How the New State Email Privacy Laws Affect Senders (2023)

August 11, 2023
Written by
Denis O'Sullivan
Opinions expressed by Twilio contributors are their own
Reviewed by
Ayanna Julien
Opinions expressed by Twilio contributors are their own

How the New State Email Privacy Laws Affect Senders (2023)

When General Data Protection Legislation (GDPR) went into effect on May 25, 2018, email marketers felt the impact in numerous ways. GDPR forced businesses to step back and revisit opt-in flow, data retention policies, and more. Some even thought GDPR would result in the end of email marketing. 

Since GDPR applied to any organization that handled the personal information of European Union (EU) citizens and residents, some businesses outside of the EU took different approaches to email marketing post-GDPR:
  1. Become 100% compliant with all GDPR regulations.
  2. Stop sending to anyone in the EU.
  3. Not comply with GDPR and hope to avoid a fine.
However, there are serious flaws in the last two approaches. By design, GDPR pushed organizations to follow best practices. So for those organizations looking to bypass email best practices, it’s a move that would likely impact them in the form of poor email deliverability, blocks, and now, fines with regulators. Additionally, those who chose to ignore (or not comply) with GDPR have several new laws to watch. 

But GDPR isn’t the only concern for email marketers in the United States. Long before GDPR, there was CAN-SPAM.

What is CAN-SPAM?

Believe it or not, the federal antispam law CAN-SPAM Act of 2003 is 20 years old. Compared to GDPR or CASL (Canada’s Anti-Spam Law), CAN-SPAM doesn’t regulate opt-in policies and data retention policies. Attorney Anne P. Mitchell, who helped author a portion of CAN-SPAM, shares in the sentiment that after 20 years, an updated federal law is long overdue. Mitchell notes: 

"The U.S. has always been known as having one of the weakest email marketing and antispam laws around. In fact, CAN-SPAM is often referred to as the "You Can Spam" law.  So it was inevitable that eventually we would have to catch up with the rest of the world and, more importantly, finally make the most recalcitrant of email senders do the right thing." 

Which states have introduced new data privacy laws?


In the absence of a new federal law, several states have enacted data privacy laws. California was among the first to introduce the California Consumer Privacy Act (CCPA) in 2018. This law impacts opt-in policies, opt-out policies, among other things, to protect California consumers’ data privacy rights. Since the California email privacy law went into effect, several states have introduced new data privacy laws, including:
  • Connecticut
  • Colorado
  • Virginia
  • Utah
  • Texas
  • Tennessee
  • Indiana
  • Montana
  • Iowa  
Historically, businesses could collect email addresses in numerous (scrupulous or unscrupulous) ways and start marketing to them. However, these new email data privacy laws change the way businesses collect data such as email addresses.

With these new laws, affirmative opt-in and consent is a must. And while some of these laws don’t go into effect for another few years, businesses should begin to understand the new regulations and comply as soon as possible. 

Send confidently with Twilio SendGrid’s email deliverability services

Need assistance with your opt-in process, opt-out methods, and general email best practices? Twilio SendGrid’s deliverability services can help. Sign up for a free account to get started.

Recommended For You

Most Popular

Send With Confidence

Partner with the email service trusted by developers and marketers for time-savings, scalability, and delivery expertise.