Email disclaimers:
The What, the Why and the How

Find out what email disclaimers are, what purposes they typically serve in companies and what they may or may not consist of. Learn how email disclaimers are regulated by law in countries around the world and discover methods of deploying them in your organization.

PART 1: What (is an email disclaimer)?

An email disclaimer is a segment of informational text prepended or appended to emails in order to achieve one or more of the following ends:

  • Inform about the legal status of emails (e.g. whether they can be used to enter into contracts)
  • Reduce the risk of privacy or confidentiality breaches
  • Help deal with email interceptions and malicious disclosures
  • Comply with laws requiring businesses to provide selected company information
  • Notify about collection or screening of data, etc.
  • Suggest actions to be avoided or taken on emails and their contents
  • Limit the legal impact of emails and their contents.


Most major organizations take steps to ensure that all their emails are stamped with uniform disclaimers. This way they can eliminate end-user oversight and errors, while at the same time maintaining a consistent email layout.

Methods of achieving email disclaimer consistency across an entire organization are discussed in Part 3 of this guide.

 

Part 2: Why (do you need email disclaimers)?

Apart from use in auxiliary capacities, email disclaimers are often the primary means of fulfilling legal requirements.


Below you will find the most important examples:

NOTE: Information in this article does not constitute legal advice or legal opinions. You should not act or rely on it without first seeking the advice of an attorney.

 

Country | Regulation

USA

The Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a broad set of regulations related to healthcare and health insurance. One of its titles establishes standards of protection of healthcare information belonging to patients.

Businesses whose internal or outgoing email may include patients’ private health data should look at email disclaimers as a preventive measure that warns recipients about the possible negative ramifications of revealing such information.

Email disclaimers: Complementary

Reference: https://www.hhs.gov/hipaa/for-professionals/faq/570/does-hipaa-permit-health-care-providers-to-use-email-to-discuss-health-issues-with-patients/index.html

USA

Gramm-Leach-Bliley Act (GLBA)

Compels organizations dealing in finance to take special precautions to ensure the security of customers’ financial records.

When financial information is sent via email, disclaimers and other in-message notifications can serve as secondary insurance, instructing recipients about security best practices and warning against the risks related to emailing sensitive data.

Email disclaimers: Complementary

Reference: https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act

Canada

Canada’s Anti-Spam Legislation (CASL)

Requires that emails sent to Canadian citizens concerning sales, marketing and other business topics contain information about the sender (be it an individual or company), as well as an easily available mechanism to opt out of receiving such emails in the future.

The sender must provide the following details in all commercial correspondence:

  • His or her name (and, if different, the name of the person on whose behalf the email was sent)
  • Their company’s name
  • Its mailing address
  • Telephone number
  • Online address (email and/or web)
  • Opt-out mechanism that is free for the recipient (maximum 10 days to fulfill a request)

Email disclaimers: Required

Failure to include these details is punishable by a one-time fine of up to $10,000,000 (Canadian).

Reference: https://ised-isde.canada.ca/site/canada-anti-spam-legislation/en


United Kingdom

The Companies (Trading Disclosures) Regulations 2008

Implemented in accordance with the Companies Act 2006, the regulations require senders based in the UK to feature the following details in business letters:

  • Registered name of their company
  • Part of the UK where their company is registered (England, Scotland, Wales, etc.)
  • Registered number
  • The physical address of the registered office
  • The fact that it is a limited company in the following cases: if the company is exempt from adding the word “limited” to its name; if the company is a community interest company which is not a public company
  • The fact that the company is an investment company within the meaning of section 833 of the Companies Act 2006 (if applicable)
  • Amount of paid-up share capital (if the company has chosen to display share capital)

Email disclaimers: Required

Failure to include these details is punishable by a one-time fine of up to £1,000 and a further daily fine of up to £100 until the offence is corrected.

Reference: https://www.legislation.gov.uk/uksi/2008/495/pdfs/uksi_20080495_en.pdf

Ireland

Companies Act 1963

Senders based in Ireland are obligated to disclose the following information in all business correspondence:

  • Name and legal form of their company
  • Place and number of registration of their company
  • The physical address of its registered office
  • The fact that it is a limited company in the following cases: if the company is exempt from adding the word “limited” or “teoranta” to its name
  • The fact that the company is being wound up (if applicable)
  • References to share capital must include information on subscribed and paid-up capital (if applicable)

Email disclaimers: Required

Failure to include these details is punishable by a one-time fine of up to €2,000 and a further daily fine of up to €100 until the offence is corrected.

Reference: https://www.irishstatutebook.ie/eli/2007/si/49/made/en/pdf

Germany

Gesetz über elektronische Handelsregister und Genossenschaftsregister

The sender must feature the following details in commercial correspondence:

  • Name of their company (as listed in the Commercial Register) together with its legal form
  • Its place of establishment and current physical address
  • Registration number and court where the company is registered
  • Full names of directors or board members
  • Full name of the chairman of the supervisory board (if present)
  • Full name of the chairman of the board (if present)
  • Information on capital: in cases when it has not been fully paid up; share capital and the total value of outstanding shares (for joint venture companies) or outstanding deposits (for limited liability companies)

Email disclaimers: Required

Failure to include these details is punishable by a one-time fine of up to €5,000.

Reference: https://www.internetrecht-rostock.de/email-pflichtangaben.htm

France

French Commercial Code (Article R 123-237)

Senders must feature the following details in all corporate correspondence:

  • Their company’s name and unique registration number (SIREN number)
  • Register of Commerce (RCS) where their company is registered
  • Current physical address of the office
  • The fact that insolvency proceedings are in progress (if applicable)
  • Name, legal form and all other details listed above of the parent corporate entity (if its offices are registered overseas)
  • The fact that a lease manager (locataire-gérant) or an authorized management agent (gérant-mandataire) is in charge of the company (if applicable)

Email disclaimers: Required

Failure to include these details is punishable by a one-time fine of up to €3,500.

Reference: https://larevue.squirepattonboggs.com/Implementation-in-France-of-European-Directive-2003-58-on-compulsory-corporate-information-on-correspondence_a1025.html

European Union

European Union Directive 2003/58/EC

Similar regulations to the ones listed above have been implemented in all other EU countries in compliance with European Union Directive 2003/58/EC.

Due to their shared origin, they all mandate the inclusion of a common set of details in business correspondence: the company’s name, physical address, place and number of registration, the fact that the company is being liquidated (if applicable), etc.

Email disclaimers: Required

Penalties depend on local regulations.

Reference: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32003L0058:EN:HTML

European Union

General Data Protection Regulation (GDPR)

GDPR replaces European Union Directive 95/46/EC. GDPR, unlike the Directive, applies to all European Union member countries without requiring any additional legislation. The Regulation is a set of requirements ensuring the protection of personal data of EU citizens that is being processed and/or collected by companies (regardless of where they are based). It is important to note here that the monitoring of staff email may be interpreted by legislators as processing of personal data of EU citizens.

Regulations implemented under the GDPR predecessor, European Union Directive 95/46/EC, are currently part of such legislation as: Data Protection Act (United Kingdom), Bundesdatenschutzgesetz (Germany, Eng.: Federal Data Protection Act), Wet bescherming persoonsgegevens (Netherlands, Eng.: Personal Data Protection Act), etc.

GDPR and other personal data-protection-related regulations require that all companies which process personal data inform the primary owner of the data about the following:

  • The data processor’s/collector’s and their representative’s (if present) identities
  • The reason for the collection/processing of the data
  • Third parties involved in the process (if present)
  • Whether supplying personal data is a necessary condition for receiving services
  • Means of directing claims and opting out of the data collection

While this information must be provided prior to the data owner consenting to the process, email disclaimers are commonly accepted as an appropriate medium for providing an unsubscribe link and a link to the company's Privacy Policy.

Email disclaimers: Complementary

Failing to comply with the GDPR may result in a reprimand, temporary or definitive ban on processing and a fine of up to €20 million or 4% of the business’s total annual worldwide turnover.

Reference: What if my company/organization fails to comply with the data protection rules?

EU directive FAQ: https://gdpr.eu/faq/

General data protection regulation – (EU) 2016/679 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2016.119.01.0001.01.ENG&toc=OJ%3AL%3A2016%3A119%3ATOC

Rules for business and organisations. https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations

 

Although types of email disclaimers other than the ones mentioned above rarely have legal standing in the strict sense, they may, in certain instances, be very effective.

Type of disclaimer | Legal status

Trade secret notices

In countries and regions where trade secret regulations are in place, email disclaimers may be used to mark messages containing trade secrets.

Email disclaimers: Complementary

For suggestions for European businesses, see:

Fact Sheet: How to manage confidential business information (section 4.3.5)

Prevention from entering into contracts

The fact that email exchanges can be treated as enforceable contracts is becoming increasingly well known. To avoid contractual obligations where none were intended, companies can append disclaimers to emails that instruct the recipient on the legal status of the email contents and state whether the employee has the authority to enter into a legally binding contract.

Email disclaimers: Complementary

For further details, see:

Are Your Emails Enforceable Contracts?

Confidentiality disclaimers

There are no known regulations concerning the use of confidentiality disclaimers in emails.

However, there have been precedents in US courts, where confidentiality disclaimers tipped the scales one way or the other (see the “Email Disclaimers: Legal Effect in American Courts” article linked below).

Furthermore, confidentiality disclaimers can be employed in a persuasive capacity, informing the recipient (intended or not) of the confidential nature of the information contained in the email and advising on preferred behavior. Note, however, that the common practice of placing confidentiality disclaimers at the very bottom of emails has been criticized as “an attempt to close the barn door after the horse has bolted”.

Email disclaimers: Complementary

For further details, see:

Email Disclaimers: Legal Effect in American Courts

Email Confidentiality Disclaimers: Annoying but Are They Legally Binding?

 

Further reading

Law vs. email disclaimers: overview of existing international legislation

 

PART 3: How (to add email disclaimers to your company mail)

Below you will find instructions on setting up company-wide email disclaimers on popular email platforms (as indicated, in cases of some platforms the steps are identical).

Note: If you are adding multiple pieces of automatic content to emails, you may need to adjust their order or priority to achieve the desired effect.

Office 365 / Exchange 2019 / Exchange 2016 / Exchange 2013

Starting from Exchange 2013, Microsoft fused all server management features, previously contained in the Exchange Management Console and Exchange Control Panel, into one web-based interface - the Exchange admin center.

At this point, the email disclaimer management mechanism available through the Exchange admin center is identical across Exchange 2013, Exchange 2016 and Exchange Online. It allows for prepending and appending emails with content generated using HTML code, as well as with users’ data pulled from Active Directory.

Some of its limitations include the inability to insert disclaimers beneath latest messages in email conversations, not displaying the disclaimers in Sent Items folders, etc.

  1. In Exchange admin center go to mail flow, rules.
  2. Click the plus button and select Apply disclaimers….
  3. In the resulting window, configure the Apply this rule if… setting (one of the options is [Apply to all messages]), click Enter text… to provide the text of the disclaimer and Select one… to select the fall back action.
    Note: To prepend the disclaimer, in the same window, click More options… , expand the Do the following… menu, highlight Apply a disclaimer to the message… and choose prepend a disclaimer.
  4. If needed, define additional settings, and click OK.
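
The same rule can also be created with the New-TransportRule cmdlet in the Exchange Management Shell or an Exchange Online PowerShell session. The following is an added example, not part of the original guide; the rule name, company details and disclaimer wording are placeholders.

```powershell
# Added example: scripted equivalent of the "Apply disclaimers..." rule above.
# Rule name, company details and wording are placeholders, not from the guide.

# HTML disclaimer. %%DisplayName%% and %%Title%% are filled in from the
# sender's Active Directory attributes when the rule fires.
$disclaimerHtml = @'
<hr>
<p style="font-size:8pt;color:#666666">
%%DisplayName%%, %%Title%%<br>
EXAMPLE LTD (placeholder) | Registered office: PLACEHOLDER ADDRESS<br>
If you are not the intended recipient, please notify the sender and delete this message.
</p>
'@

$rule = @{
    Name                        = 'Company disclaimer - outbound'
    # Condition ("Apply this rule if..."): recipients outside the organization.
    SentToScope                 = 'NotInOrganization'
    # Append places the text at the bottom; use Prepend to put it at the top.
    ApplyHtmlDisclaimerLocation = 'Append'
    ApplyHtmlDisclaimerText     = $disclaimerHtml
    # Fallback when the body cannot be modified (for example signed or
    # encrypted mail):
    #   Wrap   - deliver the original as an attachment to a new message
    #            that carries the disclaimer
    #   Ignore - deliver the original without a disclaimer
    #   Reject - return the message to the sender in an NDR
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'
    # Skip messages that already contain the disclaimer so replies in a
    # conversation do not accumulate copies. The phrase sits on a single
    # line of the HTML above so that it matches as typed.
    ExceptIfSubjectOrBodyContainsWords = 'not the intended recipient'
    # Rules run in priority order (0 is first); adjust this if other rules
    # also add content to the message.
    Priority                    = 0
}

New-TransportRule @rule

# Confirm what was stored before relying on the rule.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, Mode, Priority,
                ApplyHtmlDisclaimerLocation,
                ApplyHtmlDisclaimerFallbackAction
```

The fallback action is the setting that decides what happens to signed or encrypted mail, so choose it deliberately: Wrap changes how the recipient sees the original message, Ignore lets mail leave without the disclaimer, and Reject blocks delivery.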


Exchange 2010 / Exchange 2007

In both Exchange 2007 and Exchange 2010, you can manage email disclaimers using the Exchange Management Console. However, while the steps to do this are identical on the two platforms, the features differ slightly: Exchange 2010 allows for using HTML code and Active Directory variables to generate the content that will be added to emails; Exchange 2007 supports only static text with a narrow range of formatting options.

The limitations are the same in both cases. They include the lack of options to insert disclaimers within email conversations, display them in users’ Sent Items folders in email clients, embed images in disclaimers, etc.

  1. In Exchange Management Console, expand Organization Configuration and click Hub Transport.
  2. In the middle section click the Transport Rules tab and in the Actions pane on the right, click New Transport Rule…
  3. Complete the steps of the New Transport Rule wizard. In the Actions step, check the append disclaimer text… action and configure it according to your needs.
    Note: To prepend the disclaimer, in this step, click append and change it to prepend.
  4. Click New and Finish.


Google Workspace (G Suite)

In Google Workspace, you can centrally manage server-level disclaimers using the Google Admin console. The mechanism is very basic: it only allows for adding the disclaimer at the very bottom of an email chain, the disclaimer does not show up in Sent Items folders in email clients, and the formatting and content insertion options are limited.

  1. In Google Admin console go to Apps.
  2. Next, click the G Suite card.
  3. Then, access the Gmail advanced settings by clicking Gmail.
  4. Find the Append footer option and click Configure.
  5. In the Add setting window design your disclaimer and decide if it should be also added to messages being sent within your organization.


Disclaimer via VBS script distributed using GPO

This method is popular in organizations that are unable to set up server-level disclaimers. Other than that, it is recommended only if you cannot do without disclaimers being displayed when a user composes a new email in Microsoft Outlook.

Its drawbacks include: lack of control over the disclaimer after it has been deployed, including no guarantee that the end user will not modify or remove it; the need to deploy the disclaimer anew any time a change needs to be introduced; support for Microsoft Outlook only.

  1. Prepare your VBS script, test it in Outlook and save it to a VBS file.
  2. Open the Group Policy Management console (e.g. by running gpmc.msc in Windows Run command).
  3. In the left pane of the Group Policy Management console, expand the domain you want the script to apply to and Group Policy Objects.
  4. Right-click Default Domain Policy and click Edit…
  5. Expand User Configuration, Policies, Windows Settings and click Scripts (Logon/Logoff).
  6. In the pane on the right, double-click the Logon entry. In the resulting Logon Properties window, click Show Files…, add your script to the Logon folder and click OK.
  7. Next, in the same window, click Add… and in the resulting Add a Script window, click Browse… and select the file with your script.
  8. Leave the Script Parameters field empty and OK your way back.
