When it comes to getting the most marketing bang for the buck, email marketing is at the top of the list. A well-crafted email message will not only keep your audience engaged, but it will also generate valuable feedback that will enable you to fine-tune future campaigns.

Effective email marketing requires that you cut through the noise of crowded inboxes without being annoying or spammy. Marketers walking the tightrope between clickbait and conversion must also be aware of consumer protection laws prohibiting certain commercial practices. Bad email practices can cause customers to unsubscribe from your mailing lists and lead to fines and penalties.

Benefits of Email Marketing

The COVID-19 pandemic changed how consumers shop and spend. Post-pandemic, consumers are increasingly shopping online, spending more carefully, and reevaluating their brand loyalty.[1]

These trends are a mixed bag for businesses. On the one hand, there is an opportunity to capitalize on changing customer behavior. On the other hand, businesses are themselves recovering from the pandemic and marketing budgets are still lagging behind pre-pandemic spending.[2]

Businesses thus face the increased challenge of fostering loyalty with decreased budgets. One way to do more with less is to go with a tried-and-true tactic like email marketing. According to Litmus, email return on investment (ROI) is $36 for every $1 spent—higher than any other marketing channel.[3] HubSpot reports that in 2022, more than one-third of brands were planning to increase their email budget.[4]

Spending more on email marketing does not guarantee that your campaigns will be more effective. Companies should pay attention to metrics such as click-through rates, open rates, and conversion rates to gauge email marketing performance. HubSpot additionally recommends drilling deeper into metrics such as subscriber lifetime value and acquisition cost per subscriber. The more data you have about email campaigns, the more you can optimize your strategy and drive better results.

Are Unsolicited Emails Illegal?

Buying or renting email lists is generally a bad idea. Getting thousands of new prospects for relatively cheap may seem like a shortcut to marketing success, but it may not be the best strategy in the long run.

The best customer data (including email addresses) are the data that you personally collect from customers. This is known as zero-party data and first-party data. Second-party data, which you obtain from trusted industry partners, can also be valuable. Third-party data like rented lists can supplement first, second, and third-party data, but accuracy, credibility, and recency are risks.[5]

But is it illegal to email somebody you have not personally received an email address from? It may be, depending on where a customer lives. Under Europe’s General Data Protection Regulation (GDPR), which requires consumers to opt in to emails, purchased email lists are noncompliant and could lead to fines.

Here in the United States, there are no laws prohibiting the sale of email lists, although more states are adopting privacy legislation similar to Europe’s GDPR. However, state privacy laws present new obstacles for email marketers (more on that below).

In short, while it may not technically be illegal to send an unsolicited email to your US customers, getting permission from recipients is considered a best practice. Building your own email list takes more work than buying one, but your efforts will be rewarded with customers who have a genuine and organic interest in your offerings.


US law does not prohibit unsolicited emails, but it does regulate commercial email through the CAN-SPAM Act. The Act applies to all emails that are intended to advertise or promote a business product or service, including emails that promote website content.

Penalties can be up to $46,517 per noncompliant email, so before hitting “send,” businesses should make sure their marketing emails meet the following requirements:

  • No false or misleading email headers. The email’s “From,” “To,” Reply-To,” and routing information (e., originating domain and address) must accurately identify who is sending the message.
  • No deceptive subject lines. The email’s subject line must be in line with the content of the email message.
  • Identify the email as advertising. The email must inform recipients that you are selling something.
  • Provide location information. A valid physical postal address must be included in a marketing email.
  • Let recipients know how they can unsubscribe. Add a “clear and conspicuous” explanation of how recipients can opt out of future marketing emails.
  • Promptly honor opt-out requests. The CAN-SPAM act requires businesses to process opt-out requests for at least thirty days after the message is sent, and to honor opt-out requests within ten business days.
  • Keep tabs on marketing partners. If a third party handles your email marketing, that is not an excuse for not complying with the Act. You may be held legally responsible for marketing emails sent on your behalf.

The Federal Trade Commission enforces the CAN-SPAM Act and answers businesses’ frequently asked questions in its compliance guide.[6]

State Privacy Laws Can Affect Email Marketing

Consumer frustration with loose data privacy practices is driving major changes in how companies handle customers’ personal information. These changes are enshrined in laws popping up across the country and the world.

In 2023, state privacy laws are set to take effect in California, Colorado, Virginia, Connecticut, and Utah. They give consumers more power to protect their personal information and impose new obligations on covered businesses.

To be clear, not all companies must comply with laws like California’s Consumer Privacy Act (CCPA) and the forthcoming California Privacy Rights Act (CPRA). The CCPA, for example, only applies to businesses that meet revenue or user thresholds.[7]

But if the CCPA and similar laws apply to your business, your email marketing could be impacted. Unlike the GDPR in Europe, which requires opt-in consent, US privacy laws are opt-out regimes. That means that when a customer exercises their data privacy rights and opts out of email marketing, businesses must honor these rights—or risk penalties.

Companies that market to customers who live in states with a privacy law should be up to speed on the state’s legal requirements. Some steps that a company may need to take after receiving a customer’s opt-out request include

  • notifying all third parties with which the company shared the customer’s email address,
  • deleting the customer’s name and email address from company records, and
  • no longer using the customer’s email and other personal information.

It is recommended that businesses update their privacy policies, data strategies, security protocols, and third-party agreements before new privacy laws take effect. Meeting requirements in one state or country does not ensure compliance in another jurisdiction.

Do Not Let a Bad Legal Strategy Derail Your Marketing

Nothing can disrupt a marketing campaign more than a regulatory notice stating that you have violated the CAN-SPAM Act, GDPR, CCPA, or other law that affects email marketing.

Our attorneys can help your business implement and follow email marketing best practices that reduce costly legal risks. We can also provide legal defense if you are involved in antispam or privacy litigation. To get help now from our legal team, please contact us and schedule a meeting.


[1] The evolving consumer: How COVID-19 is changing the way we shop, McKinsey & Co., https://www.mckinsey.com/featured-insights/mckinsey-live/webinars/evolving-consumer-how-covid-19-has-changed-us-shopping-habits (last visited Dec. 19, 2022).

[2] Jenna Paton, Marketing budgets: how to do more with less (Sept. 5, 2022), Dotdigital, https://dotdigital.com/blog/marketing-budgets-how-to-do-more-with-less/.

[3] Email Marketing ROI: What leads to better returns? Litmus, https://www.litmus.com/resources/email-marketing-roi/ (last visited Dec. 19, 2022).

[4] Katrina Kirsch, The Ultimate List of Email Marketing States for 2022, Hubspot (Nov. 30, 2022), https://blog.hubspot.com/marketing/email-marketing-stats.

[5] The changing privacy imperatives for zero-, first-, second-, and third-party data, Didomi (Aug. 8, 2022) https://blog.didomi.io/en/zero-first-second-and-third-party-data.

[6] CAN-SPAM Act: A Compliance Guide for Business, Business Guidance Resources, Fed. Trade Comm’n (Jan. 2022),


[7] Calif. Consumer Priv. Act, Off. of the Att’y Gen., State of Calif. Dep’t of Just., https://oag.ca.gov/privacy/ccpa (last visited Dec. 19, 2022).