There is a misconception across Europe that the USA has not enacted any laws that protect consumer rights and consumer privacy. The European Commission has enacted a very powerful tool with the implementation and development of the GDPR, which sometimes makes us reconsider other countries' rules. The USA has a wide range of privacy-protective acts, at both federal and state level, to protect consumers from deceptive market practices. This article summarizes some important findings regarding email marketing in B2B and B2C environments in the USA. For this purpose, we have assessed the CAN-SPAM Act.

What is the CAN-SPAM Act?

The CAN-SPAM Act is the Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) Act of 2003. The Act establishes some standards for commercial emails sent to consumers and businesses. Compliance is monitored by the Federal Trade Commission. The major aim of the law is to put an end to spam emails across the USA. It does not deal with fraud. Before it was enacted, US consumers suffered from a lot of bulk emails, unsolicited messages, and commercial emails. The law has not been able to end all spam procedures, but it has defined unsolicited marketing practices regarding false or misleading content.

Does the Act apply to every email communication?

The simple answer is no. The CAN-SPAM Act applies to commercial content only. This is contrary to the EU approach, which is not to review the purpose of any email. The Act does not apply to transactional or relationship messages, nor to other content.

The Act defines what is considered a commercial electronic mail message and what is considered a transactional or relationship message. The deciding factor is the primary purpose of an email, which is different from the EU approach:

  • “commercial electronic mail message” means any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose).
    “commercial electronic mail message” does not include a transactional or relationship message.
  • “transactional or relationship message” means an electronic mail message the primary purpose of which is—

(i) to facilitate, complete, or confirm a commercial transaction that the recipient has previously agreed to enter into with the sender;

(ii) to provide warranty information, product recall information, or safety or security information with respect to a commercial product or service used or purchased by the recipient;

(iii) to provide—

(I) notification concerning a change in the terms or features of;

(II) notification of a change in the recipient’s standing or status with respect to; or

(III) at regular periodic intervals, account balance information or other type of account statement with respect to, a subscription, membership, account, loan, or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of products or services offered by the sender;

(iv) to provide information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, participating, or enrolled; or

(v) to deliver goods or services, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender.

If an email contains both kinds of content, then the primary purpose is the deciding factor for the USA. This means that certain factors need to be taken into consideration and case-by-case assessments are required.

What are the major aspects?

If you are used to GDPR standards, these aspects may sound very familiar to you. However, we should not forget that for the USA, this law has changed many business practices. Below you can find four major points:

  • The Act requires specific information in the header (“From” and “To”, including the originating domain and email address), subject lines that accurately reflect the email content, and business location details.
  • Businesses need to make sure to provide opt-out mechanisms to stop future emails. It is recommended to use text only rather than images or buttons for unsubscribing.
  • Consumers have the right to opt out, which needs to be honoured by businesses. This means that businesses need to develop a good mechanism to ensure opt-outs are implemented.
  • Agencies, marketers, and other service providers cannot take away your business's responsibility to comply with the law. Marketers need to develop suppression lists.

However, the CAN-SPAM Act includes many further specifications that are interesting to review for EU lawyers and legal counsel. Considering them may be useful for USA-based businesses or if any EU companies intend to roll out commercial marketing activities in the EU.

How can a business which complies with the CAN-SPAM Act ensure compliance in the EU?

The European Union has enacted Directive 2002/58/EC on Privacy and Electronic Communications, commonly known as the ePrivacy Directive. This directive is not directly applicable across the EU but provides some minimum harmonizing standards for EU member states. In practice, this means that each country across the EU has enacted a different law with a different approach towards electronic communication. Some rules remain very similar, while others are very different. What is important to know is that the approach towards, for example, opt-out time frames for businesses is narrower than within the CAN-SPAM Act.

Achieving compliance can be very tough and challenging for businesses targeting consumers across the EU. In my opinion, global digital life would be boring if we did not face such interesting, manageable challenges!