The Rules of the Road in Email Marketing

There are several laws that marketers need to understand and comply with, as they build out their email marketing programs. In the United States, the key email marketing regulation is the CAN-SPAM Act of 2003, which lays out very specific rules and guidelines for marketing to recipients in the United States. 

CAN-SPAM Compliance

 The CAN-SPAM Act of 2003 requires, “that your email give recipients an opt-out method”. The law also states that, “You cannot help another entity send email to that address, or have another entity send email on your behalf to that address”.

It bans false or misleading header information. Your email’s “From”, “To”, and routing information – including the originating domain name and email address – must be accurate and identify the person who initiated the email.

It prohibits deceptive subject lines. The subject line cannot mislead the recipient about the contents or subject matter of the message.

It requires that your email give recipients an Opt-Out method. You must provide a return email address or another Internet-based response mechanism that allows a recipient to ask you not to send future email messages to that email address, and you must honor the requests. You may create a “menu” of choices to allow a recipient to opt out of certain types of messages, but you must include the option to end any commercial messages from the sender.

Any Opt-Out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your commercial email. When you receive an Opt-Out request, the law gives you 10 business days to stop sending email to the requestor’s email address. You cannot help another entity send email to that address, or have another entity send email on your behalf to that address. Finally, it’s illegal for you to sell or transfer the email addresses of people who choose not to receive your email, even in the form of a mailing list, unless you transfer the addresses so another entity can comply with the law.

It requires that commercial email be identified as an advertisement and include the sender’s valid physical postal address. Your message must contain clear and conspicuous notice that the message is an advertisement or solicitation and that the recipient can opt out of receiving more commercial email from you. It also must include your valid physical postal address.

Additional CAN-SPAM Reference Material:

You can find more information about CAN-SPAM on the FTC website.

Check out our updated CAN-SPAM overview.  

If you need clarification on what the CAN-SPAM Act means to you and your email marketing campaigns, Contact Us Today – we would be happy to review this important legislation.

International Email Regulations

Email can be a highly effective marketing channel for campaigns running in multiple countries, however, it’s important to understand that regulations impacting email marketing can vary significantly from one country to another.  Outside of the U.S. and CAN-SPAM, perhaps the most significant law to understand is the General Data Protection Act (GDPR) in the European Union.  GDPR is a much broader law, impacting marketing channels well beyond email.  But, it’s impact on email is significant, as it sets requirements for both receiving prior permission to email recipients as well as rules for responding to opt-out requests.  

GDPR Compliance

With GDPR on many marketers’ minds, we have developed a brief overview of our current positioning under the new regulation, as your trusted vendor and partner.

For some time, OPTIZMO has been deeply involved in understanding our role and responsibilities under the new set of rules. After several consultations and evaluations, the consensus of our lawyers, the IAB, and other noted data privacy and protection groups is that OPTIZMO will in fact be categorized as a U.S. based data processor.

This is an important distinction for us, as the service provided to each of our clients may be used in whatever way they choose to deploy it. As always, opt-out links and mailer access keys are distributed only to partners of a clients’ choosing. Processed opt-out data will only be retained for the period during which we are engaged with a client, and it will be used solely for the purposes directed by the client and as required under CAN-SPAM, EU, or any other regionally applicable email compliance laws.

We have undertaken a full gap analysis, remediation phase, and will update our service agreements and other documentation for those clients who require GDPR-specific language.

The good news for OPTIZMO and all of our partners is that we have historically been doing almost all of what is required for GDPR readiness, both procedurally, and in the technologies we utilize around processing activities such as encryption and data movement. The majority of our GDPR initiatives include updating service agreements and documentation, and creating a few key records required under GDPR. We are also certifying under Privacy Shield, which is a fantastic all-around set of standardized criteria for responsible handling of data (not just from the EU), to further cement our position.

Protecting personal data is a shared responsibility between data controllers and their processors. However, the responsibilities of a processor like OPTIZMO vary greatly from those of controllers, which is how most of our clients will be categorized under GDPR. An important first step toward helping our clients is ensuring they are familiar with the requirements of data controllers under GDPR. While our best recommendation will be to consult legal experts of your own, please let us know if we can be of assistance in this area. We will also be posting more GDPR related content to our website and social media feeds for your reference.

As your trusted data processor, OPTIZMO is committed to providing you and all of our partners and clients with as many tools and documents as possible to help support your compliance with GDPR. We will also continue to strengthen our ability to facilitate and support your overall GDPR readiness in the future.

*Nothing in this statement should be taken as legal advice. We encourage you to become familiar with the actual text of the regulation and also obtain legal advice as to how GDPR may impact your business.

GDPR is NOT just for companies in the EU.

The General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Despite a lot of coverage in various industry publications there remains quite a bit of confusion or a lack of understanding as to how the regulation will impact the digital marketing industry in the EU and also in other countries, like the U.S.

First, let’s dispel a myth – that GDPR only impacts companies in the EU. This is FALSE. GDPR expressly impacts any company that collects data on users who are in the EU. This means, if a company simply has a website with visitors from EU countries, then it needs to understand how it can gather, store, and utilize that data in a manner compliant with GDPR. The GDPR includes provisions for imposing extensive fines on companies that do not comply with the rules.

So, what exactly is GDPR?

GDPR introduces a variety of obligations on data Controllers and Processors in a number of areas. It strengthens the rules for gaining user consent when obtain ‘personal data’ and ‘sensitive personal data’ which must be specific, granular, and auditable. In addition, it further defines how companies may use this data and how that use must be in line with the consent received from the user.

What are the personal data requirements?

The regulation requires that persona data be:

  1. Processed lawfully, fairly, and transparently in relation to individuals
  2. Collected for specified, explicit and legitimate purposes and not be processed in a manner incompatible with those purposes
  3. Adequate, relevant, and limited to what is necessary for the intended purposes
  4. Accurate and any inaccuracies corrected without delay
  5. Kept in a format that permits identification of the data subjects for no longer than necessary
  6. Processed in a manner that ensures appropriate security

Learn more about Personal Data here.

What happens if a company is non-compliant with GDPR?

While exact fine amounts are related to the now severely a company fails to comply, but the regulation allows fines of up to 20 million Euros or 4% of a company’s annual global revenue, whichever is highest. This does not mean that fines of this magnitude will be imposed, but it creates the possibility that they could.

This is just a quick primer on some of the aspects of GDPR. We encourage you to become familiar with the actual text of the regulation and also obtain legal advice as to how GDPR may impact your business.

External links to more information on GDPR

If you want to learn more about GDPR, here are a few links to more in-depth details about the regulation.


As with any legal requirements, it is always recommended to get professional legal advice to ensure your email program is compliant with all relevant laws in different countries and regions