Email marketing regulations around the world (opens in new tab)

(github.com)

70 pointsjonathanbull3y ago28 comments

28 comments

I live in Canada and I find it ridiculous that email without consent is illegal, phone calls without consent is illegal, but sending physical mail is perfectly fine. It makes me sad the amount of trees that must be cut down, shipped to a factory, processed into paper (with some hash chemicals), shipped to the printer, printed then shipped to me. Only to be thrown into the recycling unopened to be shipped to the recycling plant, then reprocessed to start the cycle over. It is just disgusting waste.

madsbuch3y ago

This is just a clear indication that it should have some cost to send a message, otherwise people (mis)use it until the legislators need to stop it attention robbery.

nitwit0053y ago

This is a big reason why advertisers loved newspapers. Getting a newspaper subscription is paying to have ads delivered to your home.

kevincox3y ago

Well there is some cost to send a message. These are being sent via Canada Post. The problem is that the cost isn't high enough.

1 more reply

mig393y ago

Ironically, spam e-mail, phone, and SMS is perfectly legal if it comes from a politician or political party. No consent necessary.

It's literally the only spam I get on my phone.

canadiantim3y ago

phone calls without consent are illegal in Canada?

legitster3y ago

This is missing out a lot of subtleties that a legal team might care about.

I have been a part of multiple companies trying to make a "harmonized" global opt-in policy: basically figure out any set of marketing preferences where we could get away with collecting information without first knowing the user's country - even if that meant more conservative marketing opt-ins.

In each case, we could never figure out a single-method for collecting explicit opt-in that worked worldwide. The standout countries always being some combination of South Korea, Germany, Russia, or Brazil.

nerdo3y ago

CAN-SPAM is unenforced afaict. You can still take action against bad actors by signing up with old abandoned email address(es) though. ISP's will have converted them into spam traps and will subtract a higher amount from their sender reputation.

legitster3y ago

CAN-SPAM is still somewhat enforced. The problem is the type of spam it targeted is now sent from foreign bad actors and there's not much they can do to enforce it.

deathanatos3y ago

Is it?

E.g., recruiter spam, in particular. And I don't mean of the "are you interested in this job?" variety. I mean in the "can we hawk some candidates to you, that you can hire and they pay us for?" variety.

I am not involving in candidate sourcing in my company, period. These emails are directed to me, individually. Some claim to be American companies, and seem to have a "legit" web presence, if shady marketing tactics, and some seem to have no web presence and seem super shady, e.g., "we index heavily on the intangibles/DNA of a candidate; their Intelligence (EQ/IQ)". No mailing address, no unsubscribe link, no prior consent, all of which TFA claims CAN-SPAM requires.

"Survey" requests (American, no unsub link, no mailing address in email, no prior consent), "zero trust cloud access" company (American, no mailing address in email, no prior consent), … etc.

1 more reply

lbriner3y ago

GDPR (EU and UK) is much more nuanced than this makes out. For example, there are a number of legal bases that can be used to process someone's personal data.

For example, "Legitimate Interest" can be used if there is a reasonable way that the usage could be foreseen like sending a "How did we do" email after somebody buys something. Unfortaunately, this is not well-defined in the regulations so, for example, one company I came across got my information from Linked In, sold it to other businesses and those directly contacted me to sell something on the basis that the vacuuming company had a "legitimate interest" in selling my data i.e. it's how they made their money.

wokkel3y ago

It's pretty well defined for the Netherlands and "making your money" as a legitimate interest could result in a hefty fine. Imho rightfully so.

calny3y ago

Additionally, individual US states have started passing laws on data privacy, and these laws sometimes impact email marketers who do business in those states. For instance, California has the CCPA (recently amended by the CPRA), and Colorado, Connecticut, Utah, and Virginia recently passed their own laws. Still, credit to OP for raising awareness of data privacy issues.

margorczynski3y ago

Additionally I would say it creates a barrier for entering the market by small companies and startups. The idea is good but the execution is kinda off I would say, but that's usually how it goes with politicians and bureaucrats.

legitster3y ago

At our company, we are actually required to timestamp and enumerate the legitimate interest on all new marketing leads.

