As the world becomes increasingly connected, the email marketing regulation landscape becomes more and more complex. Whether or not you operate directly in different countries, it's good practice as an email marketer to know which laws and regulations apply to your subscribers, wherever they are in the world. In recent years, keeping on top of new legislation has been challenging – most notably in Europe, with the introduction of GDPR (General Data Protection Regulation).
The team at EmailOctopus have compiled this guide to make things easier. Our aim is to create a space where the email marketing community can keep each other up-to-date about regulations around the world, so it's easier for us all to be aware of new legislation, as and when it's implemented.
For more detail about a country's legislation, click the country name.
| Country | Legislation | Content required | Opt-out required | Consent required | Penalties |
|---|---|---|---|---|---|
| Australia | Spam Act 2003 | Name, contact information | Yes | Implied consent if you have a previous business relationship. Otherwise, explicit | Up to $1.8m AUD per day |
| Belgium | outre-Quiévrain law, GDPR | Name, mailing address, clear identification of the sender | Yes | Explicit consent | Up to €20m, or 4% annual global turnover – whichever is higher |
| Brazil | LGPD | Name, contact information | Yes | Implicit consent via soft opt-in where an existing commercial or social interest can be demonstrated (effectively legitimate interest) | 2 percent of the revenue from Brazil, up to R$50 million per infraction |
| Canada | CASL | Name, mailing address, contact information | Yes | Implied consent if you have a previous business relationship. Otherwise, explicit | Up to $10m CAD per violation |
| China | Regulations on Internet Service | Name, email address | Yes | Explicit consent | 10,000-30,000 yuan per email |
| Denmark | Danish Marketing Practices Act, GDPR | Name, mailing address, clear identification of the sender | Yes | Explicit consent | Up to €20m, or 4% annual global turnover – whichever is higher for GDPR violation; Danish government will impose an additional fine which is to be decided by the governing body |
| Finland | Electronic Communication Services Act, GDPR | Name, mailing address, clear identification of the sender | Yes | Implied consent if you have a previous business relationship. Otherwise, explicit | Up to €20m, or 4% annual global turnover – whichever is higher |
| Germany | Federal Data Protection Act, GDPR, Telemedia Act | Name, mailing address, clear identification of the sender | Yes | Implied consent if you have a previous business relationship. Otherwise, explicit | Up to €20m, or 4% annual global turnover – whichever is higher |
| Hong Kong | The Unsolicited Electronic Messages Ordinance | Clear identification of the sender | Yes | Implied consent | Up to $1,000,000 and imprisonment for up to 5 years on conviction on indictment |
| Iceland | GDPR | Name, mailing address, clear identification of the sender | Yes | Explicit consent | Up to €20m, or 4% annual global turnover – whichever is higher for GDPR violation |
| India | None at present | None | No | Consent is not required | None |
| Ireland | Irish Data Protection Act 2018, GDPR | Name, mailing address, clear identification of the sender | Yes | Explicit consent | Up to €20m, or 4% annual global turnover – whichever is higher for GDPR violation; Irish government will also impose a fine up to EUR 250,000 per message sent by a company and an individual may be fined up to EUR 50,000 per message |
| Israel | Communications Broadcasting Law | Name, mailing address, contact information | Yes | Explicit consent, otherwise the recipient has given its contact details when purchasing a service or product, or when negotiating such purchase (specified for general advertising which includes marketing emails) | Fine of up to ILS 202,000 |
| Japan | Regulation of Transmission of Specified Electronic Mail | Name, mailing address | Yes | Implied consent if you have a previous business relationship, otherwise explicit consent required | Up to JPY 30 million for businesses; or JPY 1 million or 1 year imprisonment for individuals |
| Singapore | Spam Control Act 2007 | Name, email address | Yes | Explicit consent, via a minimum of soft opt-in | $25 SGD per email, up to $1 million |
| South Africa | Electronic Communications and Transactions Act | Name, email address | Yes | Minimum of implied consent | Fines (no limit) or up to 12 months imprisonment |
| United Arab Emirates | Unsolicited Electronic Communications Policy | Name, mailing address | Yes | Implied consent | Fines of up to AED 10 million |
| United Kingdom | UK GDPR, PECR, DPA 2018 | Name, mailing address | Yes | Explicit consent, via a minimum of soft opt-in | Up to €20m, or 4% annual global turnover – whichever is higher |
| USA | CAN-SPAM | Name, mailing address, contact information | Yes | Prior consent is not required | Up to $16,000 per violation |
Explicit consent gives the individual or business the right to deal with personal data. Consent can be acquired in writing or verbally. Generally speaking you'll need to keep a record of consent collection.
A typical example in email marketing is a website registration form. Some legislations will require that you include a check-box to allow customers to consent to receiving your newsletter.
- Soft opt-in: When you've collected an email address as part of another process, such as a purchase flow, and can reasonably assume the customer will be happy to receive further communications. However, you must have given them a clear chance to opt out – both when you first collected their details, and in every future message you send.
- Single opt-in: A one step opt-in, so only a registration form is filled out.
- Double opt-in: A multi-step opt-in, so the registration is confirmed via a link sent to the acquired email address.
Implied consent, also known as inferred consent, is usually derived from actions and circumstances, often a previous purchase or enquiry.
The best example is during online shopping. Imagine a customer has just bought a games console from your online store. You may assume that the client is interested in games and wish to contact them after their initial purchase with other similar products. If you haven't specifically asked to contact this user again (via a checkbox or similar), this is called implied consent.
The exact boundaries for both types of consent are defined in the specific country laws.
This guide is a community resource which is open to edits from members of the public. Information may be inaccurate and shouldn't be taken as legal advice – always consult a local lawyer before carrying out email marketing in any region.
