6 Things You Need to Know about Anti-spam Law and Opt-ins

6 Things You Need to Know about Anti-spam Law and Opt-ins

Feb 7, 2017
6 Things You Need to Know about Anti-spam Law and Opt-ins

Ever received an unwanted email from a company you never requested info from and wondered where the heck they got your email address from? What is the legal standpoint on protecting the recipient? Especially in the age of GDPR!

It happens to me so much, especially here in the US, with unwanted emails or phone calls from companies offering their financial services, software or any other kind of things I don’t want or need. Well, the good news is that countries all around the world have already realized it is necessary to do something about it and protect their citizens from receiving unwanted emails/phone calls/text messages. But, as with most good news, it comes with bad news too. I have to say that sometimes it can be very complicated to keep up with all those rules, regulations, and laws governments around the world come up with. What is allowed in one country doesn’t necessarily have to be ok in another, and vice versa. For example, in country A, using pre-checked boxes under online forms to express the recipient’s consent to receiving commercial messages is not allowed, whereas, in country B, it is.

This two-part article will provide you with answers to some of the most common questions we hear from our customers regarding international email laws. Disclaimer: Although this article is designed as a guide to help make sure your email marketing activities comply with the law, do check with current legislation, as laws change every day.

1. If I send messages outside my country, do I need to comply with the local laws of the countries my subscribers are based in?

Yes, along with your national anti-spam law, you must comply with international regulations based on where your subscribers come from. So, for instance, your company is based in Canada but does business within the United States and United Kingdom as well. Not only do you need to make sure you comply with Canadian anti-spam regulations but with American and British ones too. 

2. Do I need to get approval from the people I am going to email?

This depends highly on where your potential subscribers come from. Once again, imagine your company is based in Canada but your addresses are from the US or UK. According to anti-spam law in the US, you don’t need to have prior consent from the users you are going to email. However, on the other hand, under local law, it is necessary to get approval from Canadian and British recipients. To make things less complicated, isn’t it easier to implement an opt-in process that leaves the decision about whether to start receiving your commercial emails in the hands of the user? 

Now, let’s take a look at what different countries have to say about emailing people with/without their prior consent. 

United States

Under the CAN-SPAM act, the sender of commercial email messages does not have to obtain prior permission from its recipients. With this being said, marketers can use publicly available sources of information on the Internet to obtain details about those they want to email (unless those sources explicitly prohibit the use of their email addresses).


According to Canada’s anti-spam legislation, it is possible for marketers to send commercial email messages to people that gave them “express” or “implied” consent.
By “express” consent, the law understands subscribers as those that clearly expressed (orally or in a written form) their approval for receiving commercial email messages from you. It could be by ticking the box “I want to receive monthly newsletters” or providing their email addresses in a newsletter subscription form.
One important thing you should know is that these consent requirements are currently under a three-year transition period that concludes on July 1, 2017. Once this period is over, marketers may only email people that have given their “express” consent, which means those that have taken an action to opt-in. Marketers all around the world now run “express consent campaigns” that should allow them to convert “implied consent” subscribers to “express consent” ones.

EU Member states

Article 13 of the Directive on Privacy and Electronic communications (EC Directive) clearly states that commercial emails can only be sent to recipients that have previously opted-in (ticked a box, fill out an email address…). On the other hand, if a user has previously purchased a product or a service from the company, this existing business relationship may also be considered as their consent. You just need to make sure that the possibility to opt-out during the purchase process is in place.
One thing you should know is that the EC Directive specifies only the minimum that needs to be done by each EU member state. Countries such as Germany have transposed it into their national legislation in a much stricter way than what the EC Directive orders.


According to Spam Act 2003, a sender must not send unsolicited commercial electronic messages that were either sent from Australia or were delivered to a computer located in Australia. Under this law, it is possible for marketers to send commercial electronic messages to those that gave their “express” consent (see the explanation above for Canada’s anti-spam law) or their consent can be deduced from existing business or another relationship between the recipient and the sender. The law also covers so-called “designated commercial messages” where no prior consent is required.

Now, even though having prior consent is not mandatory everywhere (e.g., U.S., Brazil, Argentina, Russia), letting people actively opt in is always a better and safer option for your business. This way, you make sure your emails are only delivered to those that really want to hear from you, otherwise, they would not provide their email address to you in the first place, probably?

Sending emails to users that have never heard about you and did not sign up for your emails can result in lower open rates, higher unsubscription rates, a database of subscribers that changes a lot over time, and bad sender reputation as people will report your messages as spam. Quality over quantity—this is what you should keep in mind.

3. Are pre-checked boxes under my online forms enough to express a user’s consent to subscribe to my newsletter?

Again, this depends on where you are planning to send your commercial messages. In plenty of countries, such as the United States, it is OK to use pre-checked boxes to add people to the mailing lists automatically (see the example on the right), in others, users must actively check off the boxes to express their consent to opt in.

