In today’s digital age, email marketing is a vital tool for businesses. However, non-compliance with legal requirements governing email communications can be costly. The recent $2.95 million settlement between Verkada Inc. and the Federal Trade Commission (FTC) serves as a cautionary tale for all companies engaging in email marketing. This blog explores how easy it is to fall into non-compliance with the CAN-SPAM Act and what measures businesses should take, especially when outsourcing their email marketing efforts to third-party vendors.

The CAN-SPAM Act: Overview and Requirements

The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing) governs all commercial email messages used to advertise or promote a product or service. It applies to any business that sends out promotional emails, whether in-house or outsourced to a third-party vendor. CAN-SPAM mandates several specific requirements, including:
  1. Inclusion of a Valid Physical Postal Address: Every email must display the company's physical postal address to provide transparency and accountability.
  2. Clear and Conspicuous Opt-Out Mechanism: Recipients must be offered a clear and accessible way to opt out of receiving future emails.
  3. Honoring Opt-Out Requests Promptly: Once a recipient has opted out, the business has 10 business days to honor the request, after which sending further emails to that recipient violates the Act.
Failure to meet any of these requirements subjects a company to significant penalties. As of 2024, each email that violates CAN-SPAM can result in a fine of up to $51,744, with no upper limit on the number of penalties a company can incur.

The Verkada Case: A Harsh Reminder

In September 2024, the FTC imposed its largest CAN-SPAM violation penalty to date: $2.95 million against Verkada Inc. The complaint alleged that Verkada sent numerous marketing and promotional emails that failed to include two essential elements:
  • A clear and conspicuous unsubscribe option.
  • A valid physical postal address.
Additionally, Verkada failed to honor consumer opt-out requests, exacerbating its CAN-SPAM violations. The hefty penalty demonstrates how easy it can be to overlook the Act’s requirements, especially when businesses are more focused on marketing than compliance. Verkada's failure to include basic information, such as an opt-out mechanism and a physical address, resulted in substantial financial consequences that could have been avoided with proper compliance protocols.

Outsourcing Isn’t a Free Pass

One key takeaway from the Verkada case is that outsourcing email marketing to a third-party vendor does not absolve a business of responsibility for CAN-SPAM compliance. Companies often make the mistake of assuming that if they hire an outside agency or marketing firm to handle their email campaigns, they are shielded from liability. However, the FTC's CAN-SPAM compliance guide makes it clear: the company benefiting from the marketing messages is ultimately responsible for ensuring compliance.

Why CAN-SPAM Compliance Is So Easy to Overlook

Many businesses fall into non-compliance with the CAN-SPAM Act simply because they underestimate its importance, they believe that the rules are too basic to be problematic, or they just do not think it is widely enforced. Common reasons companies overlook compliance include:
  • Relying on third-party vendors without verifying that the vendor is adhering to CAN-SPAM requirements.
  • Overemphasis on marketing metrics like open rates or click-through rates, often at the expense of regulatory adherence.
  • Failure to update marketing systems to ensure opt-out requests are honored in a timely manner.
In Verkada's case, a combination of these issues resulted in thousands of emails being sent without the proper unsubscribe options or a physical postal address, leading to substantial penalties.

Compliance Best Practices: Protecting Your Business

To avoid costly penalties and regulatory scrutiny, companies need to implement robust CAN-SPAM compliance measures, particularly when working with third-party email marketing vendors. Here are some best practices to follow:
  1. Vet Third-Party Vendors: Before outsourcing any email marketing, companies should ensure that the vendor is well-versed in CAN-SPAM compliance. Agreements with such third-party vendors should give the company the right to conduct regular audits and should require proof that CAN-SPAM compliance processes are in place to meet all legal requirements. Agreements should also spell out compliance obligations and mitigate noncompliance risk by clearly delineating liability for any violations and including applicable indemnification provisions.
  2. Establish Internal Oversight: Even if email marketing is outsourced, businesses should appoint a compliance officer or legal team to oversee the campaigns. This ensures that proper unsubscribe mechanisms, postal addresses, and opt-out procedures are in place and operational.
  3. Automate Opt-Out Processes: Use automated systems to handle opt-out requests, ensuring that all opt-out requests are honored within the required 10 business days.
  4. Regular Audits: Conduct regular audits of your email marketing campaigns. This includes reviewing emails to ensure they meet the Act's requirements and testing unsubscribe links to confirm they work correctly.
  5. Train Employees and Vendors: Any team member or third-party vendor involved in email marketing should be trained on CAN-SPAM requirements and company policies to avoid violations.
For more information on CAN-SPAM compliance, refer to the FTC's Business Guidance on the CAN-SPAM Act.