As we have always predicted they would, the shortcomings of the CAN-SPAM Act have given rise to new state email opt-in laws and email consent laws, in the form of their new personal data privacy laws. The new Connecticut privacy law, along with new privacy laws in Colorado, Virginia, and Utah, all require consent before you can send targeted advertising to someone whose personal data you have acquired.
This means that where the answer to the question “is it illegal to send emails without permission” used to be a flat-out “no, it’s not illegal” (as the CAN-SPAM Act does not address it one way or the other), now the answer is “yes, if you are in or do business with anyone in Colorado, Virginia, Connecticut, or Utah.
And of course, if sending email to someone in any of those states is construed as “doing business with them”, as it might well be, you could find yourself staring down the barrel of a lawsuit from that state’s Attorney General.
A quick note: these laws all speak in terms of data controllers and data processors. You don’t really need to worry about that for these purposes; if you are building or maintaining an email list, you are a controller. (You can read more about what is a data controller and data processor here.)
Is an Email Address Considered Personal Data?
First, it’s important to understand that email addresses are considered personal data, along with home addresses, telephone numbers, and a whole lot of other pieces of information. Basically the definition of “personal data” is a piece of data from which someone can determine the identity of the individual to whom that personal data belongs or applies.
The B2B Exception
The exception to the general rule that an email address is considered personal data is when the email address is a typical business-use address, such as “in**@ex*****.com” or “cu**************@ex*****.com”. However, and it’s a big “however”, if that email address only ever goes to one individual, and that individual is the only person who has access to that email address, and they also use it for their personal individual or household use (i.e. not just for business), then it may or may not be considered personal data.
The takeaway here is that email addresses belonging to individuals as their personal email address is always considered to be personal data, and email addresses that are connected with businesses are usually not, but you need to be pretty darned sure that they are actually business email addresses.
Targeted Advertising and Email Opt-in
Colorado, Connecticut, Virginia, and Utah all define ‘targeted advertising’ along the same lines, which is targeting advertising to someone based on the personal data that you have acquired about them. For example Connecticut’s law states that “‘Targeted advertising’ means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated Internet web sites or online applications to predict such consumer’s preferences or interests.”
At first glance you might be forgiven for thinking that this doesn’t apply to email, email marketing, or mailing lists. But think again. Nearly any method someone has for obtaining somebody’s personal email address, unless the person has personally given their email address to you, involves your acquiring or inferring that email address from websites or online applications.
Did you find their email address on a dog training website and now you want to send them information about your new dog halters? That’s targeted advertising based on their personal data being on that website. Did you get their email address by acquiring a mailing list of people who signed up for or attended an alternative energy trade show, and now you want to send them information about your solar panels? That’s targeted advertising based on their personal data being on that mailing list. Did you buy a mailing list of people who attended a retirement seminar, and now you want to email them info about your financial planning services? That’s targeted advertising based on their personal data being on that mailing list. You see how this works?
Requirement of Disclosure
All of these laws boil down to a couple of things: 1. They require that you disclose what you intend to do with any personal information that you have collected about someone; 2. They require you give the person the opportunity to opt-out of any of the uses that you have disclosed to them; and 3. they require that you not use that personal data for anything other than what you disclosed at the time of collection unless you get the affirmative consent of the person for that new use.
This closely tracks GDPR, and what it means, in plain English, is that if you don’t tell someone that you intend to put them on a mailing list at the time that you collect their email address from them, then you are prohibited from adding them to a mailing list unless you first get their affirmative consent.
The Virginia Email Opt-In Requirement in 2023
The Virginia Consumer Data Protection Act (VCDPA) is the first to take effect, becoming effective on the very first day of 2023. That law states that the data controller must “[l]imit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer,” and must “not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.”
In other words, you have to tell people you are going to put their email address on an email list and give them an opportunity to say “no” at the point at which you are collecting their email address in order to put them on that mailing list; if you don’t tell them and give them that opportunity to say ‘no’, then you must directly obtain their consent and opt in.
The Colorado Email Opt-In Requirement in 2023
The Colorado Privacy Act (CPA) takes effect on July 1, 2023. The CPA requires controllers to get “affirmative consent from consumers prior to (1) collecting and processing sensitive data, (2) processing personal data for reasons other than those specified when the data was collected, or (3) selling or processing personal data for targeted advertising after a consumer has opted out of such uses. Such consent must be affirmative, freely given, specific, informed, and unambiguous. Acceptance of broad terms of service, hovering over, pausing, or otherwise interacting with content generally, and agreement obtained through deceptive webpage design is not considered consent under the CPA.”
The Connecticut Email Opt-In Requirement in 2023
The Connecticut Data Privacy Act (CTDPA), also takes effect on July 1, 2023, and is nearly identical to the Virginia CDPA saying that the controller must “[l]imit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer,” and also that the controller must “not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.”
The Utah Email Opt-In Requirement in 2023
The Utah Consumer Privacy Act (UCPA) takes effect on the very last day of 2023, on December 31, 2023. The difference between the above three laws and Utah’s law is really in the wording, as the Utah CPA essentially requires much the same thing. Utah’s law requires that if a controller “engages in targeted advertising, the controller shall clearly and conspicuously disclose to the consumer the manner in which the consumer may exercise the right to opt out of the processing for targeted advertising.” In other words, as with the other laws, before you put their email address on a mailing list you have to “clearly and conspicuously” disclose that you are going to do so.
What each of these laws say boils down to this: you must tell someone that you are planning to put them on your mailing list before you put them on your mailing list, and at least give them an opportunity to say “no”, if not to affirmatively opt in.
Now, of course, all of these laws deal with much more than email, in fact for the most part they only deal with email by inference, email being but one piece of personal data in the population of things that are defined as ‘personal data’. (For an excellent chart showing the breakdown of all of the various aspects of each of these new laws, see Squire Patton Boggs’ ‘Navigating Compliance in a Patchwork of State Privacy Laws’.) And in that context you can be sure that there will be lawsuits trying to define email out of that context, or give it some sort of exemption. But unless and until that happens, you would be well-advised to make sure that all of your mailing lists have been built with, and only with, consent, for this and so many other reasons.