Lesson 12 of 25
Email & Digital Marketing: CAN-SPAM and Online Advertising
5 min read · CIPP/US
CAN-SPAM is opt-out, not opt-in; learn its content checklist cold. Then cover online behavioral advertising, tightening state opt-out rights, and the VPPA's surprising punch against tracking-pixel video-data leaks.
CAN-SPAM: rules for commercial email
- Covers commercial email messages
- Opt-OUT regime, not opt-in (no prior consent required)
- Honor unsubscribes promptly (within 10 business days)
- Enforced by the FTC; no general private right of action
Commercial email is governed by CAN-SPAM, 15 U.S.C. § 7701 et seq., and the exam's headline point is that it's an opt-out law, not an opt-in one. Unlike many countries, the U.S. lets you send commercial email without prior consent, but you must give recipients a way to stop. So the obligations are about honesty and exit, not permission up front. You must offer a working unsubscribe mechanism and honor opt-out requests promptly, within ten business days, and you can't charge a fee or require anything more than an email address to process the unsubscribe.
The FTC enforces CAN-SPAM; there's no broad private right of action for individuals, though providers of internet access service can sue. Remember opt-out, not opt-in, because the exam will offer the European opt-in answer as bait.
What every commercial email must do
- Accurate "From," routing, and subject lines (no deception)
- Identify the message as an advertisement
- Include a valid physical postal address
- Provide a clear, working opt-out for at least 30 days
CAN-SPAM sets concrete content rules, and the exam tests them as a checklist. First, no deception: the from line, the routing and header information, and the subject line must be accurate and not misleading. Second, the message must be identifiable as an advertisement, though the law gives flexibility in how.
Third, it must include the sender's valid physical postal address. Fourth, it must offer a clear and conspicuous opt-out that stays functional for at least thirty days after sending, and once someone opts out you must stop emailing them and not sell or transfer their address. Senders are responsible even when they hire a third party to send on their behalf.
So a violation scenario usually shows a fake header, a missing address, or an unsubscribe link that doesn't work.
Online advertising and behavioral targeting
- Cookies, pixels, and device IDs track behavior across sites
- Largely self-regulated federally (DAA, NAI) + FTC Section 5
- Transparency and opt-out of targeted ads is the norm
- State laws now create real opt-out rights
Beyond email, the exam covers online behavioral advertising: the tracking of users across sites with cookies, pixels, and device identifiers to serve targeted ads. At the federal level this space is largely self-regulated: industry groups like the Digital Advertising Alliance and the Network Advertising Initiative run opt-out programs and disclosure standards, and the FTC backstops them with Section 5 if a company misrepresents its practices. The expectation is transparency and an easy opt-out of targeted advertising.
What's changing fast, and what the updated blueprint emphasizes, is that state comprehensive privacy laws now turn that soft norm into hard rights: a consumer's right to opt out of targeted advertising and of the sale of their data, which some states require businesses to honor when it arrives as a browser Global Privacy Control (GPC) signal.
The VPPA: a sleeper that's roaring back
- Bars disclosing video viewing records without consent
- Originated with rental records; now hits streaming and pixels
- Strong private right of action with statutory damages
- Watch tracking pixels that leak "what you watched"
Don't overlook the Video Privacy Protection Act, the VPPA, 18 U.S.C. § 2710, a 1988 law that's become a major litigation engine. It bars "video tape service providers" from knowingly disclosing a consumer's video-viewing records without consent. It was born from a Supreme Court nominee's rental history being leaked to the press, but courts now apply it to streaming services and websites that serve video.
The modern wave of cases targets tracking pixels that transmit what a user watched, together with an identifier, to advertising platforms. The VPPA matters on the exam because it carries a private right of action with statutory damages of at least $2,500 per violation, making it, like the TCPA, a class-action magnet. When a scenario leaks viewing data via a pixel, think VPPA.
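The two technical patterns above, a browser opt-out signal that a site must honor and a pixel that pairs a user identifier with what that user watched, are easiest to see in a concrete request gate. The following is an added example written for this lesson, not code from the course or from any vendor: it inspects an outbound third-party pixel URL before it fires, flags the identifier-plus-viewing-data combination, suppresses the beacon when the visitor sent `Sec-GPC: 1` (the header defined by the Global Privacy Control specification) or has a recorded opt-out, and offers a stripped URL that keeps page analytics but drops the viewing data. The query-parameter names, the host, and the sample requests are constructed assumptions for illustration; real ad platforms use their own names.

```python
"""Added example (not from the lesson): gate a third-party tracking pixel
so it cannot pair a user identifier with video-viewing data without consent,
and so it respects a Global Privacy Control signal or a recorded opt-out.
Parameter names, hosts and sample requests below are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumed parameter names: which query keys identify a person and which
# describe a piece of video content. Real vendors differ; adjust per platform.
USER_ID_KEYS = {"uid", "user_id", "email", "external_id"}
VIDEO_KEYS = {"video_id", "video_title", "content_name", "watched"}


@dataclass
class Decision:
    allow: bool
    reasons: list[str] = field(default_factory=list)


def classify_pixel(url: str) -> dict:
    """Report which sensitive query keys the pixel URL would transmit."""
    parts = urlsplit(url)
    keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    return {
        "host": parts.netloc,
        "user_keys": sorted(keys & USER_ID_KEYS),
        "video_keys": sorted(keys & VIDEO_KEYS),
    }


def gate_pixel(url: str, headers: dict, video_consent: bool, opted_out: bool) -> Decision:
    """Decide whether an outbound pixel may fire.

    headers:       the visitor's inbound request headers, lower-cased keys.
    video_consent: True only if separate, informed consent to share viewing
                   history with this recipient is on file for the visitor.
    opted_out:     True if the visitor has exercised a targeted-ad/sale opt-out.
    """
    info = classify_pixel(url)
    reasons: list[str] = []
    gpc = headers.get("sec-gpc", "").strip() == "1"
    if gpc or opted_out:
        reasons.append("targeted-advertising opt-out in effect (GPC signal or recorded opt-out)")
    if info["user_keys"] and info["video_keys"] and not video_consent:
        reasons.append(
            f"pairs identifier {info['user_keys']} with viewing data "
            f"{info['video_keys']} for {info['host']} without consent"
        )
    return Decision(allow=not reasons, reasons=reasons)


def strip_viewing_data(url: str) -> str:
    """Return the pixel URL with identifier and viewing-data keys removed,
    so generic page analytics can still fire without the VPPA pattern."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    kept = {k: v for k, v in qs.items() if k.lower() not in USER_ID_KEYS | VIDEO_KEYS}
    return urlunsplit(parts._replace(query=urlencode(kept, doseq=True)))


if __name__ == "__main__":
    # Constructed sample: a pixel that leaks who watched what to an ad host.
    leaky = "https://ads.example/px?uid=u-4421&video_title=Documentary+One&page=watch"
    for hdrs, consent, out in [({}, False, False), ({"sec-gpc": "1"}, True, False), ({}, True, False)]:
        d = gate_pixel(leaky, hdrs, consent, out)
        print("allow" if d.allow else "block", d.reasons)
    print("safe variant:", strip_viewing_data(leaky))
```

The gate blocks the first sample because the URL carries both `uid` and `video_title` with no consent on file, blocks the second because the browser sent GPC even though consent exists, and allows the third; the stripped variant keeps only `page=watch`. In production the same logic belongs server-side on the tag-management or consent layer, not in client-side JavaScript that the pixel vendor's script can bypass.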
Transactional vs. commercial, and sender liability
- Transactional/relationship messages: lighter CAN-SPAM rules
- Primary purpose test decides which rules apply
- Sender stays liable even when an agency sends
- False headers can also draw fraud and other claims
Two CAN-SPAM nuances the exam likes. First, not every email is fully regulated. CAN-SPAM distinguishes commercial messages, whose primary purpose is advertising, from transactional or relationship messages, like a shipping confirmation or an account notice, which carry lighter obligations, mainly accurate header and routing information.
When a message mixes both, a primary-purpose test decides which rules apply, so a so-called receipt that's really a sales pitch gets treated as commercial. Second, liability follows the sender, not just the mailer. If a company hires a third-party email vendor to run its campaign, the company whose product is promoted remains responsible for CAN-SPAM compliance; you can't outsource the obligation.
And deceptive headers can trigger more than CAN-SPAM: they can support fraud and computer-misuse claims too. So classify the message by its real purpose, and remember the brand stays on the hook.
Exam reasoning: marketing channel → rule
- Email → CAN-SPAM (opt-out, accurate headers, address, unsubscribe)
- Phone/text → TCPA + TSR (last lecture)
- Cross-site ad tracking → self-reg + state opt-out rights
- Video viewing data → VPPA
- Distractor: CAN-SPAM as opt-in
Let's make this a channel map. If the scenario is email, you're in CAN-SPAM: opt-out, accurate headers, a physical address, and a working unsubscribe. If it's phone or text, you're back in the TCPA and the Telemarketing Sales Rule from the last lecture.
If it's cross-site ad tracking with cookies or pixels, federal law leans on self-regulation plus Section 5, while state laws add real opt-out rights for targeted advertising and sale. And if the data being shared is what someone watched, reach for the VPPA. The single most common distractor on email is calling CAN-SPAM an opt-in regime; it is opt-out.
Recap: CAN-SPAM's checklist, the self-regulated-but-tightening world of online ads, and the VPPA's surprising punch. Now go test yourself, then we finish Domain II with telecom privacy.
Sources
- CAN-SPAM Act (15 U.S.C. § 7701) and CAN-SPAM Rule (16 CFR Part 316)
- Video Privacy Protection Act (VPPA, 18 U.S.C. § 2710)
- FTC online behavioral advertising and self-regulatory guidance (DAA/NAI)
- IAPP CIPP/US Body of Knowledge, Domain II.E (Telecommunications and Marketing)