Here’s a quick review of the legalities involved with collecting Personally Identifiable Information (PII). At one time, having solid records of informed consent to send commercial email to people was not required by law. However, in many cases, it is now.

There are email and data protection regulations across at least 77 different countries, and they are all different. We strongly recommend consulting legal counsel before undertaking any data collection. The following four data protection laws are the best known at this time.

CAN-SPAM, United States

Marketers MUST comply with this federal regulation to legally send marketing email: violators can and have been successfully sued by the FTC. For more information about CAN-SPAM, see these links:

Canada’s Anti-Spam Legislation (CASL), Canada

See the CASL Guide for more information or read the text of the law. Senders MUST comply with CASL if you send email to:

  • a Canadian domain
  • a Canadian user
  • or is transmitted through Canada

General Data Protection Regulation (GDPR), Europe

The General Data Protection Regulation 2016/679 is a regulation in EU law regarding data protection and privacy for all individual citizens of the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas. Enacted on May 25, 2018, it is a very complex regulation; violations of this regulation can carry some severe fines. When building an email marketing campaign involving anyone residing in the EU, you should always consider it. For more information, please consult:

The California Consumer Privacy Act (CCPA)

This was enacted in 2018 and took effect on January 1, 2020, and applied to Californian consumers. This legislation gives CA consumers the following rights:

  • The right to know what personal information is collected, used, shared, or sold, both as to the categories and specific pieces of personal information;
  • The right to delete personal information held by businesses and by extension, a business’s service provider;
  • The right to opt-out of the sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
  • The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.

For more in-depth information please visit State of California – Department of Justice – Office of the Attorney General.

 The final word on laws around PII: CONSULT A QUALIFIED LAWYER.

Now it’s time to take a look at how to set up and configure your email program, starting with the necessary steps to take to avoid looking like a spammer!




Get the basics right, and inbox placement will follow –’s deliverability story

13 May 2022

Blog's, Alice Cornell, Director of Email Deliverability, shares some true gems of real-world experience in email deliverability and explains how achieved consistent inbox placement once they got the basics nailed down.

How to avoid looking like a spammer when setting up marketing emails

15 February 2022

Best practice

Here are pointers to help you distinguish yourself from miscreants who send spam. Because you don't want is to be perceived as a spammer.

Authentication and encryption for email

15 February 2022

Best practice

One of the first steps to ensuring good domain/IP reputation and consequently successful email deliverability is authentication and encryption - it helps receivers "trust" your email. This article provides a clear overview of what's required including SPF, DKIM and DMARC.