October 2020 - Email Marketing | Email | Data Protection & Privacy

How Not to Get Your Fingers Burned When Sending Commercial Emails

The legal team of the CSA Complaints Office looks at the importance of consent, documentation, and opting in and out for senders of commercial emails.

In 2019, 96 percent of the complaint cases at the Certified Senders Alliance (CSA), a certified-IP listing project to ensure the quality and compliance of commercial emailing, ended in a notification to the sender, which means that one or more aspects of the email in question violated the CSA criteria. Around two-thirds of these were in connection with legal issues.

The legal violations that were subject to notification in 2019 can be broken down into issues related to insufficient permission data (46%), consent declaration (24%), the imprint (16%), the opt-out notice (10%), and other issues (4%).


Why is it essential to document consent?

Why exactly are issues with the documentation requirements for consent to the receipt of commercial emails a problem? Often senders run into issues because they cannot prove when and where they received consent to use a specific email address. The burden of proof of consent is on the sender and can result in fines (in Europe, these are issued by data protection authorities) or notifications (issued by the CSA/the eco Complaints Office) if documentation of consent is incomplete or missing.

In practice, that means – to be on the safe side – consent must be confirmed using a double-opt-in (DOI) procedure. The DOI email should include the date, time, and source (e.g., online form) of the consent, the text of the declaration of consent, and a confirmation request. It should not include any form of advertising.

Understanding consent

Consent must be active (e.g., no pre-selected checkboxes), separate, free (genuine free choice), informed (what will happen to the user’s data?), precise, and must include a notice on how to revoke consent.

What exactly is meant by ‘precise’ has been the subject of numerous recent court rulings. Take, for example, providing information about sponsors. In some cases, sponsors can be other companies that will also be able to access the data provided by that particular record of consent – however, only a small number of sponsors (up to eight – to stay on the safe side) can be included as recipients of the data. The short list of sponsors can be confirmed with just one click; they don’t need one each.

Another stumbling block is often how precisely an industry has to be designated. Car accessories and baby food are usually considered precise enough, but German courts have criticized designations such as financial services and pension funds. At the CSA, we recommend being as exact as possible.

Live collection of email addresses – ensuring documentation of consent

When collecting addresses live, e.g., at a stand in a shop, it is worth collecting email addresses electronically. Then there is explicit consent and no mistakes can be made in manually mistyping addresses. These addresses should be confirmed by promptly sending a DOI email. In the past, courts have reprimanded the first use of email addresses months after they were first collected. Likewise, DOI emails should ideally be sent within a few hours of the person first signing up, e.g., for a newsletter. Two weeks later is too late.

The cost of not having consent

Documenting consent effectively really is crucial. It avoids complaints, avoids fines, and also ensures that the sender’s good reputation is maintained. The penalties can be very high: recently, Woolworths had to pay a fine of over AUD 1 million in Australia for sending emails without consent, and even continuing to send them after customers had complained or withdrawn consent. This year, a German health insurance company sent emails without consent to ‘merely’ approx. 500 people and was fined EUR 1.24 million.

Who’s responsible for proving (the lack of) consent?

How can the CSA be sure, when it is investigating a complaint, that the consent documented is authentic? The burden of proof lies with the sender, and here is where the necessity of documenting consent becomes clear. The CSA checks complaints about emails received without consent by forwarding to the complainant the proof of consent that the sender provided to the CSA. The complainant can then comment on the authenticity of that proof.

Senders should also make sure they don’t just track and record when and where they collected an email address, but also the original text of the declaration of consent (e.g., on an online form) and any other data required to authenticate the consent (e.g., encryption keys). Terms of service or privacy policies, however, are not part of this documentation of consent. Everything the owner of the email address has agreed to should be in the declaration of consent.

If the sender has acquired addresses from another source, then the sender is still the party that is subject to the burden of proof and must be able to provide opt-in data to the CSA, if required to do so. Therefore, the source must provide the sender with all of the necessary documentation of consent.

Single opt-ins are not accepted by the courts, as there aren’t enough data points to identify the person providing consent, e.g., on a website. Saving an IP address is not sufficient.

When consent is not necessary – a customer relationship as a further legal basis

Another legal basis for sending marketing emails is the existence of a customer relationship. If an email is sent to an existing customer, a separate declaration of consent is not required, as long as specific legal requirements are fulfilled. 

These are: 

  1. A current customer relationship,
  2. The promotion of similar products or services only, and
  3. The opt-out notice must be included when collecting the data as well as in every subsequent email (and, of course, no previous opt-out from the recipient!).

The existing relationship must be based on a completed (and paid) sale. A customer who has put items into a shopping basket and hasn’t actually completed the purchase is not considered to be an existing customer.

Can consent and an existing customer relationship be combined?

Even though it is theoretically possible to send a newsletter based on an existing customer relationship, despite no explicit consent being given, it can lead to confusion and perhaps irritation if a newsletter is sent after, for example, an online purchase, even though the customer did not tick the checkbox subscribing to the newsletter.

This is best avoided by putting a statement concerning the use of data based on the customer relationship next to the newsletter consent request. That way, the data subject is clearly informed right from the start and can either request a newsletter or other advertising explicitly or choose to opt out of further marketing emails based on the customer relationship.

