Federal Law 38-FZ on Advertising and email marketing in Russia

Federal Law No. 38-FZ "On Advertising" dated 13 March 2006 is the main statute governing commercial mailings in Russia. Article 18 applies directly to email marketing: it prohibits sending advertising over electronic communication networks without the recipient’s prior consent.

The law has been in force for nearly two decades, but its application to email still generates questions. Where is the line between an informational message and advertising? What consent wording holds up? How do you document that permission was actually given?

What counts as advertising

38-FZ defines advertising as information distributed by any means, addressed to an indefinite circle of persons, and intended to draw attention to an advertised object. In practice: if a message contains an offer of goods, a service, or a discount, it is advertising.

Transactional messages are not advertising: order confirmations, receipts, delivery notifications, password resets, two-factor authentication codes, and information about the terms of an already-signed contract. Add a “You might also like” block to any of those, though, and the message becomes advertising.

The grey area is informational digests and educational content. Russia’s Federal Antimonopoly Service (FAS) assesses each case individually. Messages that link to commercial pages or mention products can be classified as advertising. Pure editorial content without commercial elements is less likely to be.

What Article 18 requires for consent

Part 1 of Article 18 is direct: advertising may be distributed over electronic communication networks only with the prior consent of the subscriber or addressee. The word “prior” matters. Consent comes first, the message comes second.

The law does not prescribe a specific form. Consent can be written, submitted through an online form, or verbal. It must be:

• Explicit: the person takes an active step. A pre-ticked checkbox does not qualify.
• Informed: the person understands what they are agreeing to. “By clicking, you agree to everything” will be a weak argument in a dispute.
• Provable: if FAS audits you, you must produce evidence: the signup date, IP address, and the exact text of the consent form at that moment.

Double opt-in is not a formal legal requirement, but it makes proof much easier. A click on the confirmation link creates a clear audit trail that is difficult to dispute.

Burden of proof

Part 2 of Article 18 is unambiguous: the burden of proving consent falls on the advertising distributor. If FAS receives a complaint, the recipient does not have to prove they never subscribed. You have to prove they did.

The practical implication is that every signup needs a log. The minimum record contains: email address, date and time of signup, source URL, IP address, and the exact consent wording in effect at that moment. If the form changes, all versions need to be kept. The retention period is the entire duration of the mailing plus three years, which is the statute of limitations under the Russian Code of Administrative Offences (CoAO).

Right to withdraw

The law requires that sending stop immediately after an opt-out request. For email this means: an unsubscribe link in every promotional message, and the unsubscribe action must work without delays, questionnaires, or login requirements.

If someone clicks “unsubscribe” and then receives another message two days later with a note saying “we will process your request within 10 business days”, that is a violation. Removal must be immediate.

Fines and FAS enforcement

Violating Article 18 is prosecuted under Article 14.3 of the CoAO. Fines for legal entities run from 100,000 to 500,000 rubles per incident. For individual officials the range is 4,000 to 20,000 rubles.

The typical enforcement sequence: a recipient files a complaint through the FAS website and attaches a screenshot of the message. FAS requests proof of consent from the sender. No proof, fine. A single complaint about a single message can be enough to trigger this.

Separately, recipients can sue in civil court for moral damages. Awards are usually modest (1,000 to 5,000 rubles), but litigation creates operational and reputational costs that far exceed the damages themselves.

Relationship to Federal Law 152-FZ on personal data

38-FZ is not the only law in play. Federal Law No. 152-FZ "On Personal Data" governs the collection and storage of email addresses. An email address is personal data under Russian law, and processing it requires a separate legal basis.

When you collect email addresses, you are simultaneously processing personal data. That requires: a privacy policy on your website, notification to Roskomnadzor (via pd.rkn.gov.ru), and consent to data processing. You can combine this with mailing consent in a single form, but the wording has to cover both actions clearly.

Federal Law 149-FZ "On Information" also touches on mailing in terms of sender identification: every message must make clear who sent it. Anonymous bulk mail violates this. Companies reaching EU audiences face GDPR on top of all this; US audiences bring CAN-SPAM into scope. For mailings within Russia, 38-FZ and 152-FZ are the core pair.

Common mistakes

Purchased lists. Buying an email list does not transfer the subscribers’ consent to the buyer. Those people agreed (if they agreed at all) to hear from the list vendor, not from you. Sending to a purchased list violates Article 18.

Partner mailings. A “we share data with partners” clause in a privacy policy is not consent to receive mail from those partners. Each advertising distributor must obtain consent independently.

B2B addresses. The law makes no exception for corporate email addresses. Sending an unsolicited proposal to info@company.ru is the same violation as sending to a personal inbox. The belief that B2B “doesn’t count” has no basis in the statute.

Existing customers. Unlike GDPR’s “soft opt-in,” which allows sellers to market similar products to people who have already purchased, 38-FZ contains no equivalent exemption. In Russia, even an active customer must give separate consent for promotional mailings.

Practical recommendations

• Use a separate checkbox for mailing consent. Do not bundle it with personal data processing consent or terms of service acceptance.
• Log every signup with full detail: timestamp, IP address, form URL, and the consent wording in effect at that moment. Automate this.
• Implement double opt-in. It is not a legal requirement, but it is the strongest evidence you can produce in a FAS review.
• Make unsubscribing one click. The List-Unsubscribe header simplifies the process for both recipients and their email clients.
• Clean your list regularly to remove invalid and inactive addresses. Sending to non-existent mailboxes does not directly violate 38-FZ, but it damages sender reputation and raises bounce rates.
• Include the company’s full legal name and contact details in every message. Both 38-FZ and 152-FZ require this.