Please describe any laws addressing email communication or direct marketing?

Data Protection & Cyber Security

Russia

Direct marketing communications are governed by both advertising and data protection laws, which set out similar rules in this regard. Direct marketing communications with the data subject are only allowed if the data subject has provided his/her prior opt-in consent (no exceptions in this regard).

Practically speaking, such consent may be obtained by means of a tick-box or a “Subscribe” button, provided that the tick-box or button is not bundled with other consents (e.g. acceptance of Terms of Use or general consent to processing of PII as described in the Privacy Policy) and the tick-box is not pre-ticked. Otherwise, Russian regulators may say that consent was not freely given by the data subject.

Each marketing communication shall contain a link in order to unsubscribe from further receipt of such marketing communications or, alternatively, information on how the recipient can unsubscribe.

Once the data subject unsubscribes (withdraws his/her consent) from marketing communications, the data controller shall immediately terminate direct marketing communications and processing of PII for this purpose – the laws do not set out any grace period in this regard.

Brazil

Although there is no legal rule concerning spam, the Internet Steering Committee provides a guideline of good practice to avoid spam, as follows:

  • Send e-mails only to customers who have opted for registration in the mailing list;
  • Do not use third-party disclosure lists, or buy them from mailing lists sellers;
  • Do not reuse disclosure lists, i.e. do not send e-mails to customers registered on mailing lists from another service, even if they are from the same company;
  • Respect customers’ options given by registration forms, in writing or online;
  • Respect a consumer’s option to be unsubscribed from the mailing list;
  • Do not start the first contact with customers by e-mail, i.e. sending the first e-mail without prior authorization characterizes the practice of spam.

Additionally, Brazil has a Self-Regulation Code for E-mail Marketing Practice signed by representative entities of marketing companies, internet service providers and consumers, which permits soft opt-in only if there is evidence of a previous commercial relationship between the sender and recipient. In this case, express consent is not required but an option to "opt-out" must be provided. The sender must provide its opt-out policy and state the deadline for removal of the recipient’s e-mail address from the database, which may occur within two business days if it is requested by the “unsubscribe link” or within five business days if it is requested by other means. Also, the Brazilian Advertising Self-Regulatory Council reflects the need to apply to advertisements on the Internet the same policy adopted for ‘conventional’ advertisements.

Lastly, it bears mentioning that Law 13.226/2008, enacted by the State of São Paulo, creates a registration list for blocking telemarketing calls with the purpose of preventing companies making marketing calls not authorized by the consumer.

Argentina

Section 27 of the Data Protection Law provides that personal data may be used to determine consumer profiles for marketing purposes, provided that such data is gathered from sources accessible to the public or the data subject voluntarily provided the information or consented to its use.

However, Decree No. 1158/01 allows for the collection, processing and assignment of personal data for marketing purposes without the consent of the data subject as long as the data subject is identified only by their belonging to groups based on their preferences or behavior and the personal data is limited to that which the marketer needs to make an offer.

Moreover, Rule No. 4/2009 of the Data Protection Authority requires the following:

  • Data subjects must be able to opt-out of this type of communication, and be expressly and clearly informed of their right to do so.
  • The communication must contain a clear and visible notice to the effect that it is an advertisement, and a transcription of provisions of the Data Protection Law and Decree No. 115/01. In the case of an email its heading must contain the term “Advertisement” (in Spanish, “Publicidad”).
  • The owner of the database must have a mechanism in place that allows for the exercise of the data subject’s right to opt out.

Bulgaria

In addition to the general rules established with the GDPR, Bulgarian legislation establishes a general opt-in regime for sending unsolicited commercial communications to natural persons and a general opt-out regime for sending such communications to legal persons, and consists of the following laws:

  • The E-Commerce Act: Contains provisions related to the regime of unsolicited commercial communications, namely:
    - Unsolicited commercial communications cannot be sent to natural persons without their prior consent (Article 6, para. 4 E-Commerce Act).
    - Unsolicited commercial communications have to be clearly distinguishable as such at the very moment of their receipt by the recipient (Article 6, para. 1 E-Commerce Act).
  • The E-Communications Act: Contains provisions related to the regime of direct marketing communications, namely:
    - Sending direct marketing and advertising communication is allowed solely in case prior consent has been obtained (Article 261, para. 1 E-Communications Act).
    - In case electronic contact details have been obtained in the context of a provision of goods or services, these contact details may be used for sending marketing and advertising communications for similar goods or services (Article 261, para. 2 E-Communications Act).
    - The communication must allow for a clear identification of the sender and shall contain a valid email address where a request for unsubscription could be sent (Article 261, para. 5 E-Communications Act).
  • The Consumer Protection Act: Contains provisions related to the regime of unsolicited business communications, namely:
    - Sending unsolicited commercial communication to consumers is prohibited unless they have provided their prior consent.

