104 lines
3.3 KiB
Markdown
104 lines
3.3 KiB
Markdown
# Email Compliance
|
|
|
|
Legal requirements for email by jurisdiction. **Not legal advice—consult an attorney for your specific situation.**
|
|
|
|
## Quick Reference
|
|
|
|
| Law | Region | Key Requirement | Penalty |
|
|
|-----|--------|-----------------|---------|
|
|
| CAN-SPAM | US | Opt-out mechanism, physical address | $53k/email |
|
|
| GDPR | EU | Explicit opt-in consent | €20M or 4% revenue |
|
|
| CASL | Canada | Express/implied consent | $10M CAD |
|
|
|
|
## CAN-SPAM (United States)
|
|
|
|
**Requirements:**
|
|
- Accurate header info (From, To, Reply-To)
|
|
- Non-deceptive subject lines
|
|
- Physical mailing address in every email
|
|
- Clear opt-out mechanism
|
|
- Honor opt-out within 10 business days
|
|
|
|
**Transactional emails:** Can send without opt-in if related to a transaction and not promotional.
|
|
|
|
## GDPR (European Union)
|
|
|
|
**Requirements:**
|
|
- Explicit opt-in consent (not pre-checked boxes)
|
|
- Consent must be freely given, specific, informed
|
|
- Easy to withdraw consent (as easy as giving it)
|
|
- Right to access data and deletion ("right to be forgotten")
|
|
- Process unsubscribe immediately
|
|
|
|
**Consent records:** Document who, when, how, and what they consented to.
|
|
|
|
**Transactional emails:** Can send based on contract fulfillment or legitimate interest.
|
|
|
|
## CASL (Canada)
|
|
|
|
**Consent types:**
|
|
- **Express consent:** Explicit opt-in (preferred)
|
|
- **Implied consent:** Existing business relationship (2 years) or inquiry (6 months)
|
|
|
|
**Requirements:**
|
|
- Clear sender identification
|
|
- Unsubscribe functional for 60 days after send
|
|
- Process unsubscribe within 10 business days
|
|
- Keep consent records 3 years after expiration
|
|
|
|
## Other Regions
|
|
|
|
| Region | Law | Key Points |
|
|
|--------|-----|------------|
|
|
| Australia | Spam Act 2003 | Consent required, honor unsubscribe within 5 days |
|
|
| UK | PECR + GDPR | Same as GDPR |
|
|
| Brazil | LGPD | Similar to GDPR, explicit consent for marketing |
|
|
|
|
## Unsubscribe Requirements Summary
|
|
|
|
| Law | Timing | Notes |
|
|
|-----|--------|-------|
|
|
| CAN-SPAM | 10 business days | Must work 30 days after send |
|
|
| GDPR | Immediately | Must be as easy as opting in |
|
|
| CASL | 10 business days | Must work 60 days after send |
|
|
|
|
**Universal best practices:** Prominent link, one-click when possible, no login required, free, confirm action.
|
|
|
|
## Consent Management
|
|
|
|
**Record:**
|
|
- Email address
|
|
- Date/time of consent
|
|
- Method (form, checkbox)
|
|
- What they consented to
|
|
- Source (which page/form)
|
|
|
|
**Storage:** Database with timestamps, audit trail of changes, link to user account.
|
|
|
|
## Data Retention
|
|
|
|
| Law | Requirement |
|
|
|-----|-------------|
|
|
| GDPR | Keep only as long as necessary, delete when no longer needed |
|
|
| CASL | Keep consent records 3 years after expiration |
|
|
|
|
**Best practice:** Have clear retention policy, honor deletion requests promptly, review and clean regularly.
|
|
|
|
## Privacy Policy Must Include
|
|
|
|
- What data you collect
|
|
- How you use data
|
|
- Who you share data with
|
|
- User rights (access, deletion)
|
|
- How to contact about privacy
|
|
|
|
## International Sending
|
|
|
|
**Best practice:** Follow the most restrictive requirements (usually GDPR) to ensure compliance across all regions.
|
|
|
|
## Related
|
|
|
|
- [Email Capture](./email-capture.md) - Implement consent forms and double opt-in
|
|
- [Marketing Emails](./marketing-emails.md) - Consent and unsubscribe requirements
|
|
- [List Management](./list-management.md) - Handle unsubscribes and deletion requests
|