Email Marketing in the US: How to Comply With the Law
There’s still no federal privacy law in the US, but an important consumer protection law regulates how companies send marketing emails. New state laws might also impact your company’s email marketing activities.
This article will answer some common questions about US email marketing regulation and break the law down into seven simple rules. We’ll also look at how privacy laws in California and Virginia could impact your email marketing campaigns.
Complying With CAN-SPAM: The US Federal Email Marketing Law
The main email-related law in the US is the Controlling the Assault of Non-Solicited Pornography And Marketing (“CAN-SPAM”) Act of 2003.
CAN-SPAM (which might have been better acronymised as “CAN’T-SPAM”) sets some important rules for email marketers—and comes with hefty penalties attached.
The Federal Trade Commission (FTC) can fine a company that violates CAN-SPAM $50,120 (€47,320) per non-compliant email (this figure is regularly adjusted for inflation and is correct as of February 2023).
Does CAN-SPAM Require Consent For Marketing Emails?
No, CAN-SPAM does not require businesses to obtain consent before sending marketing emails. In fact, no US federal law requires consent for marketing emails.
What Is a Marketing Email Under CAN-SPAM?
CAN-SPAM applies where an email’s “primary purpose” is commercial. This applies where the subject line and the majority of the message relate to the promotion of products, services, or promotional content.
Except for “rule 1” (see below), CAN-SPAM’s provisions do not apply to “transactional or relationship” emails, such as messages about updated terms of use or sales receipts.
Transactional emails can contain some marketing material—as long as their primary purpose is not commercial.
Does CAN-SPAM Apply to Business-to-Business Marketing Emails?
Yes, CAN-SPAM applies equally to business-to-business (B2B) and business-to-consumer (B2C) emails. The law makes no distinction between these two types of marketing emails.
Can I Buy or Sell Email Lists Under CAN-SPAM?
CAN-SPAM doesn’t cover the buying or selling of lists of people’s email addresses. However, other US state laws might stop you from buying or selling email addresses. We’ll consider these laws below.
Legal obligations aside, there are other good reasons to avoid buying or selling email addresses:
- Many email service providers, such as MailChimp and Substack, prohibit users from importing email addresses unless they have obtained affirmative consent from each individual.
- People may be surprised or upset to receive marketing emails from a company with whom they have no direct relationship. This can damage your company’s reputation and may lead to your marketing emails being “spam” filtered.
- You could be liable for data breaches affecting email addresses you have bought or sold.
Seven Email Marketing Rules Under CAN-SPAM
CAN-SPAM’s requirements can be broken down into seven essential rules for email marketing.
1. Use Accurate Header Information
CAN-SPAM requires marketing emails to contain accurate header information, defined as the “source, destination, and routing information, including the originating domain name and email address.
This means that the “From”, “To”, and “Reply-To” fields, plus the email’s routing information and originating domain and email address, must accurately identify your company as the sender.
Note that this rule applies to transactional emails as well as marketing emails (unlike CAN-SPAM’s other rules).
2. Write Clear and Honest Subject Lines
CAN-SPAM prohibits “deceptive subject lines”. The law says that an email’s subject line must not mislead the recipient about a “material fact” regarding the contents of the email.
Whether a subject line is misleading is context-dependent. Here are some examples of potentially deceptive email subject line practices:
- Pretending that the recipient has won a prize or is eligible for an exclusive discount.
- Using “RE:” or “FWD:” to falsely imply that the email is part of an ongoing conversation.
- Falsely stating that the email is “urgent” or “important”.
- Using language such as “About Your Order” when the email doesn’t relate to a recipient’s order.
Increasing your “open rate” via compelling subject lines is an essential part of email marketing. There’s no rule against writing enticing subject lines - just be honest about what the email contains.
3. Always Disclose Ads
Under CAN-SPAM, marketing emails must contain a “clear and conspicuous” indication that the message is an “advertisement or solicitation”.
The law doesn’t specify how marketers must disclose that their message is an ad. The FTC notes that you have “a lot of leeway” around how to do this.
