COMPLIANCE

Disclaimer

This is not intended to be an exhaustive summary of all issues and requirements relating to the topics discussed. If you have any questions about any of these issues, you should contact your legal counsel.

Introduction

Using existing technology (referred to herein as a “Technology”), companies are able to obtain email addresses of visitors to websites who have not disclosed, and do not disclose, their email address to the website owner. This Summary discusses some of the legal issues relating to the use of this technology.

CAN-SPAM

Email Harvesting

CAN-SPAM prohibits email harvesting, which is generally defined as obtaining email addresses from a website using an automated means when the website has a notice stating that the operator of the website will not give, sell, or otherwise transfer email addresses maintained by the website for the purposes of allowing others to send emails to the address.

Thus, the Technology should not collect or provide email addresses to users of the Technology if those email addresses were acquired from a website that prohibits email address harvesting.

Opt-Out – Not Opt-In

While some jurisdictions outside of the United States (e.g., the European Union and Canada) require an affirmative opt-in in order to send marketing or commercial emails, the US has been, since the passage of CAN-SPAM, an opt-out jurisdiction. This means marketing emails can be sent to recipients unless and until they have opted out of receiving marketing emails from the sender.

Accordingly, a user of the Technology can send emails to email addresses acquired through the Technology provided that the recipient has not previously opted out of receiving marketing emails from the Technology user / sender.

A sender of marketing emails to addresses acquired using the Technology should include an unsubscribe link or other opt-out mechanism in all marketing emails and promptly honor all opt-outs.

Other CAN-SPAM Compliance Tips

  • Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.
  • Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message.
  • Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.
  • Tell recipients where you are located. Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.
  • Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.

OPT-OUT AND COMPLYING WITH THE CAN-SPAM ACT

Disclaimer

If you have questions about complying with the CAN-SPAM Act, you should contact your legal counsel.

Introduction

The CAN-SPAM Act of 2003 establishes requirements for companies that send commercial emails. The law covers email whose primary purpose is advertising or promoting a commercial product or service, including content on a website. A "transactional or relationship message" – an email that facilitates an agreed-upon transaction or updates a customer in an existing business relationship – may not contain false or misleading routing information but is otherwise exempt from most provisions of the Act. Violations of the Act can result in civil fines and criminal liability. The Act applies to consumer and business recipients and makes no exceptions for business-to-business emails.

Commercial Emails v. Transactional or Relationship Emails

The requirements of the CAN-SPAM Act differ based on whether the email is (1) a "commercial" email or (2) a "transactional or relationship email." An email is "commercial" if the primary purpose of the email is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose). A "transactional or relationship" email facilitates a commercial transaction (e.g., purchase of products or services) that the recipient has previously entered into or provides information relating to a product or service already purchased by the recipient from the sender, such as warranty or recall information or account balances. Most requirements and prohibitions of the Act apply only to commercial messages, but the Act does prohibit both commercial and transactional / relationship messages from containing false or misleading routing information (e.g., the source, destination, originating email address, "from" line, etc.).

Prior Consent / Opt-In Not Required. Opt-Out Mechanisms and Procedures.

Prior express consent or opt-in consent is not required in order to send commercial emails. Commercial emails may not, however, be sent to recipients who have opted out or unsubscribed from receiving commercial emails from the sender.

Opt-Out Rather than Opt-In: While some jurisdictions outside of the United States (e.g. the European Union and Canada) require opt-in in order to send marketing or commercial emails, the US has been an opt-out jurisdiction since the passage of CAN-SPAM. This means marketing emails can be sent to recipients unless and until they have opted out of receiving marketing emails from the sender.

