Email compliance goes beyond making sure your marketing emails are compliant. Email compliance also includes day-to-day communications.

What is email compliance? Email compliance is the practice of following specific protocols in data privacy laws and regulatory standards. These standards can be industry-specific, like HIPAA or PCI, or region-specific, like GDPR.

Why Is Email Compliance Important?

Compliance standards invariably include some form of data privacy. With digital technology, information security is even more important. Accordingly, most regulations require some form of data protection when transmitting personally identifiable information (PII) across any channel.

In many cases, security controls can operate within a relatively narrow scope. Encryption for file transfers or data servers is localized to specific technologies or cloud environments, and internal security can protect this data.


The Role of Personally Identifiable Information

Email raises more concerns for PII. To begin with, emails are, by default, unencrypted unless sent through an encrypted server. Unlike file transfer systems, email encryption requires both the sender and the receiver to use the same encryption method to maintain security. Because email is so widespread, many email providers, public and private, find it incredibly hard to line up encryption on both ends.

Furthermore, because email is one of the most used forms of communication on the internet, it is often used by regulated organizations to communicate with the public. These organizations do not have any control over mail systems outside of their perimeter, which means that they cannot guarantee the security or privacy of that information.

Finally, many regulations also include data retention and record-keeping requirements, and public or third-party providers may not provide such features—at least not by default and not without a price.

Email compliance is incredibly important because so many people rely on email, yet email is not typically secure and represents a potentially vulnerable space for many organizations.

Which Privacy Laws Impact Email Communications?

Compliance requirements are not standard across industries or applications. Organizations need to understand their industry's specific obligations and requirements in order to frame their own compliance program.

Some regulatory requirements include the following:

Health Insurance Portability and Accountability Act

Under HIPAA regulations, healthcare providers must secure patient health information from unauthorized disclosure, which rules out using unencrypted emails. Many of these organizations have turned to encrypted servers, private data centers, and secure links that direct patients to interactive portals as part of a HIPAA-compliant email plan. With these links, providers can direct patients to their secure systems without risking disclosure or breaching regulations.

Payment Card Industry Data Security Standard

Most of the time, an organization will never send payment information to any customer. Internally, however, compliant organizations deploy secure cardholder data environments that contain payment information. Email in these environments must meet Payment Card Industry Data Security Standard (PCI DSS) encryption requirements.

General Data Protection Regulation

General Data Protection Regulation (GDPR) is a European Union-based compliance framework known for its strict information controls. Compliance under GDPR operates under two different contexts: 

  • Security and Encryption: Consumer data is to be protected by businesses during transmission and processing, and this includes communications. As such, emails must be encrypted and any critical, private information obfuscated in the server and during transit.
  • Marketing and Consent: GDPR also calls for an “opt-in” approach to marketing compliance where businesses cannot use email for marketing purposes without the consumer’s express consent. This differs significantly from U.S. laws that allow companies to add user addresses to marketing databases and only offer opt-out options.

A similar law, the Privacy and Electronic Communications Regulations of 2003, did much the same in the United Kingdom before the existence of the European Union, requiring direct consent for marketing purposes.

Another similar law, the California Consumer Protection Act, requires more stringent email controls for marketing, like the GDPR. The CCPA, however, only applies to businesses operating in the state of California.

Federal Risk and Authorization Management Program and Cybersecurity Maturity Model Certification

Both FedRAMP and CMMC are government regulations. The former governs cloud products and services used by federal agencies, and the latter regulates contractors offering digital services in the Department of Defense supply chain.

In both cases, these frameworks draw regulatory standards from documents published by the National Institute of Standards and Technology: NIST 800-53 and NIST 800-171. Both documents specify encryption for emails and prohibit transmission of protected data in unsecured emails both internally and externally.

Furthermore, both frameworks have regulations for email and vulnerability scanning.

Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM)

This general-purpose marketing law, passed by Congress in 2003, regulates how marketers in the U.S. send emails. It imposes standards such as requiring opt-out lists, accurate email contents (including subject and “From” information), and limitations on masking header information or sending to harvested addresses.

Email and Data Retention

Regulations often include a retention policy. Organizations are expected to maintain records of all email communications for a set period of time, typically in cases where evidence may be needed for legal proceedings or investigations.

Some of the frameworks that require email retention include the following:

| Regulation | Who It Applies To | Length of Required Email Retention |
|---|---|---|
| Freedom of Information Act (FOIA) | Federal and State Agencies | 3 Years |
| Sarbanes-Oxley Act (SOX) | All Publicly Traded Companies | 7 Years |
| Federal Deposit Insurance Corporation Regulations (FDIC) | Financial Institutions | 5 Years |
| Health Insurance Portability and Accountability Act (HIPAA) | Healthcare Providers, Insurance Companies, and Vendors Managing Patient Information | 7 Years |
| Payment Card Industry Data Security Standard (PCI DSS) | Any Business Processing or Storing Credit Payment Information | 1 Year |
| IRS Reporting Regulations | All Businesses in the United States | 7 Years |
| CMMC and Other Defense Regulations | DoD Contractors | 3 Years |

Retention may function differently for other jurisdictions. For example, GDPR contains specific laws limiting how businesses can hold and process consumer information—namely, they cannot do so beyond what is reasonable for their stated business purposes. As such, GDPR does not have a mandatory minimum or maximum for email retention.

Challenges and Best Practices for Email Compliance

Many organizations do not know who should own responsibility for compliance, and because of this, many struggle with some aspects of it.

In general, there are a few challenges for email compliance:

  1. Training and Education: Employees must be trained as to what information they can and cannot share over email and how to use email technology correctly to maintain any encryption or security standards.
  2. Automation and Retention: Users cannot be expected to retain all emails, and across hundreds of thousands of emails per year, some are bound to be lost. Setting up automation and secure storage can satisfy retention requirements without burdening employees or administrators.
  3. Maintaining Proof of Consent: In jurisdictions like the European Union, companies must have proof of consent for marketing emails. This should be built into CRMs or other compliant systems so that all records are in place if an audit or challenge from a consumer occurs.

Email Compliance Starts With Compliance Tools

Sending compliant emails can seem like a daunting task. However, by adopting compliant technologies and automation up front, an organization can avoid the pitfalls of maintaining compliance while still using email to communicate with customers and employees.

The Kiteworks platform allows organizations, in industries like defense and government manufacturing, technology, healthcare, life sciences and pharmaceuticals, and legal, to maintain email compliance. The Kiteworks platform uses a system of secure email links, protected servers, data monitoring, and analytics to ensure that no sensitive information is released via email and that consent and opt-in documentation is secured in an immutable audit log.

To learn more about Kiteworks, request a personalized demo.