Switzerland

The collection of e-mail addresses for marketing purposes is governed by the FADP. As the e-mail address is not sensitive personal data, the FADP generally does not require the consent of the data subject. Furthermore, profiling for marketing purposes is also governed by the FADP (see above Question 24).

The FADP is, however, superseded by art. 3 para. 1 lit. o of the Federal Statute on Unfair Competition with respect to e-mail marketing. It sets out that an individual acts unfairly "who sends or causes to be sent mass advertising without a direct link to a requested content by telecommunications, without first obtaining the consent of the customer, indicating the correct sender or indicating a possibility of refusal without any problems and free of charge; anyone who receives contact information from customers when selling goods, works or services and indicates the possibility of refusal does not act unfairly if he sends mass advertising for his own similar goods, works or services to these customers without their consent."

As a general rule, Swiss law therefore requires an informed opt-in for sending e-mail marketing, and the recipients must be informed about their right to withdraw at any time. As an exemption, marketing e-mails may be sent to existing customers without an opt-in. However, the sender must have informed the recipients prior to sending the first marketing e-mail about their withdrawal right. It is not sufficient if the withdrawal right is solely mentioned in the marketing e-mail.

Art. 3 para. 1 lit. o Unfair Competition Act does not specify the format of the consent. It is, however, clear that the consent must be documented as the burden of proof is with the sender. Due to that burden of proof, it is often recommended that a double opt-in be implemented, i.e. the user registers for the newsletter, receives an e-mail with an activation link, and must confirm the registration / consent by using the link.

In case of an infringement of art. 3 para. 1 lit. o Unfair Competition Act, the recipient has two options:

  • Civil law proceeding, i.e. he / she can ask the civil court to prohibit the further sending of e-mails. He / she may also ask for damages. However, it might be rather difficult to prove an effective financial damage.
  • More common is a criminal complaint with the competent criminal authorities. Intentional infringement of art. 3 para. 1 lit. o Unfair Competition Act is sanctioned with prison of up to three years or a monetary penalty. The sanction will always be a monetary penalty. The penalty amount is dependent on the specific circumstances, i.e. severity of the infringement, first-time infringement vs. repeated infringer, etc.

Spain

In Spain, the law that regulates email communications and direct marketing via electronic means is Law 34/2002, which requires prior consent of the recipient or the existence of a previous contractual relationship between the parties. These rules apply not only to communications whose recipients are natural persons, but to any kind of recipient, even communications sent to a legal person’s electronic address.

Moreover, article 23 of the Spanish data protection law (LOPD) imposes an obligation to consult advertising exclusion lists before any direct marketing campaign. This consultation will not be necessary when the data subject gave their consent to the Controller for receiving this kind of communications.

Chile

Currently, private entities can create and maintain databases for purposes of sending marketing and promotional emails, provided that the data are collected from publicly accessible sources and are required for direct response to commercial communications or marketing, or direct sale of goods or services. However, any individual may require that his/her information be deleted in this case, either permanently or temporarily.

Therefore, under the law, electronic marketing is protected in the sense of establishing that no authorization is required for electronic marketing when the information comes from sources available to the public. In addition, Law No. 19,496 on the Protection of Consumer Rights contains a provision regarding marketing by email (also known as spam). In that case, every advertising or promotional communication sent by email shall specify the subject, the identification of the sender and a valid email address to which the recipient can request the suspension of the advertising communication, which will remain banned from then on (opt-out). Providers of direct promotional or marketing communications to consumers via mail, fax, telephone calls or messaging services shall indicate an expedited way the addressees may request the suspension thereof.

Germany

Article 21 of the GDPR regulates the right of data subjects to object to direct marketing concerning them at any time.

§ 7 UWG (Act Against Unfair Competition) and Art. 13 ePrivacy Directive 2002/58/EG regulate advertising via e-mail (and other channels). Although the UWG is not technically data protection law, § 7 UWG can be understood as an implementation of the ePrivacy Directive. In general, advertising via e-mail without prior express consent is defined as unreasonable harassment and is therefore prohibited. However, under certain conditions direct email marketing within existing customer relationships is possible according to paragraph 3 of § 7 UWG. These cumulative conditions are:

  • the customer has provided his email address to an enterprise in connection with the sale of goods or services,
  • the enterprise uses the address for directly marketing its own similar goods or services,
  • the customer has not objected to the use and
  • the customer is clearly informed when the address is collected and each time it is used that he can object to the use at any time without costs other than the transmission costs according to the basic tariffs.

