Recommended Best Practices for Email Marketing

Task Force on Spam
Working Group on Validating Commercial Email
May 2005

PDF Version [PDF 198KB]
To read the PDF version you need Adobe Acrobat Reader on your system.

Overview
Recommended Best Practices
Appendix I: Technical Tips for Electronic Marketers
Appendix II: Sample Letter of Compliance with the Personal Information Protection and Electronic Documents Act
Glossary

Overview

As part of the federal government's Task Force on Spam, the Working Group on Validating Commerical Email has developed a set of best practices for email marketing. These best practices will help Canadian organizations adopt spam-free marketing techniques and will make it clear that spam plays no legitimate role in Canadian marketing.

Most responsible organizations already follow industry codes or have adopted best practices. In Canada, organizations are guided by the Canadian Marketing Association's Code of Ethics and Standards of Practice, which includes guidelines for email marketing and the online collection of data for marketing purposes. Members of Canadian Survey Research Council organizations that conduct online surveys are also developing a uniform code of practice.

This document brings together a set of best practices drawing upon existing codes in order to provide all with a basis to using email for commercial or marketing purposes.

Increasingly, Internet service providers (ISPs) and email service providers (ESPs) are looking for ways to stop spam by using filtering, black and white lists. As a result, they are inadvertently blocking legitimate email messages before they reach their intended recipients. Organizations are encouraged to adopt the best practices cited here as a way to ensure that their own legitimate email messages reach their intended recipients.

These best practices are not legally binding, but are intended to complement existing Canadian laws that govern spam, privacy, email marketing and marketing to children. For example, the Personal Information Protection and Electronic Documents Act (PIPEDA), which came into full force throughout Canada in January 2004, establishes the obligations of those who collect, use and disclose personal electronic-mail addresses. Other relevant federal acts include the Competition Act, the Telecommunications Act and the Criminal Code of Canada. Organizations should make themselves aware of these laws and govern their activities accordingly.

The best practices, along with explanatory notes and illustrative examples, are outlined in the following sections.

Recommended Best Practices

1. Marketing email should only be sent to recipients who have provided their consent to receive such information.
   
   

This best practice directly relates to the sending of unsolicited commercial email for the purposes of soliciting goods and/or services. If organizations have not obtained the express consent of recipients prior to sending these types of email messages, then they are sending spam.

If the organization has an existing business relationship (see glossary) with the intended recipient, it is sufficient to rely on implied consent. Under existing Canadian law, where an individual has entered a contest, made a donation, or registered online for a product, newsletter, etc.; has provided their email address as part of the transaction; and has been provided with the opportunity to opt out of receiving further marketing email messages, and has not done so, the organization has the implied consent to email the individual. When using this form of consent, the marketer should explain to the intended recipient why they are receiving the email. In the follow-up communications, the organization must provide the individual with an opportunity to opt out of receiving further marketing emails (see Best Practice #2).

Organizations should not send email marketing messages to recipients who have indicated they do not wish to receive email messages from the organization. While an organization may send email messages during an existing business relationship, they must honour an individual's request to be removed from email marketing lists at any time. This can be accomplished by providing an opt-out opportunity in every message sent (see Best Practice #2).

There is an exception for sending email messages outside of an existing business relationship, or to a customer whose file has become inactive. If the organization has service, warranty or product-upgrade information, or if there are health and safety issues related to a product purchase, the organization may send email messages to its customers. Organizations should use discretion in doing so, however, as customers may view this email as spam if the organization uses it as an opportunity to up-sell or cross-sell products.

2. In all marketing email, recipients must be provided with an obvious, clear and efficient email or web-based means to opt out of receiving any further business and/or marketing email messages from the organization.
   
   

In all email messages to current customers, organizations must include an opportunity for the recipient to opt out. This opportunity should not be buried in the email message and must, at minimum, be website- and/or email-enabled. The language used should be as simple as: "If you no longer wish to receive marketing offers from this organization, please click here or email info@ABCcompany.com."

The process for opting out should be simple and straightforward, and organizations should confirm by email that the opt-out request has been or will be followed through without requiring further action by the consumer.

In Canada, the industry best practice for telephone or mail do-not-contact files is to honour opt-out requests for a three-year period. After that time, organizations may re-contact individuals with marketing offers. However, because of the sensitivities associated with email communications, and the problems caused by spam, organizations should honour an email opt-out request as final and remove that individual from their marketing lists until such time as the individual opts to receive email messages again.

3. The internal process used to obtain consent should be clear and transparent. Organizations should keep records of the type of consent obtained from recipients so that email lists can be scrubbed prior to campaign broadcasts.
   
   

Organizations should ensure that they have the means to honour opt-out requests on a timely basis and to scrub their lists accordingly.

In addition, an internal process should be in place that records proof of consent, including the date, time, originating Internet protocol (IP) address and location (including URL), where the address collection occurred and whether consent was obtained via another medium (e.g. business card, contest form, telephone, verbal communication or credit card [e.g. through a paying subscription to a list]). Organizations should be able to provide this information to a recipient upon request.

4. Every email marketing communication should clearly identify the sender of the email. The subject line and body text in the communication should accurately reflect the content, origin and purpose of the communication.
   
