Business emails and the law
Understanding email and the law will help your business avoid ruinous financial penalties and legal problems...
Email is still one of the most accessible marketing channels available to small businesses. And, with tools like CRM software allowing you to create eye-catching emails and then send them, en masse, to targeted lists of contacts, email marketing in 2021 has never been so easy, effective, and affordable.
Affordable, that is, until you end up on the wrong side of the law, and have to pay a hefty fine. We’ve compiled this guide to help you avoid doing just that – so read on to find out how you can navigate the tricky relationship between business emails and the law in the UK.
Email compliance regulations
According to Gov.uk’s page on marketing and advertising, you can only send marketing emails to customers who:
- Have consented to electronic mail from you
- Or, have bought a similar product or service from you in the past, and you provide a simple way to opt out in every marketing message you send them. This is sometimes known as a ‘soft opt-in’
You must not disguise or conceal your identity, and must provide a valid contact address so the customer can opt out or unsubscribe.
Marketing emails to businesses fall under similar rules. Like customers, sole traders and some partnerships are treated as individuals, meaning they can’t be contacted unless they’ve consented.
However, you can send an unsolicited email to any corporate organisation, limited liability partnership, or government body. But remember: if you’re messaging individuals with personal corporate email addresses, there may be GDPR considerations.
For example, if you’re sending an email to firstname.lastname@example.org, Jo has the right to object to their personal data being used for marketing purposes.
Many of us have received emails with a disclaimer at the bottom of the page. These disclaimers are often very “legal” sounding and are designed to protect the sender from legal action.
The reality is that the courts will probably not uphold the disclaimer but it might help your case.
Most disclaimers cover breaches of confidentiality, propagation of viruses, contractual claims and employee liability. Some disclaimers seem to go on forever!
There’s no one-size-fits-all disclaimer, as what you disclaim will depend on the nature of your business.
If you think it’s necessary to include a disclaimer in your business emails, seek legal advice on its effectiveness.
Alternatively, you can look into sending your emails with a CRM system. This software helps you automate GDPR compliance by automatically adding a footer (that contains the essential information you need to satisfy your legal responsibilities) to the bottom of your emails. If you accidentally delete it, the system will remind you – or add it in again before you hit ‘send’.
Legal requirements for email footers
The most recent legislation – the UK Companies Act 2006 (amended 2007) – states that any private or public limited company, or a Limited Liability Partnership, must include the following:
- Company name
- Company registration number
- Place of registration (e.g. Scotland or England & Wales)
- Registered office address (which may be different from the office you trade from)
All business emails must now contain this data, whether they are sent by a director or a dogsbody. If you are a sole trader, the requirement does not apply.
It’s sensible to create a legally sound template footer that can be used company-wide. Here's an example of a footer you're expected to include at the bottom of each commercial email you send:
Monitoring email traffic
As an employer you are able to monitor email traffic to and from your business, to ensure security and protect your business. But you need to let people know…
A typical statement would be:
The specific monitoring of employee emails is subject to a raft of legislation that is outside the scope of this article. Again, if this is an issue for you, then take legal advice, or you may find yourself in hot water with the authorities.
GDPR and email
GDPR hit a lot of companies that relied on vast email databases hard.
According to the official GDPR website, personal data is…
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
It is, of course, possible to use some of this information without individuating someone. Problems arise when you collect a combination of information that clearly identifies someone.
As fines for the most severe GDPR breaches can amount to €20 million (£17.6 million), or 4% of global annual turnover (whichever is higher), best practice is to err on the side of caution.
Have an audit performed of your whole digital marketing strategy, including:
- Privacy notices
- Customer and prospect data
- The service providers you use for data storage, processing and marketing
CRM software is available from as little as £10 per user, per month, with some free options available, too. CRM software can help you create, personalise, and send emails in bulk, all while ensuring you remain GDPR-compliant.
According to the Information Commissioner, current legislation does not apply to ‘legacy lists’. This includes:
- Any addresses you had at 31 October 2003
- That have been contacted in the last 12 months
- That were collected in compliance with contemporary law
- That haven’t told you to stop contacting them
Once again, if you don’t have an in-house legal team, seek counsel from a qualified professional.
