An invitation to a conference or a trade show is generally considered a commercial solicitation. On the federal level, the CAN-SPAM act does not require prior consent for a commercial email, only that it be clearly identified as an advertisement and include an unsubscribe link. It also prevents a company from using an email list that was generated by automated means1, either by scanning and harvesting emails from websites or by generating email addresses by combining names, letters, or numbers, into permutations. A company that buys an email list is still responsible for how it was created.
While the CAN-SPAM act pre-empts state laws that require opt-in consent before sending commercial emails, it does not preempt state laws that govern how companies collect email addresses. As a result, while companies are permitted to send mass marketing emails concerning upcoming events to the extent that they intend to cull prospective attendees from various lists, that activity may trigger other state privacy laws. For example, the CCPA requires that a company that collects an email address or any other personal information from a California resident distribute a privacy notice “at or before the point of collection.”2 The CCPA’s requirement is ambiguous as to whether a privacy notice must be provided only when the email address is collected directly from the resident, or whether it must be provided regardless of where the company obtains the email address.
Co-authored by Jason Schultz.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. 15 U.S.C. § 7704(b)(1)(A)
2. CCPA § 1798.100(b)