The Ultimate Email SPAM Law Collection - 28 Countries Included

When companies step out to the global scene, many difficulties arise. SPAM law is one of them.

As an email marketer, your best interest is to bring relevant content to your clients. To earn their trust, the content also has to be in a presentable format and with a clear message.

Yet, even if you have the best intentions, some countries might have tricky regulations in place. When failing them, you may be subject to high fines or even criminal penalties.

Thus, this article aims to help you out while you draft your international email marketing strategy.

But first things first.

Note: This masterpiece was written by Anna A. Alexi a content genius from Hungary.

Why SPAM matters?

Currently, SPAM accounts for 56% of all email traffic, according to Statista. SPAM emails cause many serious problems. Excessive email traffic, unrecoverable labor costs, and server overloads are some of them.

However, this is only the tip of the iceberg. SPAM messages are particularly dangerous. Due to their perceived anonymity, SPAM is an effective tool for fraudulent activities. The most common examples are delivering malware, and stealing confidential data.

That is why governments apply strict regulations when it comes to email. When drafting the law, unsolicited commercial activities (advertisement spamming) or crime activities (stealing confidential data) often fall under the same regulation. Thus, it is exceptionally important to abide by the rules in your country of operation, to keep you away from severe penalties.

Before we jump right into the serious matters, let’s define some key concepts to make the digestion of this slightly legal text easier!

Key concepts in SPAM law

There is one very important matter when it comes to sending emails around to strangers, and that is:

Do they want to receive your emails?

If yes, you’ve got the green light.

If not, you might be breaching their privacy that is a criminal offense in some countries.

Opt-out vs. opt-in approach

There are two widely used approaches to gain consent from future recipients of your commercial emails.

The opt-out approach assumes that consent is given until it’s revoked, e.g. by unsubscribing from a mailing list.

The opt-in approach links consent to a particular action. For example, signing up for a mailing list and accepting to receive newsletters. This can happen in two forms: explicit and implicit consent.

Explicit consent

Explicit consent, also known as express or direct consent, gives the individual or business the right to deal with personal data. Consent can be acquired in written or oral form. However, both forms require you to keep a record of consent collection.

A typical example of email marketing is a website registration form. Ideally, you provide customers with a check-box to consent to sign up for your newsletter.

When the opt-in process has one step, so only a registration form is filled out, we talk about simple opt-in. When the registration has to be confirmed via a link sent to the acquired email address, we talk about double opt-in.

Implicit consent

Implicit consent, also known as inferred or indirect consent, is usually derived from your current actions and circumstances.

The best example is when a commercial transaction took place, the recipient purchased something from you. Thus, you can assume that the client is interested in similar products or services in the future.

The exact boundaries for both types of consents are defined in the country laws.

SPAM laws by country

We gathered high-level information on country laws from over 20 countries. In each section you will find the following information:

• Which legislation applies for spamming?
• What are the key requirements of the ruling?
• Which sanctions to expect when breaching the law?

North American SPAM laws

USA – CAN-SPAM Act (2003)

The federal Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), enacted in 2003, prohibits sending commercial electronic messages (CEMs). Unless they comply with the following requirements.

• Content-wise:
• Make the commercial nature of your email clear for the recipient (unless prior consent is obtained),
• Your email must have an accurate header,
• The subject line has to be relevant to the offer in the body of the message, and
• A label shall indicate adult content.
• State a valid physical address of yours, and
• Provide a cancellation option that is processed within 10 days.

One thing that separates the CAN-SPAM act from similar legislation in the EU, Canada or Australia, is its opt-out approach.

You are free to contact individuals or businesses without prior consent. As long as you abide by above-mentioned requirements and don’t use unlawful means to collect email addresses. An example for unlawful means is using an automated email generator.

Finally, be careful with who you hire to handle your email marketing. The responsibility is shared by the company that sends the messages and the one whose product is promoted. In case of breaching the law, fines can go up to USD 16 000 per violation per individual email.

