Email marketing has become regulated throughout the world and across email client platforms. Wherever you are operating from and whichever customer segment you are targeting, chances are you are affected by email regulations and particularly email privacy policies.

In this blog post, we will cover the most important and recent email privacy policies and laws that you should pay attention to.


GDPR (General Data Protection Regulation)

The General Data Protection Regulation (GDPR) is a privacy and security law set up by the European Union. From 2018, all organizations based in the EU or targeting EU citizens or residents have been legally required to comply with it.

GDPR’s basic goal is to protect personal data and preserve people’s privacy rights. Any practice of your company that goes against these two principles will, in one way or another, breach GDPR.

GDPR applies to any organization (company, non-profit or other) that handles the personal information of European Union citizens or residents. This also applies to companies and charities based outside of the EU that target customers inside the EU.

The main components of GDPR include:

  • Security and privacy of data
  • Data retention
  • Spam emails and consent

Security and privacy of personal data

Article 5 of GDPR: Personal data should be:

  1. Processed lawfully, fairly, and in a transparent manner
  2. Collected for specified, explicit, and legitimate purposes (and not processed outside of these purposes)
  3. Processed in a manner that ensures appropriate security of personal data (protection against unlawful processing, accidental loss, destruction, or damage…)

👉 You can, but are not obligated to, encrypt the data you collect about your subscribers. Encryption encodes messages (emails) and stored information so that no one besides authorized parties can read them.

Data retention

Article 5(1)(e) of GDPR: “Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed”.

👉 Set up an email retention policy that will allow you to reduce the volume of data your employees have stored in their inboxes. The more email data you store, the more you are at risk of liability in case of a security breach.

Article 17. Right to erasure (the right to be forgotten): the data subject has the right to demand the erasure of their personal data, and the controller has the obligation to erase that personal data without undue delay.

👉 Unsubscribing people who ask for it is easy and efficient using an ESP. However, it’s not enough. You must ensure that you also delete all the personal information you have stored about your subscriber, in a permanent manner.


Spam emails and consent

Article 6. Lawfulness of processing: Personal data (such as an email address) can only be used if the data subject has “given consent to the processing of his personal data”.

Recital 32. Conditions for consent: “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.”

Article 7. Conditions for consent: “The controller shall be able to demonstrate that the data subject has consented to processing of his or her data”

And “The data subject shall have the right to withdraw his or her consent at any time” and “It shall be as easy to withdraw as to give consent”.

Article 8. Conditions applicable to child’s consent in relation to information society services: If the child is below 16 years (13 years old in some member states), personal data processing is only lawful if the “consent is given or authorized by the holder of parental responsibility over the child.”

👉 You should adapt your opt-in forms and email campaigns to comply with GDPR laws.

GDPR-friendly forms

  • Highlight explicit consent checkboxes.
  • Don’t precheck the consent boxes.
  • Enable double opt-in.

GDPR-friendly emails

  • Add an unsubscribe link in the footer of your emails.
  • Add a sentence at the end of your emails reminding your subscribers why they are receiving your emails (how they subscribed).
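The consent rules above (Article 7: be able to demonstrate consent, and withdrawal must be as easy as giving it; Article 17: erasure; double opt-in) can be backed by a small consent ledger. The following is an added example and not code from the original post or from any ESP; the secret key, the record fields and the token format are assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Assumption: in production this key comes from a secret store; constructed here.
SECRET = b"constructed-demo-key"

@dataclass
class ConsentRecord:
    email: str
    source: str                          # how consent was gathered, e.g. "newsletter-form"
    requested_at: int                    # unix time of the (unprechecked) form submission
    confirmed_at: Optional[int] = None   # set only after the double opt-in click
    withdrawn_at: Optional[int] = None

class ConsentLedger:
    """Evidence of when and how each address consented, confirmed or withdrew."""
    def __init__(self):
        self.records = {}

    def _token(self, email, requested_at):
        # HMAC over address and request time: only the mailbox owner can confirm,
        # and a newer request silently invalidates tokens from older ones.
        msg = f"{email}|{requested_at}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def request(self, email, source, now):
        """Opt-in form submitted: record it and return the token to put in the confirmation mail."""
        self.records[email] = ConsentRecord(email, source, now)
        return self._token(email, now)

    def confirm(self, email, token, now):
        rec = self.records.get(email)
        if rec is None or not hmac.compare_digest(token, self._token(email, rec.requested_at)):
            return False
        rec.confirmed_at = now
        return True

    def may_email(self, email):
        rec = self.records.get(email)
        return bool(rec and rec.confirmed_at and not rec.withdrawn_at)

    def withdraw(self, email, now):
        """One-step opt-out: nothing beyond the address itself is asked for."""
        rec = self.records.get(email)
        if rec:
            rec.withdrawn_at = now

    def erase(self, email):
        """Article 17: remove everything stored about the subscriber, not just the flag."""
        return self.records.pop(email, None) is not None
```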


CAN-SPAM Act

The CAN-SPAM Act, or the Controlling the Assault of Non-Solicited Pornography And Marketing Act, is a US law established in 2003 with the aim of regulating the standards for sending commercial emails.

Very similar to the email regulations enumerated in the GDPR, the CAN-SPAM Act focuses on transparency, accountability, and personal data protection.

CAN-SPAM Act compliance

Here’s what you need to do to be CAN-SPAM Act compliant:

  • Don’t use deceptive subject lines
  • Identify the message as an ad if the receiver hasn’t opted in.
  • Tell recipients where you are located (physical address or PO box).
  • Tell recipients how to opt-out from future emails from you (unsubscribe link or email reply). You can’t ask for more personal information from people who want to unsubscribe.
  • Opt subscribers out as soon as they request it (within 10 business days of receiving the opt-out request). We recommend using an ESP’s unsubscribe merge tag that will automatically unsubscribe people.
  • Once a subscriber has opted out of your emails, don’t sell or transfer their personal information (email addresses).


CASL (Canada’s Anti-Spam Legislation)

Canada’s Anti-Spam Legislation (CASL) is a set of regulations that came into force in 2014 and mainly aims at reducing spam and phishing attempts.

Violating CASL can result in penalties of up to $10 million.

CASL’s main components focus on:

  • Obtaining express or implied consent to send out marketing emails
  • Allowing people to opt-out if they desire

Obtaining consent from subscribers

Consent is required, which means that you can’t send emails to addresses that you found online or bought from email list providers.

Express consent is when a person has clearly agreed to receive emails from your business, either verbally or in writing. This can occur through an opt-in form or a checkbox in your forms.

Implied consent is applied mostly when there is an established business relationship between the person to whom emails are being sent and the business. For example, if a person has made a purchase from an eCommerce website, they have implicitly consented to receive emails.

👉 Make sure to create CASL-friendly subscription forms. Don’t precheck consent boxes and don’t mix mandatory consent boxes with optional marketing email consent boxes.

Allowing people to opt-out

Like GDPR and the CAN-SPAM Act, CASL highlights subscribers’ right to opt out of all marketing and promotional emails if they wish.

👉 You have to honor this request and unsubscribe people from your emails within 10 business days, or as we have previously recommended, instantly using an ESP.

Apple Mail Privacy Protection

Apple’s Mail Privacy Protection (MPP) came into effect in September 2021. The update gives Apple Mail users the option to hide their online activity and IP address.

The feature, activated on iOS 15 and iPadOS 15, shows subscribers a pop-up when they open the Apple Mail app.

The pop up gives users the choice to either:

  • Protect Mail Activity: Hide IP address and privately load all remote content.
  • Don’t Protect Mail Activity: Show IP address and load any remote content directly on your device.

The option selected is saved and synced across all other Apple devices the subscriber owns (via their Apple ID).

How Apple’s Mail Privacy Protection affects email marketing

It will become progressively harder to track open rates and the time of opens.

Since Apple Mail loads your email’s remote content before the subscriber actually opens the email, you’ll start seeing skewed (heavily inflated) open rates.

This means that practices that rely heavily on email open rates will become somewhat obsolete:

  • email segmentation based on the last emails opened.
  • automated campaigns triggered by opens.
  • email A/B tests to see which subject line gets the most opens.

Because of MPP, you will also lose track of where your subscribers are located and which device they are using.

What to do to adapt to Apple’s MPP

You can adjust your emailing practices and adapt them to Apple’s Mail Privacy Protection. Here’s what you can do:

  • Continue the same practices for non-Apple Mail users (campaigns and automation based on open rates, etc.).
  • Update your email automation with triggers other than opens (click-through, or last campaign sent).
  • Update your email marketing reporting to include more engagement metrics such as click rates.
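To make the inflation concrete and show the segmentation and click-based triggers suggested above, here is an added example over a constructed event log (not code or data from the original post). It assumes the ESP exposes a per-open flag, called `mpp` here, marking opens it attributed to Apple’s MPP proxy prefetch; how the ESP classifies those opens is outside this example.

```python
# Constructed sample event log. "mpp": True marks an open the ESP attributed to
# Apple Mail Privacy Protection's prefetch rather than to a person (assumed flag).
EVENTS = [
    {"recipient": "a@example.com", "type": "sent"},
    {"recipient": "a@example.com", "type": "open", "mpp": True},
    {"recipient": "b@example.com", "type": "sent"},
    {"recipient": "b@example.com", "type": "open", "mpp": False},
    {"recipient": "b@example.com", "type": "click"},
    {"recipient": "c@example.com", "type": "sent"},
    {"recipient": "c@example.com", "type": "open", "mpp": True},
    {"recipient": "c@example.com", "type": "click"},
    {"recipient": "d@example.com", "type": "sent"},
]

def _who(events, kind, **match):
    return {e["recipient"] for e in events
            if e["type"] == kind and all(e.get(k) == v for k, v in match.items())}

def naive_open_rate(events):
    """What a dashboard shows when every open is trusted: inflated by MPP prefetches."""
    return len(_who(events, "open")) / len(_who(events, "sent"))

def segment(events):
    """Split everyone you sent to into Apple MPP users and everyone else."""
    sent = _who(events, "sent")
    mpp = _who(events, "open", mpp=True) & sent
    return mpp, sent - mpp

def rates(events, recipients):
    """Unique open and click rate over `recipients`, ignoring prefetch opens."""
    sent = _who(events, "sent") & recipients
    opened = _who(events, "open", mpp=False) & sent
    clicked = _who(events, "click") & sent
    n = len(sent) or 1
    return {"open_rate": len(opened) / n, "click_rate": len(clicked) / n}

def trigger(events, on):
    """Recipients an automation would fire for when triggered on 'open' or 'click'."""
    return _who(events, on)
```

Triggering on opens would fire for a@example.com, who never engaged; triggering on clicks fires only for recipients who demonstrably did.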

The email law and privacy checklist

Regardless of where your company is based, or where your target customers are located, you are in some way or another affected by GDPR, the CAN-SPAM Act, CASL, and definitely by Apple’s Mail Privacy Protection.

The way you design and send out emails should respect all applicable laws and regulations. Cover all your bases to decrease your liability risk and protect your subscribers’ personal data.

Opting in

  • Only send emails to consenting subscribers.
  • Don’t precheck consent boxes in your forms.
  • Separate optional consent boxes from mandatory ones.
  • Enable double opt-in if possible.

Opting out

  • Always include an unsubscribe link in your emails
  • Unsubscribe people immediately upon their request.

Email management

  • Separate Apple Mail users from non-Apple Mail users.
  • Update your email preferences center and promote it.
  • Keep track of when/how subscribers are opting in and out.
  • Always use an ESP to send bulk marketing emails.
  • Segment your email lists by location if possible.
  • Protect your customers’ personal data and encrypt it.

Email content

  • Identify the sender (your name or company name) accurately in all emails.
  • Remind customers why they are receiving your emails.
  • Use accurate subject lines.
  • Add your company address or PO box information in the footer of your emails.
  • Don’t send spammy content: No image-only email, no raw links. Opt for a well-coded HTML email design that balances text and images.