COMPLIANCE
Disclaimer
This is not intended to be an exhaustive summary of all issues and requirements relating to the topics discussed. If you have any questions about any of these issues, you should contact your legal counsel.
Introduction
Using existing technology (referred to herein as a “Technology”), companies are able to obtain email addresses of visitors to websites who have not and do not disclose their email address to the website owner. This Summary discusses some of the legal issues relating to the use of this technology.
CAN-SPAM
Email Harvesting
CAN-SPAM prohibits email harvesting, which is generally defined as obtaining email addresses from a website using an automated means when the website has a notice stating that the operator of the website will not give, sell, or otherwise transfer email addresses maintained by the website for the purposes of allowing others to send emails to the address.
Thus, the Technology should not collect or provide email addresses to users of the Technology if those email addresses were acquired from a website that prohibits email address harvesting.
Opt-Out – Not Opt-In
While some jurisdictions outside of the United States (e.g., the European Union and Canada) require an affirmative opt-in in order to send marketing or commercial emails, the US has been, since the passage of CAN-SPAM, an opt-out jurisdiction. This means marketing emails can be sent to recipients unless and until they have opted out of receiving marketing emails from the sender.
Accordingly, a user of the Technology can send emails to email addresses acquired through the Technology provided that the recipient has not previously opted-out of receiving marketing emails from the Technology user / sender.
The sender of marketing emails acquired using the Technology should include an unsubscribe link or other opt-out mechanism in all marketing emails and promptly honor all opt-outs.
Other CAN-SPAM Compliance Tips
- Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.
- Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message.
- Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.
- Tell recipients where you are located. Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.
- Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.
OPT-OUT AND COMPLYING WITH THE CAN-SPAM ACT
Disclaimer
If you have questions about complying with the CAN-SPAM Act, you should contact your legal counsel.
Introduction
The CAN-SPAM Act of 2003 establishes requirements for companies that send commercial emails. The law covers email whose primary purpose is advertising or promoting a commercial product or service, including content on a website. A "transactional or relationship message" – an email that facilitates an agreed-upon transaction or updates a customer in an existing business relationship – may not contain false or misleading routing information but is otherwise exempt from most provisions of the Act. Violations of the Act can result in civil fines and criminal liability. The Act applies to consumer and business recipients and makes no exceptions for business-to-business emails.
Commercial Emails v. Transactional or Relationship Emails
The requirements of the CAN-SPAM Act differ based on whether the email is (1) a "commercial" email or (2) a "transactional or relationship email." An email is "commercial" if the primary purpose of the email is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose). A "transactional or relationship" email facilitates a commercial transaction (e.g., purchase of products or services) that the recipient has previously entered into or provides information relating to a product or service already purchased by the recipient from the sender, such as warranty or recall information or account balances. Most requirements and prohibitions of the Act apply only to commercial messages, but the Act does prohibit both commercial and transactional / relationship messages from containing false or misleading routing information (e.g., the source, destination, originating email address, "from" line, etc.).
Prior Consent / Opt-In Not Required. Opt-Out Mechanisms and Procedures.
Prior express consent or opt-in consent is not required in order to send commercial emails. Commercial emails may not, however, be sent to recipients who have opted-out or unsubscribed from receiving commercial emails from the sender.
Opt-Out Rather than Opt-In: While some jurisdictions outside of the United States (e.g. the European Union and Canada) require opt-in in order to send marketing or commercial emails, the US has been an opt-out jurisdiction since the passage of CAN-SPAM. This means marketing emails can be sent to recipients unless and until they have opted out of receiving marketing emails from the sender.
Opt-Out and CAN-SPAM Act Compliance
Disclaimer
This section provides information on the requirements set forth in Section 7704(a)(3) of the Act, which mandates the inclusion of an opt-out or unsubscribe mechanism in marketing messages:
Section 7704(a)(3) - Inclusion of Return Address or Comparable Mechanism
In general, it is unlawful for any person to initiate the transmission of a commercial electronic mail message to a protected computer that does not contain a functioning return electronic mail address or other Internet-based mechanism. This mechanism must be clearly and conspicuously displayed, allowing the recipient to submit a reply electronic mail message or other form of Internet-based communication to request not to receive future commercial electronic mail messages from that sender. The mechanism must remain capable of receiving such messages or communications for at least 30 days after the transmission of the original message.
