Email Compliance Checklist

Ensure your email signatures comply with CAN-SPAM, GDPR, and other regulations.

Last updated: Jan 1, 2026

Email signatures and campaigns must comply with various regulations depending on where you and your recipients are located. This checklist helps ensure your signatures meet legal requirements.

Quick Compliance Checklist

Use this checklist before deploying signatures across your organization:

Required Information

  • [ ] Company name is clearly displayed
  • [ ] Physical business address is included
  • [ ] Contact information (email or phone) is provided
  • [ ] Website URL is present

For Campaign Banners

  • [ ] Promotional content is clearly identifiable as marketing
  • [ ] Links lead to legitimate, working pages
  • [ ] Any claims are accurate and verifiable
  • [ ] Offers include necessary terms or disclaimers

For Tracking Features

  • [ ] Organization has disclosed email tracking in privacy policy
  • [ ] Tracking is used for legitimate business purposes only
  • [ ] Data is protected and retained appropriately

CAN-SPAM Compliance (USA)

The CAN-SPAM Act applies to commercial email sent to US recipients.

Requirements

| Requirement | How Signkit Helps |
|-------------|-------------------|
| Accurate header information | Signatures don't modify email headers |
| Non-deceptive subject lines | Not applicable to signatures |
| Identify as advertisement | Campaign banners should be clearly promotional |
| Physical address | Include in your signature template |
| Opt-out mechanism | Required in email body, not signature |

Best Practices

  1. Include your physical address in every signature
  2. Don't make false claims in campaign banners
  3. Honor opt-outs promptly (managed by your email system)
  4. Monitor third-party campaigns if you use them

CAN-SPAM primarily governs the email message itself. Email signatures support compliance by providing required contact information.

GDPR Compliance (EU/EEA)

The General Data Protection Regulation applies when processing data of EU/EEA residents.

Signature Content

Your signatures should include:

  • Business name and contact details
  • Link to your privacy policy (recommended)
  • Clear identification of your organization

Tracking Disclosure

If you use Signkit's tracking features:

  1. Disclose tracking in your privacy policy

     Example text:

     "Our email signatures may contain tracking technologies to measure engagement. This collects IP address, device type, and timestamp of email opens and link clicks."

  2. Include the purpose of tracking

     Example text:

     "We use this data to measure the effectiveness of our email communications and improve our marketing campaigns."

  3. Specify data retention

     Signkit retains tracking data for 24 months (see our Privacy Policy).

For B2B email communications, tracking typically falls under "legitimate interests" (GDPR Article 6(1)(f)). Document your legitimate interest assessment.

Data Subject Rights

Recipients have rights including:

  • Right to access their data
  • Right to erasure
  • Right to object to processing

Direct data requests to support@signkit.io.

CASL Compliance (Canada)

Canada's Anti-Spam Legislation has strict consent requirements.

Requirements for Commercial Messages

| Requirement | Implementation |
|-------------|----------------|
| Sender identification | Include in signature |
| Contact information | Include physical address |
| Unsubscribe mechanism | Handle in email system |
| Consent records | Maintain separately |

Transactional vs. Commercial

  • Transactional emails (receipts, account notifications) have different rules
  • Commercial emails (marketing, promotions) require express consent
  • Signature campaigns are typically considered commercial content

UK GDPR and PECR

Post-Brexit, the UK has its own data protection framework similar to EU GDPR.

Key Differences

  • Regulated by the ICO (Information Commissioner's Office)
  • Similar consent and transparency requirements
  • Specific rules for electronic communications (PECR)

PECR requires consent for non-essential tracking. For email tracking:

  • B2B communications may rely on legitimate interests
  • Include disclosure in your privacy policy

Industry-Specific Requirements

Financial Services

  • May require additional disclosures
  • Consider regulatory notices in signatures
  • Compliance review before campaign launches

Healthcare

  • HIPAA considerations for US healthcare
  • Don't include patient information in signatures
  • Extra caution with tracking and data

Legal

  • Client confidentiality notices
  • Disclaimer requirements vary by jurisdiction
  • Review bar association guidelines

Tracking and Privacy

What Signkit Tracks

When tracking is enabled:

| Data Point | Purpose |
|------------|---------|
| IP address | Geographic analytics |
| Timestamp | Engagement timing |
| Device/browser | Technical analytics |
| Link clicks | CTR measurement |

Disclosure Recommendations

Add tracking disclosure to your:

  1. Privacy Policy (required)
  2. Email footer (recommended for marketing emails)
  3. Employee handbook (for internal awareness)

Sample Privacy Policy Text

Include this in your privacy policy:

> Email Signature Tracking
>
> Our email signatures may include tracking technologies that record when emails are opened and when links are clicked. This helps us understand the effectiveness of our email communications.
>
> Data collected includes: IP address, device type, browser information, and timestamp.
>
> This data is processed by Signkit (our email signature provider) and retained for up to 24 months. For more information, see Signkit's privacy policy.

International Considerations

Multiple Jurisdictions

If you email recipients in multiple regions:

  1. Apply the strictest applicable standard
  2. Segment by region if requirements differ significantly
  3. Consult legal counsel for complex situations

Safe Harbor Approach

General recommendations that satisfy most jurisdictions:

  • Include full business contact information
  • Disclose tracking in your privacy policy
  • Provide clear opt-out mechanisms
  • Honor data subject requests promptly
  • Retain data only as long as necessary

Campaign-Specific Compliance

Promotional Claims

  • Ensure all claims are accurate
  • Include "terms apply" for offers
  • Link to full terms if needed

Contest/Giveaway Banners

  • Include "No purchase necessary" if required
  • Link to official rules
  • Comply with local lottery/contest laws

Urgency Messaging

  • "Limited time" must be accurate
  • Deadlines must be honored
  • Don't create false scarcity

Accessibility

WCAG Considerations

Make signatures accessible:

  • Sufficient color contrast
  • Alt text for images
  • Readable font sizes
  • Clear link text

Why It Matters

  • Legal requirements in some jurisdictions
  • Better experience for all recipients
  • Improved deliverability

Regular Compliance Reviews

Quarterly Checklist

Every 3 months, review:

  • [ ] Contact information is current
  • [ ] Privacy policy reflects actual practices
  • [ ] Campaign content is accurate
  • [ ] Tracking disclosures are present
  • [ ] Data retention policies are followed

Annual Review

Yearly, consider:

  • [ ] Legal requirements have not changed
  • [ ] New markets require new compliance
  • [ ] Privacy policy needs updates
  • [ ] Training for new team members

Resources

Getting Help

For compliance questions:

  • General questions: support@signkit.io
  • DPA requests: support@signkit.io
  • Data export requests: support@signkit.io

This guide provides general information and is not legal advice. Consult qualified legal counsel for compliance advice specific to your situation.
