This article will address any concerns regarding CAN-SPAM, CCPA, and GDPR compliance, and provide documentation for your legal team to support the information presented here.

Our anonymous visitor identification database contains email addresses from all over the world. Let's discuss the US CAN-SPAM Act of 2003, the European Union's GDPR, and California's CCPA, and why SeloAI.com is not only legal but also adheres to industry best practices.

The US CAN-SPAM Act of 2003 does not require an opt-in for email marketing in the USA. In Europe, it is required, but not in the US. To be CAN-SPAM compliant, you only need an opt-out link in the communication, a clear indication that it's an advertisement, and a few other requirements (see below). For more details to share with your legal team, see more details.

Why Permission-Based Email Marketing is Often Misunderstood

There are significant differences between the actual CAN-SPAM laws and best practices for the Email Marketing industry. These differences begin with Spamhaus, a large and influential organization in Email Marketing. Spamhaus' definition of SPAM is not the law, but it is what we are familiar with and what is taught by major Email Service Providers (ESPs) and Internet Service Providers (ISPs) like Gmail/Hotmail.

Spamhaus defines SPAM as "Unsolicited Bulk Email." A message is considered SPAM only if it is both unsolicited and sent in bulk. This definition is more restrictive than the law, but ISPs agree with Spamhaus on what constitutes SPAM, so adhering to their definition is necessary for successful delivery.

It's important to note that Spamhaus is not the US government but an industry organization. Even if you violate Spamhaus' definition and send bulk unsolicited email, as long as it has an opt-out link (and meets a few other criteria below), you would not be breaking the law.

SeloAI.com complies with Spamhaus' definition of not qualifying as SPAM because we provide verifiable consent, i.e., a third-party opt-in date and time, and the URL of our partner website where the user opted in.

You can read the privacy policies of our partner websites to verify this consent. We have not seen any deliverability issues for any of our hundreds of clients using SeloAI.com.

Open rates for these emails are typically between 15 and 20%, and spam complaints are well below the 1/1,000 industry standard.

Now that we've established that an opt-in is not required for legal marketing emails, let's review what is needed.

For a summary of the CAN-SPAM Act written by legal experts, see here. The Federal Trade Commission created this summary of the main requirements of the CAN-SPAM Act, which does not include the term "opt-in."

To comply with the CAN-SPAM Act, you must:

- Not use false or misleading header information.

- Not use deceptive subject lines.

- Identify the message as an advertisement.

- Include your valid physical postal address.

- Provide recipients with a clear and easy way to opt-out of future emails.

- Honor opt-out requests promptly.

- Monitor what others are doing on your behalf.

Email marketing in the US is not legally an opt-in channel; just include an opt-out option.

Marketing to SeloAI.com contacts via Email-Based Retargeting is legal as long as you have an opt-out link in your email. When partnering with SeloAI.com, you gain access to our network of partner websites with privacy policies that explicitly state submitted information can be shared with a partner network.

Here's an example of how SeloAI.com works:

Step 1: User completes an opt-in form on a partner website, such as financialnews.com.

Step 2: Financialnews.com's Privacy Policy states that registrants agree to have their Personally Identifiable Information (PII) shared with Network Sites and unaffiliated third parties.

For an overview of how CCPA relates to SeloAI.com, click here. First, determine if your business meets the applicability thresholds for CCPA compliance. If your business does not meet any of the following criteria, no action is required:

- Have $25 million in revenue

- Annually buy, receive, sell, or share personal information of 50,000 or more California consumers, households, or devices

- Earn more than half of its annual revenue selling consumers' data

If your business meets one or more of these criteria, you must update your Privacy Policy to include specific information about CCPA. For more information about CCPA, click here.

A key element of the GDPR that can cause business friction is the gravity of consent that is required from individuals. Specifically, in order to collect and handle (or to “process”) personal data of Europeans, marketers, and services like SeloAI.com must have a “legal basis.”

Two common legal bases include:

- Consent of the data subject: This refers to the explicit agreement given by the individual to process their personal data. This consent must be freely given, specific, informed, and unambiguous. It cannot be inferred from silence, pre-ticked boxes, or inactivity. It should also be as easy for the individual to withdraw consent as it is to give it. Importantly, the responsibility lies with the business doing the marketing to obtain this consent directly. Third-party consent may not meet the stringent requirements of GDPR.

- A “legitimate interest” to use the data that is not outweighed by fundamental “rights and freedoms,” taking into account data subjects’ “reasonable expectations” of how data may be used.

The GDPR cites “direct marketing” as an example of a likely “legitimate interest.” Many legal commentators have noted that the GDPR leaves many questions unanswered and the potential for courts to resolve those questions in the years to come. Based on the best legal interpretations as of today, most B2B marketing like newsletters and most direct marketing is protected as a “legitimate interest” if executed in a thoughtful way.

However, campaigns that are not targeted in a way that is likely to be useful to someone given their industry or position may not fit a “legitimate interest.” It will, therefore, be more important than ever for B2B marketers to use data wisely and tailor campaigns and marketing to be relevant.

These elements are only relevant for prospects located in the EU so you don't need to worry about any of these regulations if you’re emailing anyone outside the GDPR’s jurisdiction.