Opt-Out Requirements
Section 7704(a)(4) of the Act outlines the opt-out requirements:
Section 7704(a)(4) - Prohibition of Transmission After Objection
If a recipient requests not to receive some or any commercial electronic mail messages from a sender using the mechanism provided pursuant to Section 7704(a)(3), it is unlawful:
- For the sender to initiate the transmission of a commercial electronic mail message within 10 business days after the receipt of such request if it falls within the scope of the request.
- For any person acting on behalf of the sender to initiate the transmission of a commercial electronic mail message within 10 business days after the receipt of such request with knowledge that such message falls within the scope of the request.
- For any person acting on behalf of the sender to assist in initiating the transmission of a commercial electronic mail message with knowledge that such message would violate the request.
- For the sender or any other person who knows that the recipient has made such a request to sell, lease, exchange, or otherwise transfer or release the recipient's electronic mail address for any purpose other than compliance with this Act or other provision of law.
Additional CAN-SPAM Act Requirements
It's important to note that the CAN-SPAM Act does not contain any requirements or references to opting-in to receive marketing email messages. The Federal Trade Commission has provided the following guidance on CAN-SPAM's main requirements:
- Don't use false or misleading header information. Ensure that your "From," "To," "Reply-To," and routing information accurately identify the sender.
- Don't use deceptive subject lines. Make sure the subject line accurately reflects the message's content.
- Identify the message as an advertisement clearly and conspicuously.
- Include your valid physical postal address in the message.
- Explain how recipients can opt out of receiving future emails from you in a clear and conspicuous manner. Provide a return email address or another easy Internet-based way for recipients to communicate their choice.
- Honor opt-out requests promptly. Ensure that your opt-out mechanism can process requests for at least 30 days and comply with opt-out requests within 10 business days.
- Monitor actions taken on your behalf by others in compliance with the law.
Compliance with CAN-SPAM Act
FTC Review and Opt-Out Requirements
As mandated by the Act, the FTC recently conducted a review of the law and solicited public comments to assess its appropriateness. On February 12, 2019, the FTC confirmed the following:
- The Act does not necessitate recipients' affirmative consent or opt-in for receiving commercial emails. Instead, each email must prominently feature an option for recipients to opt-out of receiving further commercial emails from the sender.
- Commercial emails must provide a return email address or another Internet-based response mechanism enabling recipients to express their desire not to receive future emails at that address. It's permissible to offer a "menu" of choices for opting out of specific message types, but the email must include an option to stop all commercial messages from the sender.
- The return email address/opt-out mechanism must process opt-out requests for at least thirty (30) days after the email is sent. Upon receiving an opt-out request, the sender must promptly cease sending emails to the requestor's email address within ten (10) business days. The Act also prohibits the sender from aiding another entity in sending emails to that address or selling/transferring email addresses of individuals who have opted not to receive commercial emails, except for transfer to another entity for compliance purposes.
- Recipients cannot be required to pay a fee, provide information beyond their email address and opt-out preferences, or take additional steps beyond sending a reply email or visiting a single web page to opt out.
Identification of Commercial Email
Commercial emails must be unmistakably identified as advertisements or solicitations. The email should explicitly state at the beginning that it is an advertisement from the sender and provide a general description of the advertised products or services. If the recipient previously consented to receive commercial emails from the sender (e.g., through opt-in), conspicuously identifying the email as an advertisement is not required.
Message Routing and Header Information
The "From," "To," and routing information in a commercial email, including the originating domain name and email address, must be accurate and identify the email's initiator. This applies to both commercial and transactional/relationship emails.
Subject Line Accuracy
The subject line must be transparent, truthful, and accurate, and it must not mislead the recipient about the email's content or subject matter.
Identification of Postal Address
A commercial email must include the sender's valid physical postal address, which may be a post office box or private mailbox.
Multiple Senders/Advertisers
In cases where multiple advertisers wish to send an email on behalf of each other (e.g., a joint-marketing arrangement), one of them must be designated as the sender responsible for honoring opt-out requests and meeting all statutory obligations. This designated sender must be the sole entity identified in the "from" line of the email and comply with all Act requirements. Other advertisers remain responsible for Act compliance and should review and ensure the designated sender's compliance, including handling opt-out requests.
