“You guys, we can’t. It’s like actually illegal.”
–Me, to a room full of raised eyebrows, doing my darndest to convince sales reps not to spam everyone and their mom.
Several recent blogs here at the Spot for Pardot have been posted about GDPR, CASL, and other kinds of email compliance considerations. But what will REALLY happen if you break these laws?
I mean, I see stuff come through my inbox all the time that I KNOW I did not opt into receiving. And no matter how many times I hit the unsubscribe link for a major hotel chain (who shall not be named), my inbox still seems flooded.
Pardot has a strict Permission-Based Marketing policy, and they take it seriously. If you send an email with a 10%+ bounce rate, get ready for a sternly worded email.
But is the government really going to come after you if you’re a Spammy McSpamface? What is the actual risk of this?
Love your subscribers like no one is watching
Before we visit the Land of the Worst Case Scenario, let’s level set.
Does it matter if the feds will be pounding on your door? Even if no one ever got their hand slapped, do you REALLY want to be that guy?
Your subscribers are a precious resource. Treat them like the magical special unicorns that they are, email them only stuff they asked for, and if they want to break up with you, don’t make it super hard or weird.
In short: be cool.
With that reminder top of mind, let’s dive into the actual question, shall we?
The worst-case scenarios for spammers
The potential fines and legal headaches – in theory – if you ignore international spam laws are significant. Here’s the worst case for violations:
The United States’ CAN-SPAM
$40,000 per email
Canada’s CASL
$10 million CAD, plus civil and criminal charges for individuals and corporations involved
The EU’s GDPR
Up to 4% of a company’s annual revenue
Australia’s Spam Act of 2003
Up to $1.7M AUD
Italy
Up to 3 years imprisonment (yes, really)
How spam laws have actually been enforced
CAN-SPAM
Individual citizens can’t initiate any kind of legal action under CAN-SPAM — only the Federal Trade Commission (FTC), state attorneys general, or in some cases, an internet service provider.
The first spammer to go down under CAN-SPAM was an 18-year-old who wrote a program to send 9 million spam DMs over MySpace. After he did this, he approached MySpace and asked for a job helping them prevent others from doing this. They said “boi bye” so he threatened to tell other people how to do it. Hence the lawsuit.
Since then, there have been dozens of cases where the FTC has issued fines and filed charges against spammers. But almost all of them that I could find were SPAM, spam. Like the scum of the earth, people sending unsolicited porn, illegal diet pill ads, or doing something pretty objectively scammy. I couldn’t find a case of what I would consider a “legitimate” corporate marketing program getting in trouble for CAN-SPAM non-compliance.
CASL
The first company that the Canucks threw the book at under CASL was a firm called Compu-Finder. Compu-Finder was promoting business training courses on topics like management, social media and professional development – so a little more “mainstream” than the guilty parties we see being punished by CAN-SPAM.
Where did Compu-Finder go wrong? Well for starters, they emailed tons of people that never subscribed. And their unsubscribe link was just for fun – they didn’t actually remove people from their list who requested it.
A full 26% of consumer complaints in this industry segment were for Compu-Finder. Whoops.
They’re paying for the error of their ways in the form of a $1.1M CAD fine.
EU Privacy Directive
The EU’s current privacy and spam regulations are incredibly complex, and are about to get another layer of complexity piled on with GDPR.
As I researched companies that have actually been prosecuted under the EU Privacy Directive though, it seems like the primary people getting picked on are the giants – Facebook, Google and the like.
There have been some online jewelry companies in Spain and a Dutch public broadcaster who have been fined, but I could find very little on the specifics.
Even for those who want to comply with the relevant EU laws on spam/cookies/privacy, it’s very difficult… borderline unattainable. In fact, this company just gave up trying and is flagrantly inviting a lawsuit to put the rules to the test in a courtroom: http://nocookielaw.com/
The bottom line
You’re probably not going to be carted away in a paddywagon if you send crappy, unsolicited emails. But you’re not doing yourself any favors, either. Your metrics will suck, and subscribers will still hit that spam button and hurt your sender reputation.
So police yourself (and those on your team) and practice good email karma.
Oh and by the way… do not, I repeat, do not take this blog as legal advice.
If you’re worried, or holding a cease and desist letter in your very own hands, or actively considering something shady — please talk to a real lawyer and not your internet friend who’s researching this in sweatpants while catching up on Stranger Things II.