California Email Laws Explained
California email marketing laws can be infeasible – when you are subject to the federal CAN-SPAM law and other state anti-spam law provisions, how could you ever comply with about 100 anti-spam laws (some have been enacted and some have been introduced) in numerous states? If you market to email addresses of consumers in California, however, you need to be sure that you understand and comply with California’s laws on these matters. California’s email marketing law was passed in 2004, before at least five other major states passed similar legislation of their own with legislation that applies to both video text messages and email advertising. California emails laws possibly go beyond CAN-SPAM with respect to unsolicited email marketing and email marketing opt-out mechanisms. To make matters more complicated, California has adopted a new anti-counterfeiting law regarding the sale of counterfeit goods, but this law has teeth against spam emails that include counterfeit logos . And, yet, California is also known for its hoarding of consumer email address information under so-called anti-spam and anti-phishing laws. Does that mean that California email laws are typically overly high while other state email marketing laws are overly low, incomplete or just plain absent? Or do they balance each other out when compared against CAN-SPAM, which is basically okay – sort of? We provide a full guide to California email laws below, along with a comparison to CAN-SPAM, to try to help you find the right balance. Below you will find the latest email marketing laws that have been enacted in California, including CARU recommendations; when you need to get email marketing consent prior to sending an email advertisement; specific guidance on email marketing; opt-out requirements; other requirements on email marketing; and a review of recent cases and enforcement / regulatory actions.
Key Provisions Under The California Anti-Spam Law
When sending commercial email in California, there are two regulations you need to license your list under – CAN-SPAM and the California Anti-Spam Law.
As mentioned in CAN-SPAM legislation, the California Anti-Spam Law requires that commercial email contain the header information and opt-out links explained above. Under California’s spam law, email marketers must:
• Include a sender address that identifies the sender and a link to the sender’s privacy policy in the email;
• Include a subject line that adequately reflects the contents of the email; and
• Include a "Do Not Email" option.
The law also mandates that the communications be sent from valid domain names. Emails from domains such as @yahoo.com or @gmail.com may not comply with the California law. And the law applies to both solicitation emails and mass emails sent to current or potential customers.
California Consumer Privacy Act (CCPA) Explained
The California Consumer Privacy Act – CCPA – was introduced in 2018 and went into effect on January 1, 2020. The CCPA restricts companies from sharing and selling the personal data of consumers. For marketers, this impacts how email is used to drive sales. It also has a business impact that marketers should communicate to the C-Level. For companies that do a lot of marketing through the Internet, they must provide customers with the "right to know" regarding how their personal data is being used. This legislation gives consumers access to their personal information and provides consumers with the right to delete information shared with third parties.
Personal Data Under the CCPA, personal data includes: Names Home addresses (including IP addresses) Phone numbers Social Security numbers Email addresses Payment information Purchasing history Hobbies (food preferences and travel habits) Biometric records Print fingerprints Scanning of fingerprints, such as iPhone Touch ID Scanning of iris (eye) Scanning of face, such as iPhone Face ID Signatures In addition to standard personal information, consumers may have the right to know if the information businesses have about them is accurately recorded as a result of data collection practices and can seek correction of inaccurate data.
Right to Request Information The CCPA requires that businesses, including marketers, allow consumers the "right to know" what personal data is collected by the business. Consumers have the right to request: What information was collected What source the information was obtained from Is the information sold, shared, combined, or updated by the company With whom the information is shared and/or through what mechanism How the information includes recent purchases Whether certain types of information are used or used for targeted advertisements How the information is used to analyze and/or create a profile of consumers
Disclosing Personal Information The CCPA require businesses to disclose personal information within forty-five days of the consumer request and makes it mandatory to provide consumers the means to request the erasure of their personal information from the business.
Right to Delete The CCPA gives consumers the right to ask a business to delete personal information previously disclosed. It also prohibits businesses for selling or sharing the personal information collected.
Consumer Rights Under the CCPA The CCPA provides the following rights for consumers: Access. The consumer demands the business to disclose what personal information was collected and stored by it, and what was disclosed or sold to third-parties over the past two years, as well as the purpose. Correction. Consumers are permitted to ask the business to correct false or incomplete personal information. Deletion. Consumers can demand the business to delete all copies of personal information collected from or about them. Opt-out of a sale. Marketers have a mandatory duty to provide an easy method for consumers to opt-out of selling their personal information to third-parties.
The Essentials of Consent and Opt-Out Provisions
When sending an email marketing message, the marketer must provide a notice describing the procedure by which the consumer can opt-out of emails in the future. These opt-out notices must appear either at the time the contact information is collected or each time that the marketer sends an email marketing message to that consumer. Currently, there is no prescribed form, color or size for this notice. However, and in an effort to shine light on what opt-out notice best practices should be, California has used a relatively small court case to set the standard.
Recall our prior post on this case from 2019. There a consumer was sent an unsolicited email marketing message, which the recipient believed was unlawful because the email did not include any opt-out notices. As a result, the recipient filed a lawsuit under RBDA and sought to have the California Courts.com pass judgment on the matter. The Northern District Court for the Northern District of California issued an initial ruling stating that the act by itself provided for a private cause of action. However, a final ruling followed with an unpublished opinion, in favor of the marketer.
