Business Daily.
Business Mentor

The Spam Act 2003 and GDPR: What You Need to Know


Receiving (and usually deleting) unsolicited marketing emails has become commonplace for anyone with an email address. In fact, many people have multiple email addresses, having to move to a different address as their inboxes fill with headache-inducing quantities of spam. In amongst this deluge of unsolicited messages are phishing emails - for internet-savvy users nothing more than a nuisance, but for those not so experienced, a real threat.


Of course, modern email clients can detect many unsolicited messages and file them accordingly, and this gives new impetus to email marketers - to target effective demographics and to stand out within a busy inbox or spam folder. However, marketing companies and strategists would be wise to remember the legal restraints which govern the sending of unsolicited emails and the use of personal data.


We are going to look more closely at The Spam Act 2003 implemented by the Australian Government back in 2003, as well as the EU GDPR legislation passed by the European Union in 2018. Before you launch any kind of email campaign it’s crucial to make sure you are operating within the parameters of the law.


What is The Spam Act 2003?


The Spam Act prohibits companies from sending unsolicited commercial messages to individuals and provides a guide to sending legitimate ones. It also aims to tackle address harvesting tactics (which were being used widely at the time by marketing companies). Breaching the Act incurs civil penalties and injunctions. The Act applies to all forms of spam, particularly email, phone and SMS spam. It covers messages with links to Australia, meaning any message that originates in Australia and is sent anywhere, or any message that is sent to Australia from anywhere - though the latter is understandably harder to enforce. However, regulations in other regions, such as the GDPR (see below), also apply to messages which may be going into or out of Australia.


How does this affect email marketing?


To stay compliant with The Spam Act you must have permission from the recipient of the message before you send it. Permission can be express or inferred.


Express permission means that someone will have looked at your website and filled in a subscription form, ticked a box or interacted in another way with your company, either face to face or over the phone. This does disrupt the old-fashioned style of lead email marketing campaigns - you cannot send an email asking for permission as this contravenes the law.


Inferred permission is a little bit more of a grey area, in that you can infer permission from someone interacting with your company, if they are a current customer, or if the campaign deals with something relevant to a service or product they have purchased from you in the past. Individuals will also have to opt out of any further commercial communications - although it is the company’s responsibility to make it clear and easy to unsubscribe in each communication. It’s also required by law to clearly identify your company as the sender, even if the message may have been carried by a third party. In short, the solution for email marketers is: don’t buy bulk mailing lists and send emails to unsuspecting business owners offering your products and services. Also remember, you may not, under The Spam Act, use or supply address harvesting software, nor may you use or supply a list of email addresses provided by address harvesting software.


What is GDPR?

The General Data Protection Regulation (GDPR) was introduced by the European Union in May 2018 to apply a uniform code on data protection and privacy for all citizens of the EU. It also addresses the transfer of personal data outside of the European Union and the European Economic Area (EEA). The act is a significant tightening of data laws.


The main reason that GDPR was introduced was to focus on the protection of the individual - individual empowerment and protection, rather than exploitation.


What Does This Mean for Marketing Companies?


Put simply, this means that companies are now required to build privacy settings into their digital products and websites – and have them switched on by default. Companies are also required to undertake privacy impact assessments and audit their processes to constantly improve both their handling of data and their responses to data breaches. As this is a regulation rather than a directive, it means crippling financial penalties for those who try to operate outside it.


Though the implications of GDPR might seem quite full-on, the reality is that marketing companies will need to tighten up on data permission, data access, and data focus.


Data permission means that customers and partners need to opt in physically to permit you to contact them. You now cannot operate on assuming permission, and pre-ticked boxes are most definitely out. Storing data and using it for future marketing campaigns is also out - a clear-cut violation of the regulation.


Data access refers to the famous ‘right to be forgotten’ ruling - this could be managed by simply linking an ‘Unsubscribe’ button to a customer profile. It’s your responsibility to make sure your customers can easily access their data and then remove their consent for its use, should they choose to.


Data focus - this is really to cut down on extraneous details which you may choose to seek from your customers. GDPR means that you must be able to justify your collection and processing of personal data. In practice, this often means simply whittling down your requests - keep to the basic requirements and forget about anything unnecessary.


Email marketers are the hardest hit of all by this new regulation, but the penalties for non-compliance, even if you can prove it was a mistake, are severe. Introducing measures to ensure your mail-out lists are 100% based on opt-ins, providing easy unsubscribe links and linking those unsubscribes to customer data is now a legal requirement. And forget about buying email lists - this is now strictly forbidden.


As an email marketer, it is your responsibility to make sure that your communications fall in line with the compliance laws and regulations. Make this your number one priority, then you can focus on snappy copy and great branding without worrying about a hefty fine.

Business Daily Media