Opt-Out and CAN-SPAM Act Compliance

Disclaimer

This section provides information on the requirements set forth in Section 7704(a)(3) of the Act, which mandates the inclusion of an opt-out or unsubscribe mechanism in marketing messages:

Section 7704(a)(3) - Inclusion of Return Address or Comparable Mechanism

In general, it is unlawful for any person to initiate the transmission of a commercial electronic mail message to a protected computer that does not contain a functioning return electronic mail address or other Internet-based mechanism. This mechanism must be clearly and conspicuously displayed, allowing the recipient to submit a reply electronic mail message or other form of Internet-based communication to request not to receive future commercial electronic mail messages from that sender. The mechanism must remain capable of receiving such messages or communications for at least 30 days after the transmission of the original message.

Opt-Out Requirements

Section 7704(a)(4) of the Act outlines the opt-out requirements:

Section 7704(a)(4) - Prohibition of Transmission After Objection

If a recipient requests not to receive some or any commercial electronic mail messages from a sender using the mechanism provided pursuant to Section 7704(a)(3), it is unlawful:

  • For the sender to initiate the transmission of a commercial electronic mail message within 10 business days after the receipt of such request if it falls within the scope of the request.
  • For any person acting on behalf of the sender to initiate the transmission of a commercial electronic mail message within 10 business days after the receipt of such request with knowledge that such message falls within the scope of the request.
  • For any person acting on behalf of the sender to assist in initiating the transmission of a commercial electronic mail message with knowledge that such message would violate the request.
  • For the sender or any other person who knows that the recipient has made such a request to sell, lease, exchange, or otherwise transfer or release the recipient's electronic mail address for any purpose other than compliance with this Act or other provision of law.

Additional CAN-SPAM Act Requirements

It's important to note that the CAN-SPAM Act does not contain any requirements or references to opting in to receive marketing email messages. The Federal Trade Commission has provided the following guidance on CAN-SPAM's main requirements:

  • Don't use false or misleading header information. Ensure that your "From," "To," "Reply-To," and routing information accurately identify the sender.
  • Don't use deceptive subject lines. Make sure the subject line accurately reflects the message's content.
  • Identify the message as an advertisement clearly and conspicuously.
  • Include your valid physical postal address in the message.
  • Explain how recipients can opt out of receiving future emails from you in a clear and conspicuous manner. Provide a return email address or another easy Internet-based way for recipients to communicate their choice.
  • Honor opt-out requests promptly. Ensure that your opt-out mechanism can process requests for at least 30 days and comply with opt-out requests within 10 business days.
  • Monitor actions taken on your behalf by others in compliance with the law.

Compliance with CAN-SPAM Act

FTC Review and Opt-Out Requirements

As mandated by the Act, the FTC recently conducted a review of the law and solicited public comments to assess its appropriateness. On February 12, 2019, the FTC confirmed the following:

  1. The Act does not necessitate recipients' affirmative consent or opt-in for receiving commercial emails. Instead, each email must prominently feature an option for recipients to opt out of receiving further commercial emails from the sender.
  2. Commercial emails must provide a return email address or another Internet-based response mechanism enabling recipients to express their desire not to receive future emails at that address. It's permissible to offer a "menu" of choices for opting out of specific message types, but the email must include an option to stop all commercial messages from the sender.
  3. The return email address/opt-out mechanism must process opt-out requests for at least thirty (30) days after the email is sent. Upon receiving an opt-out request, the sender must promptly cease sending emails to the requestor's email address within ten (10) business days. The Act also prohibits the sender from aiding another entity in sending emails to that address or selling/transferring email addresses of individuals who have opted not to receive commercial emails, except for transfer to another entity for compliance purposes.
  4. Recipients cannot be required to pay a fee, provide information beyond their email address and opt-out preferences, or take additional steps beyond sending a reply email or visiting a single web page to opt out.

Identification of Commercial Email

Commercial emails must be unmistakably identified as advertisements or solicitations. The email should explicitly state at the beginning that it is an advertisement from the sender and provide a general description of the advertised products or services. If the recipient previously consented to receive commercial emails from the sender (e.g., through opt-in), conspicuously identifying the email as an advertisement is not required.

