Columbus Data Security and Privacy Lawyer: Email Opt-In and Opt-Out Requirements in the U. S., Canada and the E. U.

Depending on the geographic region, different email opt-in and opt-out requirements may apply to a company that sends direct email marketing messages. When sending direct email marketing messages to recipients, the location of the recipient will determine which set of regulations apply. Generally, a recipient’s location is where the message will be opened.

United States

Commercial electronic communications in the United States are regulated by the CAN-SPAM Act (the “U.S. Regulations”). The U.S. Regulations cover commercial email messages with the primary purpose of advertising or promotion of a commercial service or product. The U.S. Regulations do not govern collection of new email addresses. Companies in the U.S. are permitted to buy lists of email addresses. The U.S. is unique in this respect as it is one of the few countries that allows companies to send direct email marketing messages without first obtaining the permission from the recipient.

The U.S. Regulations does not have an “opt-in” requirement. Companies are free to send direct email marketing messages to anyone, subject to the “opt-out” provisions.

The US Regulations require companies to include an “opt-out” option for recipient. The direct email marketing messages must include instructions for the recipient to opt-out of future messages. A company may not charge the recipient a fee to opt-out. Companies must honor opt-out requests within 10 days. Further, opt-out requirements may not require the recipient to do more than reply to the direct email marketing message or visit a single internet website in order to opt-out.

There are several consumer protection mechanisms within the U.S. Regulations to guard against spam messages. The U.S. Regulations prohibit false email header information, open relay abuses, sending direct email marketing messages from multiple email addresses, address harvesting, dictionary attacks, and other fraudulent spamming methods. Further, the subject line of the direct email marketing message must be accurate and cannot mislead the recipient. The direct email marketing message must identify that the message is an advertisement or solicitation.

A company must maintain a valid physical postal address under the U.S. Regulations. This physical presence may be a registered post office box or private mailbox.

Violations of the U.S. Regulations can subject a company to a $16,000 penalty per violation, per recipient. Violations are investigated and enforced by the state attorney general. The U.S. Regulations do not provide a private cause of action.

The U.S. Regulations do not apply to, nor does they prohibit a company from encouraging a recipient to forward the direct email marketing message to non-recipients. Direct email marketing messages can include clickable links that can be forwarded to non-subscribing recipients. However, if a company offers an incentive, such as a discount, to the subscribing recipient to forward the message, then the forwarding of that message will be subject to the U.S. Regulations and the company will be responsible for ensuring adherence to the regulations.

Canada

Canada’s Anti-Spam Law (the “Canadian Regulations”) regulates all commercial electronic messages, including emails. Commercial electronic messages under the Canadian Regulations includes any messages that are sent with the purpose of encouraging participation in a commercial activity. Unlike the U.S. Regulations, the Canadian Regulations apply to more than just emails. The Canadian Regulations apply to any means of telecommunication including text messages, sound messages, voice messages, as well as emails. Another primary difference between the Canadian Regulations and the U.S. Regulations is that the Canadian regulations are considered “opt-in” rules, while the U.S. Regulations are considered “opt-out” rules.

The Canadian Regulations require companies to first obtain the consent of recipients before a company is permitted to send them direct email marketing messages. This is known as the “opt-in” requirement.

An exception to the opt-in requirement exists if there is an “existing business relationship” between the company and the recipient. A business relationship can be established in several situations including the purchase or lease of a product or service by the recipient, the bartering for a product or service, as well as several other contractual arrangements between the company and the recipient. If there is an existing business relationship, then consent is implied and a recipient does not need to opt-into receiving direct email marketing messages. Implied consent is good for two years beginning on the day before the business relationship was formed.

The Canadian Regulations include an opt-out provision. Under the Canadian Regulations, companies must provide opt-out instructions within every direct email marketing message sent. Opt-out procedures must be simple and cannot require the recipient to pay a fee. Opt-out requests must be honored within 10 business days after the company receives the request.

Spam, malware, spyware, address harvesting, and false and misleading messages are prohibited under the Canadian Regulations.

Direct email marketing messages sent to Canadian recipients must include a valid physical postal address of the company. This information can either be included in the direct email marketing message itself or contained on a webpage whose link is clearly and prominently contained within the email.

The Canadian Regulations went into effect in 2014 and include a transition period until July 1, 2017. During the transition period, only the Canadian Radio-Television and Telecommunications Commission, the Competition Bureau, and the Office of the Privacy Commissioner of Canada may investigate and punish companies. However, once the transition period ends, any recipient will be permitted to bring a private claim if they believe a violation has taken place. Penalties for violations of the Canadian Regulations range from $1-10 million per violation.

European Union

The European Union regulates direct email marketing messages through the EU Opt-In Directive (the “EU Regulations”).

The EU Regulations include an “opt-in” provision. Companies may only send direct email marketing messages to EU recipients who have previously consented to such messages. Business-to-Business marketing messages are not subject to the opt-in requirement under the default EU Regulations, however, individual EU member states may extend the opt-in requirement to cover business to business communications as well.

The EU Regulations require every direct email marketing message to include opt-out instructions. A recipient must be able to respond to the email address from which the direct email marketing message was sent from and request to opt-out.

Under the EU Regulations, a company may not conceal or disguise the identity of the sender.

The EU Requirements state that the same requirements for direct email marketing messages apply to physical business mailings. The direct email marketing message must also include a physical return address. Direct email marketing messages sent to EU recipients should include (i) the full name of the company; (ii) country and state/province of the company’s registration; (iii) applicable registration number; (iv) address of the registered office, and (v) the company’s VAT number.