Canada – Anti-Spam Legislation (2014)

Among the different country legislation, Canada has a well-thought-out and a rather rigorous approach to handle unsolicited commercial messages. Canada’s Anti-Spam Legislation of 2014 (CASL) prohibits individuals and businesses from sending CEMs to Canadians without consent.

The law also prohibits:

• To alter transmission data in electronic messages without express consent
• To install computer programs on a computer system or network of information by malware, spyware or viruses hidden in SPAM emails. This also comes under the violation of federal law.

There are three requirements that all emails have to fulfill to comply with the law.

• Explicit or implicit consent, opt-in approach,
• Clear identification of the sender and its contact information in the message, and an
• Option to unsubscribe must be available in each email and shall be processed within 10 days.

It is important to note that the CASL does not only apply to individuals and businesses living or operating in Canada. Anyone contacting people within Canada falls under the legislation. Therefore, federal agencies can report cases to the respective countries, which also have similar SPAM legislation.

Finally, fines for breaching the law can go up to the considerate amounts of CAD 1 million for individuals and CAD 10 million for businesses.

An outstanding case in Canada is that of Compu-Finder. The company received a CAD 1.1 million fine in 2015 for not having consent from recipients and using a mal-functioning opt-out mechanism.

Australia – Spam Act of 2003

Australia’s Spam Act of 2003 prohibits the sending of unsolicited commercial electronic messages. The legislation covers all messages originating from Australia or targeting an Australian address.

To lawfully reach people and businesses with commercial emails you are required to have:

• Explicit or implicit consent, opt-in approach
• Clear identification of the sender and its contact information in the message, and an
• Option to unsubscribe in each email that shall be processed within 5 days.

In lead generation, email address list purchasing is allowed. You might want to check the validity of those lists, though. Yet, it is your responsibility to make sure that consent was obtained via lawful address collection means. E.g. address-harvesting software or lists using such software are strictly forbidden.

Some organizations are exempt from consent regulation, such as government bodies, registered charities and political parties. Nevertheless, the same rules apply to third-party contractors who send out emails on your behalf.

Fines go up to AUD 2.1 million.

New Zealand – Unsolicited Electronic Messages Act 2007

The legislation in New Zealand is defined by the Unsolicited Electronic Messages Act 2007. Being fairly similar to the Australian model, it prohibits spamming with a New Zealand link (messages sent to, from or within the country).

• Explicit or implicit consent is needed, opt-in approach
• List purchasing is possible but records of consent must be available.
• Clear identification of the sender and its contact information in the message, and an
• Option to unsubscribe must be available in each email and shall be processed within 5 days.

Fines for businesses go up to NZD 500 000. In some cases, companies are bound to pay compensation for any loss suffered. Or, pay damages equal to the profit earned sending the SPAM.

It is interesting to note that SPAM can be a single message and does not necessarily have to come in bulk to qualify as unsolicited.

European SPAM laws

European Union – E-Privacy Directive (2002)

In the EU, the Privacy and Electronic Communications Directive 2002, or better known as E-Privacy Directive, gives guidance for the member states on how to protect citizens from SPAM.

As all directives, the E-Privacy Directive outlines general rules that member states are free to adapt to their local legal system. Hence, different SPAM law regulations are in place for all member states.

Article 13 of the Directive prohibits to use email addresses for marketing purposes. Unless,

• Explicit or implicit consent is acquired from the recipient, opt-in approach
• Clear identification of the sender and its contact information are in the message, and an
• Option to unsubscribe is available in each email.

Penalties are always determined by member states.

The significant differences between member state regulations demanded a more harmonized approach. Thus, the regulatory bodies decided to tighten up the laws on collecting, handling and recording of private data. The outcome is the GDPR.

The GDPR

The General Data Protection Regulation (GDPR), due to its nature, is legally binding in all countries and will be legally enforceable from May 25, 2018, onwards.

