Email marketing is a powerful tool, but at the same time it has its own legal pitfalls. In this article, I'll give you an overview of some important points to keep in mind.

In the previous parts of this article series, we have already dealt with possible formats and areas of application for email marketing, as well as setting up a good concept. You've also learned how to properly increase your reach. Now it's time for the part where you learn about email marketing law.

To whom may I send what?

An important topic in email marketing law is the keyword "consent": If you want to send emails about your offers and activities as an agency or freelancer, you can only do so if the recipients have actively consented. You must be able to prove that they have consented. More on this in a moment.

As a rule, you do not need explicit consent for messages to existing customers that are directly related to the purchased product or service. For example, someone has signed a maintenance contract with you and now you are adding new services to this offer. In this case, you are usually allowed to communicate this to the respective customers without their having specifically agreed to it.

In this case, it is important that these e-mails actually revolve solely around the existing customer relationship and nothing else. Otherwise, the e-mail could slip into the realm of advertising - nothing is possible without the consent of the recipient. A seemingly harmless reference to another offer, for example in the footer of your e-mail, can already be too much. So make sure to keep these emails clean.

If you absolutely want to advertise a new offer to your existing customers, this may also be possible without explicit consent, provided it is similar enough to the existing product or service. A regulation on this can be found in Section 7 (3) of the Unfair Competition Act (UWG). You should seek professional advice here.

Note: Existing customers must also have the option of unsubscribing completely from such e-mails. Then only transactional emails remain, for example when a purchase is made.

Obtain legally compliant consent

Consent is only valid if it is both conscious and voluntary and the person knows what he or she is consenting to.

For a newsletter, for example, it is recommended that you explain as comprehensively as possible, in clear, simple terms, what the entry in the distribution list means. This includes, among other things, an indication of the frequency of the newsletter, an overview of possible content, how you measure success, and how a person can unsubscribe.

You don't hide this explanatory text somewhere on a subpage if you want the consent to stand up in court. It is also important to know that if you want to increase the frequency of your newsletter, for example, you may have to obtain renewed consent. 

An alternative to registration by form is a checkbox in the order process, with which a person also registers in the distribution list. In principle, this is fine as long as this checkbox is not checked in advance: In this case, a person could claim to have overlooked it - and there is no conscious consent.

Another problem is when you haven't sent any messages to a mailing list for a long time. Of course, this happens in the stress of everyday life: you set up a newsletter, diligently collect readers for it, and then you don't have time to take care of it. The larger this time gap becomes, the more likely it is that the consent has lapsed again. However, there are no clear legal requirements in this regard. The LG Munich considered about 17 months between registration and the first advertising e-mail to be too long. The Federal Court of Justice, on the other hand, stated that consent "does not expire merely due to the passage of time" (ruling dated February 1, 2018, file number III ZR 196/17).

However, a long silence is also problematic without legal consequences: Many recipients may have forgotten in the meantime that they had subscribed and mark your e-mail as spam. This can have a negative impact on your delivery rate.

Another note: If a person cancels a purchase, no contractual relationship has been established and therefore it is highly problematic to write to them. Some services and tools offer such features that allow you to realize lost sales after all. From an entrepreneur's point of view, they seem to make a lot of sense. In this country, however, they pose a considerable risk of a warning notice, unless you have obtained explicit consent to send such a message.

Correct registration via double opt-in

One challenge with consent is that you don't have 100% proof that someone is who they say they are. Just because someone knows an email address and puts it on a mailing list doesn't mean that email address belongs to that person.

That's why the double opt-in procedure, which you surely know, has become established: After the entry, a message is sent to the relevant address. In this message, you usually have to click on a link to complete the process.

You must document this double opt-in in such a way that you can prove it in court in case of doubt. The good news is that practically all modern email marketing services and tools now make use of this procedure or at least have it as an option. But make sure that it is (correctly) activated.

Tip: When registering, make it clear that you are only subscribed to the newsletter after the link in the confirmation email has been clicked. Ideally, you should ask your users to check their email inbox immediately after signing up. It is quite possible that this email ends up in spam and is then forgotten.

