When General Data Protection Legislation (GDPR) went into effect on May 25, 2018, email marketers felt the impact in numerous ways. GDPR forced businesses to step back and revisit opt-in flow, data retention policies, and more. Some even thought GDPR would result in the end of email marketing.
Since GDPR applied to any organization that handled the personal information of European Union (EU) citizens and residents, some businesses outside of the EU took different approaches to email marketing post-GDPR:
Become 100% compliant with all GDPR regulations.
Stop sending to anyone in the EU.
Not comply with GDPR and hope to avoid a fine.
However, there are serious flaws in the last two approaches. By design, GDPR pushed organizations to follow best practices. So for those organizations looking to bypass email best practices, it’s a move that would likely impact them in the form of poor email deliverability, blocks, and now, fines with regulators. Additionally, those who chose to ignore (or not comply) with GDPR have several new laws to watch.
But GDPR isn’t the only concern for email marketers in the United States. Long before GDPR, there was CAN-SPAM.
Believe it or not, the federal antispam law CAN-SPAM Act of 2003 is 20 years old. Compared to GDPR or CASL (Canada’s Anti-Spam Law), CAN-SPAM doesn’t regulate opt-in policies and data retention policies. Attorney Anne P. Mitchell, who helped author a portion of CAN-SPAM, shares in the sentiment that after 20 years, an updated federal law is long overdue. Mitchell notes:
"The U.S. has always been known as having one of the weakest email marketing and antispam laws around. In fact, CAN-SPAM is often referred to as the "You Can Spam" law. So it was inevitable that eventually we would have to catch up with the rest of the world and, more importantly, finally make the most recalcitrant of email senders do the right thing."
In the absence of a new federal law, several states have enacted data privacy laws. California was among the first to introduce the California Consumer Privacy Act (CCPA) in 2018. This law impacts opt-in policies, opt-out policies, among other things, to protect California consumers’ data privacy rights. Since the California email privacy law went into effect, several states have introduced new data privacy laws, including:
Connecticut
Colorado
Virginia
Utah
Texas
Tennessee
Indiana
Montana
Iowa
Historically, businesses could collect email addresses in numerous (scrupulous or unscrupulous) ways and start marketing to them. However, these new email data privacy laws change the way businesses collect data such as email addresses.
With these new laws, affirmative opt-in and consent is a must. And while some of these laws don’t go into effect for another few years, businesses should begin to understand the new regulations and comply as soon as possible.