The Regulation applies to all individuals and businesses in the EU. Regardless of where the sender is based, anyone who acquires email addresses and sends emails to subscribers in the EU falls under the law.

In general, the Regulation imposes stricter conditions than the E-Privacy Directive. The rules on seeking, collecting and recording consent come with higher penalty fees.

• When collecting data, explicit consent is required. It must be “freely given, specific, informed and unambiguous”. Silence, pre-checked boxes, and inactivity won’t work, as it is the case in many member states today.
• You must inform subscribers about the purpose of collecting their data. For example, if a user leaves her email address when downloading a white paper from your site, you cannot use the email address. Unless you explicitly state in the registration form that the email is collected for marketing purposes.
• Consents shall be recorded. Plus a data protection officer shall be appointed where the core activity relates to processing private data.

The Regulation also works retroactively, meaning it concerns data collected in the past. If you cannot prove the consent of your current recipients, you cannot email them anymore.

Not only the requirements but also the sanctions will be standardized. Breaching the law obliges organizations to pay a maximum of 4% of annual global turnover or EUR 20 Million, whichever is greater.

Depending on how severe the law is in the country of your operations, you have to count with significant additional work to make sure you manage your users’ data according to the GDPR.

However, before we rush so fast forward into 2018. Let’s see which legislation you should comply with, in Europe today!

United Kingdom – Data Protection Act (1998)

When it comes to consent the legislation in the UK on electronic messaging is between the US and the European models. It is regulated by the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations 2003 (EC Directive) that require:

• Explicit or implicit consent from the recipient, but pre-checked boxes are allowed,
• Clear identification of the sender and its contact information in the message, and an
• Option to unsubscribe in each email that is executed within 28 days.

In general, the UK also takes an opt-in approach. However, not only the conclusion of sales but negotiation over a product/service is also enough as proof of consent. Moreover, direct marketing emails sent to workplace emails can be sent without consent. As long as they offer an opt-out possibility.

Breach of law is a criminal offense subject and fines go up to GBP 500 000.

France

In France, Article 22 of the “Loi du 21 juin 2004 pour la confiance dans l’économie numérique” provides legal boundaries for spamming.

• Explicit consent from the recipient is required, opt-in approach,
• Clear identification of the sender and its contact information in the message, and an
• Option to unsubscribe must be available in each email. Nonetheless, the deadlines to execute an opt-out depend on the case.

The highest amount of fine is EUR 750 per individual email.

Germany

The German regulation is defined by the Federal Data Protection Act, the Act against Unfair Competition, and the Telemedia Act. In terms of strictness, it is very close to the GDPR.

• Explicit or implicit consent has to be gained in a double opt-in registration,
• Records of consent information must be stored.
• Clear identification of the sender (in the form of a legal notice) and its contact information must be included in each email,
• An option to unsubscribe must be available in each email, and
• Unlike other countries, Germany also requires that companies have a data security officer. The person is in charge of maintaining and enforcing data security standards.

Fines can go up to EUR 4,000 per individual email.

Plus, there are a handful of special restrictions when you send commercial emails in Germany.

• Tell-a-friend, viral emails are not allowed. You cannot ask your clients to forward your emails to friends and acquaintances.
• Strict rules apply to the content of the emails. E.g. the subject line cannot contain words like “free”, “no charge”, “offer”, “sex”.
• Although in general, it is not illegal to buy email lists, the regulation is so strict that it may be easier to compile a list yourself.

The jurisdiction on spamming in the DACH countries (Germany, Austria, and Switzerland) is fairly similar. Germany being the strictest. Therefore, if you plan on reaching all German-speaking countries in Europe, you make no mistake if you abide by the German law.

Austria

In Austria, spamming is regulated by the Austrian Telecommunications Act 1997 and the Federal Act against Unfair Competition 2007. As opposed to the strict German system, Austria takes a more relaxed approach.

• Inferred consent is valid in principle, opt-in approach, however,
• Clear identification of sender, legal notice, and an
• Option to cancel subscription still remains a must.