No Sexually-Explicit Content
Emails must not contain sexually-explicit material. The Act imposes additional requirements for labeling, disclaimers, and presentation of emails containing such content.
No Harvesting or Automatic Email Generation
Senders should refrain from using automated methods to collect or "harvest" email addresses from third-party websites with terms that prohibit such practices or randomly generate potential email addresses.
Frequently Asked Questions Regarding the California Consumer Privacy Act
Disclaimer
These FAQs regarding the California Privacy Rights Act (CPRA), amending and renaming the California Consumer Privacy Act (CCPA), are provided for informational purposes only and do not constitute legal advice. This summary does not cover all CPRA requirements. For questions about CPRA compliance, please consult your legal counsel.
The CPRA and Its Applicability
The CPRA, a ballot initiative passed by voters in November 2020, amends the CCPA and renames the law. Frequently asked questions relating to the CPRA are discussed below.
- Who does the CPRA apply to?
The CPRA applies to any business, a for-profit legal entity, that collects and sells consumer "personal information," with a few exemptions discussed below. The law sets criteria based on revenue and the number of consumer records processed for CPRA applicability. A company must meet one or more of the following criteria for the CPRA to apply:
- Have $25 million or more in annual revenue (not limited to California-generated revenue).
- Annually buy, sell, or share personal information of 100,000 or more California consumers or households.
- Earn more than half of its annual revenue from selling or sharing consumers' personal data.
Exemptions exist for non-profit entities, health providers, and insurers governed by HIPAA, as well as limited exemptions for certain types of information and businesses.
- What if we are not located in California?
If you collect personal information from California residents while they are in California, you are likely doing business in California, and the law would apply if your company satisfies any of the applicability triggers discussed above.
- What qualifies as "personal information" under the CPRA?
The CPRA defines personal information broadly, encompassing information that can identify, relate to, describe, associate with, or reasonably be linked to a particular consumer or household. The law provides a list of personal information categories and includes inferences drawn from personal information for consumer profiling.
- Does the CPRA apply to protected health information and medical data?
Personal information excludes protected health information (PHI) governed by HIPAA or medical information under California's Medical Information Act (CMIA). The CPRA also exempts organizations handling patient information similarly to PHI under HIPAA.
- Does the CPRA apply to employee information?
Employee (including independent contractor) data is excluded from most CPRA provisions until January 1, 2023. However, employers must provide employees with a brief privacy notice regarding the personal information collected, its purposes, and recipients.
- What rights do consumers have under the CPRA?
The CPRA grants California residents rights similar to the EU's General Data Protection Regulation, including the right to access, correct, delete, and limit the use of their personal information. Consumers can also opt-out of automated decision-making and profiling, as well as the sale or sharing of their personal information.
- Do we need to revise our privacy policies, and what should they cover?
Revisions to privacy policies are likely required if the CPRA applies to your organization. The CPRA introduces new elements, including disclosures about consumer rights, categories of collected personal information, purposes of collection, categories of third-party sharing, opt-out links, and information about financial incentives for data sharing or not exercising rights.
- For the "do not sell" opt-out, what constitutes the "sale" of personal information?
The CPRA defines the "sale" of personal information broadly, encompassing various actions that involve exchanging personal information for monetary or other valuable consideration.
- What would NOT be considered a "sale" of personal information?
The law provides examples of situations not considered a "sale" of personal information, such as intentional disclosure by a consumer, sharing of opt-out decisions, and certain transactional situations.
- For the "do not share" opt-out, what constitutes the "sharing" of personal information for "cross-context behavioral advertising"?
The CPRA broadly defines "sharing" of personal information for "cross-context behavioral advertising," encompassing various actions related to sharing consumer data for targeted advertising.
- What would NOT be considered "sharing" personal information?
Exclusions from "sharing" under the CPRA include intentional consumer-directed disclosures, sharing of opt-out decisions, and specific business transactions.
COLORADO PRIVACY LAWS
Colorado Privacy Act (“CPA”)
Disclaimer. This summary of the Colorado Privacy Act (CPA) is provided for informational purposes only. This is not an exhaustive summary of all CPA requirements. For questions about CPA compliance, please consult your legal counsel.
On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (“CPA”) into law. The law is likely subject to significant changes both before and after it goes into effect on July 1, 2023.
