Are You Compliant With Email SPAM Laws?

October 31, 2017 6:15:22 AM | By Matt Benati


Following the rise in email marketing over the past couple decades – and subsequent spam that served to annoy anyone with an email address – government agencies stepped up their regulations to protect citizens’ rights to a mailbox (mostly) free of unsolicited messages.

In 2003, the United States introduced the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing) that requires senders of Commercial Electronic Messages (CEMs) to provide a frictionless process for recipients to unsubscribe from mailing lists.

In 2014, Canada followed suit with a much stricter law under CASL (Canadian Anti Spam Legislation), that requires senders to obtain – and be able to prove – express consent from recipients.

And in Europe, the GDPR (General Data Protection Regulation) is set to take effect May 25, 2018, and is the European Union’s (EU) most important change to data privacy in 20 years.

Clearly, compliance is a big deal. Any business that utilizes email marketing needs to be aware of these regulations and specifically how they affect the way they send emails, manage their database, and develop processes for handling subscriptions and mailing lists.

What’s In A CEM?

In addition to email messages, Commercial Electronic Messages also cover text messages, instant messages, and even some social media correspondence. It’s important to note that fax numbers do not fall under CEMs regulations.

For a CEM to be scrutinized under CAN-SPAM and CASL regulations, the content of the message must be promotional in nature with a call to action that asks the recipient to partake in some activity that benefits your business. This means that messages related to charity and political organizations, those that are trying to enforce a court order or legal right, and those that contain important information about safety recalls, warranty, and security information are generally exempt.

Opt Out vs Opt In

CASL is based on people opting-in to your messages while the CAN-SPAM law focuses on making it easy for people to opt-out of your email campaigns. Here’s the difference:

  • Opt-in email sign-up: Your email subscription form has only one function: to add someone to your mailing list. Meaning, the person has to manually enter their name/email to give you express permission to email them. OR, you can choose to add a checkbox during your registration or checkout process asking people if they would like to receive emails from you. The box is left UNCHECKED by default. In both cases, someone has to actively demonstrate that YES, they want to hear from you.
  • Opt-out email sign-up: In this scenario, you assume that people will opt-out if they don’t want your communication after they receive your first email. You may choose to add every email you capture to your mailing list, or you may choose to PRE-CHECK the checkbox in your checkout/registration process. This means people will automatically receive your emails, and will have to manually unsubscribe.

As we dive into the difference between GDPR, CASL and CAN-SPAM, it will become clear which methods you will choose depending on where your recipients reside.

Understanding CASL

The Canadian Anti-Spam Legislation covers all CEMs leaving and coming into Canada. Whether you’re a business in Canada, or you’re sending to recipients in Canada, you are required to obey the law.

With CASL, consent is broken down into two categories:

  • Express – Your recipient agrees explicitly to receive your content.
  • Implied – Through action or relationship, it is implied you can send email.

Compared to the CAN-SPAM Act in the United States, which is mostly an opt-out regulation, CASL is an opt-in approach — meaning, you need consent before sending an email to a recipient. There are a slew of details to keep your legal team happy, and Jeff Coveney, President of RevEngine Marketing, published an awesome two-part series that’s a must-read if you’re emailing Canadian contacts.

It’s important to remember that implied consent is the exception, not the norm, and that implied consent expires after 24 months. So, reach out to contacts obtained within the implied consent framework and obtain express consent. Since tracking the timelines of implied consent can be challenging, many organizations choose to err on the side of safety and obtain express consent as soon as possible.

Since 2014, Canadian regulatory bodies have been investigating and appropriately fining businesses found in violation. As of July 1, 2017, private citizens can file suit for infractions. The way the law is written, now every Tom, Dick and Harry can start to bring legal action, and fine amounts are as high as $1 million for individuals and $10 million for businesses.

Understanding CAN-SPAM

In 2003, Congress enacted the federal CAN-SPAM Act, which makes it illegal for any person or business to send a CEM unless that message:

  • Is clearly identified as a solicitation or advertisement – unless prior consent has been given (subscribed/opted-in to a mailing list)
  • Provides notice and ability for the recipient to opt-out
  • Lists a physical address of the sender

In addition, senders must act on opt-out/unsubscribe requests within 10 days, and the Federal Trade Commission prohibits businesses from “charging” for an opt-out — such as requiring the recipient to listen to a sales pitch or receive additional information before being removed from the mailing list.

Understanding GDPR

If your organization does business in Europe, now is the time to get up to speed and make sure you’re compliant with this regulation before it takes full effect on May 25, 2018.

GDPR applies to all countries in the European Union and any business that processes the personal information of subjects residing in the EU — regardless of where that business is located. Essentially, if you are emailing prospects or customers in the EU, this law applies. GDPR does acknowledge, however, that direct marketing will often be a ‘legitimate interest’ of the data controller. You can read more about that in Phil Lee’s recent article.

Some important things to note regarding GDPR:

  • Withdrawing consent (opt-out) must be as easy as giving consent
  • EU residents have a right to access their personal data from any business
  • EU residents have a right to be forgotten – have their personal data erased

How LeadGnome supports compliance:

  • Adds 20%+ net new contacts annually (request legal opinion at
  • Maintains accurate contact information
  • Catches manual opt-out requests

For more information, you can review our Data Processing Addendum on our Terms of Service page for details on how LeadGnome was proactively designed to support your need to market and sell to contacts in the EU.

How To Keep Your Email Marketing Compliant

The key to email compliance is maintaining a clean database and monitoring replies closely to catch manual unsubscribe requests.

Remove opt-out contacts immediately – This is one place where the two regulations are unwavering. If someone says they do not want to receive communication from you, you need to act immediately to remove them from your mailing lists.

LeadGnome Client Example: Prior to LeadGnome, this customer was not able to monitor reply emails in a timely, effective, and complete manner. Analyzing their first campaign replies, LeadGnome identified a manual reply from a contact claiming they had asked five times to be removed from the mailing list. This contact was angry and threatening legal action under CAN-SPAM regulations.

Recognizing the severity of the situation, our customer immediately reached out to this contact by phone, apologized that the emails were not caught, and assured them new processes were in place to identify opt-out requests. Had this “last straw” email not been caught, this customer’s organization could have faced hundreds of thousands of dollars in fines — and more importantly a tarnished reputation.

Ensure any new contacts have explicitly opted in – This is more specific to CASL, but it is a smart best practice in general, as it protects your brand’s reputation and minimizes the amount of work needed to handle unsubscribe requests.

While it may require that more thought go into your processes, or mean that you receive fewer signups, getting explicit consent ensures the people you are capturing actually want to hear from you. And this keeps you on the right side of the law, no matter what. Marketing automation platforms allow you to set up workflows to identify where leads come from and the type of form they completed, while automatically adding them to (or removing them from) the proper lists and sending the corresponding information.
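To make the consent rules described above concrete (express versus implied consent with proof retained, implied consent lapsing after 24 months, and opt-outs that must suppress a contact immediately under either regime), here is an added example of a small consent ledger in Python. It is not LeadGnome’s code or any marketing platform’s API; the class and method names, the `"opt-in"`/`"opt-out"` regime labels and the sample addresses are invented for illustration.

```python
"""Consent ledger for a mailing list.

Added example (not LeadGnome's code). It encodes the rules the article
states: under CASL a message may go out only with express consent or with
implied consent less than 24 months old, and proof of consent must be kept;
under CAN-SPAM sending is allowed by default but an opt-out must suppress
the contact immediately; an opt-out overrides every kind of consent.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional

IMPLIED_CONSENT_TTL = timedelta(days=730)  # 24 months, the CASL limit cited above


class Consent(Enum):
    NONE = "none"
    IMPLIED = "implied"  # existing relationship, inquiry, purchase
    EXPRESS = "express"  # unchecked-by-default checkbox, explicit sign-up form


@dataclass
class ContactRecord:
    email: str
    consent: Consent = Consent.NONE
    consent_date: Optional[date] = None
    consent_proof: str = ""  # how consent was obtained: form id, checkbox wording
    opted_out_on: Optional[date] = None


class ConsentLedger:
    """Tracks consent per address and answers 'may I send to this contact today?'."""

    def __init__(self) -> None:
        self._records: Dict[str, ContactRecord] = {}

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()

    def _get_or_create(self, email: str) -> ContactRecord:
        key = self._key(email)
        return self._records.setdefault(key, ContactRecord(email=key))

    def record_express(self, email: str, on: date, proof: str) -> None:
        rec = self._get_or_create(email)
        # A later express consent reverses an earlier opt-out (a re-subscribe);
        # an opt-out dated on or after the consent still wins.
        if rec.opted_out_on is not None:
            if on <= rec.opted_out_on:
                return
            rec.opted_out_on = None
        rec.consent, rec.consent_date, rec.consent_proof = Consent.EXPRESS, on, proof

    def record_implied(self, email: str, on: date, proof: str) -> None:
        rec = self._get_or_create(email)
        # Never override an opt-out, and never downgrade express to implied.
        if rec.opted_out_on is not None or rec.consent is Consent.EXPRESS:
            return
        rec.consent, rec.consent_date, rec.consent_proof = Consent.IMPLIED, on, proof

    def record_opt_out(self, email: str, on: date) -> None:
        rec = self._get_or_create(email)
        rec.opted_out_on = on
        rec.consent = Consent.NONE  # suppression takes effect immediately

    def effective_consent(self, email: str, on: date) -> Consent:
        rec = self._records.get(self._key(email))
        if rec is None or rec.opted_out_on is not None:
            return Consent.NONE
        if rec.consent is Consent.IMPLIED and on - rec.consent_date >= IMPLIED_CONSENT_TTL:
            return Consent.NONE  # implied consent has lapsed
        return rec.consent

    def may_send(self, email: str, on: date, regime: str) -> bool:
        """regime is 'opt-in' (CASL-style) or 'opt-out' (CAN-SPAM-style)."""
        if regime not in ("opt-in", "opt-out"):
            raise ValueError(f"unknown regime {regime!r}")
        rec = self._records.get(self._key(email))
        if rec is not None and rec.opted_out_on is not None:
            return False  # an opt-out is final under both regimes
        if regime == "opt-out":
            return True  # permitted until the recipient unsubscribes
        return self.effective_consent(email, on) is not Consent.NONE

    def implied_due_for_express(self, on: date, within: timedelta = timedelta(days=60)) -> List[str]:
        """Addresses whose implied consent has lapsed, or lapses within the window:
        the contacts to approach for express consent before the 24 months run out."""
        due = []
        for rec in self._records.values():
            if rec.consent is Consent.IMPLIED and rec.opted_out_on is None:
                if rec.consent_date + IMPLIED_CONSENT_TTL <= on + within:
                    due.append(rec.email)
        return sorted(due)


if __name__ == "__main__":
    # Constructed sample data for illustration only.
    ledger = ConsentLedger()
    ledger.record_implied("lapsed@example.com", date(2015, 6, 1), "website inquiry")
    ledger.record_implied("soon@example.com", date(2015, 11, 15), "purchase")
    ledger.record_express("signed@example.com", date(2017, 3, 1), "newsletter checkbox, unchecked by default")
    ledger.record_opt_out("signed@example.com", date(2017, 10, 1))
    today = date(2017, 10, 31)
    for addr in ("lapsed@example.com", "soon@example.com", "signed@example.com"):
        print(addr, ledger.may_send(addr, today, "opt-in"), ledger.may_send(addr, today, "opt-out"))
    print("approach for express consent:", ledger.implied_due_for_express(today))
```

The ledger stores the proof alongside each consent because CASL, as described above, requires you to be able to show how consent was obtained; the `implied_due_for_express` report is the mechanism for the advice to approach implied-consent contacts before their 24 months run out rather than trying to track the timelines by hand.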

Reply Email Mining Keeps Email Campaigns Compliant

What are the keys to staying compliant? A clean database and monitoring replies. And that’s exactly what a reply email mining service like LeadGnome does. By sending just 2 emails per month, you can add up to 36% more net new leads and cleanse and enrich up to 72% of existing leads annually. Additionally, you free up valuable human resources that were previously allocated to manually monitoring and analyzing hundreds, or even thousands, of replies.

Most importantly, you’re catching unsubscribe requests that could cost your company millions if ignored.


And as a huge bonus, those net new contacts that LeadGnome identifies in your reply emails can be engaged lawfully under all three regulations: GDPR, CASL and CAN-SPAM.

Say whaaaat?

Here’s how it works:

When you send an email marketing campaign – to anywhere in the world – you’re going to get auto-responses like Out-Of-Office and Left-The-Company. Those replies are public. ANYONE who sends to those recipients will receive the same automated reply. And what do those messages contain? Permission from your original contact to reach out to other people within their organization:

Out Of Office:

  • Dates in and out of the office
  • Alternate contact’s name
  • Alternate contact’s email, phone number and title

Left The Company

  • Effective date
  • Replacement contact’s name
  • Replacement contact’s email, phone number and title

Under CAN-SPAM, you have free rein to email these new contacts – as long as you state your purpose and give them the option to opt-out. Under CASL, you can email the new contacts under implied consent since your original contact gave you permission to email them. Under GDPR, you have “legitimate interest” (Recital 47), to market and sell to these new contacts.

While you can legally sell and market to these contacts, we still recommend a permission-marketing best practice of requesting express consent – ask the new leads to opt-in during your initial outreach to them.

Whether you’re worried about missing opt-out requests, or you want to beef up your database with account-specific leads, LeadGnome helps you stay compliant with CAN-SPAM, CASL, and GDPR while boosting revenue. 

Please note that this article provides an overview about international email laws, but is not intended, and should not be taken, as legal advice. Please contact your attorney for advice on email marketing regulations or any specific legal problems.
