Compliance And You
While sending emails seems harmless, the regulatory environment surrounding email use has gotten tighter in recent years. While following common sense is an excellent starting point, it’s still a good idea to have some general knowledge of email archiving and compliance laws, both for your own nation and, if applicable, internationally. Let’s cover the basics of what email compliance is so you can send emails with confidence.
This article will give you a brief overview of email compliance issues in today’s business world, but it is not intended to be a complete and thorough overview. Laws do change rapidly, and all laws are subject to interpretation. Also, laws do vary between different cities, states, and countries. While we believe the information in this article is current and accurate as of the time it’s written, we can’t guarantee its accuracy. We advise that if you have any specific questions or concerns, you consult with an attorney specializing in this field.
When done right, cold emails can be a surprisingly effective way to generate solid leads. But is this spam? Let’s consider what a well-crafted cold email looks like. A well-crafted cold email:
- Is targeted and personalized to a specific person
- Builds trust and rapport
- Builds value; has a clear value proposition
- Discloses the identity of the sender
- Has a clear and relevant subject line
- Generally isn’t a ‘hard sell’; a good cold email is more about catching the recipient’s attention so they want more information
Cold emails are not very spammy at all, are they? But are they legal? Experts say yes. There’s nothing illegal about emailing a contact, even if you’ve never communicated with them or don’t know them. Networking between professionals is not a crime, and most people wouldn’t consider it to even be a gray area. But there are still a few things to consider. You still must comply with applicable laws or face hefty fines.
Well-written cold emails are definitely not spam, as to be effective they should be personalized, use rapport-building techniques, and offer clear value. However, to stay on the right side of the law, let’s review the CAN-SPAM Act in the US, and touch on some key international laws.
The CAN-SPAM Act
The Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) Act of 2003 established U.S. standards for commercial email and gave the Federal Trade Commission the right and responsibility to enforce those standards. The law has been criticized for not being tough enough on spam email and for preempting tougher state-level anti-spam legislation. It also sharply limits the ability of consumers to file lawsuits relating to email spam and has been inconsistently enforced. However, those found to be in violation do face hefty fines.
While the CAN-SPAM Act applies to emails intended to promote or advertise commercial products or services, it does exempt transactional/relationship messages, which seems to exempt cold sales email. Regardless, you can stay on the right side of the law by ensuring the following:
- For automated emails, a visible and operable unsubscribe method is present, and requests are processed within ten business days of receipt.
- The “From” line in the header is accurate.
- Subject lines are relevant to the content; this is one reason you need to know how to start your email properly.
- A legitimate physical address is included.
- Adult content is properly labeled.
- Messages are at least one sentence long.
- Advertisements are labeled as such.
This does not apply to recipients who have opted in to receive emails, or to people who already have a business relationship.
Some other nations have tougher laws and require that companies receive express permission to email anyone without a pre-existing relationship. While individual cold emails for sales purposes may or may not run afoul of those laws, it’s best to use caution if in doubt.
The EU General Data Protection Regulation (GDPR)
The GDPR is arguably the most comprehensive reform involving internet privacy and data security in this century. This law applies to organizations in the EU and to any email sent to citizens and residents of the EU, even from international companies. The GDPR is enforced much more stringently than the CAN-SPAM Act, with proof of compliance required.
- You need consent to email commercial advertisements.
- You need proof of that consent and a clear paper trail of that data, as the burden of proof is on your organization to show that you had consent to email someone.
- You need a valid reason to email someone unless you’ve received consent.
The GDPR also mandates clear privacy policies and stringent data gathering and security measures. Even encrypted data is covered by these measures; any information that can be used to identify an individual is covered by the GDPR. You need to consider whether the data you gather on leads and customers is actually necessary or relevant to your interactions with them; you must ensure the data is secure; and you must expunge that data when consent is declined or when it’s no longer needed.
One important difference between CAN-SPAM and GDPR comes into play with follow-up email tools or lead nurturing sequences. Both laws allow cold emails, but under the GDPR follow-up email sequences may require explicit consent. There are some nuances to this; for organizations that do a lot of business with the EU, it may be worth consulting a lawyer to ensure you’re on the right side of the law.
As discussed in the section on the GDPR, email security is another area in which your organization must ensure compliance with applicable laws and regulations. These laws may vary widely, but a few general guidelines will keep you on the right side of the law.
Confidential personal data should be identified, and access should be restricted to those who have a need for it. While not all laws are as stringent as the GDPR, on a general level complying with the GDPR will ensure compliance with other laws. This applies to everything from names to phone numbers to payment and bank information.
It is your organization’s responsibility to ensure data is secure and does not leak. Using secure email providers and following cybersecurity best practices are a must in order to minimize legal exposure. End-to-end encryption and the use of proper antivirus and anti-malware software are important steps to take to ensure that data is protected and secured. It’s also critical that your organization has clear training and policies for protecting sensitive data and using it appropriately, especially since user error is one of the biggest causes of data breaches. The best anti-malware software in the world is rendered useless if an employee is manipulated or fooled into letting bad actors have access to sensitive data or internal computer networks (these are known as ‘social engineering’ attacks in the information security field).
In many cases, email must be archived for later retrieval if deemed necessary by regulatory agencies or for internal or external audits. Relevant email messages should be kept, indexed, and be accessible for whatever period is mandated by applicable laws and regulations. It’s generally considered a good idea to utilize email archiving solutions that back up and encrypt archived emails.
Email archiving and compliance can be critically important in the event of an audit or in legal matters down the line, especially in industries with specific regulatory frameworks. For example, publicly traded businesses are often required to archive emails to comply with the Sarbanes-Oxley Act, and financial institutions must comply with the strict regulatory framework provided by the Gramm-Leach-Bliley Act.
The Health Insurance Portability and Accountability Act of 1996 (also known as HIPAA) is a federal law that, among other things, mandates strict national standards to protect sensitive patient health information from being disclosed without patient consent. HIPAA-compliant email is important, as this law is strictly enforced and those found to be in violation of it face severe penalties.
Individually identifiable health information has very strong protections under HIPAA. Of the five most commonly reported issues leading to fines or legal action, three are applicable to email compliance:
- Misuse and/or disclosure of patient health information
- Inadequate protection of health information/data
- No safeguards for electronic protected health information
For businesses and organizations working in health care and health care-adjacent fields, maintaining HIPAA compliance is crucial. If your organization works with patient data, a demonstrated capability to handle HIPAA requirements can be an asset in your sales campaign.
Email archiving and compliance laws and regulations can be complicated, but complying with them doesn’t have to be complicated for most businesses, especially for the sales team. A good rule of thumb is, when in doubt, always err on the side of the more stringent regulation.
When sending a cold email, follow this checklist and you’ll be in compliance with most laws in most countries, although it’s important to reemphasize that laws do vary and there’s no substitute for a consultation with an attorney who specializes in this field.
Email Compliance Checklist – Individual email:
- Do you have a valid purpose for your email, or has the recipient consented to receive emails? If they’ve consented, is that properly documented?
- Have you identified yourself in the email, including accurate info in the ‘from’ section of the header and address information in the body of the email?
- Is there a clearly identifiable way to unsubscribe from or decline future emails?
- Do you have a clear subject line and message that are relevant to each other?
- If your email is a solicitation or advertising, is it labeled as such?
- Have you properly secured customer data?
If you’ve answered all these questions affirmatively, you’re good to go in most situations. So don’t be afraid to get out there and excel with your cold sales campaign!