The CPA applies to businesses that intentionally target Colorado consumers and that collect and store data on at least 100,000 consumers or earn revenue from selling data of at least 25,000 consumers. Notably absent is any revenue threshold.
Key Takeaways:
- Exclusions: Certain types of data are excluded, including employment records, job applications, personal data governed by certain federal or state laws such as GLBA, and data available in public records.
- Consumer Rights: Consumers gain five key rights under the CPA: right of access, right to opt out, right to correct, right to delete, and right to data portability. They also gain a right to appeal.
- Business Obligations: Businesses have multiple new obligations, including a duty of transparency, duty to avoid secondary use, duty of data minimization, duty of care regarding data security, and a duty to obtain consent before processing a consumer's sensitive data.
- Enforcement: The CPA is enforced by the attorney general and district attorneys. There is no private right of action.
- Effective Date: The law will take effect July 1, 2023.
- Amendments: The Colorado Governor has already requested that the legislature amend the CPA, which may significantly alter the law’s obligations and requirements.
Applicability and Exemptions
The CPA as currently enacted applies to any business (a “controller”) that conducts business in Colorado or produces or delivers commercial products or services intentionally targeted to residents of Colorado and meets one or both of the following thresholds:
- The controller processes or controls personal data of at least 100,000 Colorado consumers per year.
- The controller processes or controls personal data of at least 25,000 Colorado consumers per year and derives revenue or receives a discount on the price of goods or services from the sale of personal data.
The CPA applies only to information about consumers, defined as Colorado residents acting only in an individual or household context, excluding information about individuals acting in a commercial or employment context.
The law applies to a controller’s processing of “personal data,” which is defined as “information that is linked or reasonably linkable to an identified or an identifiable individual.” However, de-identified information or publicly available information is explicitly excluded.
Consumer Rights
The CPA provides Colorado consumers with the following rights regarding their personal data:
- Right of access: Consumers have the right to confirm whether a business is processing their personal data and to access their personal data.
- Right to opt out: Consumers have the right to opt out of processing of their personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning them.
- Right to correction: Consumers have the right to correct inaccuracies in their personal data.
- Right to deletion: Consumers have the right to delete personal data about themselves.
- Right to data portability: Consumers have the right to obtain their personal data in a portable format twice per year.
- Right to appeal: Businesses must respond to consumer requests under the CPA within 45 days of receipt, with the possibility of an extension. If the business decides not to take action on the consumer’s request, it must inform the consumer how they can appeal the decision.
Business Obligations
In addition to permitting consumers to exercise their rights, the CPA imposes multiple new affirmative duties on controllers:
- Transparency: Controllers must provide consumers with a clear and meaningful privacy notice that includes specific categories of personal data collected or processed, purposes of processing, consumer rights, data sharing details, and third-party information.
- Data Minimization: Controllers must limit collection of personal data to that which is relevant and reasonably necessary in relation to the specified purpose of the data processing.
- Purpose limitation: Controllers are required to clearly and conspicuously disclose the express purposes for which personal data is collected and processed, obtaining consumer consent for non-necessary purposes.
- Duty of care: Controllers must take reasonable measures to secure personal data from unauthorized acquisition during storage and use.
- Avoiding Unlawful Discrimination: Controllers are prohibited from processing personal data in violation of federal or state laws that prohibit unlawful discrimination against consumers.
- Consent for Processing Sensitive Data: Controllers must obtain consent before processing a consumer’s sensitive data, including data revealing racial or ethnic origin, religious beliefs, health information, or other sensitive categories.
- Sales of Personal Data: Controllers must clearly disclose the sale of personal information or any processing of personal data for targeted advertising and provide opt-out opportunities for consumers.
- Data Protection Assessments for High-Risk Processing: Controllers must conduct and document data protection assessments for high-risk processing activities.
- Processors and Data Processing Agreements: Processors must comply with the controller’s instructions and enter into written agreements with terms similar to GDPR requirements.
VIRGINIA PRIVACY LAWS
Disclaimer. This summary of the Consumer Data Protection Act (CDPA) is provided for informational purposes only. For questions about CDPA compliance, please consult your legal counsel.
