Are you Legal? Getting GDPR and Spam Laws compliant



Before you start sending any emails to a list, you will need to familiarize yourself with the relevant rules, regulations and laws, and choose software for emailing and contact management.

The software you choose will help keep you in compliance and give you valuable insights, data and tools.

The United States CAN-SPAM Act of 2003 has requirements every email marketer needs to follow in order to be legal.

Here is the breakdown of the main 3 laws, rules and regulations you need to be aware of...

CAN-SPAM Act of 2003


  • A visible and operable unsubscribe mechanism is present in all emails.

  • Consumer opt-out requests are honored within 10 business days.

  • Opt-out lists, also known as suppression lists, are used only for compliance purposes.


  • Accurate "From" lines.

  • Relevant subject lines (related to the offer in the body content and not deceptive).

  • A legitimate physical address of the publisher and/or advertiser is present. PO Box addresses are acceptable in compliance with 16 C.F.R. 316.2(p), and if the email is sent by a third party, the legitimate physical address of the entity whose products or services are promoted through the email should be visible.

  • A label is present if the content is adult.


  • A message cannot be sent through an open relay.

  • A message cannot be sent without an unsubscribe option.

  • A message cannot be sent to a harvested email address.

  • A message cannot contain a false header.

  • A message should contain at least one sentence.

  • A message cannot be null.

  • The unsubscribe option should be below the message.

To read the full requirements of the CAN-SPAM Act of 2003 please click here.


Besides the CAN-SPAM Act, as of May 25, 2018 you will also need to be in compliance with the GDPR (General Data Protection Regulation).

The GDPR is a new set of laws that governs how you communicate, interact with and store prospect and customer data for any of the 750 MILLION people and 1 BILLION email accounts that are associated with European member states.

Non-compliance with GDPR can lead to fines of up to €20 Million or 4% of a brand’s total global annual turnover (whichever is higher).

Regulators will be relying heavily on consumers to report breaches, and will likely focus their enforcement efforts on the most serious violations.


  • The right to be forgotten. You will have to delete all the data of an individual who requests this.

  • The right to object. Individuals can say no to certain data use such as profiling for marketing purposes.

  • The right to rectification. Individuals can have incomplete data completed.

  • The right of access. Individuals have the right to know what data is being processed and how, and can transmit their data from one organization to another without hindrance. (source: regulation PDF)

  • And the right to data portability

The GDPR is making sure your subscribers have the right to know what you are up to with their personal data.

The GDPR defines personal data as "Any information that could be used, on its own or in conjunction with other data, to identify an individual."

So any data you store on anyone from the EU who opts in to your list will need to be properly protected. This means that even a phone number stored on its own, or a social media ID without an associated name or address, may fall under the regulation.

The way you process their data is also covered by the regulation. Anything you do with a subscriber's data after they sign up is considered processing:

"GDPR considers ‘processing’ as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." [1]

In order to do any type of processing with their data, you need unambiguous or explicit permission to do so. You need to tell your subscribers EXACTLY what you're going to do with their data.

Are you going to add them into a campaign which tracks which links they click on? You need to tell them. Adding tags to email opens? You need to tell them. Tracking email opens? You need to tell them. Offering certain products based on behaviour or sites they visit? You need to tell them.

How do you tell them? What you're doing with their data can be added into your Privacy Policy Page or Terms & Conditions Page.

The most important part is that you need to get them to consent to your terms and conditions and have proof that they have done so.

You need "unambiguous" and "explicit" consent or permission, as mentioned in the official regulation documentation. The type of consent you need will depend on the data you are collecting from your subscribers. The GDPR says...

“On the final outstanding issues that were discussed in trilogue, the following balance was achieved. The way in which consent is to be given by data subjects remains “unambiguous” for all processing of personal data, with the clarification that this requires a “clear affirmative action”, and that consent has to be “explicit” for sensitive data.”

If you are handling sensitive data, you need explicit consent to process that data. If you are handling personal data you need unambiguous consent.

What does that even mean in plain English? Field Fisher, privacy, security and information law specialists, have said the following about consent in regard to the GDPR...

"If someone says “Yes, I agree” or ticks an unchecked box to say “I consent”, they have indicated their consent through an affirmative action. Not only that, but they have done so through an explicit affirmative action - sufficient to satisfy the consent requirements for both ordinary personal data AND sensitive personal data processing."

