Imported Can-Spam: How GDPR Affects Email Marketing From The U.S.

The Can-Spam law took effect in January 2004. And that very month, a gang of spammers who are now part of folklore launched a scheme that seemed to take Can-Spam as its playbook. 

They used botnets (forbidden), false headers and domains (forbidden), and sent hundreds of millions of emails to people who didn’t want them (forbidden). Worse, they peddled worthless penny stocks and used a Russian hacker to feed their botnets.

The alleged ringleader was the so-called Godfather of Spam: Alan J. Ralsky. 

Things have changed: Europe is now governed by the GDPR, which applies to U.S. firms that market to people in the EU and is increasingly reflected in state privacy statutes in the U.S.

But the question is: Just what does GDPR say about email?

Accellion’s Vince Lau attempted to answer that question this week with a post on Security Boulevard. Lau advises that you must:

  • Protect consumer data that you collect, store or use. Email data must be encrypted, in storage and in transit.
  • Delete the data, and do not keep it any longer than is absolutely necessary. 
  • Restrict yourself to the six lawful bases for processing consumer data (GDPR Article 6): consent, performance of a contract, compliance with a legal obligation, protection of vital interests, a task in the public interest, and legitimate interests. 
  • Observe the consumer’s right to be forgotten. 

Can-Spam is different in some respects. For one thing, GDPR requires consent (an opt-in) before marketing email is sent. Can-Spam mandates only that you let people opt out.

And, while Can-Spam allows 10 business days to honor an opt-out request, GDPR says it must be handled “promptly,” Lau writes. 

Finally (and thankfully for actual spammers), there is no federal right to be forgotten in the U.S. But that could change as states pass new privacy legislation.  

That pretty much wraps it up, Lau says.  

What happened to Ralsky and the gang of 2004? Most of them went to jail. 