Should you fail to fulfill the requirements, you are bound to pay a penalty of up to EUR 37 million.

Switzerland

In Switzerland, the Federal Law against Unfair Competition 2007 and the Telecommunications Law – 2003 Amendment set the legal framework for electronic messaging. The regulation is closer to German laws in severity and requires:

• Explicit consent from recipients, preferably with double opt-in registration.
• Furthermore, businesses always have to state in connection with processing clients’ personal data:
• the legality (Is the company authorized to acquire the data?)
• proportionality (Does the company really need all the data they ask for?)
• purpose (What does the company use the data for?)
• and security (Is the data protected from third parties?) of the case.
• Make sure, you clarify the commercial character of your email.
• Clear identification of sender, legal notice, and an
• Option to cancel subscription are also a must.

The Swiss law is particularly severe when it comes to penalties. Breaching the law is a criminal offense, and depending on the seriousness of the case you can face up to three years in prison or CHF 100,000.

Spain

The Spanish Act on Information Society Services and Electronic Commerce 2002 applies to individuals and businesses residing/operating in Spain and the EU and emailing Spanish citizens.

Individuals and businesses outside the EU fall also under the Spanish law. However, they are subject to international treaties and conventions as well.

The Spanish law takes a similar approach to the French legislation with small variations.

• Explicit or implicit consent is required. But pre-checked boxes are allowed to collect consent, opt-in approach.
• Clear identification of sender, contact information in each email and an
• Option to cancel subscription are also a must. The opt-out process has to be concluded within 10 days.

Fines are up to EUR 600 000.

Italy

In Italy, spam law is defined in the Italian Personal Data Protection Code 2003, which also takes a rather severe approach when it comes to penalties.

• Explicit or implicit consent is required, opt-in approach,
• Recording private information or
• Transferring personal data to third parties for marketing purposes shall be asked separately.
• Keep records of consents given is a must.
• Clear identification of sender, contact information in each email and an
• Option to cancel subscription are a must. The opt-out process has to be concluded within 10 days.

Breach of law is a criminal offense and penalties go up to three years of imprisonment and fines up to EUR 90 000.

The Netherlands

The Dutch legislation is specified in the Dutch Telecommunications Act 1998.

• Explicit or implicit consent is required when you message individuals or businesses in the Netherlands, opt-in approach.
• Unless legal persons publicly acknowledge that they want to receive unsolicited CEMs and provide an email address for it, or
• **No prior consent is required from subscribers outside of the EU **. As long as the sender abides by the laws of that country.
• Keep records of consents given is a must.
• Clear identification of sender, contact information in each email and an
• Option to cancel subscription are a must. The opt-out process has to be concluded within 30 days.

An interesting fact in the Netherlands is that also charities fall under the law.
Fines go up to EUR 450 000.

Belgium

In Belgium, the Law of March 11, 2003 requires:

• Explicit or implicit consent from recipients, opt-in approach,
• Except if you message generic email addresses such as info@…, they can be opt-out only.
• Keeping records of consents given is a must.
• If you process the personal data of your subscribers, you are obliged to report to the Commission for the Protection of Privacy,
• The commercial character of the message has to be clear,
• Clear identification of sender, contact information in each email, and an
• Option to cancel subscription are a must. The length of the opt-out process depends on the case.

Fines are up to EUR 50 000.

Norway

The Marketing Control Act 2009, and the Electronic Commerce Act 2003 define SPAM regulation in Norway. They require the following:

• Explicit or implicit consent from recipients, opt-in approach,
• The commercial character of the message has to be clear,
• If prices or discounts are mentioned in the email, special regulations apply.
• Clear identification of sender, contact information in each email, and an
• Option to cancel subscription are a must.

Law infringement is subject to fines and/or imprisonment of up to 6 months unless a stricter penal provision applies.

Turkey

With the Regulation of Electronic Commerce 2014 No 6563, Turkey took a step towards a more secure and transparent e-commerce environment.