GDPR clarifies that an affirmative action signalling consent may include checking a box on a website, ‘choosing technical settings for information society services,’ or ‘another statement or conduct’ that clearly indicates consent to the processing. ‘Silence, pre-ticked boxes, or inactivity,’ however, is not adequate.
– James Koons

"The GDPR demands that the recipient is provided with adequate information on how their data will be used. For example, if you intend to profile someone’s data to determine what offers they receive, you must now tell your customer that is how you intend to use the data and give them the opportunity to object." – Tim Roe

So you DON'T have to double opt-in all your contacts (but I would highly recommend it as an extra precaution to cover yourself legally).

You DO however HAVE to get them to agree to your terms and conditions, and be clear and transparent in what those conditions are.

Those conditions need to be presented in an easy-to-read format, and tell subscribers again exactly what you will be doing with their personal and sensitive data.

The biggest issue with the GDPR is making sure you're being transparent and have permission.

You also will have to get ALL your EXISTING EU subscriber data up to the new GDPR standards.

If you currently have EU subscribers whose consent is not up to the GDPR standards, and you can't provide proof of it, you will NOT BE ABLE TO LEGALLY EMAIL THEM.

"There is no allowance for data captured before GDPR. Once the GDPR comes into play, if you don’t have sufficient consent, you won’t be able to legally process the data. It’s time to bring all of your customers’ data and business processes up to the correct standard."   – Tim Roe

For the full GDPR Requirements please click here.

Last but not least, there's CASL, the Canadian Anti-Spam Legislation. If you are sending emails within Canada you should familiarize yourself with this one as well.

To send a commercial electronic message to an email address, you need to have the recipient's consent, to identify yourself, to offer an unsubscribe mechanism and to be truthful.

CASL Compliance

  • Consent: You must have a form of valid consent, whether express or implied. You must keep track of, and be able to prove, how you obtained consent.

  • Identification: Clearly identify yourself and your organization. You must include your mailing address. You must also include a phone number for accessing an agent or a voice messaging system, an email address, or a web address for you or the person on whose behalf you are sending the message.

  • Unsubscribe mechanism: Provide an unsubscribe mechanism that is functional for 60 days. See examples of acceptable unsubscribe mechanisms.

  • Truth in advertising: Your messages must not be false or misleading. They must not have false or misleading sender information, subject matter information, URLs and/or metadata.

For full CASL requirements please click here.


Quick & Painless Overview of the GDPR with Karen Taggert 👇

Want more awesome legal advice from Karen?

Check out Karen's Facebook Page Here

Also Her BizLaw VIP Club is incredible! I'm a member myself. Check that out here.


GDPR Mythbuster Webinar Replay 👇



The GDPR is coming...what now? with Jen Gardiner

Inbox Besties with Kate Doster Podcast



GDPR For Entrepreneurs: What You Need to Know

Online Marketing Made Easy with Amy Porterfield Podcast



One of the biggest hiccups with the GDPR will be getting subscribers added to your list for weekly emails. I've been using the strategies below since January and they haven't had an effect on my list growth.

Below is a screenshot of my list growth for the beginning of May.

Some days I had over 60 people subscribing. I run a simple $5 a day Facebook ad to my highest-converting lead magnets, and I also use Pinterest.

I'm not doing anything special for these people to join my list.

Email Contact Growth

Using these strategies also hasn't affected engagement rates. They're on average between 50-60%.

Email Engagement Rate


Here is an example confirmation email that I would use for a workshop/webinar sign-up. I'm telling them exactly what I will be sending them with their confirmation. Notice, though, that I don't mention weekly emails.

After they confirm they would like to be added to the webinar they receive a welcome email with their webinar details. Within that email I ask if they'd like to be added to my weekly emails on X Y Z.

GDPR Compliant Webinar Confirmation Email

Here is an example of the confirmation email for lead magnets. The GDPR specifically states you can't add people to your list anymore from the EU if they sign up for your lead magnet. They have to give separate consent for the weekly emails.

With this email I'm killing two birds with one stone. If you look at the first sentence, I'm providing the lead magnet without them having to confirm. I state in the second sentence that they can grab it by clicking the hyperlink.

The next few emails talk about my weekly emails and other emails I send out and if they'd like to receive them they can click the confirm button to be added to my list.

The key with this is making it clear they can grab the lead magnet without confirming.

GDPR Compliant Lead Magnet Delivery Email

As I come across more GDPR compliant strategies that work I will be adding to this blog post.



Resources Cited

Nicholas Vollmer, PrivazyPlan - Get your Data Protection on Course (2018, May 5). Article 4 EU GDPR Definitions [Blog post]. Retrieved from