Opt-in and privacy rules in the EU and USA: key differences
While opt-in rules in the U.S. and the EU differ, the intent remains the same: these laws aim to protect consumers against unwanted marketing communications, because data privacy is a right, not a privilege.
Before engaging in email marketing activities, it is crucial to follow the regulations and the market's best practices, both to avoid enforcement actions and to achieve the desired results.
Below you will find a simplified overview of email marketing rules in the EU and the USA.
European Union
The legal instrument covering this topic and supplementing the GDPR in the EU is the e-Privacy Directive. There is a difference between B2C and B2B marketing.
When sending B2C [business-to-consumer] emails, all recipients must give express prior consent. The consent must be freely given, specific, informed and unambiguous, expressed through a clear affirmative action, which means that pre-checked boxes or other types of implied consent are not sufficient. The recipient must also be informed exactly how their data will be used. Senders must keep evidence of the consent and provide proof if challenged.
The case is different with B2B [business-to-business] emails. The Directive leaves the Member States room to decide how they address this issue, so each Member State regulates B2B marketing emails in its own national legislation.
However, both B2C and B2B emails must include an opt-out possibility. Sending email for direct marketing purposes without a valid address or link to which the recipient may send a request that such communications cease is prohibited.
Moreover, disguising or concealing the identity of the sender on whose behalf the communication is made is prohibited.
Finally, companies registered or operating in the EU need to state their company details on every electronic business communication sent from their organisation. Business email messages sent by a company should include: the full name of the company and its legal form; the place of registration of the company; the registration number; the address of the registered office; and the VAT number.
United States
In the USA, direct marketing by email is regulated by the CAN-SPAM Act, which covers commercial email messages whose primary purpose is the advertisement or promotion of a commercial product or service.
The CAN-SPAM Act allows direct marketing email messages to be sent to anyone without permission [i.e., this applies to both B2B and B2C emails], until the recipient explicitly requests that they cease (opt-out).
Every message must include opt-out instructions, and the sender must honour an opt-out request within 10 days.
The CAN-SPAM Act prohibits false email header information. The subject line cannot mislead the recipient about the content or subject matter of the message, and the message must be identified as an advertisement or solicitation.
Lastly, a valid physical postal address is required. A sender of commercial email can include an accurately registered post office box or private mailbox established under United States Postal Service regulations to satisfy the requirement that a commercial email display a valid physical postal address.
Conclusion
The EU follows GDPR legislation, which is more comprehensive than the regulations in the US. One of the biggest differences between the two legal regimes is that the US does not require opt-ins for email marketing. Even so, many businesses in the U.S. collect opt-ins for enhanced transparency and to ensure they remain compliant when dealing with customers around the world.
GDPR Local is a proponent of opt-in (explicit prior consent) and strongly recommends using double-opt-in (subscription confirmation) even if this is not required by legislation.
Contact Us
Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.