Legal Overview of the CAN-SPAM Act Requirements

The CAN-SPAM Act, as enforced by the Federal Trade Commission (FTC), mandates compliance for all commercial electronic mail messages. Under this Act, a commercial message is defined as any electronic mail message whose primary purpose is the advertisement or promotion of a commercial product or service. This definition encompasses all emails that promote content on a commercial website.

The CAN-SPAM Act has 8 main requirements:

  1. Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.
  2. Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message.
  3. Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.
  4. Tell recipients where you’re located. Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.
  5. Tell recipients how to opt out of receiving future marketing email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting marketing email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all marketing messages from you. Make sure your spam filter doesn’t block these opt-out requests.
  6. Remember that subscribers and members can opt out of marketing emails, too. Recipients of emails from a sender that runs a subscription service or membership program still have the right to opt out of marketing messages from you. While you don’t need to get members’ consent to send them marketing emails, subscribers and members don’t lose their ability to opt out of marketing emails from you simply because they have a subscription or membership. Before sending a message without an unsubscribe link to subscribers or members, be sure that the primary purpose of the message fits within one of the five categories of “transactional or relationship” message set out in the Act. If it doesn’t, you need to include a way for recipients to opt out of further marketing messages from you.
  7. Honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.
  8. Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.

Each separate email in violation of the CAN-SPAM Act is subject to penalties of up to $51,744, so non-compliance can be costly. But following the law isn’t complicated.

CALIFORNIA PRIVACY LAWS

California Privacy Rights Act (CPRA) amending the California Consumer Privacy Act (CCPA)

The California Privacy Rights Act (CPRA), enacted through a ballot initiative in November 2020, serves as an amendment to the California Consumer Privacy Act (CCPA). This legislative measure not only modifies the existing provisions of the CCPA but also rebrands it as the CPRA. The CPRA introduces enhanced privacy protections for consumers, as detailed below:

  • Opt-Out of Sharing for Targeted Advertising. The CPRA expands consumer rights by including the right to opt out of the sharing of personal information for targeted advertising, also known as “cross-contextual behavioural advertising.” This right applies regardless of whether the sharing involves monetary consideration. The CPRA mandates an opt-out mechanism for both the sharing and sale of personal information, with specific provisions for minors. For children aged 13 to 16, opt-in consent is required for the sale of their personal information. For children under 13, website operators must obtain verifiable parental consent before collecting, using, selling, or sharing their personal information.
    • The CPRA does not impose a blanket prohibition on the sharing of personal information. Instead, it requires companies that share personal information for targeted advertising to notify consumers and provide at least two methods for opting out of such sharing. One of these methods must be an interactive webform for submitting opt-out requests. Additionally, the use of technology to collect email addresses and send emails is considered sharing under the CPRA, necessitating both notice to the consumer and the option to opt out of this sharing.
    • There are certain exclusions from the opt-out requirements for the sharing of personal information. One notable exclusion is when a technology user directs the technology provider to intentionally disclose personal information to one or more third parties. In such cases, the sharing does not trigger the opt-out requirements.
    • If a technology user wishes to allow the technology provider or any third party to use personal information for purposes beyond providing services to the technology user, they must adhere to the CPRA’s notice and opt-out requirements. This includes providing notice to the consumer and offering the ability to opt out of the sharing of personal information for targeted advertising.

CPRA Notice

  • Obligation to Provide Notice: Under the California Privacy Rights Act (CPRA), website owners are required to provide a “Do Not Sell or Share My Personal Information” link that enables a user to opt out of the sharing of a visitor’s personal information. In addition, website owners must provide a privacy notice or privacy policy to website visitors, in compliance with CPRA requirements.
  • Scope of Notice Requirements: This summary does not cover all notice requirements under the CPRA. However, it is important to note that the CPRA generally mandates that website visitors be informed if personal information that identifies or can reasonably be used to identify them is collected.
  • Purpose of Collection: The notice must specify the purposes for which personal information is collected, sold, or shared.
  • Disclosure to Third Parties: The notice must also include the categories of third parties to whom the personal information is disclosed.
  • Vendor Agreements: Pursuant to the California Privacy Rights Act (CPRA), business agreements must include specific language tailored to the nature of the business arrangement between the parties involved.
  • Sale of Personal Information: Although the CPRA does not explicitly prohibit the sale of personal information, the newly defined term “sharing” broadly includes targeted advertising. This separate definition implies that such activities may no longer be classified as sales under the CPRA.
  • Opt-out of Profiling and Automated Decision Making: While the CPRA does not provide detailed provisions on this matter, it grants the Attorney General or the soon-to-be-established California Privacy Protection Agency the authority to promulgate rules governing access and opt-out rights concerning automated decision-making technology, including profiling.

