If you run a business, chances are that you want to make more sales by keeping your customers informed about new promotions, company updates, changes to your offerings and more through email marketing. Email marketing includes the sending of commercial or sales messages through email to customers or potential customers. While such practices may be commonplace, it is crucial that you keep in mind the fact that email marketing comes with quite a few compliance requirements. In this article, we will discuss one of these requirements, namely the Privacy Policy requirements for email marketing so that you can send emails without risking the heavy fines and even lawsuits.
Table of Contents
Does email marketing collect Personally Identifiable Information (PII)?
The first step in determining your privacy obligations is to figure out whether the collection of PII is taking place as PII is protected under a number of privacy laws. PII is generally defined as “any information that could identify a specific person.” For example, websites that engage in email marketing often have email newsletter sign up forms that collect names and email addresses, which are examples of PII. In addition, PII collected through other forms such as contact forms, eCommerce forms and account creation forms that are used for email marketing is also protected under multiple privacy laws.
Which privacy laws establish Privacy Policy requirements for email marketing?
Since anyone from anywhere can submit their PII to sign up for email marketing, a variety of privacy laws can apply to this practice. The following privacy laws require websites that engage in email marketing to have a comprehensive Privacy Policy:
- California Online Privacy and Protection Act of 2003 (CalOPPA);
- California Privacy Rights Act (CPRA);
- Nevada Revised Statutes Chapter 603A;
- Delaware Online Privacy and Protection Act (DOPPA);
- Delaware Personal Data Privacy Act (DPDPA – effective January 1, 2025);
- Virginia Consumer Data Protection Act (VCDPA);
- Colorado Privacy Act;
- Utah Consumer Privacy Act (UCPA);
- Connecticut SB6;
- Iowa SF262 (effective January 1, 2025);
- Indiana SB5 (effective July 1, 2026);
- Tennessee Information Protection Act (TIPA – effective July 1, 2025);
- Montana Consumer Data Privacy Act (MCDPA – effective October 1, 2024);
- Texas Data Privacy and Security Act (TDPSA – effective July 1, 2024);
- Oregon Consumer Privacy Act (effective July 1, 2024);
- NJ SB332 (effective January 16, 2025);
- New Hampshire SB 255 (effective January 1, 2025);
- Kentucky HB15 (effective January 1, 2026);
- Nebraska LB1074 (effective January 1, 2025);
- General Data Protection Regulation (GDPR);
- United Kingdom Data Protection Act (UK DPA);
- Personal Information Protection and Electronic Documents Act (PIPEDA);
- Quebec Law 25;
- Australia Privacy Act of 1988.
It is important to note that privacy laws have a very broad application, meaning that you do not need to be located in a particular state or country for those laws to apply to you. In addition, many privacy laws apply to businesses regardless of their revenue amount, the amount of PII collected or what is done with that PII. To determine what privacy laws apply to you, you will need to ask yourself the following questions:
- Whose PII are you collecting (i.e. who can provide their PII to me for email marketing)?
- Where do you do business?
- To whom do you offer goods or services?
- Who do you track online through services such as pixels, analytics, cookies or other trackers?
Lastly, privacy laws can apply the moment that you collect PII, regardless of whether you share it, sell it, or even use it.
Privacy Policy requirements for email marketing
Since privacy laws dictate what specific disclosures your Privacy Policy needs to contain, the first step in determining Privacy Policy requirements for email marketing is to determine which privacy laws apply to you. Once that is completed, you should pay particular attention to the following Privacy Policy sections with regard to email marketing:
What PII you collect
The first section of a Privacy Policy to pay particular attention to when it comes to email marketing is the section that describes the PII that you collect through your website. If you engage in email marketing, this section will need to disclose the fact that you collect names, email addresses, and any other PII that you collect.
What purposes you use PII for
The second section that your Privacy Policy should include is the purposes for which you use the PII that you collect. In this case, you should include that PII will be used for the purpose of email marketing.
The legal basis for processing PII
If certain privacy laws such as GDPR or the UK DPA apply to you, you will also need to disclose the legal basis for processing the PII. Due to the fact that these privacy laws prohibit the processing of PII unless an exception (otherwise known as a legal basis) applies, you will need to state the legal basis that you use for email marketing within your Privacy Policy. The most common legal basis for processing PII for email marketing is consent, where the individual voluntarily agrees to the processing of their PII for this purpose.
Who PII is shared with
The next Privacy Policy requirement for email marketing is to disclose who you share the PII with. While many businesses do not believe that they share PII, it is actually quite difficult to perform email marketing without sharing PII. For example, if the individual’s name and email address is input into a third party email marketing platform such as MailChimp or ConstantContact, that means that the PII is being shared with third party email marketing providers. In addition, if an email service provider such as Gmail or Yahoo is used to send or receive the emails, then that PII is being shared with the email service provider as well and this needs to be disclosed within the Privacy Policy.
Privacy rights
If certain privacy laws apply to you, then you will need to disclose the privacy rights that you provide to individuals, which may include the right to opt out of direct marketing such as email marketing. If this is the case, then you will need to provide a description of this right, as well as who it applies to, in your Privacy Policy.
How to exercise privacy rights
If you do need to provide the right to opt out of email marketing, you will also need to inform individuals how to exercise this right within your Privacy Policy. This may include providing your contact information, what information individuals will need to give to you to verify their identity, and how to designate an authorized agent to exercise privacy rights.
Need help with your Privacy Policy?
It is important that your Privacy Policy includes the disclosures that you are required to make by the privacy laws that apply to you and sufficient information for individuals to be able to determine what PII you collect, what is done with that PII, and what their privacy rights are. With over a dozen proposed privacy bills, you should also ensure that you keep your Privacy Policy up to date with any changes in legislation, which may affect your Privacy Policy disclosure requirements. Lastly, while the above article describes Privacy Policy requirements for email marketing, you should also ensure that you follow other privacy obligations such as allowing individuals to unsubscribe from email marketing and obtaining proper consent.
If you currently engage in email marketing but do not have a Privacy Policy in place or do not have a strategy to keep it up to date with changing legislation, make sure to check out the Termageddon Privacy Policy generator.