The law covers a wide range of privacy protection areas in the digital sphere:

• Electronic communications,
• Liabilities of service providers,
• Contracts concluded electronically,
• Handling of the information provided to consumers, and
• Unsolicited electronic messages.

The regulation in Turkey requires:

• Consent from recipients, opt-in approach, except:
• In B2B emailing, and
• For receivers who were in the system prior to law enforcement
• Purchasing lists is possible but consent from recipients needs to be (re)verified.
• Clear identification of the sender and its contact information in the message, and an
• Option to cancel subscription are always available. They have to be free-of-charge and executed within three days.

Fines range from TRY 1,000 to TRY 15,000. For repeat offenders, it is up to 10 times the individual fine (currently TRY 1000).

Additionally, Turkey recently introduced the [Law on the Protection of Personal Data No 6698] 2016. It defines concepts such as “personal data”, “sensitive data” and “explicit consent”. Also, it regulates the acquisition, handling and storing of such data.

The Data Protection Law is a major step for Turkey towards aligning its legislative framework with the EU Data Protection Directive. However, the law is still far less complex and detailed than the GDPR.

Asian SPAM laws

As we leave the Western World, regulations regarding spamming, and in general handling of personal data, become loose. Countries like Russia, China, India and a couple of Latin American states reject to join global initiatives. One notable example is the Convention on Cybercrime, adopted by the European Council in 2001. ratified by 52 countries worldwide.

These countries constitute the cradle of global spam and malware activities. Therefore, very interesting to examine.

Russia

It is well known in the digital world that one of the worst types of spam comes from Russia. Content ranges from basic ads to malicious viruses. In most cases, Russian SPAM is able to cripple both users and Internet Service Provider (ISP) networks.

For long the only regulatory instrument was the Russian Civil Code (art. 309). It addresses spam issues in the form of contracts between the ISP and the user. Plus it develops codes of “good practice” for any business relationship. Yet, its scope is very broad and it does not impose any restraining force.

Lately, there have been several attempts to impose an antispam legislation in Russia.

• The Antispam project, initiated by UNESCO IFAP (Information for All Programme) National Committee of Russia, aims to draft an antispam legislation with an opt-in approach.
• The draft Federal Act on Regulation of Russian Segment in the Internet proposed that the receiver should have the right to refuse unsolicited information, and should have an option to block such emails free-of-charge. Furthermore, such information shall be precisely and unambiguously identified as unsolicited.
• Another draft proposed is the Federal Act on Electronic Commerce that would require
• the sender to make the commercial nature of the messages clear.
• In case of regular, unsolicited emailing, it imposes administrative fines of three to five months of monthly salary, and * a compensation for any losses caused.
• Fines are likely to increase for repeated administrative infringement.

Finally, the Russian Federal Law on Personal Data and the Federal Law on Advertising, enacted in 2006, were the first real attempts to impose boundaries to sending bulk emails. The latter guarantees that

• The commercial nature of the email is always clearly stated, already in the subject line,
• Consent is needed from the recipient, and
• At the recipient’s request, all distribution of ads shall be immediately stopped.

Nevertheless, regulations are rarely enforced. Due to many exceptions such as political proclamations, market research reports, private announcements, etc.
Furthermore, the text is poorly drafted and very ambiguous. For example, the concept of SPAM is not clearly defined. Or how the operator or the sender should prove that they have the recipient’s consent.

Rules of the Internet Use

In contrast to the soft state regulation, an informal organization the Open Forum of Internet – Service – Providers (OFISP) issued a document, the Rules of the Internet Use. It imposes rather hard, self-control measures on ISPs.

• Obvious and unambiguous consent must be given from the addressee to receive bulk emails.
• Option to cancel subscription shall be assured immediately and free-of-charge.
• Dissemination of the addressee’s information is forbidden.

The Rules of the Internet Use is based on the rules of business. Thus, breaking it means breaking the civil legislation of the Russian Federation. This provides ISPs with the right to end a contract with spammers and revoke Internet access from them.

