
Don't Forget About CAN-SPAM! (A Lesson from Experian)

PLUS: State privacy law webinar, data privacy overview for start-ups, and smartphone settings from a privacy expert.

In 2003, Congress passed the Controlling the Assault on Non-Solicited Pornography and Marketing Act, aka the CAN-SPAM Act.

The Act aimed to address the growing problem caused by unwanted commercial emails, or SPAM, flooding our inboxes.

While SPAM obviously hasn’t gone away, most companies now realize they must take certain measures to comply with CAN-SPAM when sending marketing messages.

One of the fundamental requirements of CAN-SPAM is to provide an opt-out mechanism for recipients, usually in the form of a clear and conspicuous “unsubscribe” link.

But what if it’s not a marketing email? 

What if the purpose of the email is to deliver ordered goods to a new customer, confirm their account, or provide important safety information to an existing customer?

Under CAN-SPAM, these types of emails would be considered “transactional” or “relationship” messages, as they are sent to existing customers and their “primary purpose” is not commercial.

Transactional or relationship emails, as further defined in Section 316.3(c), are not subject to CAN-SPAM.

However, in order to qualify for this exception, the message must consist “exclusively of transactional or relationship content.” 

And here’s where companies can get into trouble.

The FTC’s Proposed Order Against Experian

Sometimes, companies try to hide behind the relationship email exception, even when the primary purpose of the email is actually commercial.

For example, the FTC recently announced a proposed order for Experian to pay $650,000 in penalties to settle charges of violating CAN-SPAM by sending unsolicited marketing emails to customers without offering them a way to opt out.

Experian was sending emails to recipients who had signed up for a free membership account. They even included a notice at the bottom of the emails stating that the email “contains important information about your account.” Sounds like a “transactional” or “relationship” email, right?

The problem was that their primary purpose was commercial in nature. Specifically, Experian was emailing members to promote two new products: a “Boost” your credit score service and a free “Dark Web” scan.

In proposing its $650K penalty (and prohibiting Experian from sending any marketing emails in the future that don’t offer an opt-out mechanism), the FTC is reminding companies that it intends to enforce a customer’s right to unsubscribe from marketing messages.

What’s the “Primary Purpose” of Your Emails?

The message here is that companies, small businesses included, shouldn’t be careless about sending out transactional emails to their customers with commercial content mixed in.

Always consider the primary purpose of your emails from a customer’s perspective.

If your email contains both transactional and commercial content, the FTC offers some guidance on determining what the primary purpose is from a recipient’s perspective:

If a recipient reasonably interpreting the subject line would likely conclude that the message contains an advertisement or promotion for a commercial product or service or if the message’s transactional or relationship content does not appear mainly at the beginning of the message, the primary purpose of the message is commercial.

FTC: CAN-SPAM Act: A Compliance Guide for Business

If you’re not certain, err on the side of caution by following these measures:

  1. Clearly identify emails as advertisements.

  2. Use truthful and non-deceptive information in all email header fields.

  3. Ensure subject lines accurately reflect the content of the email.

  4. Provide a clear and easily accessible method for recipients to unsubscribe.

  5. Honor any opt-out requests within 10 business days.

  6. Include your postal address in all emails.

  7. Ensure compliance with the Act for third-party emails sent on your behalf.

This applies to both B2C and B2B customer messages, and includes emails as well as commercial text messages sent to cell phones.

Final Thoughts

CAN-SPAM is a federal privacy law that’s been around for a while. Many business owners take it for granted and assume they are covered by using a reputable email or newsletter service with compliance mechanisms built in.

However, if you have employees or work with outside sales reps, marketing consultants, or any other partners who use transactional emails as a pretext for promoting new goods or services or upsells on your behalf, you could be violating the CAN-SPAM Act.

And the penalties for violating CAN-SPAM can be stiff (and expensive), with a maximum penalty of up to $50,120 per email. And that’s just under the federal act. Many states have their own versions of email marketing laws with separate penalties.

Read this Compliance Guide from the FTC to learn more.

More Privacy Picks for Business Owners

Here are a few more stories and resources worth checking out:

  • This webinar provides a thorough overview of the current landscape of US State privacy laws from two national privacy law experts.

  • Looking for an overview of data privacy considerations for start-ups? This article from Built-In is a great place to start.

  • In this article, a UK privacy expert tells us how to up our privacy game when using an iPhone or Android device.