What Small Businesses Need to Know About Email Marketing Compliance

There are loads of regulations small businesses need to keep track of in order to remain compliant with the law. An area that is easily overlooked is email marketing, which has its own set of rules that require adherence. Anti-spam and privacy regulations are laid out by the Federal Communications Commission (FCC), an independent government agency that “regulates interstate and international communications by radio, television, wire, satellite and cable in all 50 states, the District of Columbia and U.S. territories,” according to its website. Small businesses that engage in email marketing have a responsibility to adhere to these guidelines—otherwise they risk tarnishing their reputations, losing contracts with email service providers (ESPs), and even getting slapped with heavy fines. The following email marketing best practices should be reviewed and implemented to stay compliant with U.S. laws.

CAN-SPAM Act
Passed in 2023, the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act “bans false or misleading header information and prohibits deceptive subject lines. It also requires that unsolicited commercial email be identified as advertising and provide recipients with a method for opting out of receiving any such email in the future,” according to the Federal Trade Commission (FTC). Violating this act has a stiff penalty for businesses – up to $50,120 for each separate email that’s in violation of the law. Adhering to the Act isn’t complex, but you’ll want to ensure you’re following these main requirements as laid out by the FTC:

  1. Email headers cannot contain false or misleading information. The “From,” “To,” and “Reply To” lines, plus any routing information included in the message, need to be accurate and clearly identify the party sending the message.
  2. No deceptive subject lines—these need to clearly indicate the content of the email being sent.
  3. Clearly indicate that the promotional email message is an ad.
  4. Include your valid, physical address. Recipients need to be informed of your postal address, which could be a current street address, registered post office box, or a private mailbox that’s been registered “with a commercial mail receiving agency established under Postal Service regulations.”
  5. Let folks know how they can opt out of getting your emails. This could be a link and language in the footer that simply allows customers to “unsubscribe” from all future emails from your business. You can offer options that let recipients opt out of only certain types of emails, as well.
  6. Address opt-out requests quickly. Per the FTC website, “any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message.” You’ll have 10 business days to honor someone’s opt-out request, and you are not permitted to charge any opt-out fees or require any “personally identifying information” beyond an email address.
  7. If another company is helping you with email marketing, you need to monitor them as well. Just because they’re sending your messages out doesn’t take away your responsibility to adhere to the law.

California Consumer Privacy Act (CCPA)

Updated in early 2023, the California Consumer Privacy Act (CCPA) aims to provide consumers with more control over the personal information businesses are collecting about them. It’s applicable to any business or for-profit entity that collects consumers’ personal data, does business in California, and meets at least one of these thresholds, per Wikipedia: “Has annual gross revenues in excess of $25 million; buys, receives, or sells the personal information of 100,000 or more consumers or households; or earns more than half of its annual revenue from selling consumers’ personal information.” This Act is stricter than CAN-SPAM, as email marketers must adhere to the following requirements in order to remain compliant:

  1. Customers need to be informed before or when you are collecting personal information, which includes an email address. You must tell them how you’ll be using this information and provide a link to your company privacy policy.
  2. Customers need to be notified of their CCPA rights.
  3. Allow folks to opt out of sharing/selling their personal information.
  4. Allow customers to unsubscribe from your marketing emails.
  5. Ensure safeguards are implemented to protect a customer’s personal information, including email addresses.
  6. Get the data collection and privacy policies of any third-party vendors you work with who have access to your customer data, and reference them in your privacy policy.
  7. Ensure your email marketing platforms and software are equipped with CCPA compliance tools.
  8. Review the Purpose Limitation within the CCPA, and only send emails in line with the original purpose the customer opted into when they elected to receive messages from your business.
  9. Immediately stop sending emails—and let all third parties know—as soon as a customer unsubscribes or asks your business to delete their information.

As a small business owner, it’s critical that you stay current and compliant with all the latest rules and regulations. You can count on ARF Financial to keep you up to speed, plus you can always visit the Small Business Administration’s (SBA) website for the most important information your business should know. From filing requirements to licenses and recertifications, the SBA houses a treasure trove of content to keep you running right.