A Data Privacy Checklist for Email Marketers

Data privacy laws like GDPR and CCPA may have faded from the headlines, but their enforcement is very much a reality. In recent years, some very high-profile companies have faced fines in the hundreds of millions (US $) for failing to meet legal requirements on data processing, consumer consent, and proper opt-out mechanisms, to cite a few examples.


Your organization may not be at enormous risk, but even the smallest companies that collect and process customer data, and that communicate with those same contacts, need to pay close attention to the basic rules that govern today’s data collection and (especially) email communications.

Are your Web forms and email campaigns in compliance? If you work with an outside agency, are they taking the necessary steps to ensure that campaigns they design, execute, or manage on your behalf meet all relevant guidelines? Here’s a handy 8-point checklist that covers most of the basics:

Note: this article is not intended as legal advice, and marketers should consult with legal counsel to ensure compliance with relevant privacy regulations.

1. Obtain Explicit Consent (GDPR, CASL)

– Ensure contacts have opted in via clear, affirmative action.
– Maintain records of consent, including timestamps and source.

2. Provide Clear Opt-Out Mechanism (CAN-SPAM, CASL, GDPR, CCPA)

– Include a clear, visible “one click” unsubscribe link in every email.
– Honor opt-out requests within 10 business days (CAN-SPAM) or immediately (GDPR, CASL).

3. Include Required Sender Identification (CAN-SPAM, CASL, GDPR)

– Display a valid company name, physical address, and contact details.
– Avoid misleading sender names or subject lines.

4. Segment & Respect Regional Regulations

– Identify recipient location to apply appropriate compliance rules (e.g., GDPR for EU, CCPA for California).
– Implement geo-fencing or data tagging in CRM for legal segmentation.

5. Limit Data Collection & Processing (GDPR, CCPA)

– Collect only necessary personal data and use it for stated purposes.
– Provide a clear privacy policy link detailing data usage.

6. Enable Data Subject Rights Requests (GDPR, CCPA)

– Allow contacts to request access, correction, or deletion of their data.
– Implement a process for responding to requests within legal timeframes.

7. Avoid Third-Party List Purchases (GDPR, CASL, CAN-SPAM)

– Send emails only to contacts acquired through compliant means.
– Validate list sources and confirm compliance before use.

8. Monitor & Document Compliance Efforts

– Keep an audit trail of email campaigns, consent records, and policy updates.
– Regularly review compliance with internal and agency teams.
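Items 1, 2, 4 and 8 above are the ones that can be enforced mechanically at send time and audited afterwards. The following Python is an added example, not code from the original post: it models a contact record that carries the consent timestamp and source, refuses to send without a documented opt-in or with an opt-out on file, and audits whether opt-outs were honored within the deadline of the recipient's regime (immediate for GDPR and CASL, 10 business days for CAN-SPAM, as stated in the checklist). The region codes, field names and sample contacts are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Region code -> (regime, business days allowed to honor an opt-out), per the checklist:
# immediate under GDPR and CASL, 10 business days under CAN-SPAM. Codes are constructed here.
REGIMES = {"EU": ("GDPR", 0), "CA": ("CASL", 0), "US": ("CAN-SPAM", 10)}

@dataclass
class Contact:
    email: str
    region: str
    consent_at: Optional[datetime] = None     # timestamp of the affirmative opt-in (item 1)
    consent_source: Optional[str] = None      # where it was captured, e.g. a form id (item 1)
    opted_out_at: Optional[datetime] = None   # when the unsubscribe request arrived (item 2)
    suppressed_at: Optional[datetime] = None  # when the suppression was actually applied

def add_business_days(start, days):
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday..Friday
            days -= 1
    return d

def may_send(c):
    # Send only with a documented opt-in and no opt-out on file, whatever the legal grace period.
    if c.consent_at is None or not c.consent_source:
        return False, "no consent record"
    return (False, "opted out") if c.opted_out_at else (True, "ok")

def overdue_opt_outs(contacts, now):
    # Audit view (item 8): opt-outs not suppressed by the regime's deadline; an unknown region
    # gets the strictest rule (item 4), never the laxest.
    overdue = []
    for c in (c for c in contacts if c.opted_out_at):
        regime, grace = REGIMES.get(c.region, ("GDPR", 0))
        deadline = add_business_days(c.opted_out_at, grace)
        if (c.suppressed_at or now) > deadline:  # still unsuppressed is judged as of 'now'
            overdue.append((c.email, regime, deadline))
    return overdue

def sample_audit():
    # Constructed data: a clean EU contact, a late and an on-time US opt-out, a contact with no consent.
    signup = datetime(2024, 4, 1, 9, 0, tzinfo=timezone.utc)
    out = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)  # a Friday
    contacts = [Contact("a@example.com", "EU", signup, "form:newsletter"),
                Contact("b@example.com", "US", signup, "form:webinar", out, out + timedelta(days=20)),
                Contact("c@example.com", "US", signup, "form:webinar", out, out + timedelta(days=3)),
                Contact("d@example.com", "EU")]
    return {c.email: may_send(c)[0] for c in contacts}, overdue_opt_outs(contacts, out + timedelta(days=30))
```

Running `sample_audit()` flags only the US contact whose suppression landed 20 calendar days after the request, past the 10-business-day deadline of May 17.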

On a related note, if you work with an email marketing agency, who is ultimately accountable for compliance with data privacy regulations—you or the agency?


Opinions vary on this point, but most authoritative sources, including industry associations and regulatory bodies, argue that advertisers (clients)—not their agencies—are ultimately accountable for compliance with data privacy laws. Here are two key reasons:

* The advertiser (client) is typically classified as the data controller, meaning they determine the purpose and means of processing personal data. Agencies, as service providers, are usually considered data processors who act on behalf of the client. The controller is most often the party legally responsible for ensuring lawful data collection and use, including email communication.

* Agencies act as agents, not decision-makers. Because agencies don’t own customer data or determine the purpose for which it’s collected, and because that collection often pre-dates the agency’s relationship with the client, it is the advertiser (client) who must ensure that consent, lawful processing, and data usage policies are followed.

None of this should suggest that an agency partner bears no responsibility for compliance. An effective agency does everything reasonably possible to ensure that the campaigns it designs and executes for the client meet all necessary guidelines. As ever, communication is key. This checklist can be a good starting point for ensuring that you and your agency share the same expectations and standards.