   

The identification of the sender and source of the email should be clearly and obviously specified and, whenever possible, placed above the fold (that part of the email that is visible without scrolling).

Example #1: Direct from organization to subscriber

Example #2: Third-party email service provider to subscriber on behalf of an organization

Even in cases where the content is accurately related to the subject line, organizations are cautioned against using subject lines that refer to "free offers" or "winning prizes." This is, in part, due to the fact that some spam filters use keywords such as these to signal that the message is spam.

Email messages should include the sender's main postal address. Canadian organizations are strongly encouraged to become familiar with the provisions in Canadian laws that address this issue, and with the related laws of other jurisdictions, such as Australia, the United States and the European Union.

5. Every email should provide a link to the sender's privacy policy. The privacy policy should explain the intended use and disclosure of any personal information that might be gathered through "clickstream" means or other website monitoring techniques.
   
   

Organizations are obliged under PIPEDA to adopt a significant degree of transparency in disclosing their personal-information gathering and handling practices. A privacy policy might include the type of information collected and/or used; whether information is disclosed to third parties; the use of "cookies" or other passive means of data collection; and security, accountability and enforcement procedures.

Organizations must make the information on their online information-gathering processes readily available in one comprehensive privacy policy on their websites. The privacy policy should also include an active link to an opt-out mechanism.

6. Marketers, list brokers and list owners should take reasonable steps to ensure that the addresses on their email lists were obtained with the proper consent.
   
   

Organizations, list brokers and list owners should share responsibility for sending email to recipients who have not given appropriate consent to receive these messages. Where an organization, list broker or list owner knew or should have known that the proper consent was not obtained, they could be accountable. Some examples of reasonable steps that an organization can take to ensure clean lists include:

• reviewing the privacy policy of the broker/owner of the list;
  
  
• reviewing the opt-in procedures used to obtain the email addresses;
  
  
• having the broker or owner sign a contract warranting that they have complied with the requirements of PIPEDA (see the sample at the end of this appendix).
  
  

7. Marketers should use a high degree of discretion and sensitivity in sending email marketing to persons under the age of majority, in order to address the age, knowledge, sophistication and maturity of this audience.
   
   

Organizations should refer to both the Canadian Marketing Association's Special Considerations in Marketing to Children and Teenagers, from its Code of Ethics and Standards of Practice (www.the-cma.org/consumer/ethics.cfm), and existing Canadian laws (see www.justice.gc.ca) for guidance on this issue.

The ways in which those under the age of majority perceive and react to email marketing communications are influenced by their age and experience, and the context in which the message is framed. For example, email marketing communications that are acceptable for teenagers will not necessarily be acceptable for younger children. There is no way to guarantee the age of any person who signs up to an email subscriber list. Organizations should, therefore, use discretion and sensitivity when marketing to those under the age of majority, and should seek to engage parental permission in such communications.

8. (a) When the content of an email is adult in nature the sender must — prior to sending the communication — verify that the recipient is of age to legally receive and view such content.

Adult content includes material of a sexually explicit nature and material related to gaming and gambling, tobacco, alcohol, firearms and other weapons.

1. (b) All email containing sexually explicit content should include the prefacing tag "SEXUALLY EXPLICIT" in the subject line.
   
   

For example, the subscriber may be required to provide a telephone number so the organization can verify that the recipient is of the age of majority. It is important to note that contracts with minors are not enforceable.

9. Organizations should have in place a complaint-handling system that is fair, effective, confidential and easy to use.
   
   

Any complaints from individuals regarding the use of their email address should be dealt with courteously and within a reasonable time frame.

10. Organizations may disclose the email addresses of existing customers to third-party affiliates or within a family of companies if:
    
    
    1. they have consent to do so;
       
       
    2. they are using the addresses for purposes consistent with their collection (i.e. for marketing related to the original purchase or to provide services related to that purchase);
       
       
    3. it is transparent to the recipient why they are receiving email communications; and
       
       
    4. there is an easy-to-use way to opt out of receiving further email communications.
       
       

Organizations may only disclose customers' email addresses to an affiliated third party or within a family of companies for cross-marketing purposes if they offer these customers an easy-to-use opt-out opportunity before disclosing the email address.

It must be transparent to customers why they are receiving additional, related marketing offers (e.g. under a company brand). The organization should not assume that customers understand a corporate relationship or structure.

For further guidance, organizations are advised to follow the best practices established by the Canadian Marketing Association in its Code of Ethics and Standards of Practice under Section E4.1.3 of the E-mail Marketing Communications compliance guide. The section states that "an individual's email address may not be disclosed to any third party (e.g. list rental company) without the express consent (more commonly known as opt-in or positive consent) of the individual. If you want to disclose email addresses to marketing partners or list brokers, you must obtain positive consent. Similarly, you need to ensure appropriate permission for the use of any email addresses your company may have acquired from others."

The CMA defines a "third party" as follows:

"Third party" refers to an organization corporately distinct from that with which the customer originally did business (list rental company), including an organization corporately related to the original organizations (or charity) or part of the same group, where the relationship would not be apparent to the customer. Third parties do not include data processors operating on behalf of the organization with whom the individual has established a business relationship.