According to these countries (amongst them, e.g., Canada, Germany and Australia), you cannot presume consent with a pre-checked box. Users need to perform a positive and conscious action to opt in (see the example on the left). This approach definitely weighs quality over quantity—on one hand, your email list will grow more slowly, but on the other, it will contain subscribers that really want to hear from you.


The most extreme scenario would be to ask users to check off the box (take a “positive action”) if they don’t want to start receiving commercial electronic messages. In my opinion, this is very misleading behavior, and I am sure nobody wants to grow their mailing lists this way.

4. Am I required to implement a double opt-in confirmation process?

With single opt-in, a new email subscriber can start receiving commercial messages immediately after entering their email address into the sign-up box. Double opt-in, on the other hand, requires that the subscriber confirms he/she is the owner of the email address. This is usually done by clicking a special link in an email message delivered after the email address is provided in the sign-up form.

Now, both approaches do have their pros and cons.

  • Single opt-in allows you to grow your email lists quicker, but you need to be aware that the list may contain plenty of fake or misspelled addresses. In the worst case scenario, you can be reported as a spammer because someone’s email address was entered without his/her consent.

  • Double opt-in allows you to create a healthier mailing list that will lead to lower unsubscription rates and better sender reputation. On the other hand, your email list will probably not grow as it would with the single opt-in.

I am sure that you get why double opt-in process is highly recommended BUT it is not mandatory under any international law. While working on this text, I have come across articles claiming that Germany is the only country that requires a double opt-in confirmation process, but according to Certified Senders Alliance, this does not seem to be correct. “There is no statutory obligation to use the double opt-in process,” they state.

5. What type of information can I ask for in my sign-up forms?

The number and type of fields you include in your sign-up forms depends on what type of business you are and what information you’d like to collect about your subscribers.

Typically, you require their email address, right? J Additionally, you can ask for your subscriber’s first and last name, which can be useful if you want to do some FirstName personalization. But... be careful about whether to make those fields mandatory because one day, you could send an email starting “Hello I don’t want to give my name”.

Currently, there is no law that would prohibit you from collecting any data you want in your sign-up forms. Possibly the closest to making changes to this approach are Germany, Austria, and Switzerland. According to the guidelines for marketers released by Certified Senders Alliance, it should not be necessary to ask for more information than the email address. Any additional data may be given on a voluntary basis but not required.

6. How long can I email people that gave me their consent for?

When considering the period during which you can send commercial emails to your subscribers, you should always keep in mind whether the user gave you express or implied consent.

Express consent is not time-limited, and you can email users until they unsubscribe.

Now, even though there is no such law that would prevent you from emailing subscribers that actively opted in, there is one thing I would recommend: Periodically check your mailing list and remove unengaged subscribers, so you keep your database clean. There is no point continuing to email those that have not interacted with you (opened, clicked links, or replied to your emails) in the last X months. If removing sounds too drastic, you can try running special email campaigns to engage unengaged subscribers. I am sure you have already received messages saying “We miss you” or “We are unsubscribing you”, both aimed at unengaged subscribers with one common goal: make them feel like they want to get in touch with you again. I just love the way Banana Republic tried to win me back. “Are we in the right inbox?” That is a heck of a subject!

Now, unlike express consent, implied consent should generally be time-limited. Most of the anti-spam laws that I looked into do not speak about the period of validity of consent at all, but there are exceptions. One of the exceptions is Canada’s anti-spam legislation which says that the implied consent expires 24 months after the relationship between you and the user was initiated (by the purchase of goods, etc.). It seems to be a reasonable time-frame.

Another thing to consider is whether to start emailing users whose consent you got some time ago but you have not actually used their email addresses for any email marketing activity so far. German Certified Senders Alliance mentions in its guidelines for marketers that consent not used for more than one and a half years should no longer be valid. That makes make sense, right? Once they have provided the email address, people only expect to hear from you now, not in a year from now when you have already been forgotten.

Now, we are at the end of this first part of the article. I hope it provided you with some useful information on how the subscription process should look and what you need to do in order to comply with email opt-in laws. In the next article, you will hear about what the law has to say about handling unsubscription requests and what type of information your commercial emails must contain. Looking forward to it!

I would love to know your experience, both positive and negative, as either the iniator or recipient of email marketing. What steps did you take to avoid being perceived as spam? Did they work? Or maybe you made a faux pas. What was the result? What did you do to rectify it?

Or maybe you got bombarded with emails that either didn’t allow you to opt out, or ignored this step when you did. How did you finally manage to stop them?

Disclaimer: The purpose of this article is to provide you with a general overview of anti-spam laws around the world. It should not be interpreted as legal advice. We recommend contacting your lawyers for legal guidance on specific cases.

If you are interested in the issues that regulations such as GDPR raises, check out how Kentico 11's Data Protection app can make compliance much easier.

More by this author

We're sorry, but your browser is currently not supported. Try using our website in other browsers like the new Microsoft Edge, Google Chrome, or Mozilla Firefox.
Should you have any query or want to report any issue, feel free to send us an email to support@kentico.com.