Message Routing and Header Information

The "From," "To," and routing information in a commercial email, including the originating domain name and email address, must be accurate and identify the email's initiator. This applies to both commercial and transactional/relationship emails.

Subject Line Accuracy

The subject line must be transparent, truthful, and accurate, and it must not mislead the recipient about the email's content or subject matter.

Identification of Postal Address

A commercial email must include the sender's valid physical postal address, which may be a post office box or private mailbox.

Multiple Senders/Advertisers

In cases where multiple advertisers wish to send an email on behalf of each other (e.g., a joint-marketing arrangement), one of them must be designated as the sender responsible for honoring opt-out requests and meeting all statutory obligations. This designated sender must be the sole entity identified in the "from" line of the email and comply with all Act requirements. Other advertisers remain responsible for Act compliance and should review and ensure the designated sender's compliance, including handling opt-out requests.

No Sexually-Explicit Content

Emails must not contain sexually-explicit material. The Act imposes additional requirements for labeling, disclaimers, and presentation of emails containing such content.

No Harvesting or Automatic Email Generation

Senders should refrain from using automated methods to collect or "harvest" email addresses from third-party websites with terms that prohibit such practices, and from randomly generating potential email addresses.

Frequently Asked Questions Regarding the California Consumer Privacy Act

Disclaimer

These FAQs regarding the California Privacy Rights Act (CPRA), amending and renaming the California Consumer Privacy Act (CCPA), are provided for informational purposes only and do not constitute legal advice. This summary does not cover all CPRA requirements. For questions about CPRA compliance, please consult your legal counsel.

The CPRA and Its Applicability

The CPRA, a ballot initiative passed by voters in November 2020, amends the CCPA and renames the law. Frequently asked questions relating to the CPRA are discussed below.

COLORADO PRIVACY LAWS

Colorado Privacy Act (“CPA”)

Disclaimer. This summary of the Colorado Privacy Act (CPA) is provided for informational purposes only. This is not an exhaustive summary of all CPA requirements. For questions about CPA compliance, please consult your legal counsel.

On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (“CPA”) into law. The law is likely subject to significant changes both before and after it goes into effect on July 1, 2023.

The CPA applies to businesses that intentionally target Colorado consumers and that collect and store data on at least 100,000 consumers or earn revenue from selling data of at least 25,000 consumers. Notably absent is any revenue threshold.

Key Takeaways:

Applicability and Exemptions

The CPA as currently enacted applies to any business (a “controller”) that conducts business in Colorado or produces or delivers commercial products or services intentionally targeted to residents of Colorado and meets one or both of the following thresholds:

The CPA applies only to information about consumers, defined as Colorado residents acting only in an individual or household context, excluding information about individuals acting in a commercial or employment context.

The law applies to a controller’s processing of “personal data,” which is defined as “information that is linked or reasonably linkable to an identified or an identifiable individual.” However, de-identified information or publicly available information is explicitly excluded.

Consumer Rights

The CPA provides Colorado consumers with the following rights regarding their personal data:

Business Obligations

In addition to permitting consumers to exercise their rights, the CPA imposes multiple new affirmative duties on controllers:

VIRGINIA PRIVACY LAWS

Disclaimer. This summary of the Consumer Data Protection Act (CDPA) is provided for informational purposes only. For questions about CDPA compliance, please consult your legal counsel.

On March 2, 2021, Virginia’s governor signed the Consumer Data Protection Act (“CDPA”) into law. The CDPA contains elements of both the newly passed California Privacy Rights Act (“CPRA”), which revised the California Consumer Protection Act of 2018 (“CCPA”), and the European General Data Protection Regulation (“GDPR”). Even businesses that are compliant with the current CCPA and/or GDPR will find that the CDPA differs from those laws in a few respects that will require adjustments to their privacy practices.