Looking into the future. The interest of Russian email marketers is also to grow their business. Sending relevant and well-designed content to their recipients will soon be inevitable. Therefore, they slowly approach global standards.

China

The Chinese antispam legislation is defined by the Measures for the Administration of Internet email Services 2006 and the Consumer Rights Protection Law 2013. It applies to all emails sent to Chinese residents and to those who received emails while being in Chinese territory. The requirements for lawful emailing are the following:

• Explicit consent is required, opt-in approach, and
• The permission has to be verifiable and recorded for audit.
• The commercial nature of the email must be clear

• Subject line must contain the word “ad” in English or the Chinese equivalent.

• The identity or origin of the sender may not be intentionally concealed or forged.
• The email must provide valid contact methods including the sender’s email address. Recipients can then send their refusal to receive further emails, which must be valid for 30 days.
• Content:

• Any type of message that contains any type of advertisement falls under the law,
• If there is any external link in the email, there must also be a written guarantee that the message does not contain any spyware. Although the situation of images or thumbnail icons is not clear.

Particular restrictions apply to content in China. They are vaguely defined by Article 57 of the Regulation on Telecommunications. Obvious examples are politically sensitive topics but also everything that is deemed obscene.

Fines go from CNY 10 000 to CNY 30 000 per individual email.

Despite having strict regulation and high fines, there hasn’t been so far any reasonably high profile case. Hence, spamming remains a major problem in China.

Even so, before you engage in email marketing activities in China, make sure to check the very dynamic list of blacklisted keywords. Once you get on the other side of the Great Firewall of China, there is no way back

India

There is no regulation on spamming or data protection in India.

Only the Information Technology Act 2000, section 79 and 43a suggest that an intermediary dealing with personal data has to pay a compensation, in case it fails to protect the data. As well as, under section 67 punishment can be imposed if obscene content is published or transmitted via electronic means.

Penalties include fines up to INR 500 000. Or in case of a second or consecutive conviction, a fine up to INR 1000 000 and up to five years of imprisonment apply.
However, the law is defined very broadly and is only rarely enforced in email marketing cases.

Vietnam

Since according to Statista, Vietnam is the source of most SPAM in the world, it is worth to take a look at its legislation.
The relevant regulations are Decree No. 90/2008/ND-CP 2008 on anti-spamming and Decree No. 77/2012/ND-CP supplementing and amending the formerly mentioned regulation.
The main principles of sending advertising emails are the following:

• Explicit consent is needed, opt-in approach.

• Purpose and scope of use of the email addresses must be stated.

• Clear identification of the sender and its contact information in the message, and

• Advertising emails may only be sent from the electronic addresses and system prescribed by the Ministry of Information and Communications
• The Ministry of Information and Communications shall receive copies of such messages.

• The content must be conformable with law provisions on advertising,

• The subject line must match the content,
• The commercial nature of the email has to be clear, and
• Messages with the same content shall not be sent within 24 hours unless otherwise agreed with the receiver.

• Cancellation of subscription shall be available in each email and executed immediately upon request.

Fines vary between VND 10 000 000 and VND 50 000 000. Except for misusing the name or email address of another organization or individual that amounts to VND 60 000 000 to VND 80 000 000. In severe cases, temporal or permanent suspensions from emailing or advertising activities also apply.

South Korea

The Act on Promotion of Information and Communication Network Utilization and Information Protection (Network Act) defines the South Korean spam legislation. All businesses and individuals residing in South Korea fall under the legislation. Plus foreign organizations, if their domain is Korean, or if they conduct business or promotional activities in South Korea. The provisions are as follows:

• Explicit consent is required and must be renewed every 2 years, opt-in approach,

• Implicit consent is accepted up to 6 months after conclusion of sales
• Purchasing lists is possible but consent from recipients needs to be (re)verified.

