Disclaimer. This summary is intended solely for informational purposes and is not intended to constitute legal advice. This is not intended to be an exhaustive summary of all issues and requirements relating to the topics discussed. If you have any questions about any of these issues you should contact your legal counsel.
Introduction. Using existing technology (referred to herein as a “Technology”), companies are able to obtain email addresses of visitors to websites who have not and do not disclose their email address to the website owner. This Summary discusses some of the legal issues relating to use of this technology.
CAN-SPAM
Opt-Out – Not Opt-In. While some jurisdictions outside of the United States (e.g. the European Union and Canada) require an affirmative opt-in in order to send marketing or commercial emails, the US has been, since the passage of CAN-SPAM, an opt-out jurisdiction. This means marketing emails can be sent to recipients unless and until they have opted out of receiving marketing emails from the sender.
Accordingly, a user of the Technology can send emails to email addresses acquired through the Technology provided that the recipient has not previously opted-out to receiving marketing emails from the Technology user / sender.
The sender of marketing emails acquired using the Technology should include an unsubscribe link or other opt-out mechanism in all marketing emails and promptly honor all opt-outs.
Other CAN-SPAM compliance tips include:
Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.
Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message.
Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.
Tell recipients where you are located. Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.
Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.
California Consumer Privacy Act (CCPA)
Opt-Out – Not Opt-In. The CCPA contains an opt-out requirement for the sale of personal information, with the exception of the sale of personal information relating to children under the age of 16. (Children aged 13 to 16 must provide opt-in consent for the sale of their personal information. Website owners collecting, using or selling personal information relating to children under the age of 13 must obtain verifiable parental opt-in consent to do so.)
Use of the Technology to acquire email addresses and send emails to those addresses is not selling personal information under the CCPA simply as a result of using the Technology. (Note, however, that a user of the Technology could independently sell email addresses acquired using the Technology, which would require notice and the ability to opt-out of such sales.)
CCPA Notice. One of the primary requirements of the CCPA is the obligation to provide a privacy notice for privacy policy to website visitors complying with the requirements of the CCPA. All of the various notice requirements required under the CCPA are outside the scope of this summary. With respect to the Technology, generally speaking the CCPA requires notice to website visitors if personal information that identifies or can be used to identify them is collected by the website owner, the purposes for collecting and using the personal information, and third parties to whom the personal information is disclosed.
In its CCPA privacy notice, a user of the Technology should disclose and describe that, among other things, the website owner uses tracking technology to collect identifiable information about visitors (e.g., an email address or hashed email address), how it uses the information and that it shares the information with third parties (e.g., with the Technology provider to identify email addresses of visitors). Details will vary depending on the nature of the website and particular Technology used.
Sale of Personal Information. The CCPA is not outright prohibit the sale of personal information. Rather, if a company sells personal information the company must provide notice of this to the consumer and give the consumer at least 2 methods for opting-out of the sale of personal information, one of which must be an interactive webform to opt-out requests.
To avoid a “sale” of personal information triggering the opt-out requirements, the Technology user should permit the Technology provider to use the personal information collected only for the purposes of providing services to the Technology user.
Alternatively, if the Technology user desires to permit the Technology provider or any other third party to use the personal information for their own purposes outside of providing services to the Technology user, the Technology user should comply with the notice and opt-out requirements under the CCPA relating to the sale of personal information (“sale” being defined very broadly under the CCPA).