Opt Out

IdentitySharks is not compliant with GDPR or CASL regulations, and therefore, it is only legally permissible in the USA. Our database solely comprises email addresses from the USA. If your organization adheres to GDPR regulations worldwide, then you cannot use IdentitySharks. With that being said, let’s talk about the US CAN-SPAM Act of 2003, and why IdentitySharks follows not only the law but also the best industry practices.

What You Didn’t Know About the US CAN-SPAM Act of 2003:

As per the US CAN-SPAM Act of 2003, sending marketing emails in the USA does not require an opt-in. However, it is necessary in Europe. To be CAN-SPAM compliant, you only need to include an opt-out link in your message and make it evident that it is an advertisement, among other requirements (discussed below).

For years, it was believed that permission-based email marketing was obligatory. However, there is a significant distinction between CAN-SPAM laws and Email Marketing industry’s best practices. This difference is exemplified by Spamhaus.

Spamhaus is a significant and influential organization in Email Marketing. However, Spamhaus’s definition of SPAM is not the law. It is what everyone is familiar with and what major Email Service Providers (ESPs) such as Mailchimp and Internet Service Providers (ISPs) like Gmail/Hotmail teach. Spamhaus defines SPAM as “Unsolicited Bulk Email,” implying that the recipient has not given verifiable permission for the message to be sent, and it is sent as part of a larger collection of messages, all of which have substantively identical content. A message is considered Spam only if it is unsolicited and bulk.

Even though Spamhaus’s definition is considerably more restrictive than the law, adhering to it is critical to get email delivery. However, it’s worth noting two things concerning IdentitySharks:

Spamhaus is not the US government; it is an industry organization that is highly influential. If you sent bulk unsolicited email that has an opt-out link (and meets other criteria discussed below), you wouldn’t break the law, even if you violated Spamhaus’s definition.

IdentitySharks adheres to Spamhaus’s definition by providing you with verifiable consent, such as a third-party opt-in date and time and the URL of our partner website where they opted-in. To verify the consent, you may read our partner websites’ privacy policies. We haven’t observed any deliverability consequences for any of the hundreds of clients who use IdentitySharks. Typically, these emails have open rates between 15 and 20%, and spam complaints are well below the 1/1,000 industry standard.

Now that it’s established that an opt-in isn’t required to send legal marketing emails, let’s discuss what is required.

The CAN-SPAM Act: What You Have to Do to Legally Comply:

The Federal Trade Commission has compiled a summary of the CAN-SPAM Act’s primary requirements. You won’t see the words “opt-in” in the text anywhere.

Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information, including the originating domain name and email address, must be accurate and identify the person or business who initiated the message.

Don’t use deceptive subject lines. The subject line must accurately reflect the content of the email.

To ensure compliance with email marketing regulations, there are several requirements that must be met. Firstly, it must be made clear that the message is an advertisement. Additionally, the message must include a valid physical postal address for the sender, as well as a clear explanation of how the recipient can opt out of receiving future emails. Any opt-out requests must be honored within 10 business days, and the ability to opt out must be available for at least 30 days after the message is sent. It is important to monitor any third-party companies that handle email marketing, as the legal responsibility for compliance cannot be contracted away.

IdentitySharks offers Email-Based Retargeting through its partner network, which allows access to websites whose privacy policies explicitly state that information submitted via opt-in forms may be shared with partners. As long as an opt-out link is included in the email, marketing to IdentitySharks contacts in this way is legal.

Businesses must determine if they meet the thresholds for compliance with the California Consumer Privacy Act (CCPA). These thresholds include having $25mm in revenue, annually buying, receiving, selling, or sharing personal information of 50,000 or more California consumers, households or devices, or earning more than half of its annual revenue selling consumers’ data. If a business meets one or more of these thresholds, they must update their privacy policy to include a description of consumers’ rights under CCPA, a description of the categories of personal information collected, the commercial and business purposes for collecting personal information, the categories of personal information sold or disclosed, the categories of third parties with which personal information is shared, and a link to a “Do Not Sell My Personal Information” opt-out tool if the company sells personal information. Any financial incentives for providing data or not exercising rights must also be disclosed.

Scroll to Top