When companies step out to the global scene, many difficulties arise. SPAM law is one of them.
As an email marketer, your best interest is to bring relevant content to your clients. To earn their trust, the content also has to be in a presentable format and with a clear message.
Yet, even if you have the best intentions, some countries might have tricky regulations in place. If you fail to comply with them, you may be subject to high fines or even criminal penalties.
Thus, this article aims to help you out while you draft your international email marketing strategy.
But first things first.
Currently, SPAM accounts for 56% of all email traffic, according to Statista. SPAM emails cause many serious problems. Excessive email traffic, unrecoverable labor costs, and server overloads are some of them.
However, this is only the tip of the iceberg. SPAM messages are particularly dangerous. Due to its perceived anonymity, SPAM is an effective tool for fraudulent activities. The most common examples are delivering malware and stealing confidential data.
That is why governments apply strict regulations when it comes to email. When laws are drafted, unsolicited commercial activities (advertisement spamming) and criminal activities (stealing confidential data) often fall under the same regulation. Thus, it is exceptionally important to abide by the rules in your country of operation, to avoid severe penalties.
Before we jump right into the serious matters, let's define some key concepts to make the digestion of this slightly legal text easier!
There is one very important matter when it comes to sending emails around to strangers, and that is:
Do they want to receive your emails?
If yes, you've got the green light.
If not, you might be breaching their privacy, which is a criminal offense in some countries.
There are two widely used approaches to gain consent from future recipients of your commercial emails.
The opt-out approach assumes that consent is given until it's revoked, e.g. by unsubscribing from a mailing list.
The opt-in approach links consent to a particular action, for example, signing up for a mailing list and agreeing to receive newsletters. This can happen in two forms: explicit and implicit consent.
Explicit consent, also known as express or direct consent, gives the individual or business the right to deal with personal data. Consent can be acquired in written or oral form. However, both forms require you to keep a record of consent collection.
A typical example in email marketing is a website registration form. Ideally, you provide customers with a check-box to consent to sign up for your newsletter.
When the opt-in process has one step, so only a registration form is filled out, we talk about simple opt-in. When the registration has to be confirmed via a link sent to the acquired email address, we talk about double opt-in.
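The double opt-in flow and the consent record described above, as an added example that is not part of the original article: the confirmation token is bound to the address with an HMAC and expires, and each step is timestamped so consent can be shown later. The key, the 48-hour validity, the field names and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

SECRET_KEY = b"constructed-demo-key"  # constructed; load from a secret store in practice
TOKEN_TTL = 48 * 3600                 # assumed validity of the confirmation link, in seconds


@dataclass
class ConsentRecord:
    email: str
    source: str                       # where consent was requested, e.g. the form name
    requested_at: int                 # step 1: registration form submitted
    confirmed_at: Optional[int] = None  # step 2: link in the confirmation email clicked
    revoked_at: Optional[int] = None    # later unsubscribe (opt-out)


def _normalize(email: str) -> str:
    return email.strip().lower()


def _mac(email: str, issued_at: int) -> str:
    # Binding the MAC to the address stops a token from confirming someone else.
    msg = f"{issued_at}\n{email}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def request_subscription(store: Dict[str, ConsentRecord], email: str,
                         source: str, now: int) -> str:
    """Step 1: record the pending request and return the token for the emailed link."""
    email = _normalize(email)
    existing = store.get(email)
    # Keep an active confirmed record; replace only a pending or revoked one.
    if existing is None or existing.confirmed_at is None or existing.revoked_at is not None:
        store[email] = ConsentRecord(email, source, requested_at=now)
    return f"{now}.{_mac(email, now)}"


def confirm_subscription(store: Dict[str, ConsentRecord], email: str,
                         token: str, now: int) -> bool:
    """Step 2: accept the link only if the token is authentic, fresh and expected."""
    email = _normalize(email)
    try:
        issued_raw, mac = token.split(".", 1)
        issued_at = int(issued_raw)
    except ValueError:
        return False
    expected = _mac(email, issued_at)
    if not hmac.compare_digest(mac.encode(), expected.encode()):  # constant-time compare
        return False
    if now - issued_at > TOKEN_TTL:
        return False
    record = store.get(email)
    if record is None or record.revoked_at is not None:
        return False
    if record.confirmed_at is None:
        record.confirmed_at = now
    return True


def unsubscribe(store: Dict[str, ConsentRecord], email: str, now: int) -> None:
    record = store.get(_normalize(email))
    if record is not None and record.revoked_at is None:
        record.revoked_at = now


def may_email(store: Dict[str, ConsentRecord], email: str) -> bool:
    """Only confirmed, non-revoked addresses may receive commercial email."""
    record = store.get(_normalize(email))
    return bool(record and record.confirmed_at is not None and record.revoked_at is None)
```

With simple opt-in, `may_email` would be true straight after `request_subscription`; here it stays false until the address owner presents the token.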
Implicit consent, also known as inferred or indirect consent, is usually derived from your current actions and circumstances.
The best example is when a commercial transaction has taken place: the recipient purchased something from you. Thus, you can assume that the client is interested in similar products or services in the future.
The exact boundaries for both types of consent are defined in each country's laws.
We gathered high-level information on country laws from over 20 countries. In each section you will find the following information:
The federal Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), enacted in 2003, prohibits sending commercial electronic messages (CEMs) unless they comply with the following requirements.
One thing that separates the CAN-SPAM act from similar legislation in the EU, Canada or Australia, is its opt-out approach.
You are free to contact individuals or businesses without prior consent, as long as you abide by the above-mentioned requirements and don't use unlawful means to collect email addresses. An example of unlawful means is using an automated email generator.
Finally, be careful with who you hire to handle your email marketing. The responsibility is shared by the company that sends the messages and the one whose product is promoted. If the law is breached, fines can go up to USD 16 000 per violation per individual email.
Among the different countries' legislation, Canada has a well-thought-out and rather rigorous approach to handling unsolicited commercial messages. Canada’s Anti-Spam Legislation of 2014 (CASL) prohibits individuals and businesses from sending CEMs to Canadians without consent.
The law also prohibits:
There are three requirements that all emails have to fulfill to comply with the law.
It is important to note that the CASL does not only apply to individuals and businesses living or operating in Canada. Anyone contacting people within Canada falls under the legislation. Therefore, federal agencies can report cases to the respective countries, which also have similar SPAM legislation.
Finally, fines for breaching the law can go up to the considerable amounts of CAD 1 million for individuals and CAD 10 million for businesses.
An outstanding case in Canada is that of Compu-Finder. The company received a CAD 1.1 million fine in 2015 for not having consent from recipients and using a malfunctioning opt-out mechanism.
Australia’s Spam Act of 2003 prohibits the sending of unsolicited commercial electronic messages. The legislation covers all messages originating from Australia or targeting an Australian address.
To lawfully reach people and businesses with commercial emails you are required to have:
In lead generation, purchasing email address lists is allowed. Yet, it is your responsibility to make sure that consent was obtained via lawful address collection means. For example, address-harvesting software and lists produced using such software are strictly forbidden.
Some organizations are exempt from consent regulation, such as government bodies, registered charities and political parties. Nevertheless, the same rules apply to third-party contractors who send out emails on your behalf.
Fines go up to AUD 2.1 million.
The legislation in New Zealand is defined by the Unsolicited Electronic Messages Act 2007. Being fairly similar to the Australian model, it prohibits spamming with a New Zealand link (messages sent to, from or within the country).
Fines for businesses go up to NZD 500 000. In some cases, companies are bound to pay compensation for any loss suffered, or to pay damages equal to the profit earned sending the SPAM.
It is interesting to note that SPAM can be a single message and does not necessarily have to come in bulk to qualify as unsolicited.
In the EU, the Privacy and Electronic Communications Directive 2002, better known as the E-Privacy Directive, gives guidance for the member states on how to protect citizens from SPAM.
Like all directives, the E-Privacy Directive outlines general rules that member states are free to adapt to their local legal system. Hence, different SPAM law regulations are in place for all member states.
Article 13 of the Directive prohibits the use of email addresses for marketing purposes, unless:
Penalties are always determined by member states.
The significant differences between member state regulations demanded a more harmonized approach. Thus, the regulatory bodies decided to tighten up the laws on collecting, handling and recording of private data. The outcome is the GDPR.
The General Data Protection Regulation (GDPR), due to its nature, is legally binding in all countries and will be legally enforceable from May 25, 2018, onwards.
The Regulation applies to all individuals and businesses in the EU. Regardless of where the sender is based, anyone who acquires email addresses and sends emails to subscribers in the EU falls under the law.
In general, the Regulation imposes stricter conditions than the E-Privacy Directive. The rules on seeking, collecting and recording consent come with higher penalty fees.
The Regulation also works retroactively, meaning it concerns data collected in the past. If you cannot prove the consent of your current recipients, you cannot email them anymore.
Not only the requirements but also the sanctions will be standardized. Breaching the law obliges organizations to pay a maximum of 4% of annual global turnover or EUR 20 Million, whichever is greater.
Depending on how severe the law is in the country of your operations, you should expect significant additional work to make sure you manage your users' data according to the GDPR.
However, before we rush forward into 2018, let’s see which legislation you should comply with in Europe today!
When it comes to consent, the legislation in the UK on electronic messaging sits between the US and the European models. It is regulated by the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations 2003 (EC Directive) that require:
In general, the UK also takes an opt-in approach. However, not only the conclusion of a sale but also negotiation over a product or service is enough as proof of consent. Moreover, direct marketing emails can be sent to workplace email addresses without consent, as long as they offer an opt-out possibility.
Breach of the law is a criminal offense, and fines go up to GBP 500 000.
In France, Article 22 of the “Loi du 21 juin 2004 pour la confiance dans l’économie numérique” provides legal boundaries for spamming.
The highest fine is EUR 750 per individual email.
Fines can go up to EUR 4,000 per individual email.
Plus, there are a handful of special restrictions when you send commercial emails in Germany.
The jurisdiction on spamming in the DACH countries (Germany, Austria, and Switzerland) is fairly similar, with Germany being the strictest. Therefore, if you plan on reaching all German-speaking countries in Europe, you cannot go wrong by abiding by German law.
In Austria, spamming is regulated by the Austrian Telecommunications Act 1997 and the Federal Act against Unfair Competition 2007. As opposed to the strict German system, Austria takes a more relaxed approach.
Should you fail to fulfill the requirements, you are bound to pay a penalty of up to EUR 37 million.
In Switzerland, the Federal Law against Unfair Competition 2007 and the Telecommunications Law - 2003 Amendment set the legal framework for electronic messaging. The regulation is closer to German laws in severity and requires:
The Swiss law is particularly severe when it comes to penalties. Breaching the law is a criminal offense, and depending on the seriousness of the case you can face up to three years in prison or CHF 100,000.
The Spanish Act on Information Society Services and Electronic Commerce 2002 applies to individuals and businesses residing/operating in Spain and the EU and emailing Spanish citizens.
Individuals and businesses outside the EU also fall under the Spanish law. However, they are subject to international treaties and conventions as well.
The Spanish law takes a similar approach to the French legislation with small variations.
Fines are up to EUR 600 000.
In Italy, spam law is defined in the Italian Personal Data Protection Code 2003, which also takes a rather severe approach when it comes to penalties.
Breach of law is a criminal offense and penalties go up to three years of imprisonment and fines up to EUR 90 000.
The Dutch legislation is specified in the Dutch Telecommunications Act 1998.
An interesting fact in the Netherlands is that charities also fall under the law.
Fines go up to EUR 450 000.
In Belgium, the Law of March 11, 2003 requires:
Fines are up to EUR 50 000.
Law infringement is subject to fines and/or imprisonment of up to 6 months unless a stricter penal provision applies.
With the Regulation of Electronic Commerce 2014 No 6563, Turkey took a step towards a more secure and transparent e-commerce environment.
The law covers a wide range of privacy protection areas in the digital sphere:
The regulation in Turkey requires:
Fines range from TRY 1,000 to TRY 15,000. For repeat offenders, it is up to 10 times the individual fine (currently TRY 1000).
Additionally, Turkey recently introduced the Law on the Protection of Personal Data No 6698 (2016). It defines concepts such as “personal data”, “sensitive data” and “explicit consent”. Also, it regulates the acquisition, handling and storing of such data.
The Data Protection Law is a major step for Turkey towards aligning its legislative framework with the EU Data Protection Directive. However, the law is still far less complex and detailed than the GDPR.
As we leave the Western World, regulations regarding spamming, and the handling of personal data in general, become loose. Countries like Russia, China, India and a couple of Latin American states refuse to join global initiatives. One notable example is the Convention on Cybercrime, adopted by the European Council in 2001 and ratified by 52 countries worldwide.
These countries constitute the cradle of global spam and malware activities. They are therefore very interesting to examine.
It is well known in the digital world that one of the worst types of spam comes from Russia. Content ranges from basic ads to malicious viruses. In most cases, Russian SPAM is able to cripple both users and Internet Service Provider (ISP) networks.
For a long time, the only regulatory instrument was the Russian Civil Code (art. 309). It addresses spam issues in the form of contracts between the ISP and the user. It also develops codes of “good practice” for any business relationship. Yet, its scope is very broad and it does not impose any restraining force.
Lately, there have been several attempts to impose an antispam legislation in Russia.
Finally, the Russian Federal Law on Personal Data and the Federal Law on Advertising, enacted in 2006, were the first real attempts to impose boundaries to sending bulk emails. The latter guarantees that
Nevertheless, regulations are rarely enforced, due to many exceptions such as political proclamations, market research reports, private announcements, etc.
Furthermore, the text is poorly drafted and very ambiguous. For example, the concept of SPAM is not clearly defined, nor is how the operator or the sender should prove that they have the recipient’s consent.
Rules of the Internet Use
In contrast to the soft state regulation, an informal organization, the Open Forum of Internet – Service – Providers (OFISP), issued a document, the Rules of the Internet Use. It imposes rather hard self-control measures on ISPs.
The Rules of the Internet Use is based on the rules of business. Thus, breaking it means breaking the civil legislation of the Russian Federation. This provides ISPs with the right to end a contract with spammers and revoke Internet access from them.
Looking into the future, Russian email marketers also have an interest in growing their business. Sending relevant and well-designed content to their recipients will soon be inevitable. Therefore, they are slowly approaching global standards.
The Chinese antispam legislation is defined by the Measures for the Administration of Internet email Services 2006 and the Consumer Rights Protection Law 2013. It applies to all emails sent to Chinese residents and to those who received emails while being in Chinese territory. The requirements for lawful emailing are the following:
Particular restrictions apply to content in China. They are vaguely defined by Article 57 of the Regulation on Telecommunications. Obvious examples are politically sensitive topics but also everything that is deemed obscene.
Fines go from CNY 10 000 to CNY 30 000 per individual email.
Despite strict regulation and high fines, there has not been any reasonably high-profile case so far. Hence, spamming remains a major problem in China.
Even so, before you engage in email marketing activities in China, make sure to check the very dynamic list of blacklisted keywords. Once you get on the other side of the Great Firewall of China, there is no way back.
There is no regulation on spamming or data protection in India.
Only sections 79 and 43a of the Information Technology Act 2000 suggest that an intermediary dealing with personal data has to pay compensation in case it fails to protect the data. In addition, under section 67, punishment can be imposed if obscene content is published or transmitted via electronic means.
Penalties include fines up to INR 500 000. In case of a second or consecutive conviction, a fine up to INR 1 000 000 and up to five years of imprisonment apply.
However, the law is defined very broadly and is only rarely enforced in email marketing cases.
Since, according to Statista, Vietnam is the source of most SPAM in the world, it is worth taking a look at its legislation.
The relevant regulations are Decree No. 90/2008/ND-CP 2008 on anti-spamming and Decree No. 77/2012/ND-CP, which supplements and amends the former.
The main principles of sending advertising emails are the following:
Fines vary between VND 10 000 000 and VND 50 000 000, except for misusing the name or email address of another organization or individual, where the fine amounts to VND 60 000 000 to VND 80 000 000. In severe cases, temporary or permanent suspensions from emailing or advertising activities also apply.
The Act on Promotion of Information and Communication Network Utilization and Information Protection (Network Act) defines the South Korean spam legislation. All businesses and individuals residing in South Korea fall under the legislation, as do foreign organizations if their domain is Korean or if they conduct business or promotional activities in South Korea. The provisions are as follows:
A fine for the negligence of the above-mentioned goes up to KRW 5 million.
The Regulation of Transmission of Specified Electronic Mail 2002 regulates spamming and data protection in Japan, and the Ministry of Internal Affairs and Telecommunications (MIC) is the main authority.
Penalties always depend on the type of violation. Falsifying sender information can cost JPY 30 million for businesses, or JPY 1 million or 1 year of imprisonment for individuals. If a sender does not follow an order from the MIC, the same punishments apply.
On the western coast of the continent, an individual's privacy is usually protected only by general provisions. Furthermore, such laws were not drafted with the digital age in mind. Thus, Middle Eastern countries lacked proper regulation on data protection and electronic communication.
The UAE is one of the most developed countries in the Middle East. Still, it does not have an extensive regulation on spamming. The Telecommunications Regulatory Authority (TRA) issued the Unsolicited Electronic Communications Policy in 2010 that applies some general rules to control spamming by controlling telecommunication providers.
The TRA can impose administrative fines up to AED 10 million for violating the Telecommunication Law or its executive order.
Brazil is also known as one of the biggest SPAM diffusers. The main reasons are the lack of country regulation and minimal security measures applied by internet users. There is no law in place against either SPAM or online data theft.
Yet, not so long ago, the country’s federal government approved the Brazilian Civil Right Framework for the Internet. The new framework sets basic principles for data protection in the digital age.
Furthermore, there are several ongoing projects to protect consumers from SPAM.
The Self-Regulation Code for Email Marketing Practices is a project by ISPs, the same approach as we have seen in Russia. The code is not legally binding, and the ISPs only agree voluntarily to participate. It contains basic rules to protect internet users and requires an opt-out link to be included in every communication sent. Blocking the sender’s domain name is a possible sanction.
The Consumer Protection Code aims to put boundaries on spamming.
The regulation in Argentina is defined in the Personal Data Protection Law No. 25,326 (PDPL) and the Regulatory Decree 1558/2001.
When it comes to consent, there is a regulatory tension between the two standards, with the PDPL favoring an opt-in and the Regulatory Decree an opt-out approach. The National Directorate of Personal Data Protection decided for an opt-out system. Thus, the rules are the following:
Sanctions include warnings, suspensions, fines from ARS 1 000 to ARS 100 000, and closure or cancellation of the file, register or database. There is precedent for applying fines for breaching the law. However, the authorities usually charge low amounts.
More serious penalties apply in case of violating data privacy. Disclosing data to third parties or inserting false data in databases can result in 1 month to 2 years of imprisonment.
Internet penetration is the lowest in African countries when compared to the rest of the world. Therefore, regulations on spamming are in general quite loose, if any exist.
Morocco is one of the few countries in North Africa having a data protection regulation. The Law n° 09-08 of 18 February 2009 has a specific section for electronic marketing. It requires:
Yet, the law only applies to businesses emailing individuals.
If you own an email address, then you have certainly received at least one email from a Nigerian prince. These emails come in all shapes and sizes with the most impossible stories you've heard in your life. Let's see the SPAM regulation of the country, infamous for its scams.
The Nigerian [Cybercrime Act 2015](https://cert.gov.ng/images/uploads/CyberCrime(Prohibition,Prevention,etc)Act,_2015.pdf) is a recent legal, regulatory and institutional framework. It aims to overcome the country's biggest threat: phishing. Electronic fraud-related activities cost 0.08% of Nigeria's GDP, which represents NGN 127 billion. (Deloitte)
The law defines the act of spamming as
an abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages to individuals and corporate organizations.
The law is rather strict. Punishment for spamming is three years of imprisonment and/or NGN 1 million. It defines spamming as an intent to disrupt the operations of a computer, and malicious or deliberate spreading of viruses or any malware.
There is no regulation on unsolicited commercial electronic messages yet.
The Internet Service Providers’ Association (ISPA) is the main SPAM regulating authority. The legislation requires the following:
Sanctions can be fines (without limit) or in severe cases imprisonment for a period not exceeding 12 months.
Below you can see a graphic with the leading countries of origin for SPAM emails as of 2nd quarter 2017, based on share of worldwide SPAM volume.
Countries like Vietnam, China and India have the most SPAM-bots in the world. Many factors contribute to this. The lack of good anti-virus software and proper ISP filtering are some of the main reasons for Asia having the worst botnet infestations.
The same problem goes for Russia. When the first botnets appeared five to ten years ago, Russia-based cybercriminals attacked mostly other countries. Nevertheless, managing botnets comes with big money. So since law enforcement in cybercrime is not common practice in Russia, hackers realized: the country is an easy target.
But what about the Western countries on the graph? Out of the top 10 worst spammers, four are from Europe and North America. It is surprising, as data privacy legislation is common practice there and has a long history. That the US has the second-highest SPAM volume worldwide may be due to its opt-out system. However, when Germany, with one of the strictest legislations in Europe, comes in fifth place, we might ask ourselves:
Is there a correlation between how severe a country's SPAM legislation is and how actively it spams other countries?
In short, yes.
Yet, many other factors influence a country's SPAM volume apart from legislation, such as the power of authorities, law enforcement practice, security measures applied by ISPs and users, and the list goes on.
Before you engage in email marketing activities abroad, make sure you are familiar with SPAM legislation in your countries of operation. Still, do not forget that this is not the only aspect you should investigate.
This article provides a high-level overview of international email SPAM law. Thus, it should not be taken as legal advice. Please refer to the original regulations or contact an attorney for advice on email marketing regulations, or any other legal problems.