GDPR, CAN-SPAM, and CASL with AWS SES

The world of email marketing is governed by various laws and regulations designed to protect consumer privacy and prevent spam. As an Amazon Web Services (AWS) Simple Email Service (SES) user, it's essential to understand and adhere to these regulations to maintain a good sender reputation and avoid potential legal consequences. This comprehensive guide will delve into the General Data Protection Regulation (GDPR), the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), and the Canadian Anti-Spam Legislation (CASL), offering insights on how to achieve email compliance when using AWS SES.

What is the General Data Protection Regulation (GDPR)?

The GDPR is a European Union (EU) regulation that provides comprehensive privacy and data protection rights to individuals within the EU and the European Economic Area (EEA). The GDPR impacts email marketing in several ways, particularly regarding the collection, processing, and storage of personal data. As an AWS SES user targeting EU and EEA customers, it's crucial to adhere to the GDPR's requirements.

To comply with the GDPR, start by obtaining explicit and informed consent from your subscribers before adding them to your email list. This can be achieved through a double opt-in process, where users confirm their subscription through a confirmation email. Be transparent about the purpose of your email marketing and the type of content you will be sending. Additionally, provide an easy and clear method for recipients to withdraw their consent and unsubscribe from your email list at any time.

The GDPR also requires businesses to implement appropriate security measures to protect personal data. With AWS SES, you can take advantage of Amazon's built-in security features, such as encryption at rest and in transit, to help protect your subscribers' data. Ensure that you have a clear data retention policy in place and only store personal data for as long as necessary for the specified purpose.

What is the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)?

The CAN-SPAM Act is a United States federal law that establishes rules for commercial emails and gives recipients the right to opt out of receiving future messages. The Act applies to all commercial emails, including bulk messages and individual emails sent to customers or prospects.

To comply with the CAN-SPAM Act, you must include a valid physical postal address in every email you send. This can be your current street address, a registered post office box, or a private mailbox you've registered with a commercial mail receiving agency. Furthermore, ensure that your email's subject line accurately reflects the content of the message, as misleading subject lines are a violation of the CAN-SPAM Act.

Another critical requirement of the CAN-SPAM Act is providing recipients with a clear and conspicuous opportunity to opt out of receiving future emails. This can be done by including an unsubscribe link or clear instructions on how to unsubscribe in every email you send. Once a recipient opts out, you must honor their request within ten business days and refrain from adding them to your email list again without their explicit consent.

What is the Canadian Anti-Spam Legislation (CASL)?

CASL is a Canadian law that regulates commercial electronic messages (CEMs) and aims to protect Canadians from spam and other electronic threats. CASL applies to any business sending CEMs to recipients in Canada, regardless of the sender's location.

To comply with CASL, you must obtain either express or implied consent from recipients before sending them CEMs. Express consent is when the recipient actively agrees to receive your CEMs, while implied consent can be inferred from an existing business or non-business relationship, such as when a customer has made a purchase from you within the last two years. As with the GDPR, implementing a double opt-in process can help ensure that you have the necessary consent from your recipients.

When sending CEMs, you must clearly identify yourself or your organization as the sender and provide accurate contact information, including your mailing address, phone number, email address, and website. This information must remain accurate for at least 60 days after sending the message. Additionally, include a straightforward and efficient method for recipients to unsubscribe from your emails. When a recipient unsubscribes, you must honor their request within ten business days and remove them from your email list.

Achieving compliance with CASL also involves maintaining records of consent, either express or implied, for all recipients on your email list. This includes documenting when and how consent was obtained, as well as any relevant communication history. These records can help demonstrate your compliance with CASL in case of an investigation or complaint.
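The three sections above describe the same sender-side procedure from three legal angles: gather consent through a double opt-in, record when and how it was obtained, enforce opt-outs within ten business days, and put the required identification and unsubscribe information in every message. The following is an added example, written for this guide and not code from the original article or from AWS, showing one way to implement that procedure before a message is handed to SES. It assumes a hypothetical in-memory `ConsentStore` (a real deployment would persist the records), a placeholder signing secret, and constructed sample addresses; the SES send call itself is left out.

```python
"""Double opt-in, consent records and opt-out enforcement for an SES sender.
Added example with a hypothetical in-memory store and constructed sample data.
"""
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Placeholder secret for signing confirmation tokens; load from a secret store in practice.
TOKEN_SECRET = b"example-only-secret"
OPT_OUT_BUSINESS_DAYS = 10       # CAN-SPAM and CASL: honour opt-outs within ten business days
IMPLIED_CONSENT_MAX_AGE = timedelta(days=730)  # assumed two-year window for CASL implied consent


@dataclass
class ConsentRecord:
    email: str
    kind: str                                 # "express" or "implied"
    source: str                               # where consent was gathered, e.g. "signup-form"
    requested_at: datetime
    confirmed_at: Optional[datetime] = None   # set when the double opt-in link is used
    unsubscribed_at: Optional[datetime] = None
    purchase_at: Optional[datetime] = None    # basis for implied consent (CASL)


def confirmation_token(email: str, nonce: str) -> str:
    """HMAC over email and nonce; only the mailbox owner receives it, so only they can confirm."""
    msg = f"{email.lower()}\x00{nonce}".encode()
    return hmac.new(TOKEN_SECRET, msg, hashlib.sha256).hexdigest()


def opt_out_deadline(unsubscribed_at: datetime, business_days: int = OPT_OUT_BUSINESS_DAYS) -> datetime:
    """Latest time by which the opt-out must be honoured; counts Mon-Fri only, ignores public holidays."""
    day, remaining = unsubscribed_at, business_days
    while remaining > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:
            remaining -= 1
    return day


def check_can_spam(subject: str, body: str, postal_address: str, unsubscribe_url: str) -> List[str]:
    """Mechanical CAN-SPAM checks on an outgoing message; subject accuracy still needs human review."""
    problems = []
    if not subject.strip():
        problems.append("empty subject line")
    if postal_address not in body:
        problems.append("missing physical postal address")
    if unsubscribe_url not in body:
        problems.append("missing unsubscribe link")
    return problems


class ConsentStore:
    """Hypothetical in-memory consent ledger keyed by lower-cased address."""

    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}
        self._pending: Dict[str, str] = {}   # address -> nonce awaiting double opt-in confirmation

    def request_subscription(self, email: str, source: str, now: datetime) -> str:
        """Step 1 of double opt-in: create a pending express-consent record, return the token to email."""
        key = email.lower()
        existing = self._records.get(key)
        if existing and existing.unsubscribed_at:   # re-adding needs a fresh explicit confirmation
            existing.unsubscribed_at = None
        nonce = secrets.token_urlsafe(16)
        self._pending[key] = nonce
        self._records[key] = ConsentRecord(email=key, kind="express", source=source, requested_at=now)
        return confirmation_token(key, nonce)

    def confirm(self, email: str, token: str, now: datetime) -> bool:
        """Step 2 of double opt-in: a valid token proves control of the mailbox; records confirmed_at."""
        key = email.lower()
        nonce = self._pending.get(key)
        if nonce is None or not hmac.compare_digest(token, confirmation_token(key, nonce)):
            return False
        self._records[key].confirmed_at = now
        del self._pending[key]
        return True

    def record_implied_consent(self, email: str, source: str, purchase_at: datetime) -> bool:
        """CASL implied consent from a purchase; never overrides an earlier opt-out."""
        key = email.lower()
        existing = self._records.get(key)
        if existing and existing.unsubscribed_at:
            return False
        self._records[key] = ConsentRecord(email=key, kind="implied", source=source,
                                           requested_at=purchase_at, purchase_at=purchase_at)
        return True

    def unsubscribe(self, email: str, now: datetime) -> datetime:
        """Record the opt-out and return the deadline by which sending must have stopped."""
        rec = self._records.setdefault(email.lower(), ConsentRecord(email.lower(), "express", "unsubscribe", now))
        rec.unsubscribed_at = now
        return opt_out_deadline(now)

    def may_send(self, email: str, now: datetime) -> bool:
        """Gate every send on the ledger: no record, pending, expired or opted-out means no send."""
        rec = self._records.get(email.lower())
        if rec is None or rec.unsubscribed_at is not None:
            return False
        if rec.kind == "express":
            return rec.confirmed_at is not None
        return rec.purchase_at is not None and now - rec.purchase_at <= IMPLIED_CONSENT_MAX_AGE
```

In practice `may_send` is the only function the sending path calls, so a message can never be queued for SES without a current, confirmed consent record, and the deadline returned by `unsubscribe` is what you would alert on if the suppression has not propagated in time.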