This rule is closely related to the previous rule around deceptive subject lines. You don’t need to use the word “ad” or “advertisement” in the subject line. If the email is headed “Discounts On All Products”, it’s reasonably clear that the message is an ad.
4. Provide a Valid Mailing Address
Marketing emails must include “a valid physical postal address of the sender”.
In 2008, the FTC clarified that a “valid physical address” can include an official US Post Office Box, or a private mailing box registered with an agency established under Postal Service regulations.
5. Provide a Clear Unsubscribe Option
All marketing emails must include a “clear and conspicuous” way to opt out of receiving further messages from the sender.
Your unsubscribe mechanism might be: “Reply to this email with ‘unsubscribe’ if you don’t want to receive marketing emails from us in future”.
You can also provide an “unsubscribe” link. The target page should allow the recipient to opt out of all marketing emails. You can enable the recipient to opt out of some types of emails and not others—but the recipient should be able to cease all marketing emails via a single web page.
6. Process Opt-Outs Efficiently
CAN-SPAM specifies how you must process unsubscribe requests:
- You must stop sending the recipient marketing emails within 10 business days of receiving an opt-out request.
- You must ensure your reply address can receive unsubscribe requests for at least 30 days from the date of the marketing email.
- You can’t charge a fee.
- You can’t request any personal information beyond the recipient’s email address.
- You can’t require the recipient to take any additional steps.
Once a recipient has opted out, you can’t use, sell, or share their email address for any reason other than CAN-SPAM compliance.
7. Monitor Your Email Marketing Providers
You can use a service provider for email marketing. But you are responsible for the actions of any third party running email marketing campaigns on your behalf.
Make sure you have an agreement with any email marketing service provider that requires compliance with CAN-SPAM and any other relevant laws.
Try Wide Angle Analytics!
Other US Laws Impacting Email Marketing
In addition to CAN-SPAM, your email marketing activities might be impacted by two state privacy laws (plus three similar laws arriving throughout 2023).
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA), amended in January 2023 by the California Privacy Rights Act (CPRA) applies to your business if it meets one or more of the following criteria:
- It has gross annual revenues of over $25 million.
- It buys, sells, or shares personal information about 100,000 or more California residents or households.
- It derives at least 50% of its annual revenues from selling or sharing personal information about California residents.
The CCPA doesn’t directly regulate email marketing. However, several of the CCPA’s rules are relevant to email marketing activities.
- The CCPA’s “right to know” requires you to inform consumers about how you collect, use, and share personal information, including for email marketing purposes.
- Before sharing email addresses with an email service provider, you may require a “service provider agreement” obliging the company to comply with the CCPA.
- The CCPA enables consumers to opt out of the “sale” or “sharing” of their personal information. This is a broad provision that could cover email marketing-related activities (including, of course, the selling of email lists).
- The CCPA’s “right of access”, “right to correct”, and “right to delete” apply to personal information you have collected for email marketing purposes.
- The CCPA’s “purpose limitation” provision may affect whether you can use a person’s email address for marketing purposes if you have collected the address for unrelated purposes.
- The CCPA requires you to implement “reasonable security measures” to protect personal information, including email addresses, obtained for the purpose of marketing.
The CCPA initially excluded certain business-to-business activities. However, this exemption expired in January 2023. All the above considerations apply to B2B email marketing—as long as the relevant email addresses are considered “personal information”.
Virginia Consumer Data Protection Act (VCDPA)
The Virginia Consumer Data Protection Act (VCDPA) took effect in January 2023. The law applies if your business:
- Controls or processes personal data about at least 100,000 Virginia consumers per calendar year, or
- Controls or processes personal data about at least 25,000 Virginia consumers per calendar year AND derives over 50 percent of gross revenue from the sale of personal data.
Like California’s CCPA, the VCDPA does not address email marketing directly. However, several of the law’s provisions also apply to email marketing activity.
While the VCDPA is different from the CCPA in many important ways, the Virginia law’s impact on email marketing is substantially similar. All of the CCPA’s email marketing considerations (above) also apply to businesses covered by the VCDPA.
Several VCDPA “copycat” laws will take effect in Colorado, Connecticut, and Utah throughout 2023. These laws will also impact email marketing similarly to Virginia’s law.