COLORADO PRIVACY LAWS

This section pertains exclusively to residents of Colorado. Under the Colorado Privacy Act (CPA), you are entitled to the following rights. However, these rights are not absolute, and in certain instances, we may lawfully decline your request:

  • Right to Information: You have the right to be informed about whether we are processing your personal data.
  • Right to Access: You have the right to access your personal data.
  • Right to Correction: You have the right to correct any inaccuracies in your personal data.
  • Right to Deletion: You have the right to request the deletion of your personal data.
  • Right to Data Portability: You have the right to obtain a copy of the personal data you previously shared with us.
  • Right to Opt-Out: You have the right to opt out of the processing of your personal data if it is used for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects (“profiling”).

We engage in the sale of personal data to third parties and the processing of personal data for targeted advertising. You have the option to opt out of the sale of your personal data, targeted advertising, or profiling by disabling cookies in the Cookie Preference Settings. To submit a request to exercise any of the other rights described above, please contact us via the Support Portal or the ‘Contact Us’ form.

If we decline to take action regarding your request and you wish to appeal our decision, please contact us again. Within forty-five (45) days of receiving an appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for our decision.

CONNECTICUT PRIVACY LAWS

This section pertains exclusively to residents of Connecticut. Under the Connecticut Privacy Act (CTDPA), you are entitled to the following rights. However, these rights are not absolute, and in certain instances, we may lawfully decline your request:

  • Right to Information: You have the right to be informed about whether we are processing your personal data.
  • Right to Access: You have the right to access your personal data.
  • Right to Correction: You have the right to correct any inaccuracies in your personal data.
  • Right to Deletion: You have the right to request the deletion of your personal data.
  • Right to Data Portability: You have the right to obtain a copy of the personal data you previously shared with us.
  • Right to Opt-Out: You have the right to opt out of the processing of your personal data if it is used for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects (“profiling”).

We engage in the sale of personal data to third parties and the processing of personal data for targeted advertising. You have the option to opt out of the sale of your personal data, targeted advertising, or profiling by disabling cookies in the Cookie Preference Settings. To submit a request to exercise any of the other rights described above, please contact us via the Support Portal or the ‘Contact Us’ form.

If we decline to take action regarding your request and you wish to appeal our decision, please contact us again. Within sixty (60) days of receiving an appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for our decision.

VIRGINIA PRIVACY LAWS

Under the Virginia Consumer Data Protection Act (VCDPA):

  • A “Consumer” is defined as a natural person who is a resident of the Commonwealth of Virginia, acting solely in an individual or household context. This definition explicitly excludes individuals acting in a commercial or employment context.
  • “Personal data” refers to any information that is linked or reasonably linkable to an identified or identifiable natural person. This definition excludes de-identified data and publicly available information.
  • “Sale of personal data” refers to the transfer or disclosure of personal data to a third party in exchange for monetary or other valuable consideration.
  • If this definition of “consumer” is applicable to you, we are required to comply with specific rights and obligations concerning your personal data.

Your rights with respect to your personal data

  • Right to Information: You have the right to be informed about whether we are processing your personal data.
  • Right to Access: You have the right to access your personal data.
  • Right to Correction: You have the right to correct any inaccuracies in your personal data.
  • Right to Deletion: You have the right to request the deletion of your personal data.
  • Right to Data Portability: You have the right to obtain a copy of the personal data you previously shared with us.
  • Right to Opt-Out: You have the right to opt out of the processing of your personal data if it is used for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects (“profiling”).

We engage in the sale of personal data to third parties or process personal data for targeted advertising purposes. Please refer to the following section to learn how you can opt out of the sale or sharing of your personal data for targeted advertising or profiling purposes.

Exercise your rights provided under the Virginia VCDPA

You have the option to opt out of the sale of your personal data, targeted advertising, or profiling by disabling cookies in the Cookie Preference Settings. To submit a request to exercise any of the other rights described above, please contact us via the Support Portal or the ‘Contact Us’ form.

If you are utilizing an authorized agent to exercise your rights, we may deny the request if the authorized agent fails to provide valid proof of their authorization to act on your behalf.

Verification Process

We may request additional information reasonably necessary to verify your identity and your consumer’s request. If you submit the request through an authorized agent, we may need to collect further information to verify your identity before processing the request.

Upon receiving your request, we will respond without undue delay and within forty-five (45) days of receipt. The response period may be extended once by an additional forty-five (45) days when reasonably necessary. We will inform you of any such extension within the initial 45-day response period, along with the reason for the extension.

Notice of Decision and Appeal Process

In the event that we decline to take action on your request, we will provide you with a written notification detailing our decision and the rationale behind it. Should you wish to appeal this decision, you may do so by contacting us through the Support Portal or the ‘Contact Us’ form.

Upon receipt of your appeal, we will review it and, within sixty (60) days, issue a written response outlining any actions taken or not taken in response to your appeal, along with a detailed explanation of the reasons for our decision. If your appeal is denied, you have the right to submit a complaint to the Attorney General.