CDPA AT-A-GLANCE

  • Consumer Rights: CDPA gives consumers broad rights to access and obtain, correct, delete, and opt out of certain processing of their personal data, protects against discrimination, and provides consumers with the right to appeal a business’s denial of a consumer right.
  • Opt-in Consent: Opt-in consent requirements for sensitive data.
  • Effective Date: CDPA is effective January 1, 2023.
  • Controller and Processor Modifications: Controllers and Processors (as described below) will need to modify operations, policies, and procedures to comply with the new requirements of the CDPA.
  • Enforcement: No private right of action, but CDPA does provide for statutory penalties after a 30-day cure period.

Scope of the CDPA

  • Definition of Personal Information: The CDPA defines personal information broadly as “any information that is linked or reasonably linkable to an identified or identifiable person.”
  • Definition of Consumers: The CDPA has narrower definitions of consumers than the CCPA.
  • Thresholds: Like the CCPA, the CDPA only applies to organizations that meet certain thresholds (the “Controller”).
  • Excluded Organizations: The CDPA does not apply to certain businesses, such as governmental agencies, non-profits, covered entities and business associates subject to Health Insurance Portability and Accountability Act (“HIPAA”), financial organizations subject to Gramm-Leach-Bliley Act (“GLBA”), and higher education institutions.
  • Excluded Information: Similar to other privacy laws, the CDPA excludes certain information, including employee information, and information subject to GLBA, HIPAA, the Family Educational Rights and Privacy Act, and the Fair Credit Reporting Act, among others.
  • Definition of a “Sale”: Both the CDPA and CCPA define what it means to sell data, and require that consumers have the opportunity to opt out of a sale.

CDPA Consumer Rights

  • Right to Access and Obtain Personal Data: Consumers will have the right to access and obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format;
  • Right to Correct: Consumers will have the right to correct inaccuracies in a consumer’s personal data;
  • Right to Delete: Consumers will have the right to delete personal data collected about them;
  • Right to Opt-out of Sales, Profiling and Targeted Advertising: Consumers will have the right to opt out of sales of their personal data, profiling that produces a legal or similarly significant effect, and processing of their data for targeted advertising;
  • Right to Non-Discrimination: Controllers may not discriminate against a consumer for exercising a right under the CDPA;
  • Right to Appeal: Consumers will have the right to appeal a decision of the entity refusing to take action or denying a consumer rights request;
  • Opt-In Rights to Processing of Sensitive Data: Controllers may not process certain sensitive data unless the consumer has affirmatively opted-in to the processing.

New Controller Requirements

  • Data Minimization: Controllers must limit the collection of personal data to that which is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed as disclosed to the consumer;
  • Use Limitations: The processing of personal data must be reasonably necessary and compatible with the purpose disclosed to the consumer;
  • Employ Reasonable Security: Controllers must establish, implement and maintain reasonable administrative, technical and physical security practices that are appropriate to the volume and nature of the personal data;
  • Notice of Sales and Targeted Advertising: Controllers must clearly and conspicuously disclose sales of personal data and targeted advertising.
  • Privacy Notice: Controllers will need to be substantially more transparent about their collection and use of personal information and must provide consumers with notice (in their privacy policies) of their new rights under the CDPA;
  • Data Processing Agreements: Controllers will be required to enter into contracts that govern Processors’ use and processing of personal data, including specific terms to be entered in that agreement;
  • Mandatory Data Protection Assessments: Controllers must conduct a data protection assessment for certain personal data processed after the effective date of CDPA, January 1, 2023.

New Processor Requirements

Under the CDPA, an entity who is processing data on behalf of another entity (the “Processor”) must adhere to the Controller’s instructions and assist the Controller with the Controller’s obligations under CDPA.

Enforcement

Unlike the CCPA, there is no private cause of action for violations of the CDPA and a business has a 30-day cure period for violations.

If a Controller or Processor has not cured the violation within the cure period, the Virginia Attorney General may assess a civil penalty of up to $7,500 per violation and recover reasonable costs for the investigation and prosecution by the Attorney General.

Copyright © 2023 - 201 Clicks. All Rights Reserved