United States
In the US, the CAN-SPAM Act has been in force since 2003, governing commercial emails. CAN-SPAM dictates that marketers cannot be dishonest when sending electronic messages. It also requires them to provide an unsubscribe function in their emails and act on it within ten days. There are no exceptions for B2B marketers. CAN-SPAM is enforced primarily by the FTC (Federal Trade Commission). The FTC has the power to impose penalties of up to $16,000 per email that violates CAN-SPAM.
Canada
In Canada, there is CASL, which stands for Canadian Anti-Spam Legislation. CASL concerns email marketing and applies to all emails sent to Canadian residents as part of commercial activity. The primary feature of CASL is that recipients must give companies consent before they can email them. Implied consent can be used to send unsolicited B2B emails if the person’s email address is publicly available (e.g., on company websites) and is not accompanied by a statement confirming that they do not wish to receive email marketing at their business email address.
If the person’s email address isn’t publicly available, B2B companies must ensure they only contact customers or prospects who have consented. CASL also requires that a clear unsubscribe option be included in all marketing communications. The penalties under CASL can be severe. The maximum fines are $1 million for individuals and $10 million for corporations per violation.
Europe
The most well-known data compliance law, particularly in the UK, is the General Data Protection Regulation, or GDPR. It came into force in May 2018 across the whole of the EU and EEA.
The GDPR’s aim was to give citizens more control over their personal data, as well as to set out how companies must process and protect the data they hold about their customers. GDPR rules around processing personal data do apply to B2B companies, but they can still carry out marketing activities such as cold calls or emails if they can prove ‘legitimate interest’.
Penalties for not adhering to the GDPR are severe, with the maximum fine being €20 million or 4% of annual worldwide turnover for the preceding year – whichever is greater.
Brazil
In Brazil, the LGPD will come into force in August 2020. The new law regulates companies that hold data on citizens of Brazil, whether they have a physical presence there or not. Like GDPR, the LGPD governs how companies can keep data on their customers. This law does not apply to B2B activities. However, it’s a good illustration of how countries are tightening up their data privacy laws. The direction of travel is towards tighter regulations everywhere.
Thanks to our friends at Cognism for much of the legal content.