The Legality of

How do I speak to my legal team about

For our legal packet that we designed specifically to be presented to legal teams, click here.

Once people understand Email-Based Retargeting and how it works, the first reaction we usually get is “Is this legal,” or “my legal team is going to go over this with a fine-toothed comb.”

So we’ve decided to create a guide to speaking to legal teams about Email-Based Retargeting. 

We think it’s best to split the conversation into five parts: 

  1. What is Email-Based Retargeting
  2. The technology behind it
  3. What a “partner database” is, and how people are opting-in to it (example website and language included)
  4. What the CAN-SPAM law actually is in the US
  5. Whether GDPR, CCPA (California), or the new Nevada privacy laws apply

1. What is Email-Based Retargeting?
At, we use the following definition for Email-Based Retargeting: 

Email-Based Retargeting uses identification technology — usually a pool of persistent cookies — to identify anonymous website visitors. 

Those visitors are matched to a partner network database of contact records (with opt-ins), and the end user is sent email addresses of people who are not already on their list.

The last part of the definition, “…of people who are not already on their list,” is what separates Email-Based Retargeting from all technology before it, such as Cart Abandonment, Category Abandonment, and Behavior Triggered Email.

With Email-Based Retargeting (unlike Display Retargeting), the end user pays once and owns the contact record forever. As long as there’s an opt-out link in the email, the end user can email that contact record for as long as they wish.

How is this opt-in Email Marketing? Keep reading.

2. The technology Email-Based Retargeting uses (and the legality of that technology)

Email-Based Retargeting is a two-part technology. 

The first piece is identification of anonymous traffic. 

Identification is usually done through a pool of persistent cookies. There is no applicable US law about disclosing use of cookies. However, if you have a European target audience, you will need to obtain informed consent before you store any data.

Our guess is that if you are speaking with your legal team, you are large enough that you have already built something like this into your website.

For example:

Here is the legislation:

Once a website visitor is identified, he or she is matched back to a database of third-party opt-ins that our partner network of publishers has acquired and that we keep up to date and accurate.

3. What is a third party opt-in? Who are these “partners?”

A third party opt-in is when someone opts in to a list where the opt-in language or privacy policy very clearly states that the information input in the form will be shared with other related or unrelated entities, and those entities will be marketing to them via email and/or other channels.

These websites are typically lead-gen websites that drive traffic to landing pages, then sell data to vendors. We give you the partner website URL and opt-in date with every contact record, so you can verify the privacy policies yourself.

For information about the language on our partner websites, click here.

Here is an example of one of our partner websites, and what happens when a user hits the website.

Step 1: User fills out an opt-in form of a partner website, typically a lead-gen site. For this example, we are using

Step 2: Here is’s Privacy Policy, with respect to how they handle Personally Identifiable Information (PII): 

“As a condition of registration, registrants agree that may share their PII with the Network Sites and unaffiliated third parties. If you do not agree that may share your PII with such entities, you may not register on, and if you are already registered, you must immediately terminate your account, by following the instructions in ‘Opting-Out of Further Communications.’”

Step 3: When we pass you a customer record, we include the “source” URL, and you can read their Privacy Policy to confirm that you are actually in compliance with verifiable consent. 

4. What actually is the CAN-SPAM law in the United States? 

It’s different than you think. We wrote a long-form post about this. Click here to read it.

5. How are GDPR, CCPA (California), and the coming Nevada privacy acts relevant to Email-Based Retargeting?

Email-Based Retargeting is not GDPR compliant, but the database contains only USA contacts, so GDPR is not relevant.

The next question we usually get is “what about the California legislation that is coming down the pipeline?”

The state legislation for California, Nevada, and Vermont has nothing to do with opt-in email marketing. Similar to CAN-SPAM, it’s all opt-out. 

You may have to change your privacy policy if you qualify — meaning you have revenues above $25mm — but if you do, you are probably putting a substantial amount in place for California anyway.

For our complete legal packet which addresses all of this to pass along to your legal team, click here.