• Subscribers must be informed about the purpose of collecting their data, and the duration of storing their data.
• The subject line must contain “advertisement” both in Korean and in English.
• Clear identification of the sender and its contact information shall be available in the message.
• An option to cancel subscription must be always available.

A fine for the negligence of the above-mentioned goes up till KRW 5 million.

Japan

The Regulation of Transmission of Specified Electronic Mail 2002 regulates spamming and data protection in Japan. While the Ministry of Internal Affairs and Telecommunications (MIC) is the main authority.

• Explicit consent is required, opt-in approach,

• Pre-checked boxes are allowed but not recommended,
• Implicit consent is accepted based on previous business relationship,
• Records must be kept of consents given.

• List purchasing is not possible,

• The address has to come from the recipient directly, or it has to be publicly available.

• Subscribers must be informed about the purpose of collecting their data, and the duration of storing their data.
• Clear identification of the sender and its contact information shall appear in the message, and an
• Option to cancel subscription must be always available.

Penalties always depend on the type of violation. Falsifying sender information can cost JPY 30 million for businesses, or JPY 1 million or 1 year of imprisonment for individuals. If a sender does not follow an order from the MIC, the same punishments apply.

On the western coast of the continent, an individual’s privacy is usually protected only by general provisions. Furthermore, such laws were not drafted with the digital age in mind. Thus, Middle Eastern countries lacked proper regulation on data protection and electronic communication.

United Arab Emirates

The UAE is one of the most developed countries in the Middle East. Still, it does not have an extensive regulation on spamming. The Telecommunications Regulatory Authority (TRA) issued the Unsolicited Electronic Communications Policy in 2010 that applies some general rules to control spamming by controlling telecommunication providers.

• Explicit or implicit consent from the recipient is always required, opt-in approach,
• Address harvesting is strictly forbidden, and
• Records of consent given must be kept.
• Providers should always try to reduce the transmission of SPAM through their network.
• An option to cancel subscription must be always available.

The TRA can impose administrative fines up to AED 10 million for violating the Telecommunication Law or its executive order.

South American SPAM laws

Brazil

Brazil is also known as one of the biggest SPAM diffusers. The main reasons are the lack of country regulation and minimal security measures applied by internet users. There is no law in place neither against SPAM, nor against online data theft.

Yet, not so long ago, the country’s federal government approved the Brazilian Civil Right Framework for the Internet. The new framework sets basic principles for data protection in the digital age.

Furthermore, there are several ongoing projects to protect consumers from SPAM.

The Self-Regulation Code for Email Marketing Practices is a project by ISPs. The same example as we have seen in Russia. The code is not legally binding, and the ISPs only agree voluntarily to participate. It contains basic rules to protect internet users and requires to include an opt-out link in every communication sent. Blocking the sender’s domain name applies as possible sanction.

The Consumer Protection Code aims to put boundaries on spamming.

• It prohibits unsolicited commercial emails sent
• Without consent or prior business relationship,
• To people who previously requested not to receive them, or
• If the recipient is registered with an anti-spam system.
• The regulation requests a simple and safe way to cancel subscription, free of charge.
• It shall be recorded how the user’s data was obtained,
• After an opt-out request, the sender is required to immediately stop the communication, and
• The sender also must not share users’ information or data under any circumstances.

Argentina

The regulation in Argentina is defined in the Personal Data Protection Law No. 25,326 (PDPL) and the Regulatory Decree 1558/2001.

When it comes to consent, there is a regulatory tension between the two standards. The PDPL favoring an opt-in and the Regulatory Decree an opt-out approach. The National Directorate of Personal Data Protection decided for an opt-out system. Thus, the rules are the following:

• The recipient must have the right to be removed from any database
• A data removal mechanism must be in place, and
• The right to unsubscribe is clearly stated by two transcripts in Spanish.
• Furthermore, the commercial nature of the message must be clear. The subject line must include “advertisement” and nothing else.

