Why does data privacy matter? A quick guide to CAN SPAM and GDPR.

We all agree that protecting users’ privacy is important. But with all the talk about data privacy and various regulations, it can be hard to determine which ones apply to you.

As a company in the US, where do you draw the line?

Where does authority of each regulation begin and end?

What is the underlying goal of these regulations?

We’re sharing a brief overview of what you need to know. The two main policies that affect your business growth are CAN-SPAM and, now, the GDPR.

Here’s what you need to know about these regulations to keep your email marketing and customer outreach compliant.

As always, we’re here to give you tips and tricks for business growth and content best practices (check out our FREE ebook The Beginner’s Guide to Growing your Online Business Idea). This is not legal advice. If you are unsure of what either policy means for your business, please contact your attorney.


In 2003, US Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act – aka the CAN-SPAM Act.

According to the FTC:
“The CAN-SPAM Act, a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.”

Each separate violation of the CAN-SPAM Act can result in penalties of up to $41,484. That’s not a fine you want to earn with a poorly thought-out stunt email.

Compliance with this law is relatively easy, partly because it’s been in effect for so long and partly because the FTC expressly outlines the steps you can take:

  • Don’t use false or misleading header information.
  • Don’t use deceptive subject lines.
  • Identify the message as an ad.
  • Tell recipients where you’re located.
  • Tell recipients how to opt out of receiving future email from you.
  • Honor opt-out requests promptly.
  • Monitor what others are doing on your behalf.

Who does CAN-SPAM affect?

If you are a company that sends emails to US-based users, you are subject to CAN-SPAM.

According to the law, there are 3 types of email messages:

  1. Commercial content
  2. Transactional/relationship content
  3. Content that is neither

Of the three types, only the first two are subject to CAN-SPAM. Commercial messages are subject to all requirements of the act. Transactional or “relationship” messages are mostly exempt, but they may not contain false or misleading routing information.

The primary purpose of the message is what determines its category (this is different from content targeting, which we cover in our Guest Blogging Series). A promotional email is clearly commercial content. A shipping confirmation email with a link to a flash sale is still transactional/relationship content by most interpretations of the law.

International Spam

CAN-SPAM protects US-based users. Its international cousins include Canada’s stringent CASL and Australia’s Spam Act of 2003. And now there is the GDPR.

GDPR: The General Data Protection Regulation

GDPR stands for “General Data Protection Regulation.” It’s a privacy law for the European Union that takes effect on May 25th, 2018.

This regulation will affect the way companies do business online, and not just in the EU. You need to pay attention and get compliant…or face massive fines.

The GDPR covers the processing of personal data. Let’s break that down:

  • “Processing” means doing anything with personal data, at all. From collection to deletion, and at every step in between, you’re “processing.”
  • “Personal data” means any information about someone who is, or could be, identified. Think:
    • Name
    • Email address
    • Physical address
    • Phone
    • IP address

As a US-based business, how does GDPR affect you?

If your business processes the data of anyone located in the EU, you’re subject to GDPR. It doesn’t hinge on citizenship or residency, just physical location.

Specifically, the GDPR applies to data processing in relation to offering products or services to people in the EU, whether it’s free or paid. It also applies to what you do with that data privately – think segmenting your email list or creating a retargeting ad campaign.

It also applies to any existing data you’re currently processing. To continue emailing EU-based people on your list, you’ve got to get consent.

Is GDPR the end of the opt-in freebie?

If you use email marketing as any part of your business growth strategy, you need to pay attention. The popular strategy of offering a freebie to capture email addresses for your list? Not GDPR compliant.

You’ll need to build specific consent language and opt-in actions into your sign-up process for your customers.

The restrictions on email data will likely affect the majority of business owners. For specific steps on how to get compliant, check out Bobby Klinck’s webinar on the GDPR.

Privacy Policy

The GDPR also requires a slight change to your privacy policy and disclosures. If you’re a US-based business owner, you should already have a privacy policy in place (thanks to CalOPPA).

To get GDPR compliant, you need to add more information to this policy.

What is the underlying goal of these regulations?

There are 8 Rights for Individuals guaranteed by the GDPR:

  1. The right to be informed – complete transparency about how companies use personal data.
  2. The right of access – knowing exactly what data is held and how it’s processed.
  3. The right of rectification – having incomplete or incorrect data resolved.
  4. The right to erasure – having one’s data removed without needing to specify why one wants it deleted.
  5. The right to restrict processing – blocking or revoking permission to process personal data.
  6. The right to data portability – retaining and reusing data for one’s own personal use.
  7. The right to object – under some circumstances, individuals can object to use of their personal data.
  8. Rights related to automated decision-making and profiling – protection against automated decisions that have damaging effects, such as legal consequences.

These rights inform the articles of the GDPR and aim to better protect individuals physically located in the EU.

What do these laws mean for your business?

CAN-SPAM and now the GDPR exist to protect user privacy. They empower consumers. They hold businesses to a higher standard.

Those are all good ideals that we should strive for.

If your company attracts customers with valuable content, then you’re in the clear. If you rely on spam as your customer outreach strategy, then you’ve got some work to do.

If your business uses integrity in the collection, storage, and processing of user data, GDPR shouldn’t panic you.

Do your due diligence. Consult with your attorney if necessary. Update any weak areas – you still have time. Keep calm and perfect your content best practices. Our blog is the perfect place to do so.