Over the last few years, the privacy landscape has become much more complicated. There are a number of commercial regulations affecting how your organization can communicate with its audience. Understanding and adhering to CAN-SPAM, CASL, & GDPR can get tricky, especially for companies expanding their marketing abroad.
But just because it’s tricky doesn’t mean you can ignore it. In most cases, you are responsible for not only knowing these laws, but strictly adhering to them.
Failing to do so could lead to big fines and costly trips to the courtroom — ain’t nobody got time for that!
In this post we’ll give you a rundown of the most important laws and what you can do to stay compliant.
Key concepts of CAN-SPAM, GDPR, & CASL regulations
Before we dive into the details, all of these regulations have something in common… These similarities point towards a new approach in marketing in the 21st century. As consumers become more privacy focused, it’s not only laws you have to comply with, it’s customers that expect you’ll be good stewards of their information.
They promote transparency and power to the user. Companies should play fairly. These regulations promote informed and consensual relationships between users and companies, whether that’s knowing exactly how your data is used or having a clear path to opting out of any communications.
The company is always accountable. User data is not to be played with. Whether you handle marketing internally or outsource it to third parties, you are responsible for what happens to your user data.
Make sure you work with trusted third parties and don’t think they are an easy way out of worrying about regulations.
They can cause enormous fines. Are your eyes rolling at the thought of investing time and money into this? The height of the potential fines might make you realize it can be a worthy investment.
To enforce the CAN-SPAM Act, the FTC can seek penalties of up to $16,000 per email that violates CAN-SPAM, without a maximum penalty. Violating CASL can land your company a penalty of up to $10 million. The EU’s GDPR has a maximum fine of €20 million or 4% of annual global turnover, whichever is greater.
Staying Compliant with CAN-SPAM
The CAN-SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing) Act is a U.S. law passed in 2003 establishing the United States’ first national standards for sending commercial email. The law affects all US companies and those sending mail to US citizens, and is enforced by the Federal Trade Commission (FTC).
CAN-SPAM Consent
CAN-SPAM is an opt-out law. Companies can send commercial messages without prior consent, but recipients must be able to opt out easily.
CAN-SPAM Requirements
- Recipients must be opted out within 10 days of the recipient’s request.
- They must remain opted out for a minimum of 30 days.
- Tell recipients where you are located.
- Don’t use deceptive subject lines or false “from” information.
- Include an unsubscribe mechanism in all messages.
Who’s Responsible for Following the CAN-SPAM Act?
The act applies to commercial electronic messages sent by US businesses and by foreign companies contacting US citizens.
Staying Compliant with GDPR
The GDPR (General Data Protection Regulation) is a regulation in EU law on data protection and privacy in the European Union and European Economic Area. It was introduced in 2016, meaning it’s the most recent and strictest privacy law. The regulation protects the data of all EU citizens.
Think you’re safe from needing to comply with GDPR because your business is based in the United States? Think again!
GDPR protects the citizens of EU countries, and if your website is accessible from the EU (and it probably is!) and collects information from European citizens, then you’re required to comply!
GDPR Consent
Consent must be through opt-in. GDPR defines consent as “freely given, specific, informed and unambiguous”. This means implied consent is not sufficient.
Companies must also keep evidence of the given consent and be able to provide proof if challenged. If users give you consent to send them, for example, newsletters, you can only use their data for this purpose. If you want to send them another form of communication, such as promotions, you must acquire their consent for that specific activity.
GDPR Requirements
Companies must process personal data in a lawful, fair, and transparent manner. This means the processing has to be for a legitimate purpose, for nothing but the legitimate purpose, and users must be informed about the processing activities.
- Companies must limit the data processing to only the necessary data.
- GDPR requires explicit parental permission to process data of children under 16.
- Users have the right to know all information the company holds about them and what is done with it. Users also have the right to correct or request deletion of their personal data and can object to data processing.
Who’s Responsible for Following GDPR?
GDPR affects the processing of all user data of citizens living in the European Union (EU) or European Economic Area (EEA). Unlike the other regulations, it’s not explicitly designed for marketing but rather all forms of data processing.
Staying Compliant with CASL
CASL (Canada’s Anti-Spam Legislation) is a federal law introduced in 2014. It applies to all commercial electronic messages, and its key feature is requiring consent before sending to users.
CASL Consent
All senders must obtain express or implied consent before sending to individuals. Pre-checked boxes are not considered consent. Organizations must keep records of when and how the recipient consented.
CASL Requirements
- Recipients must be opted out within 10 days of the recipient’s request.
- They must remain opted out for a minimum of 60 days.
- Tell recipients where you are located.
- Don’t use deceptive subject lines or false “from” information.
- Include an unsubscribe mechanism in all messages.
Who’s Responsible for Following CASL?
CASL applies to anyone who is sending or receiving commercial electronic messages in Canada.
Wrapping Up
These regulations can seem complicated at first. While CAN-SPAM is still fairly lenient, the GDPR is the toughest privacy and security law in the world. Adjusting your marketing practices can be a time-consuming process at first but can save you a headache and a hefty fine down the road.
Keep in mind all of these laws are constantly evolving, and new ones are being added every year. Unlike the European Union (with GDPR), the United States has taken a State-by-State approach to most of their data privacy laws, meaning there’s not just one federal law to follow — there are dozens of State laws.
When it comes to email marketing, it’s vital you use software that not only keeps up with these laws, but gives you the ability to comply — which is exactly what we do here at AllClients.
Our system takes care of email validation (for better deliverability) and helps you avoid spam filters, and we’ll provide you with resources to help your emails make it to your reader’s inbox!
Want to see for yourself? Start a free 14-day trial and learn first-hand why we’re the #1 CRM for small businesses!