International Email Marketing Regulations​

Marketing with email campaigns has become a common practice for most companies, but as the world has become more digital, the regulations for digital marketing have become more strict. In fact, many may not realize that sending a commercial email can be considered SPAM and illegal to do, especially when the recipient of said email is located in another country. Most countries have set out their own regulations in regards to combatting SPAM and unsolicited emails, so it’s crucial to know the rules before sending any commercial emails to different regions.

These regulations come in many different forms, some countries have entire laws and acts dedicated to it, while others briefly mention it in other large bills. There are a few different names that these regulations are called, but the most common are anti-spam laws and data protection laws.

Some of the strictest regulations are in Canada with Canada’s Anti-SPAM Legislation (CASL), and in the European Union with the General Data Protection Regulations (GDPR). These two regulations have become the standard in many ways, and many countries are following suit with regulations that fall in line with these two.

As mentioned, many of these regulations are designed to protect personal data and information, and while sending a commercial email seems harmless, it could actually be against the law if the right steps haven’t been taken. Email addresses are pretty much universally considered personal data, which means that contacting and storing email addresses is equivalent to processing personal data, and must be done in accordance with the regulations for where the person receiving the email is located.

There are various penalties for not following these regulations, and some fines can get pretty hefty. In fact, the fines imposed for not following the rules of the GDPR, for example, can reach up to €20 million for more serious infringements.

The map below shows some of the different regulations around the world by country. Click on each highlighted country for a more in depth look at the specific rules regarding unsolicited commercial emails.

Australia

The Australian Privacy Principles are the regulations which cover email marketing in the country. The general requirements for direct marketing communication, are to obtain consent and provide a simple way for the recipient to not receive further communications. There are some other exceptions to the rules and the definition of consent is fluid depending on the circumstances.

Read the Australian Privacy Principles

Brazil

The Brazilian General Data Protection Law (LGPD) is the main regulation regarding commercial email in Brazil and follows similar guidelines as the GDPR of the EU. The main difference between the two is that the LGPD’s justification for processing someone’s personal data is “to protect credit”. If a company is compliant with the GDPR, it will effectively be compliant with the LGPD as well.

Read the Brazilian General Data Protection Law

Canada

Canada has some of the strictest regulations in the world when it comes to email marketing, as set out in the CASL (Canada’s Anti-Spam Legislation). The main focus of the CASL is to prevent spam and unsolicited CEMs (Commercial Electronic Messages). In order to send a CEM in Canada, you must do three things:

  1. Obtain Consent
  • Consent can be both express and implied. For B2B CEMs, consent can be implied if there is an existing business relationship with the recipient of the message from:
    • A purchase by the recipient within the past two years, or
    • A contract between the organization and the recipient currently in existence or which expired within the past two years
  1. Provide Identification
  • You must clearly identify yourself or your organization as the sender of the CEM.
  1. Provide an Unsubscribe Mechanism
  • All CEMs sent in Canada must contain an unsubscribe mechanism in the message.

Read the Canadian Anti-Spam Legislation

Costa Rica

The General Telecommunications Law provides the right for citizens to not receive unsolicited information and gives them the right to opt out of receiving commercial email.

Read the General Telecommunications Law of Costa Rica

Dominican Republic

The Anti-Spam law in the Dominican Republic expresses that people have the right to not receive unsolicited commercial emails, and also must be able to opt out of receiving further emails. However, if there has been any commercial relation with a customer, then a company has a right to send them offers. These emails must be clearly labeled as “advertising” and clearly identify the sender.

Read the Dominican Republic Anti-Spam Law

European Union

The General Data Protection Regulation (GDPR) is the set of regulations that cover email marketing in the EU.  The GDPR is known as the toughest privacy and security law in the world and is enforceable outside of the EU, meaning that any US companies that process data from anyone in the EU must comply with the regulations. Violating the GDPR can lead to harsh fines of up to 20 million euros.

When processing personal data such as an email address, it must be lawful, fair, and transparent. You must also have a legitimate purpose to process data, and only store and process the minimal amount of data for the specified purpose. Processing must also be done in a way to ensure security, integrity, and confidentiality.

In order to process data, you must have one or more of the following:

  • Unambiguous consent
  • It is necessary to enter into a contract
  • It is necessary to comply with a legal obligation

When it comes to email marketing, the biggest factor to consider is consent of the parties you are sending the marketing materials to, and they must have the ability to unsubscribe or stop receiving marketing materials. If you are storing and processing any other personal data, then the regulations become much stricter.  

Read the General Data Protection Regulation for the EU

India

The PDP (Personal Data Protection) Bill was proposed in 2019 and will likely come into effect in the tail end of 2021. It is largely inspired by the GDPR, which has become the standard in data protection around the world. The scope and regulations of the PDP are very similar to the GDPR with the same basic requirements. Currently, it is not in effect.

Read the Indian Personal Data Protection Bill

Jamaica

Jamaica does not have any laws specific to commercial email and spam.

Japan

The Act on the Protection of Personal Information (“APPI”) regulates privacy protection issues in Japan and the Personal Information Protection Commission (“PPC”), a central agency acts as a supervisory governmental organization on issues of privacy protection. The APPI applies to any business that processes data of people in Japan, so is extraterritorial in its reach. Businesses must have a privacy policy in place and safeguard a subject’s data.

The basic requirements for sending a commercial email in Japan are to obtain prior consent, have a legitimate reason to send communications, provide proper identification of the sender, and provide an opt out mechanism for the receiver of the message.

Read the Act on the Protection of Personal Information for Japan

Kuwait

Kuwait does not have any laws specific to commercial email and spam.

