Email marketing regulations around the world
github.comI live in Canada and I find it ridiculous that email without consent is illegal, phone calls without consent is illegal, but sending physical mail is perfectly fine. It makes me sad the amount of trees that must be cut down, shipped to a factory, processed into paper (with some hash chemicals), shipped to the printer, printed then shipped to me. Only to be thrown into the recycling unopened to be shipped to the recycling plant, then reprocessed to start the cycle over. It is just disgusting waste.
This is just a clear indication that it should have some cost to send a message, otherwise people (mis)use it until the legislators need to stop it attention robbery.
This is a big reason why advertisers loved newspapers. Getting a newspaper subscription is paying to have ads delivered to your home.
Well there is some cost to send a message. These are being sent via Canada Post. The problem is that the cost isn't high enough.
I think you misunderstood: The reason why modern societies need legislation on emails and not on traditional post is because there is a cost associated with traditional cost.
You'd probably see the same rules if you could send 20.000.000 letters via Canada Post in 30 seconds for the cost of the servers compute.
But clearly cost isn't enough. People are getting spam that they don't want.
You could raise the cost, but that only reduces the problem and inflicts cost on legitimate mail sending. It is clear to me that society does need legislation on physical mail. So your correlation doesn't make sense.
I'm guessing the cost isn't enough, because it works. Maybe tax commercial letter stamps by 50%, but keep private letters as is?
Ironically, spam e-mail, phone, and SMS is perfectly legal if it comes from a politician or political party. No consent necessary.
It's literally the only spam I get on my phone.
phone calls without consent are illegal in Canada?
This is missing out a lot of subtleties that a legal team might care about.
I have been a part of multiple companies trying to make a "harmonized" global opt-in policy: basically figure out any set of marketing preferences where we could get away with collecting information without first knowing the user's country - even if that meant more conservative marketing opt-ins.
In each case, we could never figure out a single-method for collecting explicit opt-in that worked worldwide. The standout countries always being some combination of South Korea, Germany, Russia, or Brazil.
CAN-SPAM is unenforced afaict. You can still take action against bad actors by signing up with old abandoned email address(es) though. ISP's will have converted them into spam traps and will subtract a higher amount from their sender reputation.
CAN-SPAM is still somewhat enforced. The problem is the type of spam it targeted is now sent from foreign bad actors and there's not much they can do to enforce it.
Is it?
E.g., recruiter spam, in particular. And I don't mean of the "are you interested in this job?" variety. I mean in the "can we hawk some candidates to you, that you can hire and they pay us for?" variety.
I am not involving in candidate sourcing in my company, period. These emails are directed to me, individually. Some claim to be American companies, and seem to have a "legit" web presence, if shady marketing tactics, and some seem to have no web presence and seem super shady, e.g., "we index heavily on the intangibles/DNA of a candidate; their Intelligence (EQ/IQ)". No mailing address, no unsubscribe link, no prior consent, all of which TFA claims CAN-SPAM requires.
"Survey" requests (American, no unsub link, no mailing address in email, no prior consent), "zero trust cloud access" company (American, no mailing address in email, no prior consent), … etc.
CAN-SPAM doesn't actually require prior consent. But if you are getting bulk email without a mailing address or unsubscribe link and the company is based in the US you can definitely report it.
GDPR (EU and UK) is much more nuanced than this makes out. For example, there are a number of legal bases that can be used to process someone's personal data.
For example, "Legitimate Interest" can be used if there is a reasonable way that the usage could be foreseen like sending a "How did we do" email after somebody buys something. Unfortaunately, this is not well-defined in the regulations so, for example, one company I came across got my information from Linked In, sold it to other businesses and those directly contacted me to sell something on the basis that the vacuuming company had a "legitimate interest" in selling my data i.e. it's how they made their money.
It's pretty well defined for the Netherlands and "making your money" as a legitimate interest could result in a hefty fine. Imho rightfully so.
Additionally, individual US states have started passing laws on data privacy, and these laws sometimes impact email marketers who do business in those states. For instance, California has the CCPA (recently amended by the CPRA), and Colorado, Connecticut, Utah, and Virginia recently passed their own laws. Still, credit to OP for raising awareness of data privacy issues.
Additionally I would say it creates a barrier for entering the market by small companies and startups. The idea is good but the execution is kinda off I would say, but that's usually how it goes with politicians and bureaucrats.
At our company, we are actually required to timestamp and enumerate the legitimate interest on all new marketing leads.
I think the issue is here that GDPR is a fairly poorly written cudgel of a law, and regulators are really only using it to go after larger foreign tech companies. Smaller, local companies can get away with much more malfeasance because it would be such a pain to enforce.
> really only using it to go after larger foreign tech companies
The big notable cases are against large tech companies, but most of the fines and procedures involve local entities
Question: How do I prove to the authorities that a subscriber has given consent?
I imagine that an attribute on my "users" table is not enough?
In any reasonable law, you would prove that your procedures require consent before you start sending the emails. If you have to prove things about a specific user, you are already on unreasonable land.
(But then, I have no idea what places have reasonable rules. I have never seen any with this specific failure for email, but IANAL and I haven't looked much.)
Actually this sounds like common law to me. But yes, this should be enough to me.
However, if I consent to a User Agreement, do you really think they keep a copy of the specific version of the User Agreement I accepted?
They almost certainly keep a copy of that specific version of the UA. They also very likely keep a log of you agreeing to it. And probably none of those would matter in a court (what you actually say on your site and how reasonable the document is certainly matter a lot more).
Anyway, UA acceptance does not require and does not imply in opt-in to your marketing emails.
“Double Opt In” is the way to go.
They sign up, then you send them an email and track when they hit the “I approve” link.
Watch out, if you get a HTTP GET request on the approve link, it could be the mail provider scanning for malware, not the user. You may need triple opt in :-)
We probably need a similar list of all different privacy laws.
Wowwww, thank you!