It’s become incredibly important for businesses to pay close attention to how they manage personal information. Whether you send emails to recipients in other countries or not, it’s worth being aware of the email laws in other locations and how they impact your own strategy. Here are the current email marketing regulations for countries around the world.
Australia’s Spam Act of 2003 covers all messages originating from Australia and those targeting an Australian address, prohibiting any unsolicited commercial emails. Australia requires all emails to include contact information (to identify the sender) and a functional unsubscribe feature (which businesses have to honour within 5 working days).
Emails in Australia can only be sent if the account holder has provided permission, which can be given as express consent or (in limited circumstances) as implied consent. Under the Spam Act, you can’t use scraped email lists or web scraping software.
Some organisations are exempt from the legislation, such as charities, educational institutions and government bodies. Penalties for businesses who don’t adhere to these rules are equal to $180 each, with a maximum penalty of $1,800,000 per day.
🇦🇺 For more information, check out this guide: email marketing regulations in Australia.
Belgium has two laws governing email marketing – the outre-Quiévrain law and EU GDPR. When combined, these laws cover all aspects of email marketing. Marketing emails are required by law to clearly identify the sender’s name, mailing address and identification.
Belgium requires businesses to only send marketing emails to people who have provided explicit consent to receive them, whether that’s via a double opt-in or checking an explicit checkbox when they subscribed.
Companies in Belgium are also required to have a data security officer, who is responsible for maintaining and enforcing data security standards. While fines for breaching the regulations are determined on a case-by-case basis under outre-Quiévrain law, under GDPR the maximum fine is €20 million or 4% of global turnover, whichever is higher.
Lei Geral de Proteção de Dados Pessoais (LGPD) governs email marketing in Brazil and came into effect in 2020. The LGPD comprises 65 articles which cover the rights of data subjects and how their personal data is collected and processed.
The LGPD states that all emails need to include the name and contact information of the sender, and a clear unsubscribe option.
Unsolicited communications are illegal unless carried out on one of two legal grounds: consent or controller’s legitimate interest. However, the latter is vague and not recommended.
The Email Marketing Self-Regulation Code (CAPEM) is a project undertaken by ISPs. While not legally binding, it does provide basic rules to protect internet users and asks marketers to provide an opt-out link in every email, which is good practice to follow.
Non-compliance with Brazil’s guidelines will result in a warning, a simple fine of up to 2% of the prior financial year’s revenue up to a total of 50 million BRL per infraction, or a daily fine of the same maximum total.
🇧🇷 For more information, check out this guide: email marketing regulations in Brazil.
The Canadian Anti-Spam Law regulates email marketing in Canada. It comes into effect regardless of where you are in the world (if you’re messaging Canadian residents). All emails sent to recipients in Canada have to contain your name, the person on whose behalf you’re sending, your physical mailing address and contact information. They also have to have an unsubscribe link that should be easy to action.
In order to legally email a subscriber, you must have consent which can be implied or expressly given. Pre-checked checkboxes are not allowed in order to gain express consent – it must be freely given.
Under the CASL, non-compliance can result in severe penalties. These include:
- Administrative Monetary Penalties (AMPs): fines of up to $1 million for individuals/up to $10 million for corporations per infraction.
- Vicarious liability: corporate directors can be found to be liable for the wrongful acts of a corporation or organisation, and the corporation can be found to be liable for the wrongful acts of its employees.
- Private rights of action: individuals can sue another individual or organisation for damages if they can prove actual harm or loss after receiving an unsolicited and unwanted commercial electronic message (CEM). An individual cannot sue an organisation if the Canadian Radio-television and Telecommunications Commission (CRTC) has already taken action against it.
🇨🇦 For more information, check out this guide: email marketing regulations in Canada.
The Regulations of Email Services (RES) outline email marketing rules in China. These rules are stricter than the CAN-SPAM Act in the U.S. The RES requires marketers to ensure recipients are aware they’re receiving promotional content by including “AD” in subject lines. Emails also cannot violate the Regulations of Telecommunication in the People’s Republic of China, which means politically sensitive or mature content is strictly prohibited.
Under the RES, senders must have consent from recipients before sending emails, but the opt-in methods aren’t specified. Email marketers in China are advised to follow the same consent methods that are outlined in the CAN-SPAM Act. Recipients must also have an easy way to opt out of receiving communications.
If marketers are found to violate the RES, they can face fines of up to CNY 10,000. In instances where illegal content is involved, these fines can reach CNY 30,000.
There are two laws in Denmark governing email marketing – the Denmark Marketing Practices Act and the EU GDPR. Under these laws, all marketing emails have to clearly identify the sender, including their name and mailing address.
Since Denmark follows GDPR, companies are required to have a data security officer to manage and enforce their data security standards.