Mexico

Mexico’s Anti-Spam laws are set out in the Mexican Federal Consumer Protection Law (FCPL). However, according to FCPL’s preamble, its scope is limited to unsolicited commercial messages originating in the Mexican territory. With that being said, it’s good practice to follow the rules when possible.

The FCPL prohibits any unclear or deceptive sales or marketing strategies. It also requires that commercial messages or advertising sent to consumers must contain the name, address, telephone and, where applicable, the e-mail address of the provider, and of the business that sends the publicity on behalf of providers. Additionally, recipients must have the ability to opt-out of receiving any further communications from the sender.

Read the Mexican Federal Consumer Protection Law

New Zealand

The Privacy Act 2020 and its Information Privacy Principles govern how agencies collect, use, disclose, store, retain and give access to personal information. The Act gives the Privacy Commissioner the power to issue codes of practice that modify the operation of the Act in relation to specific industries, agencies, activities or types of personal information. It’s more of a case-to-case basis in New Zealand, but sticking with best practices of obtaining consent, providing identification, and providing a way to unsubscribe form further communications should keep a company covered when it comes to sending commercial emails. 

Read New Zealand’s 2020 Privacy Act

Nigeria

The NDPR is the regulation which covers commercial emails in Nigeria. The regulation is in line with the GDPR, with some of its own unique requirements for more in-depth data processing. The main requirements of the NDPR for sending commercial emails are to obtain consent, provide identification of the sender, and stop sending emails to the receiver upon their request.

Read the Nigerian Data Protection Regulation

Panama

With respect to email advertising, Panamanian law requires that all commercial emails:

  • State that they are commercial communications
  • Include the name of the sender
  • Set forth the mechanism through which the recipient may choose not to receive any further communications from the particular sender
  • These requirements apply to other promotional offers as well.

Read Panama’s Personal Data Protection Laws

Philippines

The Data Privacy Act of 2012 is the collection of regulations that covers commercial emails in the Philippines. The main requirements for sending a commercial email are to obtain consent and have a legitimate reason to store and contact the email address of the receiver.

Read the Data Privacy Act of 2012 of the Philippines

Qatar

The regulations on Email Marketing in Qatar are similar to the CASL but they do not go as in depth. The basic requirements for marketing via email in Qatar are to obtain consent, provide proper identification of the sender, identify that it is for marketing purposes, and provide an unsubscribe mechanism.

Read Qatar’s Personal Data Privacy Law

Russia

The Russian Law on Advertising No. 38-FZ, is the set of regulations that cover email marketing in Russia. The basic requirements are to obtain clear consent before sending a commercial email to a recipient in the country, and to immediately stop sending communications upon their request.

Read the Russian Law on Advertising No. 38-FZ

Saudi Arabia

Electronic marketing is regulated by the Communications and Information Technology Commission (CITC) through the Regulation for Reduction of SPAM in Saudi Arabia. It is generally a good practice to obtain prior consent, provide proper identification, and provide an unsubscribe mechanism in any promotional messages. Although the Regulation for Reduction of SPAM applies to promotional messages sent within the Kingdom, it is still important to follow the regulations while sending messages to a recipient in the Kingdom.

Read the Saudi Regulation for the Reduction of SPAM

South Africa

The Protection of Personal Information Act (POPIA) is the piece of legislation that covers email marketing. The basic rules are that to send an unsolicited email communication, a company must obtain consent, provide an unsubscribe mechanism, and provide proper identification of the sender.

Read the South African Protection of Personal Information Act

South Korea

The Personal Information Protection Act (PIPA) is the main regulation that covers data protection. The main requirements for sending a commercial email are to obtain consent, provide a way for the recipient to opt-out of further communications, provide identification of the sender, and to make sure there is a legitimate reason to send an email or offer to a certain email address.

Read the South Korean Personal Information Protection Act

Thailand

On 28 May 2019, the Personal Data Protection Act (PDPA) became law in Thailand. The PDPA is very similar to the EU’s GDPR, but there are a few differences. However, if a company is compliant with the GDPR, they will effectively be compliant with the PDPA in Thailand as well. In order to process data, companies must obtain consent and provide an unsubscribe mechanism for subjects to withdraw consent at any time.

Read the Personal Data Protection Act of Thailand

United Arab Emirates

There are no general laws that cover electronic marketing in UAE, however there is the Unsolicited Electronic Communications Regulation put out by the Telecommunications Regulatory Authority (TRA). The regulations are aimed at telecommunication licensees to prevent SPAM through their networks. SPAM is defined by the TRA as “Marketing Electronic Communications sent to a Recipient without obtaining the Recipient’s Consent”, so it is important to obtain consent before sending any marketing materials via email to a recipient in the UAE.

Read the Unsolicited Electronic Communications Regulations of the U.A.E.

United Kingdom

The Privacy and Electronic Communications Regulations (PECR) is the main set of rules for email marketing in the UK. The aim of the PECR is to restrict direct marketing communications and prevent spam. In order to send a direct marketing email in the UK, one must obtain consent, and provide clear identification of the sender, as well as provide a simple way for the receiver to opt out of further communications.

Read the Privacy and Electronic Communications Regulations for the UK

United States

The CAN-SPAM Act is the set of regulations that cover commercial emails in the United States. There are 7 main requirements set forth by the act for sending commercial emails to a recipient in the US.

  1. Don’t use false or misleading header information
  2. Don’t use deceptive subject lines
  3. Identify the message as an ad
  4. Tell recipients where you’re located
  5. Tell recipients how to opt out of receiving future email from you
  6. Honor opt-out requests promptly
  7. Monitor what others are doing on your behalf

Read the CAN-SPAM Act