Are Email Addresses Confidential Data?

By: Absolute Team | 11/8/2017

There are many laws, agreements and regulations that govern the use and protection of personal data. These laws and regulations vary between countries, states—even industries. It is challenging to understand how each piece of data you collect is affected by various laws. Email addresses are often identified as sensitive personal information in various regulations, but it’s not always clear-cut whether email addresses should be treated strictly as confidential. The answer often comes down to context, geography, and intent.

GDPR and Email: Strict and Clear Rules

GDPR (EU General Data Protection Regulation) came into effect in May 2018 and it impacts any organization that handles the personal data of European Union residents (and U.K. residents during the post-Brexit transition). This means that nearly every company in the world needs to comply with GDPR (see “Yes, GDPR Applies to You”), which is why the GDPR-mandated cookie notices are displayed on websites around the world.

We all do business with the EU, so we all must comply.

GDPR unified and clarified the patchwork of privacy rules throughout the EU, giving everyone a single set of guidelines to follow. One of the most important parts of GDPR governs how email addresses are sought, collected, used and protected. GDPR defines personal data as:

“Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer’s IP address.” – EU GDPR definition of Personally Identifiable Information

Meaning, yes, email addresses are in this case confidential information. Under GDPR, email addresses can only be collected through explicit opt-in, with a requirement to keep a record of consent. Explicit opt-in means a check box asking if you would like to receive additional emails from a company must be unchecked by default, so someone must explicitly check the box to opt in. You must also make sure you keep and track the record of consent—often handled by your email marketing software—and be able to remove email addresses from your system on request. If you haven’t updated how your email marketing and CRM systems manage and track subscriptions in the past two years, you need to review those systems to ensure the email addresses you hold meet consent minimums.

Under GDPR, email addresses are considered confidential and must be used and stored within strict privacy and security guidelines. For more information specific to GDPR compliance, we invite you to read our whitepaper or listen to our webcast.

[Image caption: The volume of sensitive data found on endpoints continues to grow as more people work and learn from home in the midst of the COVID-19 outbreak. Our weekly-updated dashboard provides the numbers and outlines the implications.]

NIST Definitions

In the United States, the National Institute of Standards and Technology (NIST) defines personally identifiable information (PII) in their guide. In this document, PII is defined as:

Any information about an individual maintained by an agency, including:

  1. any information that can be used to distinguish or trace an individual’s identity

  2. any other information that is linked or linkable to an individual

While email addresses fall under the NIST definition of PII, does that mean that they are also considered confidential data? In this case, context actually matters. The NIST guide outlines a framework in which the confidentiality of PII should be protected based on its impact level. Email addresses, then, may be treated differently depending on the situation. Sometimes they are confidential, sometimes not. To get more in depth, read the guide here.

Following NIST guidelines may not be sufficient to cover you under California’s CCPA privacy law, CIPA for education, or any of the other privacy laws taking shape. NIST might have a sliding scale based on impact, but CCPA and CIPA do not.


In both the U.S. and Canada there are regulations that specifically cover email. In the U.S., CAN-SPAM, regulated by the Federal Trade Commission (FTC), aims to reduce the amount of spam people receive and to levy fines against violators. In Canada, Canada’s anti-spam law (CASL) protects Canadian consumers “against spam, electronic threats and the misuse of digital technology while ensuring businesses remain competitive in a global digital marketplace.” In many respects, CASL is stricter than CAN-SPAM and more akin to GDPR in protecting email addresses.

The CASL website has several suggestions for steps individuals can take to protect their email addresses:

  • Use your primary email address only with trusted personal or business contacts
  • Create a secondary email address to use for online activities. These could include filling out forms, signing up for mailing lists or joining online forums
  • If you must post your email address on a website, make sure not to use the @ symbol. Instead use a format that spells out all symbols in the address (e.g. jane at myDomain dot com). This will help obfuscate your email address from potential spambots.

However, these suggestions do not relieve companies of their responsibility—like with GDPR—to understand how email addresses are collected and used across the organization. CASL still requires companies to get explicit opt-in and to track how email addresses are stored and how those lists are protected from abuse.

Absolute and Achieving Compliance

You can learn more about regulatory compliance in our regulatory compliance post, with information on the wide range of regulations and how to stay compliant with them.

Absolute helps you achieve your compliance goals with solutions tailored to a range of regulations. These solutions leverage our patented self-healing Persistence technology, which is embedded in the firmware of more than 500 million endpoint devices and provides you unbreakable endpoint monitoring and protection capabilities. Learn more about Absolute’s self-healing endpoint security and how we can help you protect sensitive data – including email addresses – across all your endpoints.
