Listen to Adam and Helen talk about the legality of Retention.com:
This post clears up the CAN-SPAM and CCPA concerns and points to supporting documentation that you can pass along to your legal team.
1. Retention.com is not GDPR or CASL compliant, so it’s only legal in the USA.
Our database only contains email addresses in the USA.
If your organization is GDPR compliant worldwide, you can’t use Retention.com.
Now that’s out of the way, let’s talk about the US CAN-SPAM Act of 2003, and why Retention.com is not only legal, but also complies with industry best practices.
2. What You Didn’t Know About the US CAN-SPAM Act of 2003
According to the US CAN-SPAM Act of 2003 you do NOT need an opt-in to send email marketing in the USA. In Europe, you do; but in the US, you don’t.
To be CAN-SPAM compliant, all you need is an opt-out link in the communication, and you need to make it clear that it’s an advertisement, along with a few other requirements (see below).
If you want more details to pass along to your legal team, download our legal packet [COMING SOON] prepared for us by our friends at Foley and Lardner, LLP.
Why you always thought permission-based Email Marketing was a requirement
There are major differences between the actual CAN-SPAM laws and best practices for the Email Marketing industry.
Those differences start with Spamhaus.
Spamhaus is a large, important, and influential organization in Email Marketing.
Spamhaus’ definition of SPAM is not the law, but it’s what we’re all familiar with. It’s also what we’re taught by major Email Service Providers (ESPs) like Mailchimp and the Internet Service Providers (ISPs) like Gmail/Hotmail.
The Spamhaus definition of SPAM is the following:
“The word ‘Spam’ as applied to Email means ‘Unsolicited Bulk Email.’ Unsolicited means that the Recipient has not granted verifiable permission for the message to be sent. Bulk means that the message is sent as part of a larger collection of messages, all having substantively identical content. A message is Spam only if it is both Unsolicited and Bulk.”
Why abide by this definition, even though it’s considerably more restrictive than the law?
The ISPs agree with Spamhaus about what SPAM is, so to get delivery, you need to adhere to Spamhaus’ definition.
Two things are worth pointing out as all of this pertains to Retention.com:
- Spamhaus is NOT the US government. It’s an industry organization. A very important one. Even if you violated Spamhaus’ definition and sent people bulk unsolicited email, so long as it had an opt-out link (and met a few other criteria below), you would not be breaking the law.
- Retention.com complies with Spamhaus’ definition for not qualifying as SPAM because we give you verifiable consent, i.e., a third-party opt-in date and time, and the URL of our partner website that they opted in to. You can read the privacy policies of our partner websites to verify the consent. More on this later.
We haven’t seen any deliverability consequences for any of the hundreds of clients who are using Retention.com.
We typically see open rates that are between 15 and 20% from these emails, and spam complaints are well under the 1/1,000 industry standard.
Now that we’ve established that you don’t actually need an opt-in to send legal marketing emails, let’s go over what you do need.
3. The CAN-SPAM Act: What You Have to Do to Legally Comply
To get a summary written by lawyers who specialize in CAN-SPAM for yourself or your legal team, download our legal packet here [COMING SOON].
This is the Federal Trade Commission’s summary of the CAN-SPAM Act’s main requirements. Nowhere in the text will you see the words “opt-in.”
- Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.
- Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message.
- Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.
- Tell recipients where you’re located. Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.
- Tell recipients how to opt out of receiving future email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.
- Honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.
- Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.
So, Email Marketing isn’t legally an opt-in channel in the US. Just have an opt-out.
Good to know.
4. How Retention.com is not only legal, but also opt-in via our partner network
We’ve established that as long as you have an opt-out link in your email, marketing to Retention.com contacts via Email-Based Retargeting is legal.
When you partner with Retention.com, you’re gaining access to our partner network of websites whose privacy policies explicitly state that information submitted via the opt-in form can and will be shared with a partner network.
Here’s an example of exactly how Retention.com works.
Step 1: User fills out an opt-in form of a partner website, typically a lead-gen site. For this example, we are using timelypayday.com.
As a condition of registration, registrants agree that timelypayday.net may share their PII with the Network Sites and unaffiliated third parties. If you do not agree that timelypayday.net may share your PII with such entities, you may not register on timelypayday.net, and if you are already registered, you must immediately terminate your account, by following the instructions in “Opting-Out of Further Communications.”
Which, again, you are not legally required to do by the CAN-SPAM law, but it is suggested you do by Spamhaus’ best practices.
5. What about California and CCPA?
For an overview of how CCPA relates to Retention.com prepared by our friends at Foley and Lardner, LLP, please click here.
PLEASE NOTE: CCPA DOES NOT APPLY TO 501(c)(3)s; IT ONLY APPLIES TO FOR-PROFIT ENTITIES.
The first thing you need to determine when deciding whether or not you need to take action to comply with CCPA is whether or not your business meets the applicability thresholds.
Here are the applicability thresholds; you must meet one of the following criteria:
- Have $25mm in revenue
- Annually buy, receive, sell, or share personal information of 50,000 or more California consumers, households or devices; or
- Earn more than half of its annual revenue selling consumers’ data
If the answer is “no” to all of these items, you are not required to take action.
If the answer is “yes” to one or more, then the following updates are required:
- A description of consumers’ rights under the CCPA.
- A description of the categories of personal information collected by the business in the preceding 12 months.
- The commercial and business purposes for which the personal information is collected.
- The categories of personal information sold or disclosed for a business purpose in the preceding 12 months.
- The categories of third parties with which personal information is shared.
- If the Company sells personal information, a link to a “Do Not Sell My Personal Information” web-based opt-out tool.
Click here for more information about CCPA.