In today’s interconnected world, businesses increasingly depend on email marketing to effectively expand and engage their international customer base. However, when sending unsolicited emails internationally, balancing data protection obligations and the requirements of local laws is crucial for maintaining compliance. This article delves into best practices, outlines the most appropriate legal bases, and examines the risks associated with direct marketing.
Best Practices and the Most Appropriate Legal Basis
The most secure legal basis for sending unsolicited email marketing communication is obtaining explicit consent from recipients, as required by Article 6 para. 1 lit. a of the General Data Protection Regulation (GDPR). An example of unsolicited email marketing communication is sending promotional material or newsletters. In the case of newsletters or promotional material, a double opt-in process is recommended, where users confirm their subscription to the emailing list through a confirmation email, ensuring their voluntary consent.
- Clear Consent Request: The subscription form should clearly inform users about what they are consenting to (e.g. receiving newsletters).
- Double Opt-in: After subscribing to the emailing list, users should receive a confirmation email to verify their identity and confirm their subscription.
- Opt-out Options: Every email must contain a visible and free unsubscribe link that allows users to easily withdraw consent at any time.
For businesses sending emails internationally, obtaining explicit consent is often the safest route. Any additional data collection or tracking (e.g., monitoring whether the email was opened or links were clicked) must also be covered by consent, and this requires separate consent.
Risk-Based Approach & Legitimate Interest
While explicit consent remains the most robust and recommended legal basis for email marketing, businesses may, under certain circumstances, rely on legitimate interest to send unsolicited email communications. This approach inherently carries greater risk because this legal basis applies only as an exception, under very specific legal requirements.
Relying on legitimate interest requires a careful risk-based assessment, and even when permissible, businesses must ensure that they meet specific legal requirements in each country to remain compliant with data protection obligations.
The legal basis of legitimate interest should be used only when:
- The recipient’s email address is obtained in the context of a sale.
- The marketing content relates to similar products or services.
- The marketing email clearly identifies the sender (company name, address, etc.). The identity of the sender must not be concealed or misleading.
- The marketing communication is clearly identified as an advertisement. Recipients should not have to open the email to realize it is a promotional one.
- The recipient is given a clear opportunity to opt-out of further communication easily, free of charge, and at any time.
In addition, companies should consult local opt-out registries where individuals can sign up to avoid receiving unsolicited marketing emails. For example, Germany and France maintain such registers, and companies must check these lists before sending any promotional material.
Businesses using legitimate interest should perform a balancing test to assess whether their interests in sending the marketing communications outweigh the recipient’s rights and expectations. Another risk mitigation strategy is to target recent customers (e.g., those who made a purchase in the last two years) to ensure relevance. Lastly, the local laws of each country should be reviewed for additional requirements and for cases where local law does not allow the legitimate interest exception.
Non-compliance with data protection laws, especially those related to unsolicited emails, can result in significant fines. For example, a company in Spain was recently fined 3,000 euros by the Spanish Data Protection Agency (AEPD) for continuing to send marketing emails despite several opt-out requests.
Key takeaways
To ensure compliance regarding unsolicited direct marketing strategies worldwide:
- Always ensure that a legal basis for the processing of personal data is in place.
- Respect opt-out requests and ensure no further emails are sent to users who have withdrawn consent.
- Regularly review and audit your marketing practices to ensure compliance with both data protection and competition law.
For businesses engaged in international newsletter distribution, compliance with data protection laws is paramount. Whether relying on explicit consent or legitimate interest, companies must remain transparent, respect user rights, and understand the specific requirements of each country. While legitimate interest offers flexibility, it carries risks, and businesses should implement safeguards such as clear opt-out mechanisms and a regular evaluation of their marketing practices as well as of the local laws.