I think the issue is here that GDPR is a fairly poorly written cudgel of a law, and regulators are really only using it to go after larger foreign tech companies. Smaller, local companies can get away with much more malfeasance because it would be such a pain to enforce.

arlort3y ago

> really only using it to go after larger foreign tech companies

The big notable cases are against large tech companies, but most of the fines and procedures involve local entities

helloguillecl3y ago

Question: How do I prove to the authorities that a subscriber has given consent?

I imagine that an attribute on my "users" table is not enough?

marcosdumay3y ago

In any reasonable law, you would prove that your procedures require consent before you start sending the emails. If you have to prove things about a specific user, you are already on unreasonable land.

(But then, I have no idea what places have reasonable rules. I have never seen any with this specific failure for email, but IANAL and I haven't looked much.)

helloguillecl3y ago

Actually this sounds like common law to me. But yes, this should be enough to me.

However, if I consent to a User Agreement, do you really think they keep a copy of the specific version of the User Agreement I accepted?

1 more reply

dbg314153y ago

“Double Opt In” is the way to go.

They sign up, then you send them an email and track when they hit the “I approve” link.

cuu5083y ago

Watch out, if you get a HTTP GET request on the approve link, it could be the mail provider scanning for malware, not the user. You may need triple opt in :-)

butz3y ago

We probably need a similar list of all different privacy laws.

brianjking3y ago

Wowwww, thank you!

j / k navigate · click thread line to collapse

28 comments

kevincox3y ago

madsbuch3y ago

This is just a clear indication that it should have some cost to send a message, otherwise people (mis)use it until the legislators need to stop it attention robbery.

nitwit0053y ago

This is a big reason why advertisers loved newspapers. Getting a newspaper subscription is paying to have ads delivered to your home.

kevincox3y ago

Well there is some cost to send a message. These are being sent via Canada Post. The problem is that the cost isn't high enough.

1 more reply

mig393y ago

Ironically, spam e-mail, phone, and SMS is perfectly legal if it comes from a politician or political party. No consent necessary.

It's literally the only spam I get on my phone.

canadiantim3y ago

phone calls without consent are illegal in Canada?

legitster3y ago

This is missing out a lot of subtleties that a legal team might care about.

nerdo3y ago

legitster3y ago

CAN-SPAM is still somewhat enforced. The problem is the type of spam it targeted is now sent from foreign bad actors and there's not much they can do to enforce it.

deathanatos3y ago

Is it?

"Survey" requests (American, no unsub link, no mailing address in email, no prior consent), "zero trust cloud access" company (American, no mailing address in email, no prior consent), … etc.

1 more reply

lbriner3y ago

GDPR (EU and UK) is much more nuanced than this makes out. For example, there are a number of legal bases that can be used to process someone's personal data.

wokkel3y ago

It's pretty well defined for the Netherlands and "making your money" as a legitimate interest could result in a hefty fine. Imho rightfully so.

calny3y ago

margorczynski3y ago

legitster3y ago

At our company, we are actually required to timestamp and enumerate the legitimate interest on all new marketing leads.

arlort3y ago

> really only using it to go after larger foreign tech companies

The big notable cases are against large tech companies, but most of the fines and procedures involve local entities

helloguillecl3y ago

Question: How do I prove to the authorities that a subscriber has given consent?

I imagine that an attribute on my "users" table is not enough?

marcosdumay3y ago

(But then, I have no idea what places have reasonable rules. I have never seen any with this specific failure for email, but IANAL and I haven't looked much.)

helloguillecl3y ago

Actually this sounds like common law to me. But yes, this should be enough to me.

However, if I consent to a User Agreement, do you really think they keep a copy of the specific version of the User Agreement I accepted?

1 more reply

dbg314153y ago

“Double Opt In” is the way to go.

They sign up, then you send them an email and track when they hit the “I approve” link.

cuu5083y ago

Watch out, if you get a HTTP GET request on the approve link, it could be the mail provider scanning for malware, not the user. You may need triple opt in :-)

butz3y ago

We probably need a similar list of all different privacy laws.

brianjking3y ago

Wowwww, thank you!

j / k navigate · click thread line to collapse