Business emails and the law

Understanding email and the law will help your business avoid ruinous financial penalties and legal problems...


Email is still one of the most accessible marketing channels available to small businesses. And, with tools like CRM software allowing you to create eye-catching emails and then send them, en masse, to targeted lists of contacts, email marketing in 2024 has never been so easy, effective, and affordable.

Affordable, that is, until you end up on the wrong side of the law, and have to pay a hefty fine. We’ve compiled this guide to help you avoid doing just that – so read on to find out how you can navigate the tricky relationship between business emails and the law in the UK.

Please remember, however, that this guide does not constitute legal advice. Legislation is constantly changing (the GDPR, or General Data Protection Regulation, is testament to that), so we can only present legal information at a high level. We therefore strongly recommend that you seek qualified legal advice, as we can't provide it.

What we can do, though, is help get you a good deal on CRM software that'll streamline and supercharge your email marketing. Most CRM systems also offer features allowing you to implement GDPR-aligned processes, while automatically adding compliant footers to your emails.

To get started comparing quotes from leading CRM software providers, simply provide us with a few details about your business. We'll ask about the kind of email marketing features you'll need, how many users will require access to the system, and what (if any) contact management software you're currently using.

Or, you can check out some of our top recommendations for GDPR-compliant CRM systems that can help keep your business safe and compliant below.

Email compliance regulations

According to Gov.uk’s page on marketing and advertising, you can only send marketing emails to customers who:

  • Have consented to electronic mail from you
  • Or, have bought a similar product or service from you in the past, and you provide a simple way to opt out in every marketing message you send them. This is sometimes known as a ‘soft opt-in’

You must not disguise or conceal your identity, and must provide a valid contact address so the customer can opt out or unsubscribe.


B2B regulations

Marketing emails to businesses fall under similar rules. Like customers, sole traders and some partnerships are treated as individuals, meaning they can’t be contacted unless they’ve consented.

However, you can send an unsolicited email to any corporate organisation, limited liability partnership, or government body. But remember: if you’re messaging named individuals at corporate email addresses, their name and address are personal data, so there are GDPR considerations.

For example, if you’re sending an email to jo.worker@corporate.co.uk, Jo has the right to object to their personal data being used for marketing purposes.
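As an added example (not from the original page, and not legal advice), here is how the consent and soft opt-in rules above, together with the B2B distinctions, can be encoded as a send-time gate in Python. The recipient categories, contact fields and sample contacts are constructed assumptions; it also merges duplicate records for the same address so that an opt-out on any copy suppresses all of them, which the page does not describe but is the cautious reading.

```python
"""Send-time gate for marketing email, following the page's summary of the
UK rules. Constructed example, not legal advice: recipient categories,
contact fields and sample data are assumptions made for this illustration."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Recipient(Enum):
    INDIVIDUAL = "individual"      # consumer
    SOLE_TRADER = "sole_trader"    # treated as an individual
    PARTNERSHIP = "partnership"    # treated as an individual in this model
    CORPORATE = "corporate"        # limited company
    LLP = "llp"                    # limited liability partnership
    PUBLIC_BODY = "public_body"    # government body


# Recipients who must have consented (or qualify for the soft opt-in).
TREATED_AS_INDIVIDUAL = {Recipient.INDIVIDUAL, Recipient.SOLE_TRADER, Recipient.PARTNERSHIP}


@dataclass(frozen=True)
class Contact:
    email: str
    kind: Recipient
    consented: bool = False       # explicit consent to marketing email
    bought_similar: bool = False  # bought a similar product/service from you
    opted_out: bool = False       # unsubscribed or asked you to stop
    objected: bool = False        # exercised the GDPR right to object


def may_send_marketing(c: Contact, message_has_opt_out: bool) -> tuple[bool, str]:
    """Decide whether one contact may receive a marketing email.

    An opt-out or objection always wins, whatever the recipient type.
    message_has_opt_out: whether the outgoing message carries a working
    unsubscribe route, which the soft opt-in requires on every message.
    """
    if c.opted_out:
        return False, "recipient has opted out"
    if c.objected:
        return False, "recipient objected to marketing use of their data"
    if c.kind in TREATED_AS_INDIVIDUAL:
        if c.consented:
            return True, "consent"
        if c.bought_similar and message_has_opt_out:
            return True, "soft opt-in (existing customer, opt-out offered)"
        if c.bought_similar:
            return False, "soft opt-in needs an opt-out in every message"
        return False, "no consent and no soft opt-in"
    # Corporate bodies, LLPs and public bodies may be emailed unsolicited.
    return True, "corporate recipient (unsolicited permitted)"


def build_send_list(contacts, message_has_opt_out: bool = True):
    """Group records by normalised address and keep only permitted ones.

    An address is sent to only if every record for it passes, so an opt-out
    recorded against one copy of an address suppresses all of them.
    Returns (allowed addresses in first-seen order, {blocked address: reason}).
    """
    by_addr: dict[str, list[Contact]] = {}
    for c in contacts:
        by_addr.setdefault(c.email.strip().lower(), []).append(c)

    allowed, blocked = [], {}
    for addr, records in by_addr.items():
        verdicts = [may_send_marketing(r, message_has_opt_out) for r in records]
        failures = [why for ok, why in verdicts if not ok]
        if failures:
            blocked[addr] = failures[0]
        else:
            allowed.append(addr)
    return allowed, blocked


# Constructed sample contacts (not real addresses or people).
SAMPLE_CONTACTS = [
    Contact("alice@example.com", Recipient.INDIVIDUAL, consented=True),
    Contact("bob@example.com", Recipient.INDIVIDUAL, bought_similar=True),
    Contact("carol@example.com", Recipient.SOLE_TRADER),
    Contact("dave@example.com", Recipient.INDIVIDUAL, consented=True),
    Contact("Dave@Example.com", Recipient.INDIVIDUAL, opted_out=True),  # same mailbox, later opt-out
    Contact("info@corporate.co.uk", Recipient.CORPORATE),
    Contact("jo.worker@corporate.co.uk", Recipient.CORPORATE, objected=True),
]

if __name__ == "__main__":
    ok, stopped = build_send_list(SAMPLE_CONTACTS)
    print("send:", ok)
    for addr, why in stopped.items():
        print("skip:", addr, "->", why)
```

Run as-is it sends to alice, bob and the generic corporate mailbox and skips carol (no consent), dave (a later opt-out on a differently-cased copy of his address) and jo.worker (objection). Pass `message_has_opt_out=False` and bob drops out too, because the soft opt-in only holds while every message offers a way to stop.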


Email disclaimers

Many of us have received emails with a disclaimer at the bottom of the message. These disclaimers are often very “legal” sounding and are designed to protect the sender from legal action.

The reality is that a recipient has not agreed to anything simply by receiving the email, so a court will probably not uphold the disclaimer as binding, but it might help your case.

Most disclaimers cover breaches of confidentiality, propagation of viruses, contractual claims and employee liability. Some disclaimers seem to go on forever!

There’s no one-size-fits-all disclaimer, as what you disclaim will depend on the nature of your business.

Disclaimer Example 1

“IMPORTANT: This message is intended for the addressee only and may contain private and confidential information or material which may be privileged. If this message has come to you in error you must delete it immediately and should not copy it or show it to any other person.”

Disclaimer Example 2

“This email is sent on behalf of XXXX and its associated companies (“XXX”) and is strictly confidential and intended solely for the addressee(s).  If you are not the intended recipient of this email you must: (i) not disclose, copy or distribute its contents to any other person nor use its contents in any way or you may be acting unlawfully;  (ii) contact XXX immediately on XXXX quoting the name of the sender and the addressee then delete it from your system. XXX has taken reasonable precautions to ensure that no viruses are contained in this email, but does not accept any responsibility once this email has been transmitted.  You should scan attachments (if any) for viruses. XXX. Registered in England no.XXX  –  Registered Office(s): XXX”

If you think it’s necessary to include a disclaimer in your business emails, seek legal advice on its effectiveness.

Alternatively, you can send your emails through a CRM system. Most systems can append a footer containing the company details the law requires (and an unsubscribe link) to every outgoing email automatically. If you accidentally delete it, the system will remind you, or add it back before you hit ‘send’.

Explore our guide to the best CRM systems for small businesses, or start comparing quotes from leading suppliers now.


Legal requirements for email footers


Failure to include certain details in your email footer could land your business fines of up to £1,000.

The UK Companies Act 2006 (the email requirement has applied since January 2007) states that any private or public limited company, or a Limited Liability Partnership, must include the following in its business emails:

  • Company name
  • Company registration number
  • Place of registration (e.g. Scotland or England & Wales)
  • Registered office address (which may be different from the office you trade from)

All business emails must contain these details, whether they are sent by a director or a dogsbody. If you are a sole trader, the requirement does not apply.

It’s sensible to create a legally sound template footer that can be used company-wide. Here's an example of the kind of footer you're expected to include at the bottom of each business email you send:

Smallbutgettingbigger is a limited company registered in England and Wales. Registered number: 1234567. Registered office: The High House, 72 Claire Road, Leatherhead, Surrey KT21 5JU.


Monitoring email traffic

As an employer you are able to monitor email traffic to and from your business, to ensure security and protect your business. But you need to let people know…

A typical statement would be:

“Smallbutgettingbigger Ltd may monitor email traffic data and also the content of email for the purposes of security and staff training.”

The specific monitoring of employee emails is subject to a raft of legislation out of the scope of this article. Again, if this is an issue for you then take legal advice or you may find yourself in hot water with the authorities.


GDPR and email


General Data Protection Regulation (GDPR) came in guns blazing in May 2018, updating existing data protection regulation to protect individuals in the digital age.

It hit a lot of companies that relied on vast email databases hard.

The GDPR (retained in UK law after Brexit as the UK GDPR) defines personal data in Article 4(1) as:

‘any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’

It is, of course, possible to use some of this information without identifying anyone. Problems arise when you collect a combination of information that clearly identifies someone.

As fines for the most severe breaches can reach £17.5 million under the UK GDPR (€20 million under the EU GDPR) or 4% of global annual turnover, whichever is higher, best practice is to err on the side of caution.

Have an audit performed of your whole digital marketing strategy, including:

  • Privacy notices
  • Customer and prospect data
  • The service providers you use for data storage, processing and marketing

CRM software is available from as little as £10 per user, per month, with some free options available, too. CRM software can help you create, personalise, and send emails in bulk, all while ensuring you remain GDPR-compliant.

Email lists

According to the Information Commissioner, the consent rules do not apply to ‘legacy lists’, that is, email addresses that meet all of the following:

  • You already held them at 31 October 2003
  • You have contacted them in the last 12 months
  • They were collected in compliance with the law at the time
  • The recipients have not told you to stop contacting them

Once again, if you don’t have an in-house legal team, seek counsel from a qualified professional.


Which are the best CRM systems to support with GDPR and email compliance?

We’ve already seen how a CRM system can help you take full advantage of your email database while remaining on the right side of legal and GDPR regulations.

But which CRM systems are the best at helping small businesses remain compliant when sending emails?

We’ve conducted extensive research into CRM and GDPR features to find out and save you a few headaches.

Zoho CRM

  • Mark sensitive info to automatically prevent it being processed
  • Encrypts stored customer data with the Advanced Encryption Standard (AES)

If you want to be double sure you’re not going to unwittingly breach data regulations, Zoho CRM’s GDPR compliance features will put your mind at ease.

After a double opt-in mechanism, which asks customers to consent to their data being uploaded into your CRM after they fill in a webform, Zoho automatically captures essential customer data from multiple sources and stores it securely in their record.

You can then categorise your customers by one of the six lawful bases for processing under Article 6 (consent, performance of a contract, legal obligation, vital interests, public task, or legitimate interests), and mark specific fields as sensitive so they are automatically excluded from mail-outs and other actions.

Customers also have access to the Customer Portal, so they can view their info, update it, and ask for all of it to be removed under ‘Right to be Forgotten’.

Finally, Zoho encrypts stored customer data with the Advanced Encryption Standard (AES), the standard symmetric cipher, and protects it in transit with TLS. Bear in mind that AES is a cipher rather than a complete data protection system: it keeps data on disk from anyone without the key, but does nothing about an over-privileged user account or a leaked API token, so access controls and audit logs still matter.

You can take a look at Zoho's site for a better idea of their GDPR compliance and other features.


Freshworks CRM

  • Opt-in checkboxes on all webforms
  • Automatically disable email sends to contacts who have opted out

Freshworks CRM supports GDPR-compliant processes, though its tools for helping you stay on the right side of the law are less automated than rivals’.

What they mostly boil down to is an option to include ‘opt-in’ checkboxes for web forms and email, with a customisable section in which you can include further details on why you’re collecting their data and how it will be stored. Freshworks’ in-built phone also gives you the option to turn off call recording during outgoing calls.

You can then disable sending emails to particular contacts who have chosen not to opt-in so there’s no risk of inadvertently sending an unsolicited email to someone in a mass mail-out.


HubSpot

  • Automatically enable all GDPR compliance features on your account
  • Banners on all contact records alerting you of their status

HubSpot enhanced its platform with tons of new compliance functionality when GDPR came in.

When you sign up with HubSpot, you can automatically enable all GDPR compliance features across your account from settings. This will ensure you only send marketing emails to contacts who you have a legal basis to communicate with, and automatically turn on unsubscribe links for all emails.

All webforms are GDPR compliant with a lawful basis notice and communication consent checkbox.

Additionally, if you’re using the HubSpot Sales extension, banners on your contact records will tell you whether you have a lawful basis for processing each contact’s data.


Salesforce

  • Shield Platform Encryption protects data at all times
  • Easily delete all customer records based on a single request

Befitting its status as one of the first names in CRM, Salesforce has a comprehensive security offering that will help you keep your data and your customers’ data safe. It also allows you to easily delete all of a contact’s records based on a single customer request.

Shield Platform Encryption is available as an add-on subscription with Salesforce’s Enterprise, Performance, and Unlimited plans. It lets you encrypt a range of fields, files, and attachments stored in the Salesforce platform, so that data is protected at rest on Salesforce’s infrastructure (data in transit is protected separately by TLS, as on any Salesforce connection). As with any at-rest encryption, it does not stop a user who already has permission to read a record from doing so; field-level security still governs who can see what.

Aside from that, Salesforce has a dizzying number of certifications to prove its compliance credentials. You can view all of these on its website.


Sendinblue

  • A fully GDPR-compliant platform
  • Easily action any customer request to remove, amend or receive their data

Rather than offering GDPR-specific features, Sendinblue has ensured that its system supports the regulation by letting you easily respond to any customer wishing to exercise their rights over their personal data.

On its handy GDPR advice page, Sendinblue advises you to brush up on how to access, modify, and delete customer data, and to make sure the wording of any forms clearly states how information will be used and that the user agrees to the terms.

However, it does advise seeking legal counsel, as the information on its advice page cannot be taken as legal advice.

The automated approach to GDPR taken by other suppliers is clearly more convenient, especially for busy small business owners who just want to know that it’s all taken care of, but there is something to be said for a more hands-on approach to your own compliance and security.


Next steps

Remember, CRM software is an extremely valuable tool for small businesses running email campaigns.

As well as storing and segmenting invaluable customer information, CRM software allows you to send highly targeted and personalised marketing emails instantly. And, crucially, a CRM system can help you communicate in a way that meets your legal obligations.

To start comparing different CRM systems, and get quotes from leading cloud-based CRM providers, let us help. Simply furnish us with a few details about your business' requirements, and we'll match you with the supplier best suited to your specific needs. The form itself takes about 30 seconds to complete, and all quotes are completely free.


Startups.co.uk is reader-supported. If you make a purchase through the links on our site, we may earn a commission from the retailers of the products we have reviewed. This helps Startups.co.uk to provide free reviews for our readers. It has no additional cost to you, and never affects the editorial independence of our reviews.
