Most business owners think they know what they’re doing when it comes to ensuring their email policies and practices are compliant with current laws. In fact, most are now focused on implementing some of the more advanced email features such as encrypting emails using TLS or automating their email marketing campaigns against targeted lists of high-priority customers.
However, as you probably know, email compliance is not as easy as simply reading the regulations every couple of years. New legislation and recommendations come out every year, and today's businesses have to contend with a patchwork of different compliance codes across multiple countries and jurisdictions.
Additionally, email compliance is not just about sticking to the law. Research shows that 75% of most businesses’ intellectual property is contained in their email and messaging systems, so securing your business data means that you need to pay particular attention to your email system.
In this article, we'll give you a quick rundown of how to build a compliant email system, discuss the recent legislation relating to email compliance, and tell you what you need to do to keep your email system legal. We'll then scan the horizon for upcoming legislation that will have an impact in this area.
Get The Basics of Email Compliance Right
Wherever your business is based, and wherever your customers live, achieving email compliance necessitates that you have a fully-featured email system in place. This system should also offer you the administrative flexibility to filter incoming mail, manage the storage of attachments, and manage your email signature and disclaimer.
Zoho Mail does just that. We’ve built the system so managers can centrally administer the content, attachments, storage, disclaimers, and signatures of outgoing mail. That means that when working through the lists below, you can easily set your Zoho Mail settings to ensure compliance. Specifically, our email control panel lets you easily create GDPR-compliant and HIPAA-compliant email policies, control your organization's receiving and sending parameters, and monitor everything with detailed audit logs.
Zoho Mail also offers a huge level of control over incoming mail. For instance, you could set up an email-subject restriction to block incoming email with the word "drug" in the subject line.
Zoho Mail also helps you achieve compliance when it comes to the storage and encryption stipulations built into many pieces of email legislation. Our servers ensure your data is always secure and accessible. We respect your privacy, which is why we fully encrypt your data and will never sell it to advertisers. GDPR compliance and enhanced security measures, like 2FA, EAR, S/MIME, and TLS, add extra protective layers to your data.
1. Email compliance: a moving target
Many politicians worldwide seem extremely keen to regulate emails more closely. For the last decade, lawmakers in the US, Canada, and the EU have been discussing how to limit the number of unsolicited emails their citizens receive and how to regulate the way that companies store and process this data. On the flip side, some governments in the Middle East and Asia actively track and censor email communications of their citizens.
Because laws like this take some time to draft and enact, the past few years have seen a huge spike in the number of regulations that affect email marketing campaigns. The first of these actually came way back in 2003, in the form of the CAN-SPAM Act in the United States, but this regulation was quite limited in its scope. Since then, we’ve seen the introduction of Canada’s CASL in 2014, the EU’s GDPR in 2016, and most recently the CCPA in California in 2018.
All of these laws aim to place restrictions on the way companies use data, and this has a huge effect on email campaigns. Most of them—but particularly the CCPA and GDPR—put into place rigorous regulations on the data companies can collect and how they can use it.
Compliance with these pieces of legislation is important for at least three reasons. First, companies can incur sizeable fines if they are found to be non-compliant. Second, failing to achieve compliance can result in substantial negative media coverage, and over 90% of consumers will always research a company’s reviews and reputation before buying from them or using their products. Third, these laws also represent a set of best-practice guidelines that can protect your own company against data theft and hackers.
2. Making Your Systems Compliant
Of course, email compliance is not just about making statements about how you handle customer data; you also need to ensure your systems are working in the way you have declared they are.
Let's assume, for the sake of brevity, that your systems were compliant as of the beginning of 2019. What do you need to do now?
Here's a list of what you should put in place now:
You should segment your marketing list to identify individuals who are not in the US, and who have not explicitly opted-in to your mailings. You are no longer allowed to send emails to this group, so either block them from your marketing communications, or seek their consent to be included.
Second, be aware that the GDPR is retroactive, so any information you collected on EU citizens (ever) needs to be deleted. If you are in doubt, delete this information anyway, since the GDPR is so restrictive that even emailing these people to ask them where they live is a violation of it.
Third, make sure that any email or website forms you are using have an explicit opt-in box. "Implied consent" is no longer good enough to reach compliance: instead, each form should have a check-box that is clearly labelled "subscribe to email newsletters" or similar.
Another change you should make, albeit one that is not directly related to email compliance, is to install a cookie consent management tool. There are many such tools available depending on what CMS and marketing automation tools you use, and most (good) marketing automation software offers such tools. However, if you don’t have a marketing automation system (or don’t like the options yours has) there are tools like Cookie Consent to manage this functionality on your site.
Not only will these steps ensure your email campaigns are compliant with the current legislation, they will also position you to comply with any future legislation.
3. Making Your Emails Compliant
Companies in 2020 face a difficult challenge when it comes to complying with international legislation, not least because each law and set of recommendations requires them to implement different working practices.
Businesses who use email marketing services in particular will need to take action to be compliant with existing privacy regulations. While it may seem convenient to some to just avoid using email services entirely due to the large number of regulations you must follow, considering that email marketing services are seven times more effective at generating sales than through LinkedIn, Facebook, and Twitter put together, it’s definitely worth it to take action to be compliant.
The best approach is to simply comply with the most far-reaching existing privacy legislation. As of 2020, that’s the GDPR. This means if you are GDPR compliant, you are compliant with the other laws that govern email outreach.
Here, then, is a list of what you need to do when communicating with customers over email:
1. Explicitly tell your customers when you are collecting their data
2. Provide a list of all the systems and tools that you are using to process and store it
3. State what you are using this data for
4. Provide a statement and agreement that you are not collecting their data for reselling purposes, and will refuse any offer to do so
5. Provide any individual with access to their data upon request
6. Delete all of the information you have collected on them if they ask you to
In order to be compliant with the CCPA, you must require parental consent for data collection of minors (but note that the definition or “minor” varies between the various pieces of legislation). Also, when sending email over public wifi networks, use both a firewall and virtual private network (VPN). The best VPN services encrypt your connection do not log any traffic data or email communications
In practice, putting all of these statements in an email footer is not ideal for most companies. Not only would that make every email you send impractically long, but your contacts are unlikely to read it. One solution to this is to put all of this information in an email attachment, but if you do this then make sure it doesn’t look like a phishing attempt, or it will fall foul of your customers' spam filters.
In reality, therefore, the best approach for most companies will be to provide a link in their emails to a portion of their website containing all of the information above.
4. Data and Consent
Ultimately, email compliance in 2020 is about carefully managing the data you hold on your customers and ensuring you are following good email deliverability practices along with the best possible security practices for email marketing.
Putting a consent and data management system in place might take you some time, but this investment will be worth it. Given the speed with which governments are passing new laws about email marketing, you should ensure that you are in the best position possible to comply with whatever new legislation comes next.
Gary Stevens is the CTO of Hosting Canada, a website that provides expert reviews on hosting services and helps readers build online businesses and blogs. Besides, Gary is also a full-time blockchain geek, a front end developer, and a volunteer working for the Ethereum Foundation as well as an active Github contributor.