The Emarsys Deliverability Policy Requirements are a best-of-breed combination of relevant ISP and legal requirements that allows our clients to send with confidence to any recipient in the world.
Our membership of organizations such as M3AAWG, CSA and Return Path, and our experience with ISPs that operate globally (and have factored local regulations into their requirements), allows us to benefit from their efforts to ensure sending compliance at a global level and to pass this on to our clients.
The following are some of the many laws and requirements that senders must comply with. We have grouped the content as logically as possible below, including links to the relevant sources.
Please note that these excerpts are listed (and sometimes translated) to give you a point of reference only. They do not constitute legal advice!
You should consult qualified legal counsel regarding your compliance with any of the laws or requirements listed below.
1. The different deliverability requirements
US law, EU law and regional laws specific to the German-speaking regions of Europe (DACH) vary in scope and requirements, but since these laws are applied based on where the email is received and opened, which is hard to predict, it is safest to assume that all of them apply.
1.1. Opt-in vs. opt-out enforcement models
In the US, the best-known anti-spam law is the CAN-SPAM Act, which is based on an opt-out model: no prior consent is required to send email, but opt-out requests must be honored within ten working days. Our policy requirement that recipients be able to opt out within two clicks and without additional user input aligns with, and is primarily based on, CAN-SPAM. Violations of the CAN-SPAM Act are subject to fines of up to $16,000 for each email sent in violation of the law.
EU law, on the other hand, requires a clear opt-in before sending can commence: every recipient must have clearly opted in to receive marketing messages. The CSA directive for permission-based email marketing, which is based on German law, states that the opt-in must be "clear, conscious, unequivocal and separate." In addition to EU-wide law, national laws also apply, such as the Austrian Telecommunications Act (TKG).
Because the Emarsys sending infrastructure is physically located in Austria, all clients sending via this infrastructure are subject to the TKG for any list larger than 50 recipients (§ 107 (2) TKG). Violations of the TKG are prosecuted via the national data protection authority (DSB). In the past, Emarsys has been instructed to provide clients' contact details to the Ministry of the Interior (BMI).
In Austria, as in Germany, there is one exception under which it is possible to send email without explicit prior consent: an existing business relationship, specifically "where the product offer is similar to any of the products previously purchased."
In Canada, the Canadian Anti-Spam Law (CASL) has been in effect since July 2014 and uses an opt-in model similar to that in Europe. The only exception to explicit opt-in is a previous business relationship. CASL distinguishes between "explicit" and "implied" consent and is, in its basic principles, similar to German law. More surprising is that CASL violations are punishable by fines of up to $10 million per violation, and that prosecution is based on the location of the recipient, not the sender.
In March 2015 the first CASL fine, of $15,000, was issued to Plenty of Fish, a Canadian dating site. US-based companies are strongly advised to be CASL compliant: bilateral agreements between the US and Canada provide grounds for enforcing CASL fines in the US.
| ISP / Law | Acceptable opt-in type | Unsubscribe requirements |
|---|---|---|
| AOL | Opt-in only; double/confirmed opt-in preferred (see 2.1.1). | Obvious, one-click unsubscribe with no login, processed immediately (see 2.6.1). |
| CAN-SPAM Act 2003 | Based on opt-out. | Clear information included in all communication on how to unsubscribe. |
| EU Privacy Directive | Previous consent required; does not specify what level of opt-in is required. | Unspecified. Once consent is revoked, the unsubscribe request needs to be honored immediately. |
| Gmail | Opt-in by subscription email or a manually checked box; address verification recommended (see 2.1.3). | Prominent link in the body or reply-to-unsubscribe; no input beyond confirmation (see 2.6.3). |
| Spamhaus | Double opt-in (required). | Must work promptly, via email headers and preferably a web link (see 2.6.4). |
| Yahoo! | Opt-in with actively verified intent (see 2.1.5). | Quick turnaround needed regardless of request method. |
1.2. ISP-level requirements
Being legally compliant is only part of the deliverability story. The goal is to reach the inbox of every recipient who signs up, which means that marketers must also comply with ISP policies. The metrics ISPs rely on most for filtering are the complaint rate and the hard bounce rate; hard bounces are sends to invalid email addresses. High complaint and hard bounce rates are indicators of indiscriminate sending practices.
ISP policies and legal requirements both share the same goal: to prevent the transmission of unwanted, unexpected, and irrelevant email, while ensuring that recipients can easily access opt-out mechanisms.
2. Requirements by ISP/region
The following section includes excerpts from a selection of international organizations, and how they specify requirements relating to email transmission.
The following texts have been translated from the original for your convenience. However, the original version is the only binding legal text and should be referred to as the authoritative source for all matters of liability and compliance.
2.1. Opt-in requirements
2.1.1. AOL
- Ensure that you only send mail to users who specifically requested it. It’s not advisable to purchase mailing lists or subscribe users by having an opt-in checkbox automatically checked on your website.
- It’s preferable to have a double/confirmed opt-in process. When users subscribe to your mailing list, send them an email asking them to click to confirm their opt-in. This will reduce the number of people who sign up from fake email addresses.
- When users subscribe for your mailing list, tell them what mail to expect, how often to expect it, and what it will look like. Set recipient expectations clearly.
2.1.2. EU Directive on Privacy and Electronic Communications (2002/58/EC)
User consent is also required in a number of other situations, including:
- Before unsolicited communications (spam) can be sent to them. This also applies to short message services (SMSs) and other electronic messaging systems.
- Before information (cookies) is stored on their computers or devices or before access to that information is obtained, the user must be given clear and full information, among other things, on the purpose of the storage or access.
2.1.3. Gmail
Each user on your distribution list should opt to receive messages from you in one of the following ways (opt-in):
- Through an email asking to subscribe to your list.
- By manually checking a box on a web form, or within a piece of software.
We also recommend that you verify each email address before subscribing them to your list.
The following methods of address collection are not considered 'opt-in' and are not recommended:
- Using an email address list purchased from a third-party.
- Setting a checkbox on a web form or within a piece of software to subscribe all users by default (requiring users to explicitly opt-out of mailings).
2.1.4. Spamhaus
Legitimate opt-in for bulk email requirements is specified as being "Confirmed Opt-in" or "COI" in the legitimate bulk email industry, also known as "Verified Opt-in" or sometimes "Double Opt-in".
2.1.5. Yahoo!
- Use and honor an opt-in method of subscription for your mailing list. Make sure subscribers have actively verified their intent to receive your mailings.
- Honor the frequency of the list's intent. Don't start sending daily emails to subscribers of your monthly mailing.
2.2. Privacy policy requirements
2.2.1. EU Directive on Privacy and Electronic Communications (2002/58/EC)
Providers of electronic communication services must secure their services by at least:
- Ensuring personal data are accessed by authorized persons only.
- Protecting personal data from being destroyed, lost or accidentally altered and from other unlawful or unauthorized forms of processing.
and
EU countries must ensure the confidentiality of communications made over public networks, in particular they must:
- Prohibit the listening, tapping, storage or any type of surveillance or interception of communications and traffic data without the consent of users, except if the person is legally authorized and in compliance with specific requirements.
- Guarantee that the storing of information or the access to information stored on user’s personal equipment is only permitted if the user has been clearly and fully informed, among other things, of the purpose and been given the right of refusal.
2.3. Registration data requirements
2.3.1. EU Directive on Privacy and Electronic Communications (2002/58/EC)
EU countries must ensure the confidentiality of communications made over public networks, in particular they must:
- Guarantee that the storing of information or the access to information stored on user’s personal equipment is only permitted if the user has been clearly and fully informed, among other things, of the purpose and been given the right of refusal.
2.4. Confidentiality
2.4.1. German Federal Data Protection Act
Persons employed in data processing shall not collect, process or use personal data without authorization (confidentiality). On taking up their duties such persons, in so far as they work for private bodies, shall be required to give an undertaking to maintain such confidentiality. This undertaking shall continue to be valid after termination of their activity.
2.4.2. UK Data Protection Act
§7. Right of access to personal data.
(1) Subject to the following provisions of this section and to sections 8, 9 and 9A, an individual is entitled
(c) to have communicated to him in an intelligible form -
(ii) any information available to the data controller as to the source of those data.
2.5. List hygiene requirements
2.5.1. Gmail
- Automatically unsubscribe users whose addresses bounce multiple mailings.
- Periodically send confirmation messages to users, listing each mailing list they are signed up for and offering the opportunity to unsubscribe from those in which they are no longer interested.
2.5.2. Spamhaus list hygiene recommendations
Maintenance - Keep your list current! Remove unsubscription requests and bounces promptly, as close to real-time as possible, no later than the same day. Mail the list at regular intervals. Unmailed lists provoke high complaint rates when they reactivate, even from truly opt-in addresses. Addresses "churn" over time, that is, they are abandoned or re-used. For most commercial lists, mail at least once per week and remove any address with three sequential bounces, or with sequential bounces for more than two weeks.
and
Bounce processing - Respect what the recipient's server tells you. SMTP "5xy" codes mean "No!" Bouncing your mail off the filters but showing up in the logs, or resuming spamming after filter rules come down, is a sure-fire way to really annoy server operators and mailbox owners alike. Addresses being converted to spamtraps will typically reject (5xy) all deliveries for about six months... you certainly don't want those on your list so make sure they bounce off.
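The Spamhaus rule above (remove an address after three sequential bounces, or after sequential bounces spanning more than two weeks; treat SMTP 5xy as a hard "No") is easy to get wrong when bounce handling is spread across campaigns. The following is an added example, not Emarsys or Spamhaus code, that applies the rule to a delivery log and returns the addresses to suppress. The log line format (`<ISO timestamp> <recipient> <SMTP code> <text>`) and the sample lines are constructed for the example; a real MTA logs in its own format and the parser would need adapting.

```python
"""Bounce processing following the Spamhaus hygiene rule quoted above.

Added example; this is not Emarsys or Spamhaus code. The log line format is
assumed for the example (real MTAs log in their own formats), and the
addresses and timestamps below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_SEQUENTIAL_BOUNCES = 3             # "remove any address with three sequential bounces"
MAX_BOUNCE_SPAN = timedelta(days=14)   # "... or with sequential bounces for more than two weeks"

# Constructed log, one line per final delivery attempt (after the MTA has
# exhausted its own retries): <ISO timestamp> <recipient> <SMTP code> <text>
SAMPLE_LOG = """\
2017-05-01T09:00:00 alice@example.com 250 2.0.0 OK queued
2017-05-01T09:00:01 bob@example.com 550 5.1.1 The email account that you tried to reach does not exist
2017-05-01T09:00:02 carol@example.com 452 4.2.2 Mailbox full
2017-05-01T09:00:03 dave@example.com 451 4.4.1 Greylisted, try again later
2017-05-08T09:00:00 alice@example.com 250 2.0.0 OK queued
2017-05-08T09:00:01 bob@example.com 550 5.1.1 The email account that you tried to reach does not exist
2017-05-08T09:00:02 carol@example.com 452 4.2.2 Mailbox full
2017-05-15T09:00:00 alice@example.com 421 4.7.0 Try again later
2017-05-15T09:00:01 bob@example.com 550 5.1.1 The email account that you tried to reach does not exist
2017-05-15T09:00:02 carol@example.com 250 2.0.0 OK queued
2017-05-20T09:00:03 dave@example.com 451 4.4.1 Greylisted, try again later
2017-05-22T09:00:00 alice@example.com 250 2.0.0 OK queued
"""


@dataclass
class Attempt:
    when: datetime
    recipient: str
    code: int
    text: str

    @property
    def bounced(self) -> bool:
        # Spamhaus: SMTP "5xy" means "No!"; a 4xy that survived the MTA's
        # own retries is counted as a (soft) bounce for hygiene purposes too.
        return self.code >= 400

    @property
    def hard(self) -> bool:
        return 500 <= self.code < 600


def parse_log(text: str) -> list[Attempt]:
    """Parse the constructed log format and return attempts in time order."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, rcpt, code, rest = line.split(" ", 3)
        attempts.append(Attempt(datetime.fromisoformat(when), rcpt.lower(), int(code), rest))
    return sorted(attempts, key=lambda a: a.when)


def addresses_to_suppress(attempts: list[Attempt]) -> dict[str, str]:
    """Apply the rule and return {address: reason} for addresses to remove.

    A successful delivery resets the sequential-bounce run, so an address
    that bounced twice and then accepted mail is kept.
    """
    runs: dict[str, list[Attempt]] = {}   # current run of consecutive bounces per address
    suppress: dict[str, str] = {}
    for a in attempts:
        if a.recipient in suppress:
            continue
        if not a.bounced:
            runs.pop(a.recipient, None)
            continue
        run = runs.setdefault(a.recipient, [])
        run.append(a)
        span = run[-1].when - run[0].when
        kind = "hard" if any(b.hard for b in run) else "soft"
        if len(run) >= MAX_SEQUENTIAL_BOUNCES:
            suppress[a.recipient] = f"{len(run)} sequential {kind} bounces"
        elif span > MAX_BOUNCE_SPAN:
            suppress[a.recipient] = f"sequential {kind} bounces over {span.days} days"
    return suppress


if __name__ == "__main__":
    for addr, why in sorted(addresses_to_suppress(parse_log(SAMPLE_LOG)).items()):
        print(f"remove {addr}: {why}")
```

On the sample log, bob (three 5.1.1 "user unknown" replies) and dave (two soft bounces 19 days apart) are suppressed, while carol (two soft bounces, then a delivery) and alice are kept. Many operators remove an address after a single 5.1.1 reply rather than waiting for three; lowering `MAX_SEQUENTIAL_BOUNCES` for hard bounces is a reasonable tightening of the quoted rule, not a relaxation of it.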
2.5.3. Yahoo!
- Monitor hard and soft bounces as well as inactive recipients. Persistent emails to these addresses will get your connections deferred.
- Consider sending a reconfirmation email to inactive subscribers periodically, or just remove them entirely.
- Sending email to users who are not reading them, or who mark them as "spam," will hurt your delivery metrics and reputation.
2.6. Unsubscribe requirements
2.6.1. AOL
- Provide an obvious and visible unsubscribe process in your mail.
- Make it easy for users to unsubscribe from your mailing list.
- Ensure the unsubscribe process is easy to use; such as a one-click unsubscribe web page.
- Users should not have to log into a website in order to unsubscribe.
- Process unsubscribes immediately.
2.6.2. CAN-SPAM Act 2003
INCLUSION OF IDENTIFIER, OPT-OUT, AND PHYSICAL ADDRESS IN COMMERCIAL ELECTRONIC MAIL- (A) It is unlawful for any person to initiate the transmission of any commercial electronic mail message to a protected computer unless the message provides:
(i) clear and conspicuous identification that the message is an advertisement or solicitation;
(ii) clear and conspicuous notice of the opportunity under paragraph (3) to decline to receive further commercial electronic mail messages from the sender; and
(iii) a valid physical postal address of the sender.
2.6.3. Gmail
A user must be able to unsubscribe from your mailing list through one of the following means:
- A prominent link in the body of an email leading users to a page confirming his or her unsubscription (no input from the user, other than confirmation, should be required).
- By replying to your email with an unsubscribe request.
2.6.4. Spamhaus
Unsubscription must work, promptly. And for all the bulk mail you're sending to that address. It must work via email (include correct info in headers) and many subscribers also appreciate a web link included in message body. Sign up for feedback loops, and consider that abuse reports may indicate more serious problems than can be fixed by simply unsubscribing the reporting address. Some jurisdictions also require unsubscription via snail mail. Basically, if someone wants off your list, help them with their request no matter how they ask.
2.6.5. Yahoo!
Honor unsubscribe requests quickly.
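The requirements in this section add up to a concrete message layout: an unsubscribe path in the headers that works by email and by web link (Spamhaus), a visible link in the body that needs no login and no input beyond a confirmation (AOL, Gmail), and a physical postal address (CAN-SPAM). The following is an added example, not Emarsys code, that builds such a message and runs a pre-send check on it. The header names are real (List-Unsubscribe from RFC 2369, List-Unsubscribe-Post from RFC 8058); the hostnames, the secret key, the URL layout and the postal address are assumptions for the example. The per-recipient HMAC token is this example's design choice, not something the quoted policies prescribe: it is what lets the link work without a login while preventing anyone from unsubscribing other people by guessing their address.

```python
"""Unsubscribe handling that satisfies the AOL, CAN-SPAM, Gmail and Spamhaus
requirements quoted in this section.

Added example; not Emarsys code. Hostnames, the secret key, the URL layout
and the postal address are assumptions for the example. The header names are
real: List-Unsubscribe (RFC 2369) and List-Unsubscribe-Post (RFC 8058).
"""
from __future__ import annotations

import hashlib
import hmac
from email.message import EmailMessage
from urllib.parse import parse_qs, urlencode, urlparse

UNSUB_SECRET = b"assumed-secret-load-from-a-secret-store"   # assumption for the example
UNSUB_HOST = "lists.example.com"                            # assumption for the example
POSTAL_ADDRESS = "Example Mailer GmbH, Example Street 1, 1010 Vienna, Austria"  # constructed


def unsubscribe_token(recipient: str, list_id: str) -> str:
    """HMAC bound to list and recipient: the link works without a login
    (AOL) yet cannot be forged to unsubscribe somebody else."""
    mac = hmac.new(UNSUB_SECRET, f"{list_id}\n{recipient.lower()}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def unsubscribe_url(recipient: str, list_id: str) -> str:
    query = urlencode({"list": list_id, "addr": recipient,
                       "token": unsubscribe_token(recipient, list_id)})
    return f"https://{UNSUB_HOST}/unsubscribe?{query}"


def verify_unsubscribe_url(url: str) -> str | None:
    """Server side: the address to unsubscribe, or None if the token is bad."""
    q = parse_qs(urlparse(url).query)
    try:
        list_id, addr, token = q["list"][0], q["addr"][0], q["token"][0]
    except KeyError:
        return None
    if not hmac.compare_digest(token, unsubscribe_token(addr, list_id)):
        return None
    return addr.lower()


def build_message(recipient: str, list_id: str, subject: str, body: str) -> EmailMessage:
    """Outbound message with header and body unsubscribe paths and the
    physical address CAN-SPAM requires."""
    url = unsubscribe_url(recipient, list_id)
    msg = EmailMessage()
    msg["From"] = f"news@{UNSUB_HOST}"          # consistent sender address (AOL, 2.8.1)
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["List-Id"] = f"<{list_id}.{UNSUB_HOST}>"
    # Spamhaus: "must work via email (include correct info in headers)" plus a web link
    msg["List-Unsubscribe"] = f"<mailto:unsubscribe@{UNSUB_HOST}?subject={list_id}>, <{url}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(f"{body}\n\nUnsubscribe: {url}\n{POSTAL_ADDRESS}\n")
    return msg


def check_unsubscribe_requirements(msg: EmailMessage) -> list[str]:
    """Pre-send check; returns the list of requirements the message fails."""
    problems = []
    lu = msg.get("List-Unsubscribe", "")
    if "<mailto:" not in lu:
        problems.append("List-Unsubscribe has no mailto: URI (Spamhaus: must work via email)")
    if "<https://" not in lu:
        problems.append("List-Unsubscribe has no https: URI (one-click web unsubscribe)")
    if msg.get("List-Unsubscribe-Post") != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post missing (RFC 8058 one-click)")
    body = msg.get_content()
    if "unsubscribe" not in body.lower():
        problems.append("no visible unsubscribe link in the body (AOL, Gmail)")
    if POSTAL_ADDRESS not in body:
        problems.append("no physical postal address in the body (CAN-SPAM)")
    return problems
```

The web endpoint behind the link should show a single confirmation button on GET (Gmail: no input other than confirmation) and perform the removal on POST, which is also how mailbox providers exercise the RFC 8058 one-click header. Either way `verify_unsubscribe_url` is the gate: a tampered `addr` parameter fails the HMAC check and nothing is removed, and the removal itself must be written to the suppression list the same day, as the Spamhaus text above requires.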
2.7. Regional data protection requirements
2.7.1. German Federal Data Protection Act Data Controller Information Requirements
In so far as automated processing procedures are subject to obligatory registration, the following information is to be furnished:
- Name or title of the controller.
- Owners, managing boards, managing directors or other lawfully or constitutionally appointed managers and the persons placed in charge of data processing.
- Address of the controller.
- Purposes of collecting, processing or using data.
- A description of the groups of data subjects and the appurtenant data or categories of data.
- Recipients or categories of recipients to whom the data may be transferred.
- Standard periods for the erasure of data.
- Any planned data transfers to third countries.
2.8. Campaign-specific recommendations
2.8.1. AOL: add to address book / safe senders list
Send your email from a consistent email address and advise your users to add that address to their address books or contacts list. Mail sent to users with your address in their address book or contacts will be delivered to their inbox with images and links enabled.
3. Certification benefits
Emarsys is a member of the organizations named in the introduction (M3AAWG, CSA and Return Path), and by following our policy standards our clients can ensure that they comply with some of the most thorough requirements in the world, which are designed to keep them safe while sending mail at volume.
4. Sender score
The Sender Score is a rating by Return Path that reflects your sender reputation and shows how mailbox providers view your IP address. It is a number between 0 and 100, comparable to a bank checking your credit score to gauge your credit history.
Sender reputation is an indication of the trustworthiness of an email sender’s IP address. Mailbox providers take a lot of metrics into consideration to determine your sender reputation including spam complaints, mailing to unknown users, industry blocklists, and more.
5. Further reading
For more information about policies, laws, and receiver requirements that might affect your email marketing efforts, please visit the links below.
- The Spamhaus Project: http://www.spamhaus.org/whitepapers/mailinglists/
- M3AAWG (Messaging Malware Mobile Anti-Abuse Working Group): https://www.m3aawg.org/
- Can-Spam Act 2003 http://www.legalarchiver.org/cs.htm or https://www.gpo.gov/fdsys/pkg/PLAW-114publ38/html/PLAW-114publ38.htm
- CSA (Certified Senders Alliance) Conditions of Participation: https://certified-senders.eu/
- CSA eco Guidelines Directive: https://certified-senders.org/wp-content/uploads/2017/07/Marketing-Directive.pdf
- Word to the Wise: https://wordtothewise.com/isp-information/
- The Definition of "Spam": http://www.spamhaus.org/definition/
- Responsible Mailing Lists -vs- Spam Lists: http://www.spamhaus.org/whitepapers/mailinglists/
- Permission Pass - How to rescue your mailing list: http://www.spamhaus.org/whitepapers/permissionpass/
- What is the right way to send bulk e-mail. http://www.spamhaus.org/faq/section/Marketing FAQs#214
- "Role Accounts" & "Feedback Loops": http://www.spamhaus.org/faq/section/ISP Spam Issues#119
- Email Marketing Best Practice Document: M3AAWG Sender Best Common Practices
- EU Data Protection Directive (Directive 95/46/EC): http://searchsecurity.techtarget.co.uk/definition/EU-Data-Protection-Directive
- 10 Tips for Better Online Privacy Policy & Privacy Practice Transparency: https://www.priv.gc.ca/resource/fs-fi/02_05_d_56_tips2_e.asp