Notice: This overview is provided solely for informational purposes and does not serve as legal counsel, nor does it establish a lawyer-client relationship between the law firm Foley & Lardner and any recipient or reader of this overview. This document should not be seen as a comprehensive review of all aspects and requirements related to the discussed subjects. For inquiries regarding these matters, it is advised to consult with legal experts.

Introduction: Modern technologies enable businesses to collect email addresses of website visitors without them revealing their email addresses to the website owners. This overview addresses several legal concerns associated with the use of such technologies.

CAN-SPAM and Email Collection: The CAN-SPAM Act forbids the practice of email harvesting, which typically involves the automated collection of email addresses from websites that have stated they do not permit the sharing of email addresses for email sending purposes. Therefore, technologies should not gather or distribute email addresses from such websites.

Opt-Out vs. Opt-In Policy: Different from some international jurisdictions requiring an opt-in approach for marketing emails, the U.S. follows an opt-out policy as per CAN-SPAM. This implies that marketing emails are permissible until recipients choose to opt out. Hence, technology users can send emails to acquired addresses unless those recipients have opted out from marketing emails.

Legal Compliance in Email Marketing: The sender of marketing emails must include clear methods for recipients to unsubscribe and honor these requests swiftly. Additional compliance guidelines include:

• Ensuring truthful header information, including accurate “From,” “To,” and routing information.
• Avoiding misleading subject lines and accurately representing the email’s content.
• Clearly identifying the email as an advertisement.
• Including the sender’s physical address in the message.
• Monitoring and ensuring compliance by any third-party services employed for email marketing.
• Adhering to opt-out requirements under the CAN-SPAM Act.

California Privacy Laws – CPRA Amendment to CCPA:

The CPRA amends the CCPA, enhancing privacy protections for consumers. It extends the right to opt out of personal data sharing for targeted advertising and requires businesses to provide notice and methods for consumers to opt out. These changes include specific provisions for children’s personal information. Businesses must comply with detailed notice requirements and ensure contractual language reflects these changes in vendor agreements. The CPRA clarifies definitions and exemptions, particularly regarding sales and sharing of personal information.

Colorado Privacy Act – CPA:

The CPA, effective July 1, 2023, sets forth rights and obligations concerning consumer data privacy in Colorado. It applies to businesses meeting specific criteria and includes consumer rights such as access, opt-out, correction, deletion, and data portability. The CPA outlines business duties including transparency, data minimization, and security, and mandates consent for processing sensitive data.

Virginia Consumer Data Protection Act – CDPA:

Effective January 1, 2023, the CDPA draws elements from the CPRA and GDPR, offering consumers rights similar to those in other privacy regulations. It applies to entities controlling or processing significant amounts of consumer data and excludes certain types of organizations and information. The CDPA outlines consumer rights, controller obligations, and requirements for data protection assessments and processor agreements, with enforcement by the Virginia Attorney General.