Email Marketing

Understanding Email Anti-spam Laws in U.S., Canada, E.U.

Most ecommerce merchants understand the value of keeping a list of customers’ email addresses. By keeping such a list, merchants can send targeted, relevant offers to their clients, which can increase revenue and, also, keep customers engaged.

Some merchants rent or purchase lists to increase their marketing reach, while others use inbound marketing tactics, often by providing free information or advice, to entice visitors to leave their email addresses, thereby increasing the size of their list.

With so many options, it is worth revisiting the basic legal issues that surround email marketing.

It is important to draw a distinction between U.S. law and the laws of Canada and the European Union. A brief history of U.S. law helps to illuminate the differences.

U.S. Anti-spam Law

In January 2003, the State of California enacted a set of anti-SPAM statutes that were among the strongest in the nation. Section 17529.2 of the California anti-spam law stated that no person or entity could send, or advertise in, an unsolicited commercial email sent from California, nor could any person or entity send, or advertise in, an unsolicited commercial email sent to a California email address. California law defined an “unsolicited commercial email” as any email that, in the absence of a prior-established business relationship, a recipient did not opt-in to receive.

In response, Congress enacted in 2003 the federal CAN-SPAM Act, which explicitly preempted state laws seeking to ban or regulate email spam. The CAN-SPAM Act makes it unlawful for any person to send a commercial email message unless that email message clearly and conspicuously identifies that it is an advertisement or a solicitation (unless prior consent has been obtained), provides notice to the recipient of her ability to opt-out from further commercial email messages, and lists a valid physical postal address for a sender.

In response, Congress enacted in 2003 the federal CAN-SPAM Act, which explicitly preempted state laws seeking to ban or regulate spam.

Additionally, commercial email senders must honor opt-out requests within 10 business days of receiving them, and U.S. Federal Trade Commission regulations prohibit marketers from charging a fee or imposing other requirements on those who wish to opt out, such as a requirement to provide more information or to listen to a sales pitch.

Opt-out vs. Opt-in

Consequently, U.S. federal law, which preempted the more restrictive California law, now takes an opt-out, as opposed to an opt-in, approach. It is unlikely that an ecommerce merchant will need to worry about these federal requirements because compliance with them is now mostly handled by software created by and built into the services of most commercial email providers. Unless an ecommerce retailer is sending emails through its own servers, most will not have to worry about CAN-SPAM Act compliance.

With that said, the software provided by commercial email service providers only helps to comply with the regulations that apply to the sending of commercial email. These software platforms do not help to comply with the requirements that apply when generating a list.

Under the prior California law, it was unlawful for any person or business to send a commercial email from California or to a California email address if that email address was collected from the Internet or if that address that was obtained by using automated means to randomly generate it. It was also unlawful to use a script or other automated means to create email addresses from which commercial emails would be sent. This made it difficult for email marketers to utilize publicly-available data sources for their marketing efforts or to purchase lists from third party websites.

When the CAN-SPAM Act was adopted, it preempted these California requirements. The CAN-SPAM Act prohibits a person or business entity from sending an email to a recipient’s email address if the person or business entity had actual or implied knowledge that the recipient’s email address was obtained using automated means from a website that stated, in its privacy policy, that it would not give, sell, or otherwise transfer email addresses obtained from its users for the purposes of commercial solicitation.

Similar to California law, the CAN-SPAM Act also prohibits a person or business from sending an email to a recipient’s email address if that address was obtained by using automated means to randomly generate it. Thus, under federal law, businesses can use publicly available data sources on the Internet to support their email marketing efforts if those data sources do not explicitly prohibit the use of email addresses within their privacy policies.

Canada and Europe

All of this is very different from the law in Canada and the European Union. Under Canadian law, the sender of a commercial email must obtain permission from its recipient before it is allowed to send the email. According to the Canadian government, any email sent to or from a Canadian computer or network must comply with this rule. Under E.U. law, commercial emails may be sent only to recipients who have provided prior consent — those who have opted-in. Under E.U. law, a previously existing business relationship can be considered prior consent, or opt-in, as long as a means of opting out is provided and each commercial email message concerns similar products or services provided by the same company.

Privacy Policy

What does all of this mean? For best practices, businesses should adopt a privacy policy that explicitly and conspicuously notifies their visitors that, upon submission of their email address to the website, those addresses may be used for the purpose of commercial solicitation. This privacy policy should not only comply with U.S. federal law, but also take into account U.S. state law, Canadian law, and E.U. law if the business makes sales to consumers within those jurisdictions.

When sending commercial email solicitations, ecommerce retailers should use reputable email providers or, if sending through their own servers, ensure that they are complying with the law of all applicable jurisdictions. And if a retailer is obtaining emails from a public data source without opt-in, be sure, if possible, to target only U.S. customers.

Keeping these general tips in mind should go a long way to avoiding compliance hassles. As always, however, consult an attorney for an analysis of your specific situation.

John Di Giacomo
John Di Giacomo
Bio   •   RSS Feed


x