In that case, the court pointed out the essential differences between the manner given by the marketer in the opt-out notice in that case and the statute. It was found that the option to stop future emails was clearly presented and provided to the consumer in a proper manner. For example, the opt-out notice included a hyperlink directing the reader to a web-based interface, where the consumer could complete the opt out process. Thus, it gave the consumer the option to respond either through a one-click process or the time-consuming process of emailing back the marketer. It was held that such agency regulation with respect to the accessibility of the opt-out response options was done in compliance with the statute.
This decision is beneficial as it confirms that a marketer, having provided opt-out notices as required by the statute, satisfied its obligations to the consumers and that any other additional procedures beyond that are solely within the discretion of the marketer. There is nothing in the statute that prevents the use of such opt-out notices as permitted by the marketer. However, the California courts have been silent for sometime now on what kind of process is acceptable.
Consequences of Non-Compliance
Enforcement of the California email marketing laws is conducted by the Attorney General, the Federal Trade Commission and the Direct Marketing Association.
California Penal Code § 120220 provides for civil penalties against agencies, firms, or individuals engaged in the unencrypted storage of more than 10,000 pieces of personal information. Such persons may be liable for a fine up to $250,000 per violation.
FTC rules and regulations carry the same risk of civil penalties as described above. The FTC has entered into consent orders with marketers that have included civil penalties in the millions of dollars. The FTC has also issued fines of up to $16,000 per violation as recently as January, 2006. The California Attorney General’s Office may bring actions for violations of the CAN-SPAM statute and laws prohibiting deceptive advertising. In addition, consumers, state and local government agencies and Internet Service Providers may bring private actions against companies who violate the California Spam Act . The California Spam Act permits any person to sue for a minimum of $1,000 or actual damages and attorney’s fees, whichever is higher. There is a mandatory award of $1,000 damages for email harvesting. The California anti-spam law, known as the "Can-Spam Act," exposes violators to civil penalties of up to $1,000 per each email transmission and up to $100 per message for each failure to place "ADV" in an unsolicited commercial email (UCE). The California Penal Code also allows for criminal penalties, including a penalty of up to $1,000 per incident for knowingly or willfully advertising in UCE in violation of CAN-SPAM. The California Telephone Act, which by its terms also applies to text messages, provides that, in addition to injunctive relief, a person will be liable for statutory damages between $5,000 and $10,000 per violation, plus recovery of all attorney’s fees and costs. In addition, the California B&P Code prohibits harassment by telephone or text message and makes consumers whole for damages suffered. Although few such cases are brought, the potential exposure is substantial.
Email Marketing Best Practices for Compliance
A couple of the best practices for compliance are technical, but there are a number of things you can do that are more practical. First is ensuring that you have a clear opt-in or opt-out process. You must collect express permission to send your promotional emails and even then you need to include an opt-out mechanism in each email. The easiest way to do so is by including an unsubscribe link. Using a double opt-in process will also help. Make sure you are using an unsubscribe link that remains functional over time. An additional best practice is to make it easy to opt-out using a one-click method. Once someone has opted out, they should immediately be shown a confirmation page.
Also be sure your unsubscribe option includes the relevant forward to a friend options as well. Automatic implementation of this type of functionality is a good way to keep your email list fresh and up-to-date. Using third-party email delivery services is also a good way of ensuring compliance with California email marketing laws. It will also ensure that your email messages are formatted correctly and tracked in a systematic way. One final best practice is hand-scrubbing your email lists so you don’t have any obsolete or out-of-date email addresses.
The Importance of Federal CAN-SPAM Act
The CAN-SPAM Act preempts any state law, or rule adopted by a state agency, that obligates "any person to obtain the consent of a recipient for a commercial electronic mail message to be lawful or is based on the provision of such consent." Congress decided to preempt these more stringent federal laws based upon its consideration that a patchwork of different federal and state laws would create an intolerable burden on email marketers and make it difficult to "effectively conduct communications in interstate commerce."
But CAN-SPAM does not preempt state anti-spam legislation that is not inconsistent with the law. So while the federal law completely preempts any state regulation that requires consent of the email recipient as a prerequisite to sending the email, this is not the case with the general prohibitions against misleading or deceptive conduct contained within CAN-SPAM. The cases are split as to whether CAN-SPAM preempts state law claims based on falsity of header data and other misleading conduct. So far, however, California courts have held in each case that they will not be preempted. California courts have also held that CAN-SPAM is not at odds with California Civil Code section 17529, which proscribes making materially false or misleading representations in the transmission of a commercial email. This statute is stricter than the CAN-SPAM Act, providing for $1,000 for each false email violative of the provision. Unlike under CAN-SPAM, however, California law permits recovery without regard to whether the email sender intended to deceive its recipients by making materially false or misleading statements.
Conclusion: Understanding California Anti-SPAM law
Any business that has clients in California needs to stay on top of the CCPA and other privacy changes in the state, which companies are specifically responsible for. Be aware not only of the CCPA and the CPRA but also of the CDBP, as the DBPR further addresses consumer privacy rights under the CPRA, while also overseeing risk management and enforcement of these laws .
Additionally, the CAN-SPAM Act and the AEOA provides guidance on acceptable email marketing practices to those conducting business across state lines, and the CPRA will have an increasingly greater influence on the email marketing and e-commerce landscape in California. Email marketers who fail to understand the implications of these laws and their requirements could face costly enforcement actions or negatively impact their brand through the loss of subscriber trust.
No Responses