Are You Emailing Customers? Make Sure to Protect Their Information

Protecting Your Customers' Privacy

Disclaimer: I am not an attorney, so please do not consider anything written here to be legal advice. For any questions regarding privacy laws or anti-spam laws, please contact an attorney.

Raise your hand if your inbox has been filled with privacy policy updates over the past couple months. (I’m raising both hands over here.) If you’re anything like me, you probably skimmed the subject line, clicked “Delete”, and didn’t give it a second thought.

But, if you collect your customers’ data and send them emails, you might want to pay a little more attention. There’s a reason your inbox was flooded with those emails – the European Union (EU) started enforcing its General Data Protection Regulation (GDPR) on May 25, 2018.

If you deal with anyone in the EU at all, I strongly recommend that you look into GDPR and make sure you’re compliant. For the rest of this post, however, I’m going to focus on the good ol’ US of A.

It’s Not as Simple as Clicking “Send”

When a customer gives you their email address or other personal data, they expect you to keep it private and treat it respectfully and fairly. If you don’t, you could lose your customers’ trust, or worse, you could get sued.

So, it’s important to keep an eye on any changes and updates to privacy laws and anti-spam laws to make sure you’re compliant.

Privacy Laws

When you collect your customers’ information (which is vital if you plan on ever communicating with them), it’s important that you set up a privacy policy. It’s so important that you’re required to post one if you have a commercial website (you can find our privacy policy at the very bottom of our site).

It’s important to let your customers know what information you’re gathering from them and why. Make sure that you’re fulfilling any promises you make to your customers.

Some states have their own privacy laws, so you’ll want to make sure you comply with those, too.

Anti-Spam Laws

The Federal Trade Commission (FTC) spells out some pretty specific requirements if your business emails anyone. You can find these requirements in the CAN-SPAM Act. If you violate the act, each separate email in violation could cost you up to $41,484. Non-compliance is not worth the risk.

The CAN-SPAM Act spells out seven main requirements:

Don’t Use False or Misleading Header Information

When you’re sending an email, your “From,” “To,” and “Reply-To” fields must accurately portray you. In other words, when we (Workful) send you an email, you’ll always see “Workful” in the “From” field. You’ll never see your brother’s name, some other company, or anything else.

Don’t Use Deceptive Subject Lines

Your email subject lines should always reflect the content of your email. You can’t put “Free earrings” in the subject line if you have no intention of giving anyone free earrings.

Identify the Message as an Ad

The CAN-SPAM Act doesn’t really spell out what this means, so you don’t have to put “This is an ad” at the top of every email. But, you shouldn’t try to make the email seem like a personal email when you’re really trying to sell something.

Tell Recipients Where You’re Located

Your emails have to include your mailing address – whether it’s a street address or a post office box. The easiest way to do this? Put your address in the footer of your email.

Let Recipients Know How to Opt Out of Future Emails from You

Your recipients gave their information to you voluntarily, and they should be able to take it away just as easily. Any email you send should include a clear way for your recipients to opt out of any future messages from you.

A lot of email-marketing platforms, like Mailchimp, will automatically include a link in each email that will allow recipients to opt out with the click of a button. If you’re not using an email marketing platform, you can have a note at the bottom of every email telling people to respond with “Unsubscribe” to opt out of future messages from you.

Honor Opt-Out Requests Promptly

It’s not enough to give recipients the option to opt out of your emails; you have to actually take them off your list.

What does promptly mean? According to the FTC, it means that the opt-out method must process opt-out requests for at least 30 days after the message was sent. And, you must honor all opt-out requests within 10 business days.
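As an added example (not code from the original post), this Python sketch turns the two FTC timing rules above into checks an email system can run: whether a request arrived within the 30-day window in which the opt-out method must still work, the 10-business-day deadline for honoring it, and a suppression list consulted before every send. The send dates and addresses are constructed samples, and the business-day count ignores holidays.

```python
from datetime import date, timedelta

# Constructed sample data: when each campaign message was sent.
SENT = {"msg-001": date(2018, 6, 1)}

# Recipients who have opted out; every outgoing message is gated on this set.
SUPPRESSED = set()

OPT_OUT_WINDOW_DAYS = 30          # opt-out method must keep working this long after sending
HONOR_WITHIN_BUSINESS_DAYS = 10   # requests must be honored within this many business days


def add_business_days(start, n):
    """Return the date n business days (Mon-Fri) after start; holidays are not modelled."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def opt_out_status(message_id, requested_on):
    """Classify an opt-out request against the message it responds to.

    within_required_window: the request arrived no later than 30 days after sending,
    so the opt-out mechanism is required to still be working.
    honor_by: the last day on which the request may be processed.
    """
    sent_on = SENT[message_id]
    within = requested_on <= sent_on + timedelta(days=OPT_OUT_WINDOW_DAYS)
    deadline = add_business_days(requested_on, HONOR_WITHIN_BUSINESS_DAYS)
    return {"within_required_window": within, "honor_by": deadline}


def record_opt_out(address):
    """Add a recipient to the suppression list, normalised so 'Alice@X' and 'alice@x' match."""
    SUPPRESSED.add(address.strip().lower())


def may_send(address):
    """Check the suppression list before any marketing message goes out."""
    return address.strip().lower() not in SUPPRESSED
```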

Monitor What Others Do on Your Behalf

Does another company handle your email marketing? That’s fine; nothing illegal about that. However, you’re still legally responsible for complying with the CAN-SPAM Act, so make sure the company you hire is doing what they’re supposed to.

5 Quick Tips to Help You Protect Your Customers’ Information

Okay, now you know why you have to protect your customers’ information. But, how do you go about doing that? Here are five quick tips to get you started:

Conduct a Data Audit

Before you collect any more customer data, take a look at what you already have. Review what information you’re collecting, what information you actually need to collect, and how you’re storing that information.

After you review how you’re storing the information, you should also look at who has access to the information. If only marketing needs the information, then why does John in shipping have access?

Don’t Collect What You Don’t Need

Now that you know what information you’re collecting, stop collecting any information you don’t need.

Maybe you’re collecting birthdates because you might need them later. If you don’t need anyone’s birthdate now, stop asking for it.

The less information you have, the less you have to worry about in the case of a data breach (which can, unfortunately, happen).

Post a Privacy Policy

As we mentioned earlier, you’re required to post a privacy policy if you have a commercial website.

But now, you might have a couple of questions.

Where Should I Post My Privacy Policy?

It’s common for companies to post their privacy policy in their website’s footer (like we do).

But, you can be even more proactive by also including a link to the privacy policy on your email newsletter signup form. You can even have a checkbox for users to say they have read and accepted your policy before they can sign up for your newsletter.

What Should I Include in My Privacy Policy?

Now, you can’t post a privacy policy if you don’t have one. At the very least, your policy should include:

  • the kind of information you’re collecting,
  • why you’re collecting that information,
  • what you’ll do with the information,
  • how the information may be shared with other parties,
  • how the customer or subscriber can review and edit their own information,
  • the privacy policy’s effective date,
  • a description of any changes you’ve made to the policy, and
  • the dispute resolution procedures if the customer or subscriber has a problem with how their information is being used.

If you don’t know where to start, take a look at your competitors’ privacy policies and start there. You can also use a company like TRUSTe to help you create a privacy policy. I also strongly suggest you have an attorney review your policy.

Let Customers Complain

Did you notice the part where I said your privacy policy should include “the dispute resolution procedures if the customer or subscriber has a problem with how their information is being used?” No matter how airtight your privacy policy is, somebody out there is going to have a problem with it and claim you’re doing something with their information that you shouldn’t be doing.

So, you have to have a process in place to let them tell you about their issues with it. It can be as simple as giving them a specific email address or providing an online form to fill out. No matter what method you use, however, make sure you take each complaint seriously and respond to it professionally and calmly.

When in Doubt, Bcc

If you’re using a standard email client (like Outlook or Gmail), then be extra careful when you’re emailing multiple people at once.

If you’re not making an introduction, then use the blind carbon copy (Bcc) field instead of “To” or “Cc”. When you use “Bcc”, the people you send the email to will not be able to see each other’s email addresses. If you don’t do this, then someone on that list could add those addresses to their own email list and start spamming them, and you will have broken your promise to keep their information private.
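The same Bcc rule applies when a script sends the mail, so here is an added example (not from the original post) using Python’s standard email library: the recipient list goes only into the SMTP envelope, never into a header that travels with the message, and a check confirms no recipient address appears in the headers. The addresses are constructed samples.

```python
import smtplib
from email.message import EmailMessage


def naive_bulk_message(sender, recipients, subject, body):
    """The mistake the post warns about: every recipient is visible in 'To'."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def build_bulk_message(sender, recipients, subject, body):
    """Build one message for many recipients without exposing them to each other.

    Returns (message, envelope). The envelope is the list handed to SMTP as RCPT TO;
    it is not written into the message, so no recipient learns the others.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender        # each recipient sees only the sender's own address here
    msg["Subject"] = subject
    msg.set_content(body)
    # Deliberately no msg["Bcc"]: a Bcc header that is transmitted leaks the whole list.
    envelope = sorted({r.strip().lower() for r in recipients})
    return msg, envelope


def leaks_recipients(msg, recipients):
    """Return the recipient addresses that appear anywhere in the message headers."""
    headers = "\n".join(f"{name}: {value}" for name, value in msg.items()).lower()
    return [r for r in recipients if r.strip().lower() in headers]


def send(msg, envelope, host="localhost", port=25):
    """Deliver via SMTP; recipients come from the envelope list, not from headers."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg, from_addr=msg["From"], to_addrs=envelope)
```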


Privacy is a big deal. When you handle customers’ information, you should take privacy and anti-spam laws very seriously. Take the necessary steps to keep your customers’ information safe and secure, and only email them important and relevant information to avoid spamming them.