Imprint in all emails

You need a legally compliant imprint not only on your website, but also in your e-mails. Here, too, it is best to seek the advice of a professional. In general, the imprint should fulfill the same task: It must be clear who has sent an e-mail and how this person or organization can be contacted. A link to the website imprint can be sufficient, but is generally not considered as secure as a complete imprint, for example in the footer of every email.

The complex topic of data protection

Data protection regulations such as GDPR have also added a little more complexity to e-mail marketing. For example, the principle of data economy applies: You may therefore only make the mandatory field in a newsletter form what you actually need to send the e-mails. This will normally be the e-mail address alone. All other information must be voluntary.

By the way, it is also better from a user experience perspective to keep the registration form as simple as possible. Otherwise, interested parties may feel overwhelmed.

Another aspect is that you will usually use a service provider to send your emails. This can be a simple service like Amazon SES or a comprehensive service like Sendinblue or CleverReach. Logically, these service providers can only send your emails if you provide them with the relevant addresses of your recipients. And for that, you need an order processing agreement. Sounds complicated, but it should only take a few clicks. The only important thing is that you actually make these clicks. 

At this point, providers with headquarters in the USA, such as MailChimp, have an additional problem. One reason is that the "Privacy Shield" agreement between the EU and the USA has been declared invalid and there is still no successor. This means that the USA is no longer considered a "safe third country". Some providers try to get around this by offering to host data only in Europe for European customers. However, this is not considered sufficient by some data protection experts, since US authorities can also access information outside the USA due to the Cloud Act.

Here, too, only a specialist can help. Or, in case of doubt, you can rely on providers from the EU.

In all of this, note that the information about data protection also belongs in your privacy policy and not just on the registration page for the newsletter. Here you must inform in the required depth about the collection and processing of data.

Content design

As mentioned above, what you can and cannot advertise via email depends on the type of consent. Another important point: you must not design your promotional messages to look like a personal email. You must not disguise who the sender is and that the message has a commercial background.

By the way, you should also make sure to keep double opt-in messages and autoreplies completely factual. Even the company's advertising claim in the footer can be too much here.

Performance measurement allowed or not?

Another stumbling block is the popular measurement of success: this includes, for example, how many readers open an e-mail (open rate) and how many click on a link in it (click rate). In addition to the pure number of subscribers, these are important metrics for assessing the success of your own activities.

It should be noted that the opening rate is becoming less and less meaningful. For example, Apple's e-mail applications can prevent the opening of the e-mail from being reliably measured in order to protect the privacy of the users . Other people may have taken appropriate measures themselves or read the e-mails on their company PC, which is secured in this respect.

But these measurements can also be problematic from a legal perspective. This is especially true if they are not only carried out generally, but individually per reader. In this way, e-mail services want to show which subscribers are particularly interested and which are not. E-mail marketers react to this with special offers to "reactivate" readers.

In order to be allowed to collect such data, however, the readers must be aware of this. You should therefore mention clearly and comprehensively when registering that you are carrying out such a performance measurement. And on the other hand, it is also important to provide a good reason why this is necessary at all. A standard formulation that can often be read, for example, is that the measurements help to improve the newsletter and align it with the interests of the readership. Whether such a reference and this justification will stand up in court, however, is another matter.

By the way, you must also obtain such consent for performance measurement from existing customers. This also applies if they did not have to expressly consent to receiving your e-mail as described above.

Conclusion on the subject of e-mail marketing law

One of the most popular responses to questions in the email marketing legal field is, "It depends."

Some things are clearly regulated because they can be derived directly from the legal text. For example, there is no doubt that an e-mail address is personal data and that you must comply with the provisions of GDPR .

Other points, however, are open to interpretation. Relevant judgments can then provide insights and serve as guidance. However, not every judgment immediately means that the decision made there always and everywhere applies. Perhaps it will be overturned by a higher court. Or in your particular case, a small but important detail is different - and the result is different. Here you are moving in legal gray areas and need professional advice in case of doubt.

A general guideline can be to act in the interest of your readers and customers. You can also ask yourself: What do I want from a company when it comes to handling my own data?

Unfortunately, even this is not a hundred percent protection against warnings. But the probability should at least be lower.

If you want to read up on the subject in more detail, I recommend this article by lawyer Jan Lennart Müller.