Mapping Compliance

A World of Security and Marketing Regulations

We’re in a moment of flux, privacy-wise. Enforcement of the EU’s General Data Protection Regulation (GDPR) is just around the corner, and that’s got a lot of brands thinking more seriously about ways in which today’s changing, shifting regulatory landscape can impact their marketing activities.

Even if your organization isn’t affected by GDPR, this is a great time to assess your organization's data privacy and security systems. In this map, we’ve highlighted some of the most significant regional laws and regulations overseeing data privacy/security and marketing rules, from HIPAA to CAN-SPAM to CASL to GDPR. Whether your brand is a first-party marketer leveraging customer data you’ve collected right from your customers or a third-party marketer working with data gathered by another firm, whether you’re focused on B2B or B2C, these rules and regulations shape the way that you understand and engage with your audience—so make sure you’re up on their ins-and-outs.

To explore our map, simply filter by regulation to see where it applies, then scroll over individual countries for more information. We’ve even included country-by-country e-marketing regulations for countries in the EU—right down to the opt-in and opt-out rules.

Learn More

Regulation Details:

General Data Protection Regulation

The General Data Protection Regulation (GDPR) set down new and stricter rules regarding the use of personal data on EU citizens by companies and other bodies. Companies need to be compliant by May 25, 2018 or they could face massive fines! GDPR is said to affect 80% of global brands as it applies to any organization with EU Citizens as customers.

The CAN-SPAM Act

The Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) Act of 2003, established the United States' first national standards for the sending of commercial e-mail and requires the Federal Trade Commission (FTC) to enforce its provisions.

The Canadian Anti-Spam Law (CASL)

The Canadian Anti-Spam Law (CASL) has been called the toughest of the anti-spam acts. It enforces the need for user consent in all CEMs (commercial electronic messages) sent within, to, or from Canada.

EU E-Marketing Regulations

Scroll over each country in the EU to read about the e-marketing regulations that apply. Each country has specific guidelines for first- and third-party B2B and B2C marketers, specifically regarding opt-in rules.

HIPAA

HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information.

EU E-Marketing Regulations:

Austria

Austria e-Marketing Regulations:
Under Austria’s Telecommunications Act, first- and third-party marketers can only send messages to consumers and individuals following an explicit opt in for both B2C and B2B; however, for first-party, opt-out is also permitted where the Opt-out Rule applies. 

Belgium

Belgium e-Marketing Regulations:
Belgium e-marketing regulations fall under Article XII.13 of the Code of Economic Law and the Royal Decree of 4 April 2003 regulating advertising by electric mail.  For third-party marketing, opt-in is required. For first-party B2C, opt-in is required (opt-out is an option where Opt-out Rule applies). For B2B, If sent to an individual B2B email address: Opt-in. Opt-out permitted where Opt-out Rule applies. If sent to a generic email address (i.e. info@; sales@ etc) Opt-out.

Bulgaria

Bulgaria e-Marketing Regulations:
Under the Electronic Communications Act, first- and third-party marketers can only send messages to consumers and individuals following an explicit opt in for both B2C and B2B; however, for first-party, opt-out is also permitted where the Opt-out Rule applies. 

Croatia

Croatia e-Marketing Regulations:
Under Electronic Communications Act, first- and third-party marketers can only send messages to consumers and individuals following an explicit opt in for both B2C and B2B; however, for first-party, opt-out is also permitted where the Opt-out Rule applies. 

Cyprus

Cyprus e-Marketing Regulations:
Under the Processing of Data of a Personal Character Law and the Regulation of Electronic Communications and Postal Services Law, first- and third-party marketers can only send messages to consumers and individuals following an explicit opt in for both B2C and B2B; however, for first-party B2C communications, opt-out is also permitted where the Opt-out Rule applies. 

Czech Republic

Czech Republic e-Marketing Regulations:
Under the Act on Certain Information Society Services, first- and third-party marketers can only send messages to consumers and individuals following an explicit opt in for both B2C and B2B; however, for first-party, opt-out is also permitted where the Opt-out Rule applies. 

Denmark

Denmark e-Marketing Regulations:
Under the Danish Marketing Practices Act no.426 of 3 May 2017, article 10, first- and third-party marketers can only send messages to consumers and individuals following an explicit opt in for both B2C and B2B; however, for first-party, opt-out is also permitted where the Opt-out Rule applies. 

Estonia

Estonia e-Marketing Regulations:
Under the Electronic Communications Act, first-party B2C marketers must receive explicit opt-in (unless the Opt-out Rule applies, in which case opt-out is permitted). First-party B2B marketers can use opt-out. For third-party, B2C requires opt-in while B2B may use opt-out.

Finland

Finland e-Marketing Regulations:
Under the Information Society Code, Chapter 24, first-party B2C marketers must receive explicit opt-in (unless the Opt-out Rule applies, in which case opt-out is permitted). First-party B2B marketers can use opt-out. For third-party, B2C requires opt-in while B2B may use opt-out.

France

France e-Marketing Regulations:
Under Article L34-5 of the Postal and Electronic Communications Code, Chapter 24, first-party B2C marketers must receive explicit opt-in (unless the Opt-out Rule applies, in which case opt-out is permitted). First-party B2B marketers can use opt-out. For third-party, B2C requires opt-in while B2B may use opt-out.

Germany

Germany e-Marketing Regulations:
Under the German Act Against Unfair Competition as last amended 17 February 2016, first- and third- party marketers must receive explicit double opt-in to send messages to consumers and individuals. For first-party marketers, opt-out is permitted where the Opt-out Rule applies.

