CCPA Privacy FAQs: Under the CCPA, can a company send follow-up emails after hosting a trade show or conference?

August 26, 2019

In the United States, a company can send follow-up emails after hosting a trade show.

On the federal level, the CAN-SPAM Act governs commercial use of email.  While the CAN-SPAM Act prohibits the transmission of deceptive communications, and requires that companies include an unsubscribe link in commercial messages, it does not prohibit a company from transmitting email follow-ups following a trade show or conference, nor does it require that a company obtain opt-in consent to communicate a marketing message.

In California, the CCPA does not specifically address the use of email to communicate with attendees following a trade show or conference.  The CCPA does, however, generally require that a company that collects email addresses from California-resident conference attendees provide the attendees with a privacy notice that discloses that the email addresses may be used for follow-up communications.  Assuming that the privacy notice is provided, and California residents are informed about other CCPA-based rights (such as the right to request that their email address be deleted from the conference host), nothing within the CCPA prohibits a conference host from using the emails to transmit follow-up or marketing communications.  Note, however, that if the attendee list is given to a third party to handle the follow-up emails, the conference-host should ensure that the third party is a “service provider” as defined by the CCPA or risk that the information transfer could be classified as a “sale” of personal information, which would trigger an obligation to honor “do not sell” requests.

In Europe, whether a follow-up email can be sent depends in part upon the nature of the communication.  If the communication includes information relating to the event itself, the use of the email address may be permitted under GDPR Article 6(1)(a) (if consent had been obtained from the data subject), Article 6(1)(b) (if the follow-up communication is necessary to complete a transaction with the attendee), or Article 6(1)(f) (if the follow-up communication relates to other conference-related information, and the organizer failed to obtain consent to communicate).  If the communication includes marketing content, the transmission could theoretically be permitted under GDPR Article 6(1)(a) (if consent had been obtained), or Article 6(1)(f) (the legitimate interest of the conference host to send marketing communications).  It should be noted, however, that in order for a conference-host’s interest in marketing to be considered “legitimate” under the GDPR, the conference host must comply with other European laws that regulate marketing.  Some Member States may have legislation implementing the ePrivacy Directive that requires a conference-host to obtain the consent of an attendee prior to the transmission of a marketing communication.  The net result is that in many situations, a conference-host must obtain some form of consent before sending marketing communications to conference attendees.

 

Co-authored by Jason Schultz and David Zetoony


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.