Privacy laws around the world give individuals extensive rights over their personal data. These regulations apply to organizations that process personal data of residents in regulated jurisdictions and meet certain thresholds. Different privacy laws have different scopes—some apply globally while others are jurisdiction-specific. If your organization processes data from residents of regulated regions, compliance with applicable privacy laws is mandatory. This guide covers key privacy requirements and how to implement them in your email program.
Scope and Applicability of Privacy Laws
Privacy laws typically apply to organizations that: (1) collect personal information from residents in regulated jurisdictions; (2) meet certain revenue or data volume thresholds; (3) buy, sell, or share personal information above specified thresholds; or (4) buy, sell, or share personal information for purposes of profiling. If any of these apply, you must comply with applicable privacy laws. These requirements extend to email data collection and processing.
Consumer Rights
Privacy laws give individuals key rights, typically including: (1) right to know what personal information is collected, used, and shared; (2) right to delete personal information that you have collected from them; (3) right to opt out of the sale/sharing of their personal information; (4) right to non-discrimination for exercising their rights. You must implement ways for individuals to exercise these rights—typically a 'Privacy' page with request forms.
Privacy Notice and Disclosure
You must provide a privacy notice at or before collection of personal information. The notice must disclose: what information is collected, purposes of collection, consumer rights, how to exercise rights, and whether you share information with third parties. The notice must be clear and accessible. Update your privacy policy to cover all required disclosures under applicable privacy laws.
Opt-Out from Sale/Sharing
If you sell or share California consumer data with third parties, you must provide a clear, conspicuous 'Do Not Sell My Personal Information' or 'Opt-Out of Sale of My Information' link on your website. Clicking this link must allow consumers to opt out. Note that email engagement data (who opened or clicked an email) passed to third parties can itself count as 'sharing' that triggers these opt-out requirements.
Request Response Requirements
When a consumer requests to know what data you have about them, to delete their data, or to opt out, you have 45 calendar days to respond (extendable to 90 days). You must verify the consumer's identity before honoring requests. You must not discriminate against consumers for exercising their rights.
Vendor Management
If you use third-party vendors to send email (such as a managed email delivery platform), applicable privacy laws require that you have a contract limiting vendors' use of personal information. The contract must prohibit vendors from selling or using personal information for any purpose other than what you've requested. Document your vendor agreements and ensure they include all required clauses under applicable privacy laws.