Opt-in and privacy rules in EU and USA: key differencies
While opt-in rules in the U.S. and the EU differ, the intent remains the same. These laws aim to protect consumers against unwanted marketing communications. Because data privacy is not a privilege, it is a right.
Before engaging in email marketing activities, it is crucial to follow the regulations and market’s best practices to avoid enforcement actions and achieve the desired results.
Below you will find a simplified overview of email marketing rules in EU and USA.
The legal instrument covering this topic and supplementing the GDPR in the EU is the e-Privacy Directive. There is a difference between B2C and B2B marketing.
When sending B2C [business-to-consumer] emails, all recipients must give express prior consent. The consent must be freely given, specific, informed and unambiguous through a clear affirmative action, which means that pre-checked boxes or other types of implied consent is not sufficient. The recipient must also be informed exactly how their data will be used. Senders must keep evidence of the consent and provide proof if challenged.
The case is different with B2B [business-to-business] emails. The Directive gives the Member States room to maneuver how they will legally address this issue. It is up to each Member State to address this question in their national legislation.
However, for both B2C and B2B emails, there must be an opt-out possibility included. Sending email for purposes of direct marketing without a valid address or link to which the recipient may send a request that such communications cease is prohibited.
Moreover, disguising or concealing the identity of the sender on whose behalf the communication is made is prohibited.
Finally, companies registered or operating in the EU need to state their company details on every electronic business communication sent from their organisation. Business email messages sent by a company should include: the full name of the company and its legal form; the place of registration of the company; the registration number; the address of the registered office; and the VAT number.
In the USA direct marketing by email is regulated by The CAN-SPAM Act, which covers commercial email messages with the primary purpose of advertisement or promotion of a commercial product or service.
The CAN-SPAM Act allows direct marketing email messages to be sent to anyone, without permission [i.e., this applies both to B2B and B2C emails], until the recipient explicitly requests that they cease (opt-out).
Every message must include opt-out instructions and the sender must honour the opt-out request within 10 days.
The CAN-SPAM Act prohibits false email header information. The subject line cannot mislead the recipient about the content or subject matter of the message. Identification that the message is an advertisement or solicitation is required.
Lastly, a valid physical postal address is required. A sender of commercial email can include an accurately registered post office box or private mailbox established under United States Postal Service regulations to satisfy the requirement that a commercial email display a valid physical postal address.
The EU follows GDPR legislation, which is more comprehensive than regulations in the US. One of the biggest differences between the two legislations is that the US does not require opt-ins for email marketing. Even so, many businesses in the U.S. collect opt-ins for enhanced transparency, and to ensure they are being compliant to customers around the world.
GDPR Local is a proponent of opt-in (explicit prior consent) and strongly recommends using double-opt-in (subscription confirmation) even if this is not required by legislation.
Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
Zlatko, Adam, Hristina, Marin.
As your Article 27 Representative we will always help if you receive a SAR, RTE, or other data prot
We have said this previously but we are still seeing a huge number of Subject Access Requests [
Summary: The Right to Be Forgotten is one of the fundamental rights defined in GDPR. Also