India

The transmission of voice calls and SMS using telecommunication services is governed by the Telecom Commercial Communications Customer Preference Regulations, 2018 ("Regulations").

The Regulations govern transmission of the following kinds of commercial communications:[51] promotional,[52] transactional[53] and service SMS / calls, and unsolicited commercial communications ("UCC").[54]

For the present context, the Regulations provide that: -

(a) Any commercial communication sent which is neither as per the consent nor as per the preference(s) of the recipient, as registered pursuant to the Regulations, is considered as UCC. The Regulations prohibit any person from sending UCC.

(b) Notwithstanding the above, a person may send promotional communication only after obtaining registration with an access provider and to such customers who have either provided their consent or have chosen to receive such communications.

The Regulations only govern communications via phone and SMS. They presently do not regulate email communications.

Having said the above, the Draft E-Commerce Policy, amongst other aspects, contemplates consumer protection and for the present purpose provides that: -

(a) unsolicited commercial messages on various platforms including emails need to be regulated; and

(b) a legal framework in this regard will be developed.

51 - "Commercial communication" is defined in the Regulations to mean "any voice call or message using telecommunication services, where the primary purpose is to inform about or advertise or solicit business for
(a) goods or services; or
(b) a supplier or prospective supplier of offered goods or services; or
(c) a business or investment opportunity; or
(d) a provider or prospective provider of such an opportunity".

52 - "Promotional messages" is defined in the Regulations to mean "commercial communication message for which the sender has not taken any explicit consent from the intended Recipient to send such messages".

53 - "Transactional message" is defined in the Regulations to mean "a message triggered by a transaction performed by the Subscriber, who is also the Sender’s customer, provided such a message is sent within thirty minutes of the transaction being performed and is directly related to it. Provided that the transaction may be a banking transaction, delivery of OTP, purchase of goods or services, etc."

54 - "Unsolicited commercial communication or UCC" is defined in the Regulation to mean "any commercial communication that is neither as per the consent nor as per registered preference(s) of recipient, but shall not include:
(i) Any transactional message or transactional voice call;
(ii) Any service message or service voice call;
(iii) Any message or voice calls transmitted on the directions of the Central Government or the State Government or bodies established under the Constitution, when such communication is in Public Interest;
(iv) Any message or voice calls transmitted by or on the direction of the Authority or by an agency expressly authorized for the purpose by the Authority."

China

The Advertising Law of the People's Republic of China (《中华人民共和国广告法》) (the “Advertising Law”) is the fundamental law that regulates advertising. Depending on the direct marketing means – email, telephone call, SMS, or pop-up ad on websites – statutes and regulations on particular means, such as the Interim Measures for Administration of Internet Advertising (《互联网广告管理暂行办法》), Administrative Provisions on Short Message Services (《通信短信息服务管理规定》), may apply. In terms of email marketing, the sender shall obtain consent or request of the recipient and the sender shall also disclose its true identity, contact details and the opt-out method in such advertisements distributed via electronic means.[68]

68 - Advertising Law. § 43, 44.

Indonesia

To date, only direct marketing via mobile network is regulated. MCI Regulation No. 9 of 2017 regarding Content Providing Services Operation on Cellular Mobile Network (“MCI Regulation 9/2017”) stipulates that Content Providers may only offer content via a Network Operator, to the potential subscribers that have granted opt-in consent. In the event there are users who have expressed their objection or rejection, the Network Operators are prohibited from transmitting such content.

Email communication and direct marketing via online platforms are yet to be regulated under Indonesian legislation. Although there is no specific provision, through the general principle of consent, the relevant Data Subject may repudiate the consent over the use of his/her Personal Data for marketing purposes.

Portugal

Law 46/2012 on the processing of personal data and protection of privacy in electronic communications, which implemented the ePrivacy Directive, governs the sending of unsolicited communications for direct marketing purposes through the use of automated calling and communication systems without human intervention (automatic calling machines), facsimile machines or electronic mail, including SMS (Short Message Service), EMS (Enhanced Message Service) and MMS (Multimedia Message Service), as well as through other kinds of similar applications.

Pursuant to this Law, sending email for marketing purposes is subject to the prior and explicit consent of the recipient (whenever the recipient is a natural person), except for those recipients to whom the sender has, in the past, sold goods or provided services similar to the ones intended to be promoted and provided that:

a) By the time of the sale or the provision of services the recipients’ contacts were collected, and they were informed, in accordance with the Data Protection Laws, that their contacts would be used for marketing purposes; and

b) At that time as well as in each subsequent communication, they were given the opportunity to opt-out, free of charge and in an easy manner.

