Like with most consumer-focused businesses, email communication has always played a big role in ecommerce. With the recent increased focus on data privacy and laws like the GDPR and CCPA coming into effect, it’s important to know what rules to follow when sending customer emails – and specifically, when consent is required. In this post, we’ll take a quick look – by region – at when consent is and isn’t required when sending customer communications.
No, under the Federal CAN-SPAM Act you do not need opt-in consent for sending commercial emails; however, you must provide a visible opt-out or unsubscribe option in all such communications. Furthermore, CAN-SPAM rules state that you must provide valid identification information and mark promotional emails as an ad.
If you could have California-based users on your site, consider that the California Consumer Privacy Act (CCPA) might apply. The CCPA has many rules that are relevant to website owners, but most important within this context is that under the CCPA, valid opt-in consent must be obtained for children. That is, consent is required before emailing California-based children under the age of 16.
More info on how you can collect consent in the EU section below.
Consent is not required in cases of “soft-spam” for existing customers when the following conditions are met:
Do note that opt-out requests must be honored.
In all cases other than the above, consent is required before emailing EU-based users. The consent must be freely given, specific, informed, and withdrawable.
The usual way of acquiring consent is via data collection forms such as newsletter, sign-up or checkout forms. However, do note that where opt-in consent is required, certain conditions must be met for the consent to be considered valid.
Your data collection forms must:
Most importantly, please note that you must always make it possible to revoke consent (opt out) and honor the request. Under the GDPR, you must also be able to demonstrate that compliant consent was collected, via valid records of consent. More on consent records here.
Learn more about the legal requirements for ecommerce in our short Compliance for Ecommerce summary guide.