Stay Compliant: 4 Anti-Spam and Data Privacy Laws That Impact Email Marketing

Estimated Reading Time: 9 Minutes, 56 Seconds ∙ 1,988 Words *

Email marketing is Finagle’s law: anything that can go wrong will, and at the worst possible time. You, for example, build a quintuple-digit email list of lead magnet action takers, webinar attendees, and course students. Then somebody reports to their national authority that they never consented to receive your business’s weekly emails. Now you’ve got a stress headache and a sizeable fine to pay for the infringement, and worse, you gauged their interest at a networking event and didn’t know you needed separate consent. Here are a few international anti-spam, privacy, and data protection laws you’ve got to know about to stay out of trouble with email marketing.

Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM)

CAN-SPAM is an American law regulating spam and establishing guidelines for commercial email. It’s old, the oldest of the four. It was signed into law on December 16, 2003, and took effect on January 1, 2004. Simply put, it sets standards for commercial email (the Federal Communications Commission applies matching rules to commercial text messages sent to mobile phones) and requires you to be honest and transparent: accurate “From” and header information, non-deceptive subject lines, and a valid physical postal address (a street address, a registered post office box, or a private mailbox) in every message, so folks know who is emailing them and how to opt out of future emails. This is a big deal. Once somebody opts out, you must honor it within ten business days, you can’t charge a fee or ask for anything beyond an email address to process it, and you can’t sell or transfer the opted-out address to anyone else, except to a vendor helping you comply.

CAN-SPAM is an anti-spam law protecting Americans. Some spammers send unsolicited commercial emails and text messages; others harvest and sell or trade email addresses or phone numbers; yet others do both. Let’s call a thing a thing: commercial means ad. Commercial emails advertise or promote products or services. You’ve got to call an ad an ad, and you can’t dress up an ad as a transactional or relationship message (a receipt, a shipping notice, an account update) to dodge the rules; the FTC looks at the message’s primary purpose. The law sets the standard for receiving, reading, and opting out of commercial email. The Federal Trade Commission (FTC) completed a review of the CAN-SPAM rule on February 12, 2019, and voted to keep it unchanged.

The FTC enforces CAN-SPAM, and the civil penalty for a violation, such as failing to “clearly and conspicuously” identify a message whose primary purpose is advertising or solicitation as an ad, is up to $46,517 per email (the figure is adjusted for inflation, so check the FTC’s current number). Each separate email in violation counts as a separate violation. And, worse, aggravated violations such as falsifying header information or harvesting addresses can be criminal offenses, yep, jail time. A public enforcement action can also cause reputational damage. You can avoid the fines, the jail, and the embarrassment altogether by checking your “From,” “To,” and “Reply-To” fields, subject lines and preview text, and content; keeping your postal address up to date; and managing your opt-outs.

Learn more about CAN-SPAM →

Canada’s Anti-Spam Legislation (CASL)

CASL is a Canadian law regulating spam and related electronic threats (malware, phishing, address harvesting) and establishing guidelines for commercial electronic messages. It’s new, relatively new. It received Royal Assent on December 15, 2010, and came into force on July 1, 2014. It succeeded the Electronic Commerce Protection Act (ECPA), an earlier bill that died on the order paper, and amended the Personal Information Protection and Electronic Documents Act (PIPEDA), the Competition Act, and the Telecommunications Act. It’s like CAN-SPAM in setting standards for commercial emails and text messages, but CASL also covers commercial messages sent to instant messaging and social networking accounts. You’ve got to get consent for those too. And you must keep a record of permissions, including when, where, and how you collected each consent, because the burden of proving consent is on you, the sender.

CASL is an anti-spam law protecting Canadians. It’s the most hardheaded anti-spam law. CASL is all about express or implied consent. Businesses sending messages to potential or existing customers need consent before the first message goes out, not just an opt-out link afterward. It’s about location, not citizenship or residency: CASL applies to any commercial electronic message sent from, or accessed on, a computer system located in Canada, whether the sender is domestic or foreign. A Toronto-based business emailing Torontonians is covered, and so is an American business texting Nova Scotians. In practice, that means you treat any address or number you have reason to believe belongs to somebody in Canada as a CASL contact.

The Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau, and the Office of the Privacy Commissioner of Canada (OPC) enforce CASL. The non-compliance penalty for a CASL violation, such as sending unsolicited or misleading commercial electronic messages (CEMs), is an administrative monetary penalty of up to CA$1 million per violation for individuals and CA$10 million per violation for businesses. CASL also contains a Private Right of Action that would let recipients sue senders for actual damages plus statutory damages of up to CA$200 per violation, capped at CA$1 million per day. It was scheduled to take effect on July 1, 2017, but the Canadian government suspended it on June 2, 2017, and it has not been brought into force, so for now enforcement rests with the three agencies above.

Learn more about CASL →

General Data Protection Regulation (GDPR)

GDPR is a European Union regulation governing how personal data is collected, stored, used, and managed across the EU member states (and, through the EEA agreement, Norway, Iceland, and Liechtenstein). It’s new. It was adopted on April 27, 2016, and has applied since May 25, 2018. Simply put, it requires you to be clear and plain about your processes and policies for collecting and using folks’ data. Consent is one of six lawful bases for processing, and when you rely on it for email marketing you’ve got to get separate consent for each purpose you’re collecting somebody’s email address for. You’ve, for example, got to get a “Yep, give me this free guide” and a separate “Absolutely, send me time-sensitive deals,” not one bundled checkbox. And the consent must be “freely given, specific, informed and unambiguous” and indicated “by a statement or by a clear affirmative action,” so pre-ticked boxes and silence don’t count.

GDPR is a data protection law protecting folks’ personal data (names, surnames, birth dates or ages, personal email addresses, IP addresses, home addresses, city and region, and biometric data) in the EU member states. It’s about where the person is, not citizenship or residency. GDPR applies to any business established in the EU, and to businesses outside the EU that offer goods or services to, or monitor the behaviour of, people who are in the EU. They can be French citizens who opt in to attend your webinar next week. They, too, can be American citizens visiting Paris who opt in for your lead magnet. Since Brexit, the UK has its own UK GDPR, which keeps the same core rules, so a subscriber in London gets the same protections under a separate law.

Each EU member state’s data protection authority enforces GDPR, for example the CNIL in France and the Data Protection Commission in Ireland, with the European Data Protection Board coordinating cross-border cases; the Information Commissioner’s Office (ICO) enforces the UK GDPR. The non-compliance fine for a GDPR violation such as breaching “the basic principles for processing,” “the conditions for consent,” or “the data subjects’ rights” is up to €20 million or 4% of your total worldwide annual turnover for the preceding financial year, whichever is higher. Fines apply to large and small businesses alike. You can reduce the risk by assessing what data you process and on what lawful basis, who has access to it, what you do with it, how you protect it, and how and when you delete it. Processing for archiving in the public interest, scientific or historical research, or statistical purposes gets specific derogations under Article 89, but it isn’t a blanket exception from the rules.

Learn more about GDPR →

California Consumer Privacy Act (CCPA)

CCPA is an American, specifically Californian, law regulating how businesses handle the consumer data, including email addresses, of California residents. It’s new, well, the newest. It was signed into law on June 28, 2018, and took effect on January 1, 2020; the California Privacy Rights Act (CPRA) then amended and expanded it, with most changes effective January 1, 2023. It grants folks certain rights over their personal information and places obligations on businesses that collect or process that information. It requires you to be transparent about your data collection practices and inform folks about the categories of personal information collected and the purposes for which it’s used. You’ve got to tell folks whether their personal information is being sold or shared with third parties and give them the opportunity to opt out of such practices.

CCPA is a privacy law protecting the personal information of Californians. It beefs up privacy rights, gives Californians more control over their personal information, and puts the squeeze on businesses that handle their data. It gives folks the right to know what info is being collected, how it’s used, and whether it’s sold or shared with others. It, too, gives them the right to give a thumbs-down to the sale or sharing of their data, to correct it, and to demand access to or deletion of their info, with a few exceptions. Businesses must spill the beans about their data collection and handling methods in clear and easily accessible privacy notices, and they’ve got to protect personal info from unauthorized access, disclosure, or misuse with reasonable security.

The California Attorney General’s Office (OAG) enforces the CCPA, and since 2023 so does the California Privacy Protection Agency (CPPA), the agency the CPRA created; either can impose fines for violations. The CCPA applies to for-profit businesses that do business in California and meet at least one threshold: annual gross revenue above $25 million; buying, selling, or sharing the personal information of 100,000 or more California consumers or households a year; or earning half or more of their revenue from selling or sharing personal information. If businesses drop the ball and fail to comply, they could face hefty fines and potential legal trouble, including a private right of action for consumers whose data is exposed in a breach caused by poor security. Businesses need to grasp their obligations, take the necessary measures to toe the line, and be ready to handle consumer requests for their info to avoid getting caught with their pants down. The non-compliance fine for a CCPA violation like selling personal data without honoring an opt-out is up to $2,500 per unintentional violation or $7,500 per intentional violation or violation involving a minor’s data.

Learn more about CCPA →

There’s a heap of privacy and anti-spam regulation beyond CAN-SPAM in America, CASL in Canada, GDPR in the European Union, and CCPA in California. In the EU, the Directive on Privacy and Electronic Communications (the ePrivacy Directive) is the law that actually governs marketing email consent, and each member state implements it in national law: the Law on Information Society Services and e-Commerce (LSSI) in Spain, the Telecommunications Act in the Netherlands, the Data Protection Code in Italy, Article L. 34-5 of the Postal and Electronic Communications Code in France, and the Federal Data Protection Act and the Act Against Unfair Competition in Germany. Outside the EU there’s the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR) in the UK and the Spam Act 2003 in Australia. Some regulations are in place, and others are still in discussion.

And their rules differ. All these laws require consent before you send marketing email, except CAN-SPAM, which only requires a working opt-out. CASL requires consent, but the consent can be express or implied. Express consent is clear (“Yes, I want this checklist, and here’s my email address; I typed in my email address, or I ticked the box”) and it doesn’t expire until the person withdraws it; the box has to be unticked by default, because a pre-ticked box isn’t consent under CASL. Implied consent rests on an existing business relationship (“I bought your eBook, and here’s my email address to send me a receipt”) and expires two years after a purchase or six months after a product or service inquiry; each new transaction restarts the clock. You can get express consent orally, electronically, or in writing, but you have to be able to prove it, so log the date, the source, and the wording. CCPA doesn’t require opt-in consent for marketing email at all; it requires that you let folks refuse, say “nah,” to the sale or sharing of their email addresses.
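As an added illustration (not code from the original post), here are the CASL consent rules above, plus the CAN-SPAM ten-business-day opt-out window from the CAN-SPAM section, as a small consent ledger in Python. The addresses, dates, and source strings are constructed; the calendar-month arithmetic, the strict “valid up to but not including the expiry date” reading, and the Monday-to-Friday business-day rule with a caller-supplied holiday list are assumptions of this example, not anything the statutes spell out.

```python
"""Consent bookkeeping for a mailing list: CASL express/implied consent expiry
and the CAN-SPAM ten-business-day opt-out deadline.

Added illustration, not code from the original post. Assumptions (labelled
below): "two years" and "six months" are calendar months; consent is valid
up to, but not including, its expiry date; a business day is Monday to Friday
minus whatever holidays the caller passes in.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Iterable, Optional


class ConsentKind(Enum):
    EXPRESS = "express"            # CASL express consent: never expires unless withdrawn
    IMPLIED_PURCHASE = "purchase"  # CASL implied consent from a purchase: 2 years
    IMPLIED_INQUIRY = "inquiry"    # CASL implied consent from an inquiry: 6 months


# Assumption: implied-consent windows expressed in calendar months.
IMPLIED_MONTHS = {
    ConsentKind.IMPLIED_PURCHASE: 24,
    ConsentKind.IMPLIED_INQUIRY: 6,
}


@dataclass(frozen=True)
class ConsentRecord:
    address: str
    kind: ConsentKind
    obtained_on: date
    source: str                          # where/how it was collected (CASL wants this on file)
    withdrawn_on: Optional[date] = None  # date of unsubscribe, if any


def _add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day (Aug 31 + 6 months -> Feb 28/29)."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def consent_expiry(rec: ConsentRecord) -> Optional[date]:
    """First day on which the record no longer authorises mail; None = no expiry."""
    if rec.kind is ConsentKind.EXPRESS:
        return None
    return _add_months(rec.obtained_on, IMPLIED_MONTHS[rec.kind])


def casl_may_send(records: Iterable[ConsentRecord], address: str, today: date) -> bool:
    """True if at least one unexpired, unwithdrawn consent exists for the address.

    An unsubscribe withdraws consent for the address as a whole, so a single
    withdrawn record blocks every other record for that address. Implied
    consent "renews with each transaction" simply because each purchase
    creates a fresh record with a later expiry.
    """
    mine = [r for r in records if r.address.lower() == address.lower()]
    if any(r.withdrawn_on is not None and r.withdrawn_on <= today for r in mine):
        return False
    for rec in mine:
        expiry = consent_expiry(rec)
        if expiry is None or today < expiry:
            return True
    return False


def can_spam_opt_out_deadline(requested_on: date, holidays: Iterable[date] = ()) -> date:
    """Last day to honour a CAN-SPAM opt-out: ten business days after the request.

    Assumption: business days are Mon-Fri excluding the caller's holiday list;
    the request day itself does not count.
    """
    skip = set(holidays)
    remaining, day = 10, requested_on
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5 and day not in skip:
            remaining -= 1
    return day


# Constructed sample ledger (hypothetical addresses, dates and sources).
SAMPLE_LEDGER = [
    ConsentRecord("ana@example.com", ConsentKind.EXPRESS, date(2021, 1, 5), "webinar signup form"),
    ConsentRecord("ben@example.com", ConsentKind.IMPLIED_PURCHASE, date(2022, 3, 31), "ebook order #1"),
    ConsentRecord("ben@example.com", ConsentKind.IMPLIED_PURCHASE, date(2023, 11, 15), "ebook order #2"),
    ConsentRecord("cai@example.com", ConsentKind.IMPLIED_INQUIRY, date(2023, 8, 31), "contact form"),
    ConsentRecord("dee@example.com", ConsentKind.EXPRESS, date(2020, 6, 1), "checklist opt-in",
                  withdrawn_on=date(2024, 1, 1)),
]


def mailable_addresses(records: Iterable[ConsentRecord], today: date) -> list[str]:
    """Addresses the ledger currently authorises, sorted for stable output."""
    recs = list(records)
    return sorted({r.address for r in recs if casl_may_send(recs, r.address, today)})


if __name__ == "__main__":
    today = date(2024, 6, 1)
    print("mailable on", today, "->", mailable_addresses(SAMPLE_LEDGER, today))
    print("opt-out received 2024-05-31 must be honoured by",
          can_spam_opt_out_deadline(date(2024, 5, 31)))
```

A withdrawn record blocks every other record for that address, which mirrors the rule that an unsubscribe withdraws consent outright rather than just one grant of it. If your consents live in a database, the same two checks (any withdrawal for the address, then any unexpired grant) translate directly into a query, and the `source` column is what you hand to the CRTC when asked to prove consent.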

This blog post offers a high-level, plain-language view of CAN-SPAM, CASL, GDPR, and CCPA. It isn’t legal advice, and you shouldn’t treat it as such; it’s legal information and education. Legal advice describes the law and how statutes, case law, and legal principles apply to your particular situation. Legal information describes the law and how it applies in general situations. If you’ve got questions or concerns or need clarification, visit the websites linked above to learn about the rights, legislation, national authorities, and standard contractual clauses involved, and then consult a lawyer.

*Read time is the time an average person takes to read a piece of text while maintaining reading comprehension silently. Based on the meta-analysis of hundreds of studies involving over 18,000 participants, an adult’s average silent reading speed is approximately 238 words per minute (Marc Brysbaert, 2019).

References

Brysbaert, M. (2019). How many words do we read per minute? A review and meta-analysis of reading rate. Journal of Memory and Language, 109, 104047. https://doi.org/10.1016/j.jml.2019.104047

Canadian Radio-Television and Telecommunications Commission. (2020, November 11). Frequently asked questions about Canada’s anti-spam legislation. https://crtc.gc.ca/eng/com500/faq500.htm

European Union. (2022). Data protection in the EU. https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Federal Trade Commission. (2022, September). CAN-SPAM Act: A Compliance Guide for Business. https://www.ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business

Office of the Attorney General. (2023, May 10). California Consumer Privacy Act (CCPA). https://oag.ca.gov/privacy/ccpa


Not sure whether you comply with CAN-SPAM, CASL, GDPR, and CCPA? Take the Email Compliance: Are You in the Zone? Quiz. It’ll take you fewer than five minutes.


Author: Kenyana David, MBA, DBA(c), is the founder of 81Eighteen™, LLC and the creator of the Fe-Mail Marketing for Entrepreneurs (FEMME) Academy™. She's Cornell University certified in Women's Entrepreneurship and HubSpot certified in email marketing, inbound, inbound sales, inbound marketing, content marketing, frictionless sales, and social media marketing.