Email disclaimers:
The What, the Why and the How
Find out what email disclaimers are, what purposes they typically serve in companies and what they may or may not consist of. Learn how email disclaimers are regulated by law in countries around the world and discover methods of deploying them in your organization.
PART 1: What (is an email disclaimer)?
An email disclaimer is a segment of informational text prepended or appended to emails in order to achieve one or more of the below ends:
- Inform about the legal status of emails (e.g. whether they can be used to enter into contracts)
- Reduce the risk of privacy or confidentiality breaches
- Help deal with email interceptions and malicious disclosures
- Comply with laws requiring businesses to provide selected company information
- Notify about collection or screening of data, etc.
- Suggest actions to be avoided or taken on emails and their contents
- Limit the legal impact of emails and their contents.
Most major organizations take steps to ensure that all their emails are stamped with uniform disclaimers. This way they can eliminate end-user oversight and errors, while at the same time maintaining a consistent email layout.
Methods of achieving email disclaimer consistency across an entire organization are discussed in Part 3 of this guide.
PART 2: Why (do you need email disclaimers)?
Apart from use in auxiliary capacities, email disclaimers are often the primary means of fulfilling legal requirements.
Below you will find the most important examples:
NOTE: Information in this article does not constitute legal advice or legal opinions. You should not act or rely on it without first seeking the advice of an attorney.
North America
Country | Regulation | |
---|---|---|
USA | The Health Insurance Portability and Accountability Act (HIPAA) HIPAA is a broad set of regulations related to healthcare and health insurance. One of its titles establishes standards of protection of healthcare information belonging to patients. Businesses, whose internal or outgoing email may potentially include patients’ private health data, should look at email disclaimers as a means of prevention, warning recipients about possible negative ramifications of revealing such information. Email disclaimers: Complementary | |
USA | Gramm-Leach-Bliley Act (GLBA) Compels organizations dealing in finance to take special precautions to ensure the security of customers’ financial records. When financial information is sent via email, disclaimers and other in-message notifications can serve as secondary insurance, instructing recipients about security best practices and warning against the risks related to emailing sensitive data. Email disclaimers: Complementary Reference: https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act | |
Canada | Canada’s Anti-Spam Legislation (CASL) Requires that emails sent to Canadian citizens concerning sales, marketing and other business topics contain information about the sender (be it an individual or company), as well as an easily available mechanism to opt out of receiving such emails in the future. The sender must provide the following details in all commercial correspondence:
Email disclaimers: Required Failure to include these details is punishable by a one-time fine of up to $10,000,000 (Canadian) Reference: https://ised-isde.canada.ca/site/canada-anti-spam-legislation/en |
Europe
Country | Regulation | |
---|---|---|
United Kingdom | The Companies (Trading Disclosures) Regulations 2008 Implemented in accordance with the Companies Act 2006, the regulations require senders based in the UK to feature the following details in business letters:
Email disclaimers: Required Failure to include these details is punishable by a one-time fine of up to £1,000 and a further daily fine of up to £100 until the offence is corrected. Reference: https://www.legislation.gov.uk/uksi/2008/495/pdfs/uksi_20080495_en.pdf | |
Ireland | Companies Act 1963 Senders based in Ireland are obligated to disclose the following information in all business correspondence:
Email disclaimers: Required Failure to include these details is punishable by a one-time fine of up to €2,000 and a further daily fine of up to €100 until the offence is corrected. Reference: https://www.irishstatutebook.ie/eli/2007/si/49/made/en/pdf | |
Germany | Gesetz über elektronische Handelsregister und Genossenschaftsregister The sender must feature the following details in commercial correspondence:
Email disclaimers: Required Failure to include these details is punishable by a one-time fine of up to €5,000. Reference: https://www.internetrecht-rostock.de/email-pflichtangaben.htm | |
France | French Commercial Code (Article R 123-237) Senders must feature the following details in all corporate correspondence:
Email disclaimers: Required Failure to include these details is punishable by a one-time fine of up to €3,500. | |
European Union | European Union Directive 2003/58/EC Similar regulations to the ones listed above have been implemented in all other EU countries in compliance with European Union Directive 2003/58/EC. Due to the shared origin, they all mandate the inclusion of a common set of details in business correspondence: the company’s name, physical address, place and number of registration, (if applies) the fact that the company is being liquidated, etc. Email disclaimers: Required Penalties depending on local regulations Reference: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32003L0058:EN:HTML | |
European Union | General Data Protection Regulation (GDPR) GDPR replaces European Union Directive 95/46/EC. GDPR, unlike the Directive, applies to all European Union member countries without requiring any additional legislation. The Regulation is a set of requirements ensuring the protection of personal data of EU citizens that is being processed and/or collected by companies (regardless of where they are based). It is important to note here that the monitoring of staff email may be interpreted by legislators as processing of personal data of EU citizens. Regulations implemented under the GDPR predecessor, European Union Directive 95/46/EC, are currently part of such legislation as: Data Protection Act (United Kingdom), Bundesdatenschutzgesetz (Germany, Eng.: Federal Data Protection Act), Wet bescherming persoonsgegevens (Netherlands, Eng.: Personal Data Protection Act), etc. GDPR and other personal data-protection-related regulations require that all companies which process personal data inform the primary owner of the data about the following:
While this information must be provided prior to the data owner consenting to the process, email disclaimers are commonly accepted as an appropriate medium for providing an unsubscribe link and a link to the company's Privacy Policy. Email disclaimers: Complementary Failing to comply with the GDPR may result in a reprimand, temporary or definitive ban on processing and a fine of up to €20 million or 4% of the business’s total annual worldwide turnover. What if my company/organization fails to comply with the data protection rules? EU directive FAQ: https://gdpr.eu/faq/ General data protection regulation – (EU) 2016/679 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2016.119.01.0001.01.ENG&toc=OJ%3AL%3A2016%3A119%3ATOC Rules for business and organisations. https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations
|
Other types of disclaimers
Although types of email disclaimers other than the ones mentioned above rarely have legal standing in the strict sense, they may, in certain instances, be very effective.
Type of disclaimer | Legal status | |
---|---|---|
Trade secret notices | In countries and regions where trade secret regulations are in place, email disclaimers may be used to mark messages containing trade secrets. Email disclaimers: Complementary For suggestions for European businesses, see: Fact Sheet: How to manage confidential business information (section 4.3.5) | |
Prevention from entering into contracts | The fact that email exchanges can be treated as enforceable contracts is becoming increasingly well known. To avoid contractual obligations where none were intended, companies can append emails with disclaimers that inform the recipient of the legal status of the email contents and state whether the employee has the authority to enter into a legally binding contract. Email disclaimers: Complementary For further details, see: | |
Confidentiality disclaimers | There are no known regulations concerning the use of confidentiality disclaimers in emails. However, there have been precedents in US courts, where confidentiality disclaimers tipped the scales one way or the other (see the “Email Disclaimers: Legal Effect in American Courts” article linked below). Furthermore, confidentiality disclaimers can be employed in a persuasive capacity, informing the recipient (intended or not) of the confidential nature of the information contained in the email and advising on preferred behavior. Note, however, that the common practice of placing confidentiality disclaimers at the very bottom of emails has been criticized as “an attempt to close the barn door after the horse has bolted”. Email disclaimers: Complementary For further details, see: Email Disclaimers: Legal Effect in American Courts Email Confidentiality Disclaimers: Annoying but Are They Legally Binding? |
Further reading
Law vs. email disclaimers: overview of existing international legislation
PART 3: How (to add email disclaimers to your company mail)
Below you will find instructions on setting up company-wide email disclaimers on popular email platforms (as indicated, in cases of some platforms the steps are identical).
Note: If you are adding multiple types of automatic content to emails, you may need to adjust their order or priority to achieve the desired effect.
Office 365 / Exchange 2019 / Exchange 2016 / Exchange 2013
Starting from Exchange 2013, Microsoft fused all server management features, previously contained in the Exchange Management Console and Exchange Control Panel, into one web-based interface - the Exchange admin center.
At this point, the email disclaimer management mechanism available through the Exchange admin center is identical across Exchange 2013, Exchange 2016 and Exchange Online. It allows for prepending and appending emails with content generated using HTML code, as well as with users’ data pulled from Active Directory.
Some of its limitations include the inability to insert disclaimers beneath latest messages in email conversations, not displaying the disclaimers in Sent Items folders, etc.
Implementation
- In Exchange admin center go to mail flow, rules.
- Click the plus button and select Apply disclaimers….
- In the resulting window, configure the Apply this rule if… setting (one of the options is [Apply to all messages]), click Enter text… to provide the text of the disclaimer and Select one… to select the fallback action.
  Note: To prepend the disclaimer, in the same window, click More options…, expand the Do the following… menu, highlight Apply a disclaimer to the message… and choose prepend a disclaimer.
- If needed, define additional settings, and click OK.
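The same rule can be created from the Exchange Management Shell or an Exchange Online PowerShell session. The script below is an added example, not part of the original guide: it scopes the disclaimer to mail leaving the organization, skips messages that already carry it, sets the fallback action and starts the rule in audit mode. The rule name, disclaimer wording and company name are placeholders.

```powershell
# Added example. Rule name, wording and company name are placeholders.
$ruleName = 'Outbound legal disclaimer'           # hypothetical rule name
$marker   = 'This message is intended only for'   # phrase used to detect an existing disclaimer

# HTML disclaimer. %%DisplayName%% and %%Title%% are replaced with the
# sender's Active Directory attributes when the rule fires.
$disclaimerHtml = @"
<hr>
<p style="font-size:8pt;color:#666666">
$marker the addressee and may contain confidential information.
If you received it in error, notify the sender and delete it.<br>
%%DisplayName%% | %%Title%% | Example Company Ltd (placeholder)
</p>
"@

$settings = @{
    FromScope                          = 'InOrganization'     # internal senders only
    SentToScope                        = 'NotInOrganization'  # external recipients only
    ApplyHtmlDisclaimerLocation        = 'Append'             # or 'Prepend'
    ApplyHtmlDisclaimerText            = $disclaimerHtml
    # Fallback when the body cannot be modified (e.g. signed or encrypted mail):
    # Wrap = original message attached to a new message carrying the disclaimer,
    # Ignore = deliver without disclaimer, Reject = return to sender.
    ApplyHtmlDisclaimerFallbackAction  = 'Wrap'
    # Prevents the disclaimer from stacking up on every reply in a conversation.
    ExceptIfSubjectOrBodyContainsWords = $marker
    # Audit = log rule matches in message tracking without changing any mail.
    Mode                               = 'Audit'
}

# Create the rule, or update it if it already exists.
if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Set-TransportRule -Identity $ruleName @settings
} else {
    New-TransportRule -Name $ruleName @settings
}

# Review rule order; rules that add content are applied in priority order.
Get-TransportRule | Sort-Object Priority |
    Format-Table Priority, Name, State, Mode -AutoSize

# After confirming the audit results, switch the rule on:
# Set-TransportRule -Identity $ruleName -Mode Enforce
```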
For further details, see:
- Microsoft Office 365
- Microsoft Exchange Server 2019
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2013
Exchange 2010 / Exchange 2007
In both Exchange 2007 and Exchange 2010, you can manage email disclaimers using the Exchange Management Console. However, while the steps to do this are identical on the two platforms, the features differ slightly: Exchange 2010 allows for using HTML code and Active Directory variables to generate the content that will be added to emails; Exchange 2007 supports only static text with a narrow range of formatting options.
The limitations are the same in both cases. They include the lack of options to insert disclaimers within email conversations, display them in users’ Sent Items folders in email clients, embed images in disclaimers, etc.
Implementation
- In Exchange Management Console, expand Organization Configuration and click Hub Transport.
- In the middle section click the Transport Rules tab and in the Actions pane on the right, click New Transport Rule…
- Complete the steps of the New Transport Rule wizard. In the Actions step, check the append disclaimer text… action and configure it according to your needs.
  Note: To prepend the disclaimer, in this step, click append and change it to prepend.
- Click New and Finish.
Google Workspace (G Suite)
In Google Workspace, you can centrally manage server-level disclaimers using the Google Admin console. The mechanism is very basic: it only allows for adding the disclaimer at the very bottom of an email chain, the disclaimer does not show up in Sent Items folders in email clients, and the formatting and content insertion options are conservative.
Implementation
- In Google Admin console go to Apps.
- Next, click the G Suite card.
- Then, access the Gmail advanced settings by clicking Gmail.
- Find the Append footer option and click Configure.
- In the Add setting window design your disclaimer and decide if it should be also added to messages being sent within your organization.
Disclaimer via VBS script distributed using GPO
This method is popular in organizations that are unable to set up server-level disclaimers. Other than that, it is recommended only if you cannot do without disclaimers being displayed when a user composes a new email in Microsoft Outlook.
Its drawbacks include: lack of control over the disclaimer after it has been deployed, including no guarantee that the end user will not modify or remove it; the need to deploy the disclaimer anew any time a change needs to be introduced; support for Microsoft Outlook only.
Implementation
- Prepare your VBS script, test it in Outlook and save it to a VBS file.
- Open the Group Policy Management console (e.g. by running gpmc.msc from the Windows Run command).
- In the left pane of the Group Policy Management console, expand the domain you want the script to apply to and Group Policy Objects.
- Right-click Default Domain Policy and click Edit…
- Expand User Configuration, Policies, Windows Settings and click Scripts (Logon/Logoff).
- In the pane on the right, double-click the Logon entry. In the resulting Logon Properties window, click Show Files…, add your script to the Logon folder and click OK.
- Next, in the same window, click Add… and in the resulting Add a Script window, click Browse… and select the file with your script.
- Leave the Script Parameters field empty and OK your way back.