Email marketing remains a powerful tool for reaching and engaging customers in today's digital landscape. You may have heard of the CAN-SPAM Act, which sets the national standards for commercial emails. Various states have also enacted their own privacy laws, creating another layer of regulations businesses must be aware of. This blog provides an overview of the CAN-SPAM Act and the specific marketing laws of states like California, Nevada, Colorado, and Virginia to help ensure you are staying compliant with your email sends. Note that laws can change at any time and this guide's purpose is to educate, not to provide legal advice.
CAN-SPAM Law Overview
The CAN-SPAM Act sets the rules for commercial email at a national level. This act established requirements for commercial messages, gave recipients the right to opt out of emails, and laid out tough penalties for violations. The law applies to all commercial messages, defined as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service," including email that promotes content on commercial websites. A crucial aspect of compliance with CAN-SPAM is ensuring that emails are not misleading. To stay compliant with this aspect, ensure your "From" and "Subject" lines are accurate and provide recipients with a straightforward way to opt out of future emails.
For more detailed information on CAN-SPAM, click here.
State-Level Marketing Laws
Specific states have expanded upon CAN-SPAM by developing their own marketing laws. These unique laws apply to any recipients in their given state, so you must be aware of the location of your email recipients and ensure you comply to avoid legal risk.
California – California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is a comprehensive data privacy law that applies to businesses meeting specific criteria. This law applies if your annual gross revenues are over $25 million, your company buys, receives, or sells the personal information of 100,000 or more California residents, or you derive 50% or more of annual revenues from selling California residents' personal information. The law states that businesses must give California residents the right to know what personal information is collected and how it is used, the right to delete or correct their personal information, the right to opt out of the sale of their personal information, the right to limit the use of their information, and protection from discrimination for exercising these rights.
Key compliance points:
- Disclose the collection and use of personal information
- Provide a clear and straightforward way to opt out of the sale of personal information
- Include a link to a privacy policy detailing CCPA rights
- Provide contact details to request access or deletion of their data
For more detailed information on CCPA, click here.
Nevada – Nevada Privacy Law (SB 220)
The Nevada Privacy Law primarily applies to businesses operating websites that collect personal information from Nevada residents. Key requirements include having a clear privacy notice stating data collection practices and providing an opt-out option for the sale of personal information. Note: Businesses must respond to opt-out requests within 60 days.
Key compliance points:
- Clear statement in emails or links to privacy policy detailing data collection practices
- Provide opt-out information
- Contact information for exercising opt-out rights
For more detailed information on SB 220, click here or here.
Colorado – Colorado Privacy Act (CPA)
The Colorado Privacy Act (CPA) applies to businesses that control or process the data of 100,000 or more Colorado consumers annually. The law also applies to businesses that derive revenue from selling personal data and process the data of at least 25,000 Colorado consumers. To comply, businesses must provide consumers with the right to access, correct, and delete personal data and to opt out of the sale of personal data and targeted advertising. Note that businesses must respond to consumer requests within 45 days, with an additional 45-day extension if necessary.
Key compliance points:
- Accessible and plain language privacy policy
- Easy opt-out of data sales and targeted advertising
- "Do Not Sell My Personal Data" link (if applicable)
- Consent before processing sensitive data
- Ensure data is secure
For more detailed information on CPA, click here.
Virginia – Virginia Consumer Data Protection Act (VCDPA)
Like the Colorado law, the Virginia Consumer Data Protection Act (VCDPA) applies to businesses controlling or processing personal data of at least 100,000 consumers annually, or at least 25,000 consumers while deriving over 50% of gross revenue from selling that data. Virginia residents have the right to access, correct, and delete their personal data, and to opt out of the sale and processing of their data for targeted advertising.
Key compliance points:
- Accessible and plain language privacy policy
- Consent before processing sensitive data
- Ensure data is secure
For more detailed information on VCDPA, click here.
Ensuring compliance with federal and state marketing laws is necessary for any business sending emails. It's important to get familiar with and follow the CAN-SPAM Act and the specific rules in states like California, Nevada, Colorado, and Virginia to effectively manage your customers' and prospects' data privacy and consumer rights.
Please note that the information provided in this blog is intended to offer a general overview and should not be considered legal advice. We recommend consulting with a legal professional for detailed guidance tailored to your specific situation. At TopLine Results, we are dedicated to helping you succeed with your marketing strategies while keeping compliance in mind.
For more information on effective email campaigns or digital marketing automation, please contact TopLine Results Corporation at info@toplineresults.com or 800-880-1960.