Build a List Legally – What Privacy Laws Mean for You

Privacy and marketing are two words that – historically – haven’t had much in common. In the past, consumer privacy has been more of a suggestion than a rule. Fortunately, that is changing for the better. With recent privacy laws and regulations, consumers in some locations have been granted better control of their personal, private information. 

This, my friends, is excellent news for you and me as marketers. 

Sadly, ours is an industry filled with people with no regard for consumer privacy or data security. They figure anything they can do to make a buck is perfectly fine. But that’s not how it works. 

Consider two reasons why enhanced privacy protections are beneficial: 

First, you and I are consumers, are we not? Sure, we are marketers too, but first and foremost, we are consumers who want our personal information protected. 

Secondly, forcing marketers and other business entities to respect privacy has a rather… cleansing effect on the industry. No longer can unscrupulous individuals disrespect our privacy with impunity. That’s excellent. 

That said, you and I need to keep a few things in mind to make sure we are compliant with the law. 

Now, before we go any further, I need to let you know that I am not a lawyer, and this article is not to be taken as legal advice. If you have questions about the privacy laws that are relevant to your marketing efforts, please consult legal counsel in your jurisdiction. 

Laws of the Land(s) 

The laws and regulations this article covers are the EU’s General Data Protection Regulation (GDPR), the United States’ CAN-SPAM law, and California’s “California Consumer Privacy Act” (CCPA).

Each of these laws varies in scope and penalty, but the gist of each is the same: You have no right to acquire or process personal data without express consent. No exceptions. No ifs, ands, or buts. 

If it’s not your own data, you need permission to access it or use it. 

Who Do These Laws Cover? 

None of these laws protects everyone everywhere. 

The GDPR covers any citizen of the European Union – even if he is living outside of his home country. 

The CCPA covers citizens of California. 

CAN-SPAM covers the United States. 

Privacy laws are changing all the time, so make sure to stay up to date on the laws that apply to you and your subscribers. 

As a rule, however, it’s best to ensure your email list always complies with each of these laws. As your list grows, you may find individuals from each of the covered jurisdictions on your list. If even one individual from a covered jurisdiction is on your list, you must comply with that law. 

Names and Email Addresses are Personal Data 

Email marketers don’t typically handle protected health information (PHI) or payment data, but we do handle individuals’ names and email addresses. While perhaps not as private as health data or payment details, names and emails are still bits of data that people don’t typically love being public knowledge. 

This personal information is protected by law. 

Severe Penalties for Violating Consumer Privacy 

If you dare to violate any of the above-mentioned privacy laws as you build a list, you can be subject to massive fines and major legal repercussions. I’m talking fines in the thousands – or even millions – of dollars. Ouch.

For violating the GDPR, one may be fined up to 20 million Euros or up to 4% of his annual worldwide revenue, whichever is greater.


Clearly, it’s not worth it. 

You and I need to be exceptionally careful to follow the law and respect the privacy of our subscribers – past, current, and future. 

How to Build Your List Legally 

Again, I’m not a lawyer, and this is not to be taken as legal advice. What I will do, however, is give you the gist of what you need to know to keep yourself out of legal danger so you can build your list in a way that respects both the law and the personal data of those on your list. 

Never Buy an Email List 

No doubt you have seen ads offering to sell lists of thousands of email contacts. Sounds like a great way to build a list overnight, right? It isn’t. It’s actually a great way to damage your reputation as a marketer and do irreparable harm to your brand, and it puts you in a very dangerous place legally.

When you buy a list, you are purchasing the personal data of people who have not given their consent. Not good. Not good at all. In fact, this makes you a de facto spammer because you’re sending unsolicited email. 

Never Add Someone to Your List Without Permission 

Email marketing is 100% permission-based. If someone has not provided express consent, he or she should not be on your list. Never ever subscribe someone without asking. Better yet, let your email service provider handle all subscriptions through a web form on a lead capture page. 

As a general rule, you should not be adding people to your list manually. 

Use Double (Confirmed) Opt-In 

Double Opt-In is my preferred method for adding subscribers to my list. When this is enabled, a new subscriber must click a confirmation link sent to his or her email address before he or she is added to my list.

This is awesome for two reasons: 

One – This prevents fake email addresses from being added to my list. Since every email must be confirmed before it’s subscribed, non-functional addresses won’t make the cut. 

Two – Confirmed opt-in generates GDPR-compliant proof of consent, so if there is any question at all, I’m able to prove that an individual did, indeed, subscribe and that I did not add him to my list without permission.

Respect Unsubscribe Requests 

If someone wants to unsubscribe, you must let him. Your email list should not be a hostage situation. No one should be on your list who doesn’t want to be. 

Continuing to send email to someone who has requested to unsubscribe is the same as sending spam. Don’t do it. 

Make Your Landing Page Clear 

Your opt-in forms and landing pages must make it clear that people are subscribing to an email list and will be receiving future emails. Don’t trick someone into subscribing by making them think they’ll be receiving no further emails. 

Protect Yourself. Protect Your List. 

These privacy laws may seem like a hurdle – and perhaps to some they are. But they are designed to protect both end users and marketers. As a marketer, I’m happy to see these laws and others like them. It’s far past time that the rights of the consumer get the respect they deserve. 

People are not commodities to be abused. Their information is not for sale. 

Laws like the GDPR, CAN-SPAM and CCPA hold us to a higher standard. We should welcome that for the sake of our industry and our subscribers.