What’s Your E-Mail Policy?

The online industry has long assumed email collection and usage information within a privacy policy is sufficient. In today’s war against spam, I’m here to argue it’s time to consider an alternative.

There are four types of email policies. You’re familiar with the first three: corporate email user policies, ISP and Web-based email provider use policies, and email broadcast software and services use policies. The fourth is likely unfamiliar. Let’s focus on that last, little-known policy: a separate document that complements online privacy policies.

Consider these four reasons why your email policy should be separate and distinct from your privacy policy.

E-Mail’s Importance

In the late ’90s, rather than having our friends in Washington legislate what we do, we spent a lot of time proving the self-regulatory value of privacy policies. Dozens of studies indicate posted privacy policies increase user confidence on sites that collect personally identifiable information.

Just as users are concerned their personal information might be collected and shared, they’re increasingly concerned about spam — where it comes from and how spammers obtain their email addresses. Users want to know their email addresses are as important to you as they are to them. Separating their email rights from the more general privacy policy shows users you care and respect their information.


I commend Web sites that post privacy policies. Practices of notice, choice, access, and security are nearly standardized. E-mail address collection and use fit into each of these practices, as does all other personal and nonpersonal information. Most of the time, email opt-out information is near the bottom of the privacy policies, beyond the point where most users will read.

Businesses that collect email addresses must ensure recipients want to receive their email. I strongly advocate user control, full disclosure, and immediate opt-out. Segregating email-related information and placing it near the top of a privacy policy or, better, in a separate section will greatly enhance user confidence.


A recent University of Pennsylvania study found 53 percent of respondents don’t understand online privacy policies. Sixty-six percent of those who think they do understand them were incorrect in their belief that their data would not be shared with third parties. We shouldn’t expect users to be diligent or savvy enough to extrapolate from each policy section how their email addresses will be used.

I’ve found wording like this buried in a number of online privacy policies:

COMPANY may share Member PII with its partners, sponsors, advertisers, service providers, and marketers lookup and reference services and any other entities that COMPANY believes are able to provide USERS with special offers and opportunities.

Honesty is always the best policy. People can decipher from the above that their information will be shared. What they don’t know is that their email addresses are what is shared, and that they’ll soon hit their inbox quota with offers from those partners, sponsors, and others.

Go Above and Beyond

An email policy should go beyond the typical notice, choice, access, and security in privacy policies. E-mail policies should provide users with the entire set of email collection, maintenance, and suppression processes.

These processes could include sender field information, sender domain name, mailing frequency, behavioral tracking information, on- and offline suppression options, types of cobranded offers, and the specific partners from which they might expect to receive email.

Certainly, many users don’t need or want to know every link and image is unique and trackable. However, offering more information about email practices shows them you care about their experience.

Request for Leadership

I searched for email policies. The good news is I found an example. The bad news is I found only one.

Our example comes from Lighthouse Depot. This policy is nearly the opposite of a privacy policy. It’s actually a letter written to the site’s users that explains in plain language what’s being done with their email addresses. The policy is linked directly from the middle of the footer, adjacent to the privacy policy, from every page on the site.

E-mailers, especially you with large lists (I know you’re reading this), set an example and create a separate email policy. Years ago, I was told that by posting a privacy policy, companies held themselves liable if they broke with those practices. They didn’t want to be accountable.

Well, now every commercial Web site follows the responsible lead and posts a privacy policy. It’s time emailers did the same. In today’s difficult email environment, the most effective emailers are those who are the most accountable.

Do you agree that email policies should be separate from privacy policies? Send me your thoughts!