Regardless of the above, companies that intend to send e-mail marketing to natural persons are required to keep, on their own or through representative bodies, an up-to-date list of the natural persons that consented to receive this type of communications, as well as of those who did not opt-out afterwards.

Sending e-mail for marketing purposes to legal persons is allowed until they opt-out or they register themselves in a National Opt-Out List for Legal entities. Companies that intend to send e-mail marketing to legal persons are required to consult this List on a monthly basis at

Moreover, it is not permitted to send electronic mail for marketing purposes that disguises or conceals the identity of the sender on whose behalf the communication is made, that does not provide a valid address to which the recipient may opt out, or that encourages recipients to visit websites which do not comply with these rules.

United Kingdom

Marketing activities using personal data have to comply with the Data Protection Act 2018 (DPA 2018) and Privacy and Electronic Communications Regulations (PECR).

Where personal data is processed for the purposes of direct marketing, the data subject has an absolute right to object to the processing. This right should be explicitly brought to the attention of the data subject at the time their data is collected and presented clearly and separately from any other information.

Where the data subject objects to processing for direct marketing purposes, the business should not continue to process the data for such purposes (including any profiling relating to such direct marketing).

In addition, under PECR there are rules governing marketing by certain methods. For example, electronic message marketing (such as by email) and text marketing can only be sent to customers with their consent unless the soft opt-in applies. There are also rules relating to telephone marketing which require the number to be screened against the Telephone Preference Service.

The soft opt-in applies where the details are collected in the context of a sale or a negotiation for a sale and (a) the marketing relates to the same/similar goods/services as those purchased or negotiated; (b) the customer is given the opportunity to opt-out at the time of the purchase or negotiation and in every communication thereafter; and (c) the marketing comes directly from the contracting entity/controller who has sold or is negotiating for the sale of the goods/services, i.e. the same entity. The marketing must relate to similar products or services and the marketing recipient must be given a simple means of refusing marketing at the time their data is collected.

When relying on consent to market, a business should specify the different methods it wants to use, e.g. by email, by text, by fax, by phone or by recorded call. In addition it must ask for specific consent if it wants to pass details to other companies, and it must name or describe those companies in detail.

A business should also keep clear records of consent, and keep a ‘do not contact’ list of anyone who objects, opts out or withdraws their consent.

At the time of writing, a new E-Privacy Regulation is currently being prepared which will impact the above.

Sweden

Apart from the GDPR’s rules on processing of personal data, the Swedish Marketing Act (sw. Marknadsföringslag (2008:486)) is applicable when sending direct marketing. Most of the Swedish Marketing Act’s rules on direct marketing only apply to marketing to natural persons (i.e. individuals and private companies, as they are not legal entities). Direct marketing business-to-business (except private companies), including where a person is contacted in his or her occupational role, is however mainly regulated by ethical rules.

According to article 19 of the Swedish Marketing Act marketing via electronic communication (i.e. e-mail, fax, SMS, MMS or an automatic calling device or any other similar automatic system for individual communication) to natural persons without prior consent is prohibited. An exception exists in the case of contact information that was received by the natural person in connection with a purchase or service, if the following requirements are fulfilled:

  • such natural person has not objected to the use of the e-mail address information for marketing purposes by means of e-mail;
  • the marketing pertains to the trader’s own, similar products; and
  • the natural person has been clearly and explicitly provided the opportunity to object, simply and without charge, to the use of such information for marketing purposes when it is collected and in conjunction with each subsequent marketing communication.

Further, article 20 of the Swedish Marketing Act stipulates that marketing via email shall at all times contain a valid address to which the recipient may send a request that the marketing practice cease. This provision applies in respect of marketing to both natural persons (individuals and private companies) and legal persons.

A trader may use other methods of individual remote communication than those referred to in article 19 unless the natural person clearly objects to the use of such methods.

Recipients that do not want to receive advertisements by post can attach a sticker to their mailbox and/or front door declaring “No advertising please” or a similar statement. In addition, “Nix-Telefon” and “Nix addresserat” are two lists with which individuals who do not want to receive direct marketing via phone or physical post can register.

Greece

Marketing purposes justify processing of personal data, in principle, on the basis of the data subject’s consent. According to Law 3471/2006, as further explained in Directive 2/2011 of the HDPA, and by way of a derogation, e-mail details which were lawfully obtained within the context of product or service sales or any other transaction can be used for direct marketing of similar products or services of the supplier, or in order to serve similar purposes, even when the recipient of such e-mail has not previously provided consent. This is on condition that the recipient is given, in an explicit and distinct way, the possibility to easily opt out, free of charge, of the collection and use of his or her details, either upon the collection of the data or in any other message received, where the user had not initially disagreed to such use.