Which are the best CRM systems to support with GDPR and email compliance?
We’ve already seen how a CRM system can help you take full advantage of your email database while remaining on the right side of legal and GDPR regulations.
But which CRM systems are the best at helping small businesses remain compliant when sending emails?
We’ve conducted extensive research into CRM and GDPR features to find out and save you a few headaches.
If you want to be double sure you’re not going to unwittingly breach data regulations, Zoho CRM’s GDPR compliance features will put your mind at ease.
After a double opt-in mechanism, which asks customers to consent to their data being uploaded into your CRM after they fill in a webform, Zoho automatically captures essential customer data from multiple sources and stores it securely in their record.
You can then categorise your customers based on one of six lawful reasons for data collection – legitimate interest, consent, performance of a contract, legal obligations, vital interest, or public interests – and mark whether specific information is sensitive or not to automatically prevent it from being processed when doing mail outs or performing other actions.
Customers also have access to the Customer Portal, so they can view their info, update it, and ask for all of it to be removed under ‘Right to be Forgotten’.
Finally, Zoho uses what it claims is one of the most robust data protection systems going: Advanced Encryption Standard (AES), which encrypts your customers’ data while it’s being stored and while it’s in transit.
You can take a look at Zoho's site for a better idea of their GDPR compliance and other features.
Freshworks CRM is a fully GDPR-compliant CRM system, though its tools for helping you stay on the right side of the law are less automated than rivals.
What they mostly boil down to is an option to include ‘opt-in’ checkboxes for web forms and email, with a customisable section in which you can include further details on why you’re collecting their data and how it will be stored. Freshworks’ in-built phone also gives you the option to turn off call recording during outgoing calls.
You can then disable sending emails to particular contacts who have chosen not to opt-in so there’s no risk of inadvertently sending an unsolicited email to someone in a mass mail-out.
HubSpot enhanced its platform with tons of new compliance functionality when GDPR came in.
When you sign up with HubSpot, you can automatically enable all GDPR compliance features across your account from settings. This will ensure you only send marketing emails to contacts who you have a legal basis to communicate with, and automatically turn on unsubscribe links for all emails.
All webforms are GDPR compliant with a lawful basis notice and communication consent checkbox.
Additionally, if you’re using the HubSpot Sales extension, there’ll be banners on all your contact records alerting you to whether or not a contact has a lawful basis for processing their data.
Befitting its status as one of the first names in CRM, Salesforce has a comprehensive security offering that will help you keep your data and your customers’ data safe. It also allows you to easily delete all of a contact’s records based on a single customer request.
Shield Platform Encryption is available as an add-on subscription with all Salesforce’s Enterprise, Performance, and Unlimited plans. It provides extra-secure protection by allowing you to encrypt a variety of fields, files, and attachments stored in the Salesforce platform, so that all data is protected when not in use and when being transmitted over a network.
Aside from that, Salesforce has a dizzying number of certificates to prove its compliance credentials. You can view all of these on its website.
Rather than offering specific GDPR compliance features, Sendinblue has simply ensured that its system is fully compliant with the regulation by allowing you to easily respond to any customer wishing to exercise their right over their personal data.
On its handy GDPR advice page, Sendinblue advises you to brush up on how to access, modify, and delete customer data, and to make sure the wording of any forms clearly states how information will be used and that the user agrees to the terms.
However, it does advise seeking legal counsel, as the information on its advice page cannot be taken as legal advice.
The automated approach to GDPR taken by other suppliers is clearly superior – especially for busy small business owners who just want to know that it’s all taken care of – but we’d say there’s something to be said for having a more hands-on approach with your own compliance and security.
Remember, CRM software is an extremely valuable tool for small businesses running email campaigns.
As well as storing and segmenting invaluable customer information, CRM software allows you to send highly targeted and personalised marketing emails instantly. And, crucially, a CRM system can help you communicate in a way that is compliant, and entirely safe in the eyes of the law.