The maximum fine for non-compliance, under GDPR, is €20 million or 4% of the annual global turnover of the company – whichever is higher. Additionally, the Danish government will also impose a fine which is determined by the governing body.
As Finland is part of the European Union, it follows the GDPR for email marketing. However, it also has the Act on Electronic Communication Services, which implements the E-Privacy Directive. All marketing emails need to clearly identify the sender, including their name and mailing address.
Marketing emails can be sent to those who have provided explicit consent to receive these communications. Emails are also permitted if the recipient has not explicitly opted out and you have gained their contact details through the sale of a product or service.
Since Finland follows the GDPR, businesses are required to have a data security officer to manage and enforce their data security standards.
Under the GDPR, the maximum fine is €20 million or 4% of the annual global turnover of the company – whichever is higher. The Office of the Data Protection Ombudsman is the governing body who safeguards rights and freedoms where personal data processing is concerned. Finland may also issue a separate penalty based on the Act on Electronic Communication Services.
Germany issues some of the strictest email marketing laws in the world, which are defined by the Federal Data Protection Act, the GDPR and the Telemedia Act. Under these laws, all emails have to include contact information and clear identification of the sender via a legal notice. This has to contain the following:
- The name of the sender and company name, where relevant
- Authorised representatives for legal entities
- Full postal address of the sender (P.O. boxes are not permitted)
- Sender’s telephone number, fax number or an electronic contact form
- Sender’s email address
- Any commercial, association, partnership or cooperative register numbers
- Name of the person or publisher legally responsible for the content
- Where relevant, the sender’s VAT ID number or business ID number
This information can be linked to in the email but has to be directly accessible and permanently available. Subject lines also must be free of spam words such as ‘free’ or ‘offer’.
The Federal Data Protection Act and the German Act Against Unfair Competition require marketers to have clear consent from recipients unless they are an existing customer. All consent, whether implied or explicit, has to be collected via a double opt-in method. Germany also requires companies to have a data security officer.
Germany may issue large fines for non-compliance, but the Information Commissioner’s Office (ICO) has stated it will not make maximum fines the norm. Under the GDPR, the maximum fine is €20 million or 4% of annual global turnover – whichever is larger.
The Unsolicited Electronic Messages Ordinance came into effect in 2007 and regulates emails in Hong Kong. This states that all marketing emails have to have a clear identification of the sender.
These emails can only be sent to those who have provided implied consent to receive communications.
The maximum fines that can be levied in the event of non-compliance or a data breach are $1,000,000 and up to 5 years imprisonment. These depend on the regulating body and the scale of the breach.
Iceland relies entirely on the EU GDPR to regulate email marketing. This means that all emails sent for marketing purposes have to clearly identify the sender, including their name and mailing address.
In line with the GDPR, Iceland requires all companies to have a data security officer to enforce and maintain data security standards.
The maximum fine that can be levied is up to €20 million, or 4% annual global turnover – whichever is larger. The supervisory authority in Iceland is the Data Protection Authority or Persónuvernd.
India has no specific legislation governing email marketing, though a draft bill is intended to be tabled in 2023 which borrows heavily from the GDPR. However, under the Information Technology Act 2000, there is a restriction on publishing ‘obscene’ content in electronic form.
🇮🇳 For more information, check out this guide: email marketing regulations in India.
There are two laws in place governing email marketing in Ireland – the Irish Data Protection Act 2018 and the EU GDPR. All emails sent for marketing purposes need to clearly identify the sender, including their name and mailing address.
In line with the GDPR, Ireland requires all companies to have a data security officer to manage and enforce digital security standards.
The maximum fine available is up to €20 million, or 4% annual global turnover – whichever is higher. The Data Protection Commissioner is the supervisory authority here. Additionally, the Irish government will also impose a fine up to EUR 250,000 per message sent by a company, and an individual may be fined up to EUR 50,000 per message.
Israel uses Section 30A of the Communications Broadcasting Law to govern email marketing. This dictates that marketers cannot send an ad via fax, email or SMS without having explicit consent from the recipient. Marketing emails must clearly highlight that they are for advertising purposes and include the name, address and contact details of the sender. Recipients must have an easy way to unsubscribe from these emails.
Emails can only be sent to recipients who have provided explicit consent, although marketing emails can also be sent to people who shared their contact information when buying a service or product, or when negotiating such a purchase.
Possible fines depend on the severity of data breach and could reach up to ILS 202,000. Recipients of spam email may also seek damages, which in a civil court could be as much as ILS 1,000 per message sent by the advertiser to the recipient.
Unsolicited emails are regulated by the Act on Specified Commercial Transactions (ASCT) in Japan, and the Act on the Regulation of Transmission of Specified Electronic Email (Anti-Spam Act). Japan requires marketing emails to include the sender’s email address or website and an opt-out option.
