Email marketing laws aren't optional. One compliance failure can cost your business lakhs in penalties and destroy your sender reputation permanently. If you send emails to customers in India, Europe, or anywhere globally, you need to understand the rules.
India: DPDPA 2023 (Digital Personal Data Protection Act)
India's data protection law came into effect in 2023 and directly impacts email marketing.
Key requirements:
- Consent: You need clear, informed consent before sending marketing emails. Pre-checked boxes don't count. The subscriber must actively opt in.
- Purpose limitation: You can only use email addresses for the purpose they were collected for. If someone gave their email for a purchase receipt, you can't automatically add them to your marketing list.
- Right to erasure: Subscribers can request deletion of their data. You must comply within a reasonable timeframe.
- Data Fiduciary obligations: If you collect email data, you're a Data Fiduciary under the law. You must implement reasonable security measures.
- Children's data: Extra protections for anyone under 18. Don't collect or market to minors without verifiable parental consent.
Penalties: Up to ₹250 crore for significant non-compliance. The Data Protection Board of India can impose penalties on a per-incident basis.
GDPR (If You Email European Residents)
If even one subscriber is in the EU, GDPR applies to you — regardless of where your business is based.
Key requirements:
- Explicit consent: Must be freely given, specific, informed, and unambiguous. No bundled consent ("by creating an account, you agree to receive marketing emails").
- Right to access: Subscribers can request all data you hold about them.
- Right to deletion: "Right to be forgotten" — you must delete all their data upon request.
- Data portability: Subscribers can request their data in a machine-readable format.
- Breach notification: You must notify authorities within 72 hours of a data breach.
Penalties: Up to €20 million or 4% of global annual revenue, whichever is higher.
CAN-SPAM (USA)
If you email anyone in the United States:
- Every email must include your physical mailing address
- Unsubscribe must be processed within 10 business days
- Subject lines must not be deceptive
- "From" field must be accurate
- No purchased lists or harvested email addresses
Practical Compliance Checklist
For Every Email You Send:
- ✅ Recipient explicitly opted in to receive this type of email
- ✅ Unsubscribe link is visible and working
- ✅ Your business name and address are in the footer
- ✅ Subject line accurately reflects the content
- ✅ You're sending from a verified domain
For Your Email List:
- ✅ Double opt-in is enabled (subscriber confirms via email)
- ✅ You record when and how each subscriber opted in
- ✅ Unsubscribes are processed within 24-48 hours
- ✅ Hard bounces are removed immediately
- ✅ You have a data retention policy (how long you keep data)
For Your Business:
- ✅ Privacy policy is published and accessible on your website
- ✅ Cookie consent banner is in place (if tracking email opens/clicks via website)
- ✅ Data processing agreements are signed with email service providers
- ✅ You have a process for handling data access/deletion requests
- ✅ Your team is trained on compliance requirements
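As an added illustration of the list-hygiene items above (double opt-in, recording when and how each subscriber opted in, suppressing unsubscribes and hard bounces, handling deletion requests, and a retention policy), here is a small consent ledger in Python. It is example code written for this page, not code from the article or any product it mentions; the addresses, timestamps, purpose labels and the 730-day / 7-day retention values are constructed assumptions, and keeping suppressed records past the retention window is a design decision rather than a legal requirement.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    email: str
    purpose: str                  # "marketing" or "transactional" (purpose limitation)
    source: str                   # how consent was captured, e.g. "checkout-form"
    requested_at: datetime        # when the subscriber actively opted in
    confirmed_at: Optional[datetime] = None   # set by the double opt-in click
    suppressed_at: Optional[datetime] = None  # unsubscribe or hard bounce
    suppression_reason: Optional[str] = None


class ConsentLedger:
    """Per-purpose consent store: a receipt address never becomes a newsletter address."""

    def __init__(self, retention_days: int = 730, pending_ttl_days: int = 7) -> None:
        # Assumed retention values for the example; set them from your own policy.
        self.retention = timedelta(days=retention_days)
        self.pending_ttl = timedelta(days=pending_ttl_days)
        self._records: dict[tuple[str, str], ConsentRecord] = {}

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    def request_opt_in(self, email: str, purpose: str, source: str, at: datetime) -> None:
        """Double opt-in step 1: record the request; nothing may be sent yet."""
        addr = self._norm(email)
        self._records[(addr, purpose)] = ConsentRecord(addr, purpose, source, at)

    def confirm_opt_in(self, email: str, purpose: str, at: datetime) -> bool:
        """Double opt-in step 2: the subscriber clicked the confirmation link."""
        rec = self._records.get((self._norm(email), purpose))
        if rec is None or rec.suppressed_at is not None:
            return False
        rec.confirmed_at = at
        return True

    def suppress(self, email: str, reason: str, at: datetime, purposes=None) -> int:
        """Unsubscribe (marketing only) or hard bounce (all purposes); effective immediately."""
        addr = self._norm(email)
        hit = 0
        for (a, p), rec in self._records.items():
            if a == addr and (purposes is None or p in purposes) and rec.suppressed_at is None:
                rec.suppressed_at, rec.suppression_reason = at, reason
                hit += 1
        return hit

    def erase(self, email: str) -> int:
        """Deletion request: remove every record held for the address."""
        addr = self._norm(email)
        keys = [k for k in self._records if k[0] == addr]
        for k in keys:
            del self._records[k]
        return len(keys)

    def may_send(self, email: str, purpose: str) -> bool:
        rec = self._records.get((self._norm(email), purpose))
        return rec is not None and rec.confirmed_at is not None and rec.suppressed_at is None

    def consent_evidence(self, email: str, purpose: str) -> Optional[dict]:
        """What you would show a regulator: when, how and for what they opted in."""
        rec = self._records.get((self._norm(email), purpose))
        if rec is None:
            return None
        return {"source": rec.source, "requested_at": rec.requested_at.isoformat(),
                "confirmed_at": rec.confirmed_at.isoformat() if rec.confirmed_at else None}

    def purge_expired(self, now: datetime) -> list[tuple[str, str]]:
        """Retention policy: drop unconfirmed requests past pending_ttl and consents
        older than retention. Suppressed records are kept so the address is not
        mailed again (design choice in this example, not a legal rule)."""
        dropped = []
        for key, rec in list(self._records.items()):
            if rec.suppressed_at is not None:
                continue
            stale_pending = rec.confirmed_at is None and now - rec.requested_at > self.pending_ttl
            stale_consent = rec.confirmed_at is not None and now - rec.confirmed_at > self.retention
            if stale_pending or stale_consent:
                dropped.append(key)
                del self._records[key]
        return dropped


def demo() -> dict:
    """Walk constructed subscribers through the lifecycle and return the checks."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    # A purchase gives transactional consent only; marketing stays off.
    ledger.request_opt_in("Buyer@Example.com", "transactional", "checkout", t0)
    ledger.confirm_opt_in("buyer@example.com", "transactional", t0)
    out = {"marketing_before": ledger.may_send("buyer@example.com", "marketing")}
    # Newsletter signup: unsendable until the confirmation click.
    ledger.request_opt_in("buyer@example.com", "marketing", "footer-form", t0 + timedelta(days=1))
    out["pending"] = ledger.may_send("buyer@example.com", "marketing")
    ledger.confirm_opt_in("buyer@example.com", "marketing", t0 + timedelta(days=1, hours=1))
    out["confirmed"] = ledger.may_send("buyer@example.com", "marketing")
    # One-click unsubscribe stops marketing but not receipts.
    ledger.suppress("buyer@example.com", "unsubscribe", t0 + timedelta(days=30), purposes=("marketing",))
    out["after_unsub"] = ledger.may_send("buyer@example.com", "marketing")
    out["transactional_after_unsub"] = ledger.may_send("buyer@example.com", "transactional")
    # A request that is never confirmed is purged by the retention policy.
    ledger.request_opt_in("ghost@example.com", "marketing", "footer-form", t0)
    out["purged"] = ledger.purge_expired(t0 + timedelta(days=60))
    out["erased"] = ledger.erase("buyer@example.com")   # deletion request removes both records
    return out
```

The key is (address, purpose), so a transactional record can never satisfy a `may_send(..., "marketing")` check, and `consent_evidence` gives you the "when and how" the checklist asks you to record.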
Common Violations Indian Businesses Make
Adding customers to marketing lists without consent. Someone who bought from your website didn't consent to weekly newsletters. Keep transactional and marketing lists separate.
No physical address in emails. Required by CAN-SPAM and best practice everywhere. Use your registered business address.
Making unsubscribe difficult. If someone has to log in, send an email, or click through 5 pages to unsubscribe, you're violating multiple laws. One-click unsubscribe should be standard.
Ignoring data deletion requests. Under both DPDPA and GDPR, when someone asks you to delete their data, you must comply. This means removing them from all lists, databases, and backups where feasible.
The Simple Rule
When in doubt, ask yourself: "Would I be comfortable explaining this practice to a regulator?" If the answer is no, don't do it. Compliance isn't just about avoiding fines — it's about building trust. Businesses that respect their subscribers' data and preferences build stronger, more engaged email lists.