International Email Sending: Best Practices Explained

• Double opt-in is effectively required.
• Courts have ruled that companies must prove consent—and double opt-in is the best way to provide that proof.
• Failing to use double opt-in could expose businesses to legal risk, especially under German consumer protection law and the Telemedia Act.

• Similar to Germany, Austria follows a strict interpretation of consent.
• While not explicitly mandated in law, double opt-in is strongly recommended to prove permission was granted.

• Like Germany and Austria, Swiss laws strongly favor explicit consent.
• Double opt-in is not legally required, but it’s often expected as the industry standard

• GDPR (General Data Protection Regulation) requires clear and affirmative consent.
• Double opt-in is not mandatory, but it’s one of the safest ways to document valid consent.
• If a dispute arises, the burden of proof is on the sender.

• Requires express consent in most cases.
• Double opt-in is not legally required but is a highly recommended safeguard under CASL.
• Businesses must maintain detailed records of consent.

• Requires express consent in most cases.
• Double opt-in is not legally required but is a highly recommended.
• Businesses must maintain detailed records of consent.

Same as above: GDPR applies. Double opt-in is not mandatory, but can protect your business.

• Does not require opt-in at all (you can send the first email without prior consent).
• However, you must include an opt-out mechanism and honor unsubscribes promptly.
• Still, many U.S. businesses use double opt-in voluntarily for better deliverability and to build trust, this is considered a best practice (required by many ESPs as part of their contractual anti-spam policies).

• Requires explicit or inferred consent.
• Double opt-in is not legally required, but again, it’s safer when explicit consent is needed.

• Strict data localization laws (Federal Law No. 242-FZ).
• Personal data of Russian citizens must be stored and processed on servers physically located in Russia.
• Applies to any website or service targeting Russian users—even if the company is based abroad.

• Data localization laws under the Cybersecurity Law and PIPL (Personal Information Protection Law).
• Data collected in China—especially personal and important data—must be stored in China.
• Cross-border data transfers require security assessments or user consent.

• Proposed data protection laws (like the Digital Personal Data Protection Act 2023) include data mirroring or local storage requirements for sensitive personal data.
• Final implementation details still evolving, but India is trending toward stricter localization.

• Requires domestic hosting of data for apps, platforms, and services used by Iranian citizens.
• Generally limits use of international cloud services.

• Requires certain public sector and strategic electronic data to be stored domestically.
• Private companies may still host data offshore with government approval, but there are gray areas.

• Requires local data storage for payment and financial services.
• Broader personal data localization is debated but not yet mandated in general.

Law mandates storage of personal data of citizens on servers located in Kazakhstan.

• LGPD (Lei Geral de Proteção de Dados) does not require data localization, but imposes strict rules on international data transfer, which may affect cloud-based marketing tools.
• Transfers outside Brazil must be based on adequate protection or standard contractual clauses.

• Clear and concise language explicitly stating data will be stored out-of-country.
• Transfer of data outside of Japan must have adequate protection or standard contractual clauses.
• Recognizes EU as an adequate destination and has a mutual adequacy agreement with the EU and GDPR.

You must have a legal reason to collect and use someone’s email address. For email marketing, the most relevant bases are:

• Consent (most common): The person actively agreed to receive marketing emails.
  • Freely given
  • Specific
  • Informed
  • Unambiguous
  • Given via a clear affirmative action (e.g., ticking a box)
  • Legitimate interest (possible in B2B contexts): Must balance your business interests with the individual’s privacy rights and offer an easy opt-out.

What exactly constitutes consent and what type of data should you be collecting in the event you are asked to prove consent?

• Opt-in — not opt-out
  • Pre-ticked boxes or bundled consent are invalid.
  • You should document consent for each consent interaction:
  • Time
  • Date
  • Source
  • IP address
  • If targeting certain countries like Germany or Austria, double opt-in is required.

Every marketing email must include a clear and easy way to unsubscribe. Once someone unsubscribes, you must stop sending them emails immediately.

GDPR has clear definitions around transparency requirements when collecting subscriber information.

• When collecting an email, you must:
  • Inform users what you’ll do with their data
  • Link to your Privacy Policy
  • State how they can withdraw consent and how long their data will be retained

Once data is obtained, how you store that data is also governed by GDPR.

• Store personal data (like email addresses) securely
• Limit access internally
• Ensure your email service provider is GDPR-compliant (through a Data Processing Agreement)

A major consideration for companies when choosing ESPs/email platforms is where customer data will reside. Important to have your legal team engaged in those discussions early so considerations like cross-border data transfers can be considered.

• If your tools or platforms store data outside the EU:
  • You must use safeguards like Standard Contractual Clauses (SCCs) or verify they’re part of the EU-U.S. Data Privacy Framework
  • Inform users that their data may be transferred internationally

GDPR sets some strict requirements in data gathering, so know that they are serious about the paper trail as well.

• Keep a record or records of consent for each email subscriber
• Be prepared to demonstrate GDPR compliance if audited

Email subscribers have the right to:

• Access their data
• Correct inaccurate info
• Delete their data (“right to be forgotten”)
• Restrict processing
• Port their data to another service
• Object to marketing emails

Ensure your program has the ability to comply with these requirements before entering into a region.

Under GDPR, there’s no fixed time limit for how long you can keep consent for email marketing — but you must not keep it longer than necessary to legally conduct business, and it must only remain valid for as long as you rely on it.

Here’s what that means in practice:

• As long as you’re actively using it to send consented business communications to valid recipients (i.e., you’re sending emails, and the person hasn’t unsubscribed).
• Consent must be refreshed periodically if the subscriber has been inactive for a long time (e.g., hasn’t opened an email in 1–2 years).
• You must retain a record of consent for as long as you use it to conduct legal and lawful communications —this includes:
  • Who consented
  • When and how they consented (timestamp, form used, IP address)
  • What they were told at the time

• Strong guidance from CNIL (France’s data protection authority).
• Recommended not to send international emails late at night or early morning (typically before 6 AM or after 10 PM).
• Not an explicit legal ban, but violating these norms could be seen as intrusive and risky under GDPR and consumer protection laws.

• Similar to France. The Spanish Data Protection Agency (AEPD) recommends avoiding nighttime messaging.
• No hard law, but guidance encourages respectful hours (e.g., 8 AM–10 PM).

• Law 19.496 (Consumer Protection Law) prohibits sending commercial communications on Sundays and holidays.
• Also requires senders to respect business hours (though exact time windows aren’t strictly defined).

• The Garante (data authority) emphasizes avoiding intrusive times.
• While not enforced as a formal blackout, emails sent outside typical business hours can be viewed negatively and raise compliance risks under GDPR.

• There are no formal blackout hours under China’s anti-spam laws, but in practice:
  • SMS marketing is restricted between 9 PM and 8 AM.
  • While email is less regulated time-wise, the same general standards often apply to digital messaging.

• TRAI (Telecom Regulatory Authority of India) enforces blackout hours for SMS (9 PM–9 AM), but email marketing has no explicit timing restrictions.
• Best practice is to align email campaigns to respectful business hours (10 AM–8 PM).

• Japan’s Anti-Spam Law (Act on Regulation of Transmission of Specified Electronic Mail) does not specify time-based restrictions.
• But: Cultural & Business Norms Matter
  • Japanese culture places high value on etiquette and non-intrusiveness.
    • Avoid early mornings (before 8 AM)
    • Avoid late nights (after 9–10 PM)