Most of the industry has it wrong. It is not enough to comply with just the federal CAN-SPAM Act. The majority of individual states also have strict laws regulating unsolicited commercial email originating in or coming into their state. It is widely believed that the CAN-SPAM Act preempts all of these, but it doesn’t. Penalties can be severe, with fines as high as $1,000,000!
This is serious business, as some states have become very aggressive in recent years and have successfully prosecuted violators to the tune of millions of dollars and have even jailed some violators. While most in the industry know that the CAN-SPAM Act carries steep fines of $16,000 per email sent in a non-compliant campaign, they mistakenly believe that they only need to comply with this one federal law. In fact, we estimate that around three dozen states also have their own laws governing different aspects of email marketing practices, ranging from email address harvesting to privacy to opt-in/opt-out requirements (CAN-SPAM has no opt-in requirement) to fraud and more. While many state laws or parts thereof were indeed pre-empted by CAN-SPAM for the sake of uniform compliance, this goes out the window for laws that states have enacted under their Computer Crimes, Fraud, Privacy and other statutes that are apart from their general anti-spam statutes governing commercial email originating from their state or being sent to email addresses of individuals residing in their state.
Many of these laws carry huge fines and also permit private parties who received a non-compliant email to sue for large damages. Likewise, in some states, Internet Service Providers whose systems received the non-compliant emails are also granted the right to sue under similar statutes. Some or all of the penalties are often set by statute and can also be very large.
Although the federal law does not require an opt-in process or mechanism, it does have strict requirements for providing an opt-out process and mechanism. Some states, however, require both. Such standard industry practices as opting in a customer or trade show lead who dropped a business card into a fishbowl requesting more information do not meet the legal definition of “opt-in” in certain states. These states also fail to recognize an “opt-in” as compliant when it comes from a third-party list (rented, purchased, licensed, swapped or appended), as they require express opt-ins, using clear and conspicuous language, made directly to the sender. These specific laws hold that an opt-in is no longer valid when an email list is transferred to a third party. While some states will recognize an opt-in as compliant if the email addressee agreed to language on a website to receive offers from partners, this is not the case in all states, and where it is, very specific language and other requirements apply.
The bottom line is that having an email address with the website address and date/time stamp of the opt-in, and/or a representation from a data source or swap partner that the list they are providing is opt-in, is not going to get you off the hook if a complaint leads to an investigation by regulators or to a lawsuit by a private party where a state has granted that right to sue. Making this more concerning, some states hold the sender the advertisement is for, the ESP that broadcast the message, the list source and even the consultants and developers of the creative co-liable. It does not matter who made the decisions, who designed the non-compliant template or wrote the message, or who provided the list or broadcast the email.
So, if most of the industry, including the major trade associations, has it wrong, how do you get the information you need to comply? That’s where we come in! While we are not a law firm, and would strongly recommend seeking qualified legal counsel in this important area, we can review your current practices, advise you where we interpret you to be in non-compliance and give you recommendations to help you comply universally. We can also alert you to which states are the most aggressive, with the heaviest penalties for non-compliance, so you can decide if it will even be possible for you to comply with their legal requirements or if you want to avoid emailing into or from those specific states.