Opting in and opting out

The importance of opt-out notices in marketing emails

Issues with opt-out notices (or the lack thereof) account for one-tenth of the legal violations of the CSA requirements. There are, however, precise requirements for when, where, and how to include an opt-out notice. It must be included with the consent declaration (in direct proximity, not at the bottom of the page or a link away; it can be linked to in a Terms of Service text, however it must be easy to find). Precise information on how to revoke consent must be provided, and revoking consent must be as simple and easy as opting in, so ideally with just a click of a button. An opt-out option can be used at any time with future effect (obviously you cannot opt out of emails you have already received).

The same applies to transactional emails in some cases: If such an email can be categorized as advertising, then it must include an opt-out notice (and requires consent to be sent in the first place).

There are different requirements related to opt-out notices when the permission is based on a customer relationship. An opt-out notice must be provided both when collecting data and when using said data. What is specific to the customer relationship scenario is that the following phrase must be included in the notice: “without incurring costs other than transmission costs at base tariffs”. This is required by the ePrivacy Directive and is backed up by court decisions. Saying you can opt out for free or at no cost is not sufficient. This wording is not required for emails sent based on consent; however, it does no harm and covers all bases.

A double opt-out? – Damned if you DOO

A double opt-out is something brands ask for as they are worried about accidental opt-outs, e.g., when a newsletter is forwarded, and the new recipient opts out and unsubscribes the original subscriber. However, while a double opt-in is highly recommended, a double opt-out is most definitely not. While not illegal in all cases, customers are often annoyed by receiving a second email asking them to confirm their opt-out, and they just mark the email as spam. This ends up impacting negatively on the sender’s reputation.

Another common request from brands is to use a “confirmed opt-out,” sometimes combined with information on the option to re-subscribe. However, depending on the formulation, this might be interpreted as advertising and is therefore prohibited. Even if the formulation is neutral enough not to be considered advertising, it may still irritate recipients and end up being marked as spam with the knock-on effect on reputation.

Note that the opt-out must be implemented within five working days at the latest, according to the CSA Rules.

The small print

Imprint (or legal notice, footer)

Around a sixth (16%) of the violations of the CSA’s legal requirements in 2019 complaints cases were related to imprints, the legal information provided at the end of an email identifying the sender.

The purpose of an imprint is to make the relevant entity (legally) identifiable. Usually, the following details are required:

  • Legal structure/company type, with relevant registry entries
  • Contact details, including the physical address and – most importantly – an email address and a valid phone number or link to an electronic contact form
  • Sales tax ID number, etc., if applicable in your country

The full text must be provided, not merely linked to. The information must be easy to find and be easily recognizable as the imprint.

The further contents of the imprint are dictated by local law, not by the CSA, as the local legal requirements differ from country to country. For example, German law requires that the business’ commercial registration number be included in the imprint (Impressum). Other jurisdictions may not require this.

Here is an example of eco’s imprint (which is fully compliant with German law):

eco – Association of the Internet Industry 
(eco – Verband der Internetwirtschaft e.V.)
Lichtstrasse 43h, 50825 Cologne, Germany
Email: info@eco.de
Phone: +49 221 – 70 00 48-0
Association Registered in Cologne, Germany – Reg. Nr. 14478
Value Added Tax Number: VAT-ID: DE 182676944
Executive board: Oliver Süme (Chair), Klaus Landefeld (Vice-Chair), Felix Höger, Prof. Dr. Norbert Pohlmann 
CEO: Harald A. Summa 
Managing Director: Alexander Rabe

The CSA recommendations for imprints consider the most common requirements worldwide. Make sure that you include all elements required by your own jurisdiction.



Astrid Braken is an attorney and has been the Legal Counsel for the Certified Senders Alliance (CSA) since 2019. After her legal training, she worked for different representatives of the German Bundestag and for associations in the telecom sector. At the CSA, she is responsible for legal issues and does the legal checks during the certification process. She regularly writes legal articles for the CSA on the subject of email marketing and she advises CSA senders on legal matters.

Sebastian Fitting is an attorney and joined the eco Complaints Office team in 2013. In addition to working on reports about illegal or harmful Internet content and complaints about unwanted commercial email, he serves as the law enforcement liaison for the Complaints Office, which he also represents in other cooperative projects. Sebastian has worked on publications and workshops about the legal framework for the CSA and on the CSA regulations regarding email marketing.

Alexandra Koch-Skiba has been registered as an attorney since 2005. During her legal education, she specialized in criminal law and the law of the protection of minors. As the Head of eco’s Complaints Office, she is in charge of the hotline’s management and of supporting the report handling, in particular in regard to legal issues. She represents the hotline on the European and national levels, e.g. at European networks, when liaising with law enforcement and other relevant stakeholders, and at events. Moreover, she represents eco on topics related to youth protection on the Internet.

Peter-Paul Urlaub is an attorney and a legal consultant at eco’s Complaints Office. His most recent degree at the University of Oldenburg specialized in legal aspects in IT and Internet compliance. At the Complaints Office, his responsibilities are ISP relations and training new staff, in addition to report handling. He is also responsible for technical compliance and innovation. Additionally, Peter-Paul is currently the Treasurer of and the Complaints Office’s representative at INHOPE, the global umbrella organization for complaints hotlines.