Sanctions include warnings, suspensions, fines from ARS 1 000 to ARS 100 000, and closure or cancellation of the file, register or database. There is precedent for applying fines for breaching the law. However, the authorities usually charge low amounts.
More serious penalties apply in case of violating data privacy. Disclosing data to third parties or insert false data in databases can imply 1 month to 2 years of imprisonment.

African SPAM laws

Internet penetration is the lowest in African countries when compared to the rest of the world. Therefore, regulations in general are quite loose, if any exist when it comes to spamming.

Morocco

Morocco is one of the few countries in North Africa having a data protection regulation. The Law n° 09-08 of 18 February 2009 has a specific section for electronic marketing. It requires:

• Explicit or implicit consent from the recipient, opt-in approach.
• Clear identification of the sender and its contact information in the message, and an
• Option to cancel subscription must be available.

Yet, the law only applies to businesses emailing individuals.

Nigeria

If you own an email address then you have certainly received at least one email from a Nigerian prince. These emails come in all shape and size with the most impossible stories you’ve heard in your life. Let’s see the SPAM regulation of the country, infamous for its scams.

The Nigerian [Cybercrime Act 2015] (https://cert.gov.ng/resources) is a recent legal, regulatory and institutional framework. It aims to overcome the country’s biggest threat phishing. Electronic fraud-related activities cost 0.08% of Nigeria’s GDP, which represents NGN 127 billion. (Deloitte)

The law defines the act of spamming as

an abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages to individuals and corporate organizations.

The law is rather strict. Punishment for spamming is three years of imprisonment and/or NGN 1 million. It defines spamming as an intent to disrupt the operations of a computer, and malicious or deliberate spreading of viruses or any malware.

There is no regulation on unsolicited commercial electronic messages yet.

The Republic of South Africa

In South Africa the following laws address the issue of spamming: the Consumer Protection Act, the Protection of Personal Information Act and the Electronic Communications and Transactions Act.

The Internet Service Providers’ Association (ISPA) is the main SPAM regulating authority. The legislation requires the following:

• Explicit or implicit consent from the recipient, opt-in approach.
• Furthermore, subscribers shall be informed about how their data was obtained,
• Clear identification of the sender and its contact information in the message, and an
• Option to cancel subscription must be available.

Sanctions can be fines (without limit) or in severe cases imprisonment for a period not exceeding 12 months.

The true effect of SPAM laws

Below you can see a graphic with the leading countries of origin for SPAM emails as of 2nd quarter 2017. Based on share of worldwide SPAM volume.

Countries like Vietnam, China and India are the countries with the most SPAM-bots in the world. This can be affected by many issues. The lack of good anti-virus software and proper ISP filtering are some of the main reasons for Asia having the worst botnet infestations.

The same problem goes for Russia. When the first botnets appeared five to ten years ago, Russia based cybercriminals attacked mostly other countries. Nevertheless, managing botnets comes with big money. So since law enforcement in cybercrime is not common practice in Russia, hackers realized: the country is an easy target.

Source: Statista

But what about the Western countries on the graph? Out of the top 10 worst spammers, four are from Europe and North America. It is surprising as data privacy legislation is common practice and has a long history. The US having the second highest SPAM volumes worldwide, can be due to its opt-out system. However, when Germany, with one of the strictest legislation in Europe, comes in fifth place, we might ask ourselves:

Is there a correlation between how severe is a country’s SPAM legislation and how actively it spams other countries?

In short, yes.

Yet, many other factors influence a country’s SPAM volume apart from legislation. Such as the power of authorities, law enforcement practice, security measures applied by ISPs and users, and the list goes on.

Key takeaway

Before you engage in email marketing activities abroad, make sure you are familiar with SPAM legislation in your countries of operation. Still, do not forget that this is not the only aspect you should investigate.

Disclaimer

This article provides a high-level overview of international email SPAM law. Thus, it should not be taken as legal advice. Please refer to the original regulations or contact an attorney for advice on email marketing regulations, or any other legal problems.

Note: This masterpiece was written by Anna A. Alexi a content genius from Hungary.