The ASCT requires marketers to obtain advance consent from recipients, and proof of consent must be kept for three years following the last email. While there’s no set time period for opt-out or unsubscribe requests to be honoured, no further emails can be sent once the recipient has opted out.
In the event of non-compliance, Japan imposes a fine of up to JPY 1,000,000 or one year imprisonment.
Singapore relies on two laws to regulate email marketing: the Personal Data Protection Act (PDPA) and the Spam Control Act. The PDPA governs the collection, use and disclosure of personal data by organisations and the Spam Control Act manages unsolicited commercial communications sent electronically.
There are strict guidelines regarding content for emails in Singapore. All marketing emails have to be truthful and not deceitful in any way and comply with the principles of fair competition. Subject lines must include the words “advertisement” or “AD” and the content also needs to align with Singapore’s family values. Senders are required to include their contact information and a link or email address for recipients to unsubscribe. Any unsubscribe requests must be honoured within 10 working days.
Under the PDPA, subscribers have to provide consent to receive emails, and Singapore’s regulations encourage marketers to require subscribers to provide acknowledgement or a signature stating they’re happy to receive emails. Implied consent, including pre-checked boxes, is deemed acceptable as a form of consent.
The PDPA also requires email marketers to have policies in place to comply with relevant regulations and have a method to handle complaints relating to the handling of personal data.
If found to be in violation of these rules, the PDPA can issue fines of up to S$10,000 or imprisonment for a maximum of three years. Businesses or individuals can also be fined S$25 per unsolicited email to a total of S$1 million, under the Spam Control Act.
There are several regulations in place in South Africa, including The Electronic Communications and Transactions Act (ECTA) 2002, the Consumer Protections Act (CPA) 2008 and the Protection of Personal Information Act (PPIA) 2013.
All email campaigns need to include an opt-out or unsubscribe option and there needs to be a way for recipients to request the source of how the sender gained their personal contact details.
The PPIA prohibits sending emails without clear consent from the subscriber.
This can be obtained in the context of a sale of products or services, as long as the recipient has a reasonable opportunity to object to providing consent when the information is collected. Violations and breaches of the ECTA can incur a fine of up to 1 million rand or imprisonment of up to one year.
The United Arab Emirates’ Telecommunications Regulatory Authority (TRA) uses the Regulation on Unsolicited Electronic Communication (RUEC) to handle spam regulations. The UAE requires email senders to provide their recipients the circumstances under which they collected personal data, if it’s requested.
This regulation requires senders to have a minimum of implicit consent before sending emails.
The RUEC requires senders to retain records of how personal data is collected, processed and used, and penalties of up to AED 10 million can be imposed by the TRA if RUEC regulations are violated.
As a result of Brexit and the UK’s removal from the EU, GDPR in the UK ceased to protect the data rights of UK citizens as of 2021. Since then, the UK has implemented its own version of GDPR known as the UK GDPR. The Privacy and Electronic Communications Regulations (PECR) is also in place to define the permissions to send email marketing campaigns.
All emails have to include a valid postal address and clearly identify the sender. Furthermore, if the email is intended to sell a product or service, this must be made clear in the email along with the conditions attached to that promotional material.
Marketing emails can’t be sent unless consent has been obtained, whether explicit or implied in nature. Any unsubscribe requests must be processed within 28 days. Under the soft opt-in rule, companies can email their own customers legally. However, prospective customers and new contacts can’t be emailed without consent.
In the event of a breach or violation, large maximum fines of up to €20 million, or 4% annual global turnover – whichever is higher – can be issued.
🇬🇧 For more information, check out this guide: email marketing regulations in the UK.
The USA has relatively lax email marketing regulations, with its main legislation being the 2003 CAN-SPAM Act. All emails under these guidelines have to include a valid postal address and subject lines must accurately reflect the content of the email. If there’s no prior consent to contact the recipient, the message must clearly state that it’s promotional in nature.
Unlike legislation in many other countries, CAN-SPAM works on an opt-out basis. This means there’s no need to gain consent to contact subscribers in the U.S., but it must be easy for people to opt out and requests have to be actioned within 10 business days.
Legislation in the U.S. can vary by state, such as the CCPA which is enforced in California. It’s important that email marketers stay aware of the regulations in the state where their recipients are based.
Under the CAN-SPAM Act, enforced by the Federal Trade Commission (FTC), civil penalties up to $16,000 per violation can be issued. There’s no private right of action here, but the CAN-SPAM Act can be enforced by other federal agencies such as the Federal Communications Commission (FCC).
🇺🇸 For more information, check out this guide: email marketing regulations in the US.
As you can see, email marketing regulations vary from destination to destination. But a common thread between them all shows that it’s important that senders prioritise transparency and honesty when sending out email campaigns. Gaining consent and using double opt-in methods where possible can help alleviate any uncertainty and ensure recipients know what they’re signing up for.
💡 For more information on compliance, check out this email marketing compliance checklist for marketers.