With so many businesses sending marketing emails to their customers, it is easy to forget that such practices are governed by a multitude of privacy laws and that failure to follow the requirements of such privacy laws may lead to hefty fines.
In fact, the Federal Trade Commission (FTC) has recently announced that it will fine Experian Consumer Services $650,000 as part of a settlement.
The settlement arises from the allegation that Experian sent customers unsolicited emails without an option to opt out of such emails as required by the CAN-SPAM Act.
In this article, we will discuss this settlement, the CAN-SPAM Act, and examples of other privacy laws and their requirements so that you can make sure that your email marketing follows the proper rules.
Why was Experian fined?
The lawsuit filed by the Department of Justice on behalf of the FTC claimed that Experian spammed customers with email marketing after customers signed up for an account and failed to provide clear and conspicuous notice that customers could opt out of such email marketing.
The FTC stated that signing up for Experian services does not mean that customers also wanted to sign up for email marketing. This signals that companies should ask customers who are creating accounts whether they would like to receive email marketing and obtain their opt-in consent for it.
In addition, since the emails were marketing and were not related to customers’ accounts, the FTC stated that Experian must follow the CAN-SPAM Act and provide a clear “unsubscribe” link within those emails, which Experian failed to do.
In addition to the penalty of $650,000, Experian is also ordered to stop all email marketing that does not include an unsubscribe link for customers who want to opt out of such emails.
What is the CAN-SPAM Act?
The CAN-SPAM Act is a US privacy law that applies to messages whose primary purpose is commercial advertising or promoting a commercial product or service.
It is important to note that the CAN-SPAM Act does not apply to purely transactional emails, such as a confirmation of a purchase or a notice that a subscription is renewing, but instead applies to email marketing.
Examples of email marketing include announcing a sale or enticing customers to purchase new products or services. Violations of CAN-SPAM are subject to penalties of up to $50,120 per email, so following its requirements is important.
The main requirements of the CAN-SPAM Act are below:
- Do not use false or misleading header information. For example, a marketing email cannot appear to be sent from a different business;
- Do not use deceptive subject lines. For example, a marketing email cannot state that action is required to keep an account active where that is not the purpose of the email;
- Identify the message as an advertisement;
- Inform recipients of your physical postal address;
- Inform recipients how to opt out of future email marketing – this must be a clear and conspicuous explanation. The explanation can include a return email address or a link to a web page that allows individuals to opt out of emails;
- Remember that customers who have a subscription with your company can still opt out of email marketing;
- Honor opt-out requests promptly – you must honor a request to opt out within 10 business days;
- Ensure that any vendors (such as your marketing agency) that send email marketing on your behalf follow the rules above.
If you send email marketing to your customers or prospects, you should ensure that you meet the above rules to prevent enforcement actions and fines.
Are there other privacy laws that cover email marketing?
It is important to note that while CAN-SPAM is a US federal privacy law that governs email marketing, other privacy laws may also impose additional restrictions on email marketing.
For example, the General Data Protection Regulation (GDPR) states that you must obtain opt-in consent from individuals before sending them email marketing messages.
For consent to be valid, it must be freely given, specific, informed, and unambiguous.
Another example of a privacy law that requires consent for the sending of marketing emails is the Personal Information Protection and Electronic Documents Act (PIPEDA), which protects the personal data of residents of Canada.
PIPEDA requires companies to provide relevant information in their Privacy Policies, clear options to say “yes” or “no”, accountability, and the ability to demonstrate compliance with the law.
Lastly, most privacy laws provide consumers with privacy rights, such as the right to opt out of processing their personal data for certain purposes (such as email marketing) and the right to delete personal data.
It is important that you honor those privacy rights and stop sending individuals unwanted email marketing.
What should companies do?
Companies that engage or wish to engage in email marketing should ensure that they perform the following:
- Ensure that you obtain opt-in consent for any individual to whom you would like to send email marketing messages (regardless of whether they sign up for an account with you);
- Check all email marketing messages to see if they contain the information specified above and a clear and conspicuous link as to how to unsubscribe from receiving such emails in the future;
- Honor requests to opt out and stop sending email marketing messages to individuals who have opted out;