Update for 2024. #29

39 changes: 18 additions & 21 deletions README.md
@@ -1,34 +1,32 @@
# Email marketing regulations around the world (updated for 2023)

As the world becomes increasingly connected, the email marketing regulation landscape becomes more and more complex. Whether or not you operate directly in different countries, it's good practice as an email marketer to know which laws and regulations apply to your subscribers, wherever they are in the world. In recent years, keeping on top of new legislation has been challenging – most notably in Europe, with the introduction of GDPR (General Data Protection Regulation).

The team at [EmailOctopus](https://emailoctopus.com/?utm_source=github) have compiled this guide to make things easier. Our aim is to create a space where the email marketing community can keep each other up-to-date about regulations around the world, so it's easier for us all to be aware of new legislation, as and when it's implemented.

## At a glance

For more detail about a country's legislation, click the country name.

| Country| Legislation | Content required| Opt-out required| Consent required | Penalties|
| ------------- | ------------- | ------------- | ------------- |------------- | -------------|
| [Australia](/country/australia.md) | Spam Act 2003 | Name, contact information| Yes| Implied consent if you have a previous business relationship. Otherwise, explicit | Up to $1.8m AUD per day |
| [Belgium](/country/belgium.md) | outre-Quiévrain law, GDPR | Name, mailing address, clear identification of the sender | Yes | Explicit consent | Up to €20m, or 4% annual global turnover – whichever is higher |
| [Brazil](/country/brazil.md) | LGPD | Name, contact information | Yes | Implicit consent via soft opt-in where an existing commercial or social interest can be demonstrated (effectively legitimate interest) | 2 percent of the revenue from Brazil, up to R$50 million per infraction |
| [Canada](/country/canada.md) | CASL | Name, mailing address, contact information| Yes| Implied consent if you have a previous business relationship. Otherwise, explicit | Up to $10m CAD per violation |
| [China](/country/china.md) | Regulations on Internet Service | Name, email address | Yes | Explicit consent | 10,000-30,000 yuan per email |
| [Denmark](/country/denmark.md) | Danish Marketing Practices Act, GDPR | Name, mailing address, clear identification of the sender | Yes | Explicit consent | Up to €20m, or 4% annual global turnover – whichever is higher for GDPR violation; Danish government will impose an additional fine which is to be decided by the governing body |
| [Finland](/country/finland.md) | Electronic Communication Services Act, GDPR | Name, mailing address, clear identification of the sender| Yes| Implied consent if you have a previous business relationship. Otherwise, explicit | Up to €20m, or 4% annual global turnover – whichever is higher |
| [Germany](/country/germany.md) | Federal Data Protection Act, GDPR, Telemedia Act | Name, mailing address, clear identification of the sender| Yes| Implied consent if you have a previous business relationship. Otherwise, explicit | Up to €20m, or 4% annual global turnover – whichever is higher |
| [Hong Kong](/country/hongkong.md) | The Unsolicited Electronic Messages Ordinance | Clear identification of the sender | Yes | Implied consent | Up to $1,000,000 and imprisonment for up to 5 years on conviction on indictment |
| [Iceland](/country/iceland.md) | GDPR | Name, mailing address, clear identification of the sender | Yes | Explicit consent | Up to €20m, or 4% annual global turnover – whichever is higher for GDPR violation |
| [Australia](/country/australia.md) | Spam Act 2003 | Name, contact information| Yes| Implied consent if you have a previous business relationship. Otherwise, explicit | Up to 1.8m AUD per day |
| [Belgium](/country/belgium.md) | outre-Quiévrain law, GDPR | Name, mailing address, clear identification of the sender | Yes | Explicit consent | Up to 20 million EUR, or 4% annual global turnover – whichever is higher |
| [Brazil](/country/brazil.md) | LGPD | Name, contact information | Yes | Implicit consent via soft opt-in where an existing commercial or social interest can be demonstrated (effectively legitimate interest) | 2 percent of the revenue from Brazil, up to 50 million BRL per infraction |
| [Canada](/country/canada.md) | CASL | Name, mailing address, contact information| Yes| Implied consent if you have a previous business relationship. Otherwise, explicit | Up to 10 million CAD per violation |
| [China](/country/china.md) | Regulations on Internet Service | Name, email address | Yes | Explicit consent | 10,000 - 30,000 CNY per email |
| [Denmark](/country/denmark.md) | Danish Marketing Practices Act, GDPR | Name, mailing address, clear identification of the sender | Yes | Explicit consent | Up to 20 million EUR, or 4% annual global turnover – whichever is higher for GDPR violation; Danish government will impose an additional fine which is to be decided by the governing body |
| [Finland](/country/finland.md) | Electronic Communication Services Act, GDPR | Name, mailing address, clear identification of the sender| Yes| Implied consent if you have a previous business relationship. Otherwise, explicit | Up to 20 million EUR, or 4% annual global turnover – whichever is higher |
| [Germany](/country/germany.md) | Federal Data Protection Act, GDPR, Telemedia Act | Name, mailing address, clear identification of the sender| Yes| Implied consent if you have a previous business relationship. Otherwise, explicit | Up to 20 million EUR, or 4% annual global turnover – whichever is higher |
| [Hong Kong](/country/hongkong.md) | The Unsolicited Electronic Messages Ordinance | Clear identification of the sender | Yes | Implied consent | Up to 1 million HKD and imprisonment for up to five years on conviction on indictment |
| [Iceland](/country/iceland.md) | GDPR | Name, mailing address, clear identification of the sender | Yes | Explicit consent | Up to 20 million EUR, or 4% annual global turnover – whichever is higher for GDPR violation |
| [India](/country/india.md) | None at present | None | No| Consent is not required | None |
| [Ireland](/country/ireland.md) | Irish Data Protection Act 2018, GDPR | Name, mailing address, clear identification of the sender | Yes | Explicit consent | Up to €20m, or 4% annual global turnover – whichever is higher for GDPR violation; Irish government will also impose a fine up to EUR 250,000 per message sent by a company and an individual may be fined up to EUR 50,000 per message |
| [Israel](/country/israel.md) | Communications Broadcasting Law | Name, mailing address, contact information | Yes | Explicit consent, otherwise the recipient has given its contact details when purchasing a service or product, or when negotiating such purchase (specified for general advertising which includes marketing emails) | Fine of up to ILS 202,000 |
| [Japan](/country/japan.md) | Regulation of Transmission of Specified Electronic Mail | Name, mailing address | Yes | Implied consent if you have a previous business relationship, otherwise explicit consent required | Up to JPY 30 million for businesses; or JPY 1 million or 1 year imprisonment for individuals |
| [Singapore](/country/singapore.md) | Spam Control Act 2007 | Name, email address | Yes | Explicit consent, via a minimum of soft opt-in | $25 SGD per email, up to $1 million |
| [South Africa](/country/south-africa.md) | Electronic Communications and Transactions Act | Name, email address | Yes | Minimum of implied consent | Fines (no limit) or up to 12 months imprisonment |
| [United Arab Emirates](/country/uae.md) | Unsolicited Electronic Communications Policy | Name, mailing address | Yes | Implied consent | Fines of up to AED 10 million |
| [United Kingdom](/country/uk.md) | UK GDPR, PECR, DPA 2018 | Name, mailing address| Yes| Explicit consent, via a minimum of soft opt-in | Up to €20m, or 4% annual global turnover – whichever is higher |
| [USA](/country/usa.md) | CAN-SPAM | Name, mailing address, contact information| Yes| Prior consent is not required | Up to $16,000 per violation |
| [Ireland](/country/ireland.md) | Irish Data Protection Act 2018, GDPR | Name, mailing address, clear identification of the sender | Yes | Explicit consent | Up to 20 million EUR, or 4% annual global turnover – whichever is higher for GDPR violation; Irish government will also impose a fine up to 250,000 EUR per message sent by a company and an individual may be fined up to 50,000 EUR per message |
| [Israel](/country/israel.md) | Communications Broadcasting Law | Name, mailing address, contact information | Yes | Explicit consent, otherwise the recipient has given its contact details when purchasing a service or product, or when negotiating such purchase (specified for general advertising which includes marketing emails) | Fine of up to 202,000 NIS |
| [Japan](/country/japan.md) | ASCT, Anti-Spam Act | Name, mailing address | Yes | Implied consent if you have a previous business relationship, otherwise explicit consent required | Up to 1 million JPY or 1 year of imprisonment |
| [Singapore](/country/singapore.md) | PDPA, Spam Control Act 2007 | Name, email address | Yes | Explicit consent, via a minimum of soft opt-in | 25 SGD per email, up to 1 million SGD |
| [South Africa](/country/south-africa.md) | ECTA, CPA, PPIA | Name, email address | Yes | Minimum of implied consent | Fines (no limit) or up to 12 months imprisonment |
| [United Arab Emirates](/country/uae.md) | RUEC | Name, mailing address | Yes | Implied consent | Fines of up to 10 million AED |
| [United Kingdom](/country/uk.md) | UK GDPR, PECR, DPA 2018 | Name, mailing address| Yes| Explicit consent, via a minimum of soft opt-in | Up to 20 million EUR, or 4% annual global turnover – whichever is higher |
| [USA](/country/usa.md) | CAN-SPAM | Name, mailing address, contact information| Yes| Prior consent is not required | Up to $51,744 per violation |
Collaborator


Up to $51,744 per violation |

USD?


## Explicit vs implied consent and other key terms
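
Review bot: the Japan row's penalty cell drops the business-level fine. The old row read "Up to JPY 30 million for businesses; or JPY 1 million or 1 year imprisonment for individuals" and the new one reads "Up to 1 million JPY or 1 year of imprisonment", which is a change of substance in a hunk that otherwise only reformats currencies. Restore the 30 million JPY figure or cite the source for removing it. The USA figure moving from $16,000 to $51,744 needs a source for the same reason. Separately, the H1 in this hunk still reads "(updated for 2023)", and the new legislation cells for Japan, South Africa and the UAE use acronyms (ASCT, ECTA, CPA, PPIA, RUEC) with no expansion, where the old cells gave the full names of the acts.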

Expand All @@ -49,5 +47,4 @@ The best example is during online shopping. Imagine a customer has just bought a
The exact boundaries for both types of consent are defined in the specific country laws.

## Note

This guide is a community resource which is open to edits from members of the public. Information may be inaccurate and shouldn't be taken as legal advice – always consult a local lawyer before carrying out email marketing in any region.
2 changes: 1 addition & 1 deletion country/australia.md
Expand Up @@ -16,7 +16,7 @@ You cannot use harvested or scraped lists in Australia. Under the spam legislati
Some organisations are exempt from the legislation. These include registered charities, educational institutions (only when sent to current or former students), government bodies and registered political parties. These messages must relate to goods or services offered by the exempt organisation.

## Penalties
According to the ACMA, the penalty units referred to in the Spam Act are currently equal to $180 each. For example, the penalty under section 25(5)(b) of the Spam Act for a company with a previous record of spamming and who sent two or more spam messages on a given day without consent is a maximum fine of 10,000 penalty units. This equates to a maximum penalty of $1,800,000 per day.
According to the ACMA, "the penalty units referred to in the Spam Act are currently equal to $180 each. For example, the penalty under section 25(5)(b) of the Spam Act for a company with a previous record of spamming and who sent two or more spam messages on a given day without consent is a maximum fine of 10,000 penalty units. This equates to a maximum penalty of 1,800,000 AUD per day.
Collaborator


This was a direct quote from the ACMA website. Did you mean to remove the quotation marks, and if it is a quotation mark should we be changing the currency format?

In any event we should be consistent here.


## Additional reading
- [ACMA: Spam industry obligations](https://www.acma.gov.au/theACMA/spam-industry-obligations)
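
Review bot: the rewritten Penalties sentence opens a double quote before "the penalty units" and never closes it, and the text inside now mixes "$180" with "1,800,000 AUD". If this is meant as a verbatim ACMA quotation, keep the source wording unchanged and close the quote after the last quoted sentence; if it is a paraphrase, drop the quote mark and write both amounts in the same format.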
13 changes: 3 additions & 10 deletions country/belgium.md
@@ -1,27 +1,20 @@
# Belgium

Belgium has 2 laws that govern email marketing and other forms of electronic marketing. These are outre-Quiévrain law and EU GDPR. Both laws combined cover all aspects of electronic marketing in Belgium.
Belgium has two laws that govern email marketing and other forms of electronic marketing; the outre-Quiévrain law and EU GDPR. Both laws combined cover all aspects of electronic marketing in Belgium.

## Content required

All emails sent for marketing purposes should have a clear identification of the sender name, mailing address and a clear identification of the sender. The law requires you to have these as compulsory data to be mentioned in your marketing emails.

## Consent

You can only send marketing emails to those who have provided explicit consent to receive marketing emails from you.

This can be either by having a double opt-in or by checking an explicit checkbox while subscribing.

## Notable exceptions or requirements

Belgium requires that companies have a data security officer. The person is in charge of maintaining and enforcing data security standards.

## Penalties

The maximum fine available under the GDPR is up to €20 million, or 4% annual global turnover – whichever is higher. Though this is the maximum fine and "Data Protection Authority" will govern this.

Also the fine under outre-Quiévrain law will be decided on a case to case basis.
The fine under outre-Quiévrain law is decided on a case to case basis.
The maximum fine available under the GDPR is up to 20 million EUR, or 4% annual global turnover – whichever is higher.

## Additional reading

- [EU-GDPR Official Legal Text](https://gdpr-info.eu/)
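
Review bot: in the Penalties section the rewrite removes the sentence naming the "Data Protection Authority" as the body that governs GDPR fines, so the page no longer says who enforces them; keep that fact in the new wording. In the same section "case to case basis" should read "case-by-case basis", and in the intro the semicolon before "the outre-Quiévrain law and EU GDPR" should be a colon, since it introduces the two laws.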
6 changes: 3 additions & 3 deletions country/brazil.md
@@ -1,8 +1,8 @@
# Brazil
A legislation called Lei Geral de Proteção de Dados Pessoais (LGPD) took effect in September, 2020. Due to the Coronavirus pandemic, delays to the effective date postponed the measure several times. Penalties became enforceable on August 1, 2021, and data subjects and public authorities could enforce their rights starting on September 18, 2020. The LGPD is made up of 65 articles. Articles 17-22 deal with the rights of data subjects, those whose data is collected and/or processed, so mainly individuals or natural persons. It has 10 legal bases for the processing of personal data, four more than the GDPR.
A legislation called Lei Geral de Proteção de Dados Pessoais (LGPD) took effect in September 2020, with penalties becoming enforceable from August 2021. The LGPD is made up of 65 articles. Articles 17-22 deal with the rights of data subjects, those whose data is collected and/or processed, so mainly individuals or natural persons. It has 10 legal bases for the processing of personal data, four more than the GDPR.

## Content required
All emails should include name and contact information. Emails should also include a clear unsubscribe/opt-out option. There's no clear mention of time period defined to unsubcribe the email.
All emails should include name and contact information. Emails should also include a clear unsubscribe/opt-out option. There's no clear mention of the time period necessary to process an unsubcribe.

## Consent
The sending of unsolicited communications must be done based on one of the two legal grounds for processing: consent, and controller's legitimate interest.
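
Review bot: the rewritten Content required line still carries the typo "unsubcribe" ("process an unsubcribe"); correct it to "unsubscribe" while the line is being touched. In the intro, the condensed sentence drops the September 18, 2020 date from which data subjects and public authorities could enforce their rights; confirm that removal is intended. "A legislation called" would also read better as "A law called".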
Expand All @@ -21,6 +21,6 @@ According to LGPD, non-compliance will result in the following sanctions:
- Daily fine, subject to the total maximum referred above.

## Additional reading
- [Brazils General Data Protection Law](https://usercentrics.com/knowledge-hub/brazil-lgpd-general-data-protection-law-overview/)
- [Brazil's General Data Protection Law](https://usercentrics.com/knowledge-hub/brazil-lgpd-general-data-protection-law-overview/)
- [Thomson Reuters: Data protection in Brazil](https://uk.practicallaw.thomsonreuters.com/4-520-1732)
- [LGPD entra em vigor sem multa; veja 6 pontos detalhados para ficar de olho](https://www.uol.com.br/tilt/noticias/redacao/2020/09/19/lgpd-entra-em-vigor-sem-ter-fiscalizacao-ativa-ou-multa-entenda-o-que-muda.htm?cmpid=copiaecola)
4 changes: 2 additions & 2 deletions country/canada.md
@@ -1,5 +1,5 @@
# Canada
The Canadian Anti-Spam Law regulates email marketing in Canada, and has been in effect since July 1 2014. Wherever you are in the world, if you send email marketing messages to Canadian residents, you will need to comply with CASL.
The Canadian Anti-Spam Law (CASL) regulates email marketing in Canada, and has been in effect since July 1 2014. Wherever you are in the world, if you send email marketing messages to Canadian residents, you will need to comply with CASL.

## Content required
All emails sent to Canadian recipients must contain the following:
Expand Down Expand Up @@ -33,7 +33,7 @@ If you are collecting an email address as part of a sign-up or purchase flow, th
## Penalties
The penalties under CASL can be quite severe. They include:

- Administrative Monetary Penalties (AMPs) consisting of fines of up to $1 million for individuals and up to $10 million for corporations per violation.
- Administrative Monetary Penalties (AMPs) consisting of fines of up to 1 million CAD for individuals and up to 10 million CAD for corporations per violation.
- Vicarious liability. This means that corporate directors can be found to be liable for the wrongful acts of a corporation or organization, and the corporation can be found to be liable for the wrongful acts of its employees.
- Private rights of action. This means that after July 1 2017 individuals can sue another individual or organization for damages after proving actual harm or loss after receiving an unsolicited and unwanted commercial electronic message (CEM). An individual cannot sue an organization if the Canadian Radio-television and Telecommunications Commission (CRTC) has already taken action against it.

6 changes: 3 additions & 3 deletions country/china.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
# China
China's email marketing regulations are set out in the Regulations of Email Services (RES). The regulations are far more restrictive than the USA's CAN-SPAM Act.
China's email marketing regulations are set out in the Regulations of Email Services (RES). These regulations are far stricter than those seen in other countries.
Collaborator


Far stricter than which countries? It doesn't appear to immediately be more strict than the GDPR, but is more than the Indian and USA legislation. Should we be specific here or just remove it – ensuring it's factual.


## Required content
The RES requires email marketers to make sure recipients are aware they are receiving promotional content but putting “AD” in their subject lines. Email content must not violate the Regulations of Telecommunication in the People's Republic of China. In general, this means that politically sensitive or mature content is prohibited. This includes advertisements for pornography, firearms, gambling, tobacco and illegal drugs. Senders must also ensure they provide contact information to ensure recipients are able to unsubscribe.
The RES requires email marketers to make sure recipients are aware they are receiving promotional content but putting "AD" in their subject lines. Email content must not violate the Regulations of Telecommunication in the People's Republic of China. In general, this means that politically sensitive or mature content is prohibited. This includes advertisements for pornography, firearms, gambling, tobacco and illegal drugs. Senders must also ensure they provide contact information to ensure recipients are able to unsubscribe.

## Consent
The RES requires consent before sending emails can be sent, however the opt-in methods are not specified. It is recommended to follow the same consent measures as stipulated in the CAN-SPAM Act.
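
Review bot: the Consent paragraph left as context here recommends following "the same consent measures as stipulated in the CAN-SPAM Act", yet the README table in this same change lists CAN-SPAM as "Prior consent is not required" and China as "Explicit consent", so the recommendation contradicts the guide and should be reworded or removed. The same sentence has a garbled clause ("before sending emails can be sent"), and the Required content line touched by this change still says "but putting" where "by putting" is meant.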
Expand All @@ -11,7 +11,7 @@ The RES requires consent before sending emails can be sent, however the opt-in m
Recipients must be able to opt-out from receiving emails.

## Penalties
Violations of the RES are subject to fines of up to CNY 10,000. For cases that involve illegal content, fines can be up to CNY 30,000. The penalties are enforced through a report-based system, where consumers file an official complaint about illegal email activity.
Violations of the RES are subject to fines of up to 10,000 CNY. For cases that involve illegal content, fines can be up to 30,000 CNY. The penalties are enforced through a report-based system, where consumers file an official complaint about illegal email activity.

## Additional reading
- [Do the New Anti-Spam Regulations in China Apply to You?](https://www.b2bemailmarketing.com/2006/04/do_the_new_anti.html)