Email marketing can do wonders for your business — if you do it right.

It may surprise you, but there are various rules and regulations that come with sending emails. Sending emails is mostly all fun and games, but if you break anti-spam law or aren’t fully aware of what the regulations are, there can be serious repercussions that ultimately affect your marketing capabilities. In certain cases, you may also find yourself facing hefty fines. This applies to US companies, EU companies and Canadian companies alike; Canada has its own law, the CASL or Canadian Anti-Spam Law.

Do we have your attention yet?

When we talk about email best practices, we’re often covering topics like nailing your subject lines and personalizing your content. But, keeping track of regulations is just as crucial. Here are the most important ones you need to know about to ensure you’re remaining compliant.

1. CAN-SPAM Act
The CAN-SPAM Act applies to all commercial emails and lays out a number of distinct rules that must be followed in order to comply. Failure to follow these rules can be costly — as much as $43,280 per email — so you certainly want to be sure to abide by them.

Fortunately, most of the rules laid out by CAN-SPAM Act of 2003 are part and parcel of general good email practices. They include:

  • Don’t use false or misleading identifying information in your “From,” “To,” or “Reply-To” fields.
  • Don’t use deceptive subject lines.
  • Do identify your email as an ad.
  • Do include your valid postal address, including but not limited to your street address.
  • Do give recipients a clear way to opt-out of your email and honor all opt-out requests.

These rules apply regardless of who’s sending emails on your behalf, so if you’re working with an agency to send out your electronic communication, verify they are aware of CAN-SPAM and following all regulations.

2. Permission-Based

Permission-based email marketing, also referred to as opt-in email marketing, was first defined in 1999, so it’s nothing new. It stipulates that you must get direct permission from a recipient before sending them an email, whether that be through a sign-up form on your website, a form to access a gated asset, or some other type of lead capture effort.

There’s a caveat, though: it’s not enough for someone to simply provide you with an email address and their contact information. To cover your bases, have an opt-in box or unsubscribe link that a prospect checks off before you reach out as an email marketer. And never (we mean never) purchase email lists and send out unsolicited emails.

3. Opt-In and Opt-Out

This has been covered in the previous two rules, but it’s so important that it’s worth touching on one more time. You must have a recipient directly opt-in to receiving messages from you and allow them to easily opt-out. Failure to do so could mean you wind up on the email blacklist, meaning your messages will be de facto spam and will not make it to your recipients’ inboxes — even those who correctly opted in for your marketing emails.

4. Email Advertisements

Under CAN-SPAM, you must identify your email as an ad in a way that is both “clear and conspicuous.” You have flexibility in how you do this (old rules required it to be right in your subject line, yikes), but a statement must be in the email somewhere, and it must be obvious to your recipients.

5. Include Your Address

Here’s another CAN-SPAM requirement you might not be aware of if you haven’t heard it previously: any email you send out must include your physical address. Most businesses choose to include this in the footer of the email, though placement is up to you; it could even be in the header information.

6. General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a European data privacy law that applies to any company that is or may be messaging EU citizens. So, everybody.

You’ll want to familiarize yourself with the specifics, but in general, the GDPR holds that you must protect the data of your recipients as well as their vital interests and that you must get direct consent before collecting, processing, or otherwise using a recipient’s data in any way.

7. EU-US Privacy Shield

The EU-US Privacy Shield was an agreement that allowed for the transfer of personal data from the EU to the US; however, on July 16, 2020, it was struck down due to the inadequacy of United States data guidelines.

What does this mean for you? Well, for starters, if you were previously relying on the EU-US Privacy Shield for data compliance, you’ll need to scrap that and go back to full GDPR compliance (which, to be fair, you should have been doing anyway, even with the Privacy Shield in place). Use additional safeguards like the Binding Corporate Rules (BCRs) as well to further ensure that you are meeting all requirements around your use of data from the EU.

There is so much room to get creative with your email marketing and email campaigns, but it’s not worth deviating from the guidebook when it comes to the rules and regulations above. Email blacklists and steep fines from the pesky FTC can be the death of a small or medium-sized business and can hurt your brand’s integrity for years to come.