Greece

Greece e-Marketing Regulations:
Under Article 11, paras 1,3, and 7 of Law 3471, first- and third-party marketers can only send messages to consumers and individuals following an explicit opt-in for both B2C and B2B; however, for first-party, opt-out is also permitted where the Opt-out Rule applies. 

Hungary

Hungary e-Marketing Regulations:
Under the Info Act, the Advertising Act, the E-Commerce Act, and Act C of 2003 on Electronic communications, first- and third- party B2C marketers may send messages to consumers or individuals after receiving explicit opt-in. First- and third- party B2B marketers are permitted to use opt-out. For certain sectors, such as medicine, other legislation may apply

Ireland

Ireland e-Marketing Regulations:
Under the European Communities Regulations 2011, first-party marketers as well as third-party B2B marketers are permitted to use opt-out provided there has been compliance with the Opt-out Rule. Third-party B2C marketers must receive explicit opt-in.

Italy

Italy e-Marketing Regulations:
Under the Consolidation Act regarding the Protection of Personal Data, first- and third-party marketers can only send messages to consumers and individuals following an explicit opt in for both B2C and B2B; however, for first-party B2C, opt-out is also permitted where the Opt-out Rule applies. 

Latvia

Latvia e-Marketing Regulations:
Under the Law on Information Society Services dated 4 November 2004, first- and third-party B2C marketers can only send messages to consumers and individuals following an explicit opt in; however, for first-party B2C, opt-out is also permitted where the Opt-out Rule applies. For first- and third-party B2B marketers, opt-out is permitted.

Lithuania

Lithuania e-Marketing Regulations:
Under the Law on Legal Protection of Personal Data 1996, the Law of Electronic Communications 2004, and the Law on Advertising 2000, first- and third-party marketers can only send messages to consumers and individuals following an explicit opt in for both B2C and B2B; however, for first-party, opt-out is also permitted where the Opt-out Rule applies. 

Luxembourg

Lithuania e-Marketing Regulations:
Under Law of 14 August 2000 on e-commerce and Law of 30 May 2005 on electronic communications networks and services, first- and third-party B2C marketers can only send messages to consumers and individuals following an explicit opt-in; however, for first-party B2C, opt-out is also permitted where the Opt-out Rule applies. For first- and third-party B2B marketers, opt-out is permitted.

Netherlands

Netherlands e-Marketing Regulations:
Under the Telecommunications Act dated 5 June 2012, first- and third-party marketers can only send messages to consumers and individuals following an explicit opt in for both B2C and B2B; however, for first-party, opt-out is also permitted where the Opt-out Rule applies. 

Norway

Norway e-Marketing Regulations:
Under the 2009 Marketing Control Act, first- and third-party marketers can only send messages to consumers and individuals following an explicit opt-in, but can target generic B2B addresses unless the target business opts out.

Poland

Poland e-Marketing Regulations:
Under The Act on Personal Data Protection, the Act on e-Services, and the Telecommunications Law, both first- and third-party marketers are required to obtain explicit opt-in prior to sending messages to any consumers or individuals. While there are nuances regarding opt-out rules associated with these individual legislations, opt-in is the default for all scenarios listed. 

Portugal

Portugal e-Marketing Regulations:
Under Law 41/2004 of August 18 on processing the personal data and protection of privacy in the electronic communications sector, first- and third-party B2C marketers can only send messages to consumers and individuals following an explicit opt in; however, for first-party B2C, opt-out is also permitted where the Opt-out Rule applies. For first- and third-party B2B marketers, opt-out is permitted.

Romania

Romania e-Marketing Regulations:
Under Law No. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, first- and third- party marketers may send messages to consumers and individuals only after receiving explicit opt-in. For first-party B2C and B2B marketers, opt-out is permitted where the Opt-out Rule applies, but for B2B, the possibility to opt-out must be offered both at the receipt of the electronic address and on the occasion of each e-marketing message sent, if the customer did not initially oppose it.

Slovakia

Slovakia e-Marketing Regulations:
Under the Act on e-Commerce and the Act on Electronic Communications, first- and third-party marketers can only send messages to consumers and individuals following an explicit opt in for both B2C and B2B; however, for first-party, opt-out is also permitted where the Opt-out Rule applies. 

Slovenia

Slovenia e-Marketing Regulations:
Under the Electronic Communications Act and the Personal Data Protection Act, first-party B2C marketers must obtain explicit opt-in from individuals, unless the Opt-out Rule applies, in which case opt-out is permitted. Opt-out is permitted for first-party B2B. Opt-in is required for all third-party e-marketing. 

Sweden

Sweden e-Marketing Regulations:
Under the Marketing Practices Act and the Electronic Communications Act, first- and third- party B2C marketers must receive explicit opt-in from individuals, though opt-out is permitted for first-party B2C if the Opt-out Rule applies. For first- and third-party B2B marketing, opt-out is permitted. 

Spain

Spain e-Marketing Regulations:
Under Law 34/2002 on information society services and electronic commerce, first- and third- party marketers may only message consumers and individuals who explicitly opt-in. First-party marketers are permitted to use opt-out where Opt-out Rule applies. 

United Kingdom

United Kingdom e-Marketing Regulations:
Under the Privacy and Electronic Communications Regulations of 2003, first- and third- party B2C marketers must receive explicit opt-in from individuals, though opt-out is permitted for first-party B2C if the Opt-out Rule applies. For first- and third-party B2B marketing, opt-out is permitted.