Understanding Email Anti-spam Legislation in U.S., Canada, E.U.

Most ecommerce merchants understand the value of maintaining a list of clientsemail addresses. By keeping such a list, merchants can send targeted, relevant offers to their customers, which can increase revenue and, also, keep clients engaged.

Some merchants rent or buy lists to improve their marketing reach, while others use inbound marketing strategies, frequently by providing free advice or information, to lure visitors to leave their email addresses, thereby increasing the size of the listing.

With so many possibilities, it’s worth revisiting the fundamental legal problems that surround email advertising.

It’s important to draw a distinction between U.S. law and the laws of Canada and the European Union. A concise history of U.S. law will help to illuminate the gaps.

U.S. Anti-spam Law

In January 2003, the State of California enacted a set of anti-SPAM exemptions which were among the strongest in the nation. Section 17529.2 of the California anti-spam law said that no individual or entity could send, or promote in, an unsolicited commercial email sent from California, nor could any individual or entity send, or promote in, an unsolicited commercial email sent to a California email address. California law defined an”unsolicited commercial email” as any email that, in the absence of a prior-established business relationship, a receiver did not opt-in to get.

In response, Congress enacted in 2003 the national CAN-SPAM Act, which explicitly preempted state legislation seeking to prohibit or regulate email spam. The CAN-SPAM Act makes it unlawful for any individual to send a commercial email message unless email message clearly and logically explains it is an advertisement or a solicitation (unless prior permission has been obtained), provides notice to the receiver of her capacity to opt-out from further commercial email messages, and lists a valid physical postal address for a sender.

In response, Congress enacted in 2003 the national CAN-SPAM Act, which explicitly preempted state laws seeking to prohibit or regulate spam.

Furthermore, commercial email senders must honor opt-out requests within 10 business days of receiving them, and U.S. Federal Trade Commission regulations prohibit marketers from charging a commission or imposing different requirements on those who would like to opt out, including a requirement to provide more info or to listen to a sales pitch.

Opt-out vs. Opt-in

Consequently, U.S. federal law, which preempted the restrictive California law, now requires an opt-out, as opposed to an opt-in, approach. It’s not likely that an ecommerce merchant will have to be worried about these national requirements because compliance with them is now largely handled by software created by and constructed to the services of most commercial email providers. Unless an ecommerce merchant is sending emails via its own servers, most will not need to think about CAN-SPAM Act compliance.

That said, the software supplied by commercial email providers only will help to abide by the regulations that apply to the sending of commercial email. These software platforms don’t help to follow the requirements that apply when creating a list.

Under the previous California law, it was unlawful for any person or company to send a commercial email from California or to a California email address if this email address was collected from the web or if this speech that was obtained by utilizing automated means to randomly create it. It was also unlawful to use a script or other automated ways to make email addresses from which commercial mails could be sent. This made it hard for email marketers to use publicly-available data sources for their marketing efforts or to buy lists from third party sites.

When the CAN-SPAM Act was adopted, it preempted these California requirements. The CAN-SPAM Act prohibits a person or business entity from sending an email to a recipient’s email address when the individual or business entity had actual or implied knowledge that the recipient’s email address was obtained utilizing automated means from a web site that said, in its privacy policy, it wouldn’t give, sell, or otherwise transfer email addresses obtained from its customers for the purposes of commercial solicitation.

Very similar to California law, the CAN-SPAM Act also prohibits a person or company from sending an email to a recipient’s email address if that address was obtained by utilizing automated means to randomly create it. Thus, under federal law, companies can utilize publicly available data sources on the world wide web to support their email marketing efforts if these data sources don’t explicitly prohibit the use of email addresses in their privacy policies.

Canada and Europe

All This is very different from the law in Canada and the European Union. Under Canadian law, the sender of a commercial email must obtain permission from its receiver before it’s permitted to send the email. According to the Canadian authorities, any email sent to or by a Canadian computer or network must comply with this rule. Under E.U. law, commercial emails could be sent only to recipients who have provided prior consent — people who’ve opted-in. Under E.U. law, a previously existing business relationship could be considered prior consent, or opt-in, so long as a way of opting out is provided and every commercial email message questions similar goods or services supplied by the exact same company.

Privacy Policy

What does all this mean? For best practices, companies should adopt a privacy policy that explicitly and conspicuously informs their customers that, upon entry of the email address to the site, those addresses could be used for the purpose of commercial solicitation. This privacy policy should not just comply with U.S. federal law, but also take into account U.S. state law, Canadian law, and E.U. law when the company makes sales to customers within those jurisdictions.

When sending commercial email solicitations, ecommerce retailers must use reputable email suppliers or, if sending through their own servers, ensure they are complying with the law of applicable authorities. And if a merchant is getting emails from a public data source without opt-in, make sure, if possible, to target just U.S. customers.

Keeping these general tips in mind should go a long way to preventing compliance hassles. As always, however, consult a lawyer to get an analysis of your particular situation.