In Directive 2/2011 of the HDPA certain provisions further explain and clarify how consent provided by electronic means within this context fulfills the conditions of validity. Among others, and with regard to consent for receipt of emails through the internet, certain examples are provided as guidance. Data controllers should confirm that the user has access to this email address, either through an initial informative email to the email submitted as contact email, which contains certain information such as the purpose, the origin and all relevant information etc. Another option is the double opt-in, which is recommended in cases where the consent provided also includes receipt of further services by the user, such as subscription to a webpage with password and username. In this scenario, certain details such as identity and origin of the sender should be included in the initial confirmation email, along with the activation of consent, for instance through an email to a specific address of the data controller, or through a respective URL. Validity of consent depends on activation of consent by the user. Withdrawal of consent should be possible. In this case, new confirmation of the user’s access to the email is not required. Such consent should be recorded in a secure manner for purposes of evidence. Withdrawal of consent should always be available either via email or hyperlink.

Turkey

Electronic marketing communications are regulated under the Regulation on Commercial Communications and Electronic Commercial Communications, which is a separate regulation from the Law no. 6698. Direct marketing activities that are communicated to the receiver’s communication address (e.g. commercial emails or newsletters, text messages and outbound calls) fall within the scope of the regulation and they are bound to certain prior consent.

On the other hand, marketing communications that are not sent to a telecommunication address, such as browser notifications or website pop-ups, are not regulated by the relevant regulation.

Austria

The sending of an e-mail - including text message (SMS) - is prohibited without the prior consent of the recipient if (i) the e-mail is sent for direct marketing purposes or (ii) it is addressed to more than 50 recipients. However, there are exceptions and/or further restrictions to this basic rule, which must be reviewed on a case-by-case basis.

France

Marketing activities using personal data have to comply with the French DPA 1978 as well as with the provisions of the Law No 575 of 21 June 2004 for confidence in the digital economy codified in the Postal and Electronic Communications Code.

Where personal data is processed for the purposes of direct marketing, the prior and express consent to receive email communications from the data subject must be obtained. Such consent shall be freely given, and obtained clearly and separately from any other information.

However, there is an exception to this prohibition principle where the details of the recipient are collected directly from such person in the context of a sale or a provision of services and (i) the marketing relates to the same/similar goods/services as those provided; (ii) the customer is given the opportunity to opt-out at the time of data collection and in every communication thereafter; and (iii) the marketing comes directly from the contracting entity/controller who has sold the goods/services.

In this respect, the CNIL recommends that prior consent be required through a tick box provided that this is not a pre-ticked box.

Where the data subject objects to processing for direct marketing purposes, the business should not continue to process the data for such purposes (including any profiling relating to such direct marketing).

In addition, the CNIL considers that every email communication shall contain the identity of the sender, and a simple means to opt out of receiving further emails (for example through a hyperlink at the end of the email).

The CNIL adopts a more flexible approach where the email communications are sent between professionals. In this case, the prior consent requirement does not apply and it is sufficient to provide simple information at the time the data are collected, as long as (i) a simple means to opt out is provided and (ii) the subject of the email communication is related to the profession of the person contacted.

At the time of writing, a new E-Privacy Regulation is currently being prepared which will impact the above.

United States

In the U.S., federal and state laws limit and regulate the way in which companies communicate with individuals and other businesses for marketing purposes. In particular, these laws regulate the ways in which companies can call, text or fax consumers, as discussed in Question 3.

Telephone communications, including telemarketing calls, autodialed calls, prerecorded calls and text messages as well as fax communications, are regulated by the TCPA, the Telemarketing Sales Rule and individual state laws. The rules pertaining to such communications differ according to the type of communication at issue, such as marketing versus nonmarketing communications.

Email communications are regulated by the federal Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), which establishes requirements for sending unsolicited commercial email, including clearly identifying the email as a commercial email, and gives consumers the right to opt out of commercial email, including prompt compliance with any opt-out request. CAN-SPAM pre-empts state laws, except to the extent they prohibit fraud or deception. In short, TCPA is mostly an opt-in scheme, while CAN-SPAM takes an opt-out approach. Both require certain notices and disclosures and have various other requirements. Email communications may also be protected by ECPA and SCA, which together address interception and compelled disclosure of various electronic communications.

Updated: May 16, 2019