Disclaimer. This summary is intended solely for informational purposes and is not intended to constitute legal advice or to create an attorney-client relationship between TrafficMagic.ai and any recipient or reader of this summary. This is not intended to be an exhaustive summary of all issues and requirements relating to the topics discussed. If you have any questions about any of these issues you should contact your legal counsel.

Introduction

Using existing technology (referred to herein as a “Technology”), companies are able to obtain email addresses of visitors to websites who have not and do not disclose their email address to the website owner. This Summary discusses some of the legal issues relating to use of this technology.

CAN-SPAM

CAN-SPAM prohibits email harvesting which is generally defined as obtaining email addresses from a website using an automated means when the website has a notice stating that the operator of the website will not give, sell or otherwise transfer email addresses maintained by the website for the purposes of allowing others to send emails to the address.

TrafficMagic.ai Technology collects email addresses from users submitting their information on websites that clearly state they share or sell this data with 3rd party marketing services.

Opt-Out – Not Opt-In

While some jurisdictions outside of the United States (e.g. the European Union and Canada) require an affirmative opt-in in order to send marketing or commercial emails, the US has been, since the passage of CAN-SPAM, an opt-out jurisdiction. This means marketing emails can be sent to recipients unless and until they have opted out of receiving marketing emails from the sender.

Accordingly, a user of the Technology can send emails to email addresses acquired through the Technology provided that the recipient has not previously opted-out to receiving marketing emails from the Technology user / sender.

The sender of marketing emails acquired using the Technology should include an unsubscribe link or other opt-out mechanism in all marketing emails and promptly honor all opt-outs.

Other CAN-SPAM compliance tips include:

  • Section 7704(a)(3)[1] of the Act requires that marketing messages contain an opt-out or unsubscribe mechanism.
  • Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information, including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.
  • Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message.
  • Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.
  • Tell recipients where you are located. Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.
  • Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.

https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business

CALIFORNIA PRIVACY LAWS

California Privacy Rights Act (CPRA) amending the California Consumer Privacy Act (CCPA)

Disclaimer.  These Summaries and FAQs regarding the California Privacy Rights Act (CPRA), amending and renaming the California Consumer Privacy Act (CCPA) are intended solely for informational purposes and is not intended to constitute legal advice or to create an attorney-client relationship between TrafficMagic.ai and any recipient or reader of this summary. This is not intended to be an exhaustive summary of all requirements of the CPRA. If you have questions about complying with the CPRA, you should contact your legal counsel.

The CPRA, a ballot initiative passed by voters in November 2020, amends the CCPA and renames the CCPA to the CPRA. The CPRA includes additional privacy protections for consumers as discussed below.

Opt-Out of Sharing for Targeted Advertising. The CPRA extends a consumers right to opt-out of sales to include a right to opt-out of the sharing of the consumer’s personal information for targeted advertising (defined as “cross-contextual behavioral advertising”), whether such sharing is made with or without consideration. The CPRA contains an opt-out requirement for the sharing or sales of personal information, with the exception of the sharing or sales of personal information relating to children under the age of 16. (Children aged 13 to 16 must provide opt-in consent for the sale of their personal information. Website owners collecting, using, selling, or sharing personal information relating to children under the age of 13 must obtain verifiable parental opt-in consent to do so.).

  • The CPRA does not outright prohibit the sharing of personal information. Rather, if a company shares personal information for targeted advertising the company must provide notice of this to the consumer and give the consumer at least 2 methods for opting-out of the sharing of personal information for targeted advertising, one of which must be an interactive webform to opt-out requests. Use of the Technology to acquire email addresses and send emails to those addresses is sharing under the CPRA, which would require notice and the ability to opt-out of such sharing.
  • There are few exclusions from a “sharing” of personal information triggering the opt-out requirements, including when a Technology user directs the Technology provider to intentionally disclose personal information with one or more third parties.
  • If the Technology user desires to permit the Technology provider or any other third party to use the personal information for their own purposes outside of providing services to the Technology user, the Technology user should comply with the notice and opt-out requirements under the CPRA relating to the sharing of personal information for targeted advertising.

CPRA Notice. One of the primary requirements of the CPRA is the obligation to provide a “Do Not Sell or Share My Personal Information” and a privacy notice or privacy policy to website visitors complying with the requirements of the CPRA. All of the various notice requirements required under the CPRA are outside the scope of this summary. With respect to the Technology, generally speaking the CPRA requires notice to website visitors if personal information that identifies or can be reasonably used to identify them is collected by the website owner, the purposes for collecting, selling, or sharing the personal information, and the categories of third parties to whom the personal information is disclosed.

  • On its website homepage, a user of the Technology should provide a clear and conspicuous link titled “Do Not Sell or Share My Personal Information” that enables a user to opt-out of the sharing of a visitor’s personal information.
  • In its CPRA privacy notice, a user of the Technology should disclose and describe that, among other things, the website owner uses tracking technology to collect identifiable information about visitors (e.g., an email address or hashed email address), how it uses the information and that it shares the information with third parties (e.g., with the Technology provider to identify email addresses of visitors). Details will vary depending on the nature of the website and particular Technology used.
  • Vendor Agreements. Under the CPRA, specific language is required in business agreements depending on the nature of the business arrangement between the parties.
  • Sale of Personal Information. While the CPRA does not outright prohibit the sale of personal information, the newly defined term “sharing” broadly encompasses targeted advertising. The implication of the separate definition of sharing, suggests that such activities be may no longer considered sales under the CPRA.
  • Opt-out of Profiling and Automated Decision Making. While not detailed in the CPRA, the CPRA vests the Attorney General or a soon to be formed governing body, the California Privacy Protection Agency, with the authority to further establish rules governing access and opt-out rights with respect to automated decision-making technology, including profiling.