-site tracking and officially rolled out on January 4, 2024.
The silver lining is that email is the perfect place for building first-party data! First-party data, simply put, is data collected directly from your audience through your channels. But this definition doesn’t capture why first-party data is so important for email marketers to build.
First-party data highlights the crucial role of consent, where customers inherently give you permission to learn more about them. As privacy regulations inevitably become stricter, the emphasis will be on having your own data.
Our advice? Shift your emphasis to a first-party data approach, if you aren’t doing it already.
Regulation of AI
The surge in generative AI’s popularity has ushered in an era of excitement and groundbreaking innovation. However, this technological advancement has also brought to light significant privacy concerns that remain unresolved for the time being, as policy makers race to develop regulation.
Marketers should anticipate the introduction of more stringent legislation aimed at regulating AI usage. Europe is at the forefront of establishing AI regulations, setting a precedent for how democratic societies can guide AI development to benefit the public interest. Meanwhile, the United States is also progressing in formulating policies to govern AI, indicating a global shift towards more accountable and ethical AI practices.
Keep your ear to the ground on the latest email marketing news to be up to speed on how to act and when.
Evolving consumer privacy laws
In the United States, state-level legislation has traditionally governed the confidentiality of different data types or certain industry sectors, such as medical records, social security numbers, and student information.
The number of consumer privacy bills considered or introduced in 2023—roughly 350—shows the growing importance of the topic. Before 2023, five states had already implemented comprehensive consumer privacy laws. In 2023, eight additional states enacted similar laws, all inspired by the European Union’s GDPR. This underscores the growing emphasis on consumer privacy.
Start Privacy-Proofing Your Company’s Email Program Today
By proactively safeguarding your program’s privacy, you’re laying a solid foundation for its future success. Regardless of your experience level in email marketing—from novice to expert—prioritizing privacy is essential. Get informed in just four lessons with Foundations of Email Privacy, designed to streamline your understanding and keep you informed.
Originally published on August 23, 2022 by Kimberly Huang. Updated on March 8, 2024.
The post Foundations of Data Privacy in Email Marketing appeared first on Litmus.