On March 2, 2021, Virginia’s governor signed the Consumer Data Protection Act (“CDPA”) into law. The CDPA contains elements of both the newly passed California Privacy Rights Act (“CPRA”), which revised the California Consumer Protection Act of 2018 (“CCPA”), and the European General Data Protection Regulation (“GDPR”). Even businesses that are compliant with the current CCPA and/or GDPR will find that the CDPA differs from those laws in a few respects and will require some adjustments to their privacy practices.
CDPA AT-A-GLANCE
- Consumer Rights: CDPA gives consumers broad rights to access and obtain, correct, delete, and opt-out of certain processing of their personal data, protects against discrimination, and provides consumers with the right to appeal a business’s denial of a consumer rights request.
- Opt-in Consent: Opt-in consent requirements for sensitive data.
- Effective Date: CDPA is effective January 1, 2023.
- Controller and Processor Modifications: Controllers and Processors (as described below) will need to modify operations, policies, and procedures to comply with the new requirements of the CDPA.
- Enforcement: No private right of action, but CDPA does provide for statutory penalties after a 30-day cure period.
Scope of the CDPA
- Definition of Personal Information: The CDPA defines personal information broadly as “any information that is linked or reasonably linkable to an identified or identifiable person.”
- Definition of Consumers: The CDPA has narrower definitions of consumers than the CCPA.
- Thresholds: Like the CCPA, the CDPA only applies to organizations that meet certain thresholds (the “Controller”).
- Excluded Organizations: The CDPA does not apply to certain businesses, such as governmental agencies, non-profits, covered entities and business associates subject to Health Insurance Portability and Accountability Act (“HIPAA”), financial organizations subject to Gramm-Leach-Bliley Act (“GLBA”), and higher education institutions.
- Excluded Information: Similar to other privacy laws, the CDPA excludes certain information, including employee information, and information subject to GLBA, HIPAA, the Family Educational Rights and Privacy Act, and the Fair Credit Reporting Act, among others.
- Definition of a “Sale”: Both the CDPA and CCPA define what it means to sell data, and require that consumers have the opportunity to opt out of a sale.
CDPA Consumer Rights
- Right to Access and Obtain Personal Data: Consumers will have the right to access and obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format;
- Right to Correct: Consumers will have the right to correct inaccuracies in a consumer’s personal data;
- Right to Delete: Consumers will have the right to delete personal data collected about them;
- Right to Opt-out of Sales, Profiling and Targeted Advertising: Consumers will have the right to opt-out of sales of their personal data, profiling that produces a legal or similarly significant effect, and processing of their data for targeted advertising;
- Right to Non-Discrimination: Controllers may not discriminate against a consumer for exercising a right under the CDPA;
- Right to Appeal: Consumers will have the right to appeal a decision of the entity refusing to take action or denying a consumer rights request;
- Opt-In Rights to Processing of Sensitive Data: Controllers may not process certain sensitive data unless the consumer has affirmatively opted-in to the processing.
New Controller Requirements
- Data Minimization: Controllers must limit the collection of personal data to that which is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed as disclosed to the consumer;
- Use Limitations: The processing of personal data must be reasonably necessary and compatible with the purpose disclosed to the consumer;
- Employ Reasonable Security: Controllers must establish, implement and maintain reasonable administrative, technical and physical security practices that are appropriate to the volume and nature of the personal data;
- Notice of Sales and Targeted Advertising: Controllers must clearly and conspicuously disclose sales of personal data and targeted advertising.
- Privacy Notice: Controllers will need to be substantially more transparent about their collection and use of personal information and must provide consumers with notice (in their privacy policies) of their new rights under the CDPA;
- Data Processing Agreements: Controllers will be required to enter into contracts that govern Processors’ use and processing of personal data, including specific terms to be entered in that agreement;
- Mandatory Data Protection Assessments: Controllers must conduct a data protection assessment for certain personal data processed after the effective date of CDPA, January 1, 2023.
New Processor Requirements
Under the CDPA, an entity that processes data on behalf of another entity (the “Processor”) must adhere to the Controller’s instructions and assist the Controller with the Controller’s obligations under the CDPA.
Enforcement
Unlike the CCPA, there is no private cause of action for violations of the CDPA and a business has a 30-day cure period for violations.
If a Controller or Processor has not cured the violation within the cure period, the Virginia Attorney General may assess a civil penalty of up to $7,500 per violation and recover reasonable costs for the investigation and prosecution by the Attorney General.