diff --git a/app/logical/user_deletion.rb b/app/logical/user_deletion.rb
index d74d6ba56..572b81694 100644
--- a/app/logical/user_deletion.rb
+++ b/app/logical/user_deletion.rb
@@ -74,5 +74,9 @@ class UserDeletion
     if user.is_admin?
       errors.add(:base, "Admins cannot delete their account")
     end
+
+    if user.is_banned?
+      errors.add(:base, "You cannot delete your account if you are banned")
+    end
   end
 end
diff --git a/app/policies/email_address_policy.rb b/app/policies/email_address_policy.rb
index 57d8e03ae..2f8ee8da2 100644
--- a/app/policies/email_address_policy.rb
+++ b/app/policies/email_address_policy.rb
@@ -9,7 +9,7 @@ class EmailAddressPolicy < ApplicationPolicy
 
   def update?
     # XXX here record is a user, not the email address.
-    record.id == user.id
+    record.id == user.id && !user.is_banned?
   end
 
   def verify?
diff --git a/test/functional/emails_controller_test.rb b/test/functional/emails_controller_test.rb
index ec6ad52d0..91a8e3f1e 100644
--- a/test/functional/emails_controller_test.rb
+++ b/test/functional/emails_controller_test.rb
@@ -105,6 +105,16 @@ class EmailsControllerTest < ActionDispatch::IntegrationTest
       assert_enqueued_email_with UserMailer, :email_change_confirmation, args: [@user], queue: "default"
       assert_equal(true, @user.user_events.email_change.exists?)
     end
+
+    should "not allow banned users to change their email address" do
+      create(:ban, user: @user, duration: 1.week)
+      put_auth user_email_path(@user), @user, params: { user: { password: "password", email: "abc@ogres.net" }}
+
+      assert_response 403
+      assert_equal("bob@ogres.net", @user.reload.email_address.address)
+      assert_no_emails
+      assert_equal(false, @user.user_events.email_change.exists?)
+    end
   end
 
   context "with the incorrect password" do
diff --git a/test/unit/user_deletion_test.rb b/test/unit/user_deletion_test.rb
index b89c45306..9c386ae7f 100644
--- a/test/unit/user_deletion_test.rb
+++ b/test/unit/user_deletion_test.rb
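Review bot: The new `is_banned?` branch in UserDeletion gives no reason why a banned account must be kept, and its message is written in a different voice from the admin message three lines above ("You cannot delete your account…" versus "Admins cannot delete their account"). A short why-comment above the check would help the next maintainer, for example `# Banned users must not be able to remove the account the ban is attached to` — that rationale is my inference, so confirm it before committing it to a comment. If the wording is aligned to `"Banned users cannot delete their account"`, the matching assertion in test/unit/user_deletion_test.rb must change in the same commit. The enclosing method starts before this hunk, so I cannot see whether the password check runs before or after these validations.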
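Review bot: `record.id == user.id && !user.is_banned?` in EmailAddressPolicy#update? denies the change whenever the ban predicate is true, which is correct only if `is_banned?` reflects a currently active ban rather than any ban ever recorded; if expired bans leave it true, a formerly banned user would be locked out of email changes indefinitely. That depends on the User model, which is outside this hunk, so it is worth confirming rather than assuming. The existing `# XXX here record is a user` comment now also leaves the new rule undocumented; a line such as `# Banned users may not change their email address (UserDeletion applies the matching rule to account deletion).` keeps the two checks visibly linked.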
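Review bot: The new `put_auth` line in emails_controller_test.rb closes the params hash as `}}`, which the community style (and RuboCop's Layout/SpaceInsideHashLiteralBraces) writes as `} }`; the change is `params: { user: { password: "password", email: "abc@ogres.net" } }`. The expected address `"bob@ogres.net"` and `@user` come from setup outside this hunk, so the test silently depends on that fixture not changing. The `assert_equal(false, …)` form matches the sibling test above, so it is fine to keep for consistency, though `assert_not` would read more naturally.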
@@ -26,6 +26,15 @@ class UserDeletionTest < ActiveSupport::TestCase
         assert_includes(@deletion.errors[:base], "Admins cannot delete their account")
       end
     end
+
+    context "for a banned user" do
+      should "fail" do
+        @user = create(:banned_user)
+        @deletion = UserDeletion.new(@user, "password", @request)
+        @deletion.delete!
+        assert_includes(@deletion.errors[:base], "You cannot delete your account if you are banned")
+      end
+    end
   end
 
   context "a valid user deletion" do
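Review bot: The new "for a banned user" test only checks that an error message was recorded after `@deletion.delete!`; it never verifies that the account itself survived, so a regression where the validation runs but the deletion proceeds anyway would still pass. Add a `@user.reload` after `delete!` and assert on whatever field the deletion normally clears, mirroring how the controller test in this commit asserts the persisted email address is unchanged. This test also uses the `:banned_user` factory while the controller test builds the ban with `create(:ban, user:, duration: 1.week)`; whether both produce an active ban depends on factory definitions outside this diff.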