How is this legal?

1. Capital Audience is only legal in the USA. International laws such as GDPR or CASL do not apply to us.

Our database only contains personal contact information in the USA.

If your organization is GDPR compliant worldwide, you can’t use Capital Audience.

Now that’s out of the way, let’s talk about the US CAN-SPAM Act of 2003, and why Capital Audience is not only legal, but also complies with industry best practices.

2. What You Didn’t Know About the US CAN-SPAM Act of 2003

According to the US CAN-SPAM Act of 2003 you do NOT need an opt-in to send email marketing in the USA. In Europe, you do; but in the US, you don’t.

To be CAN-SPAM compliant, all you need is an opt-out link in the communication, and you need to make it clear that it’s an advertisement, along with a few other requirements (see below).

Why you were led to believe that permission-based Email Marketing was a requirement

There are major differences between the actual CAN-SPAM laws and best practices for the Email Marketing industry.

Those differences start with Spamhaus.

Spamhaus is a large, important, and influential organization in Email Marketing.

Spamhaus’ definition of SPAM is not the law, but it’s what we’re all familiar with. It’s also what we’re taught by major Email Service Providers (ESPs) like Mailchimp and the Internet Service Providers (ISPs) like Gmail/Hotmail.

The Spamhaus definition of SPAM is the following:

"The word ‘Spam’ as applied to Email means ‘Unsolicited Bulk Email.’ Unsolicited means that the Recipient has not granted verifiable permission for the message to be sent. Bulk means that the message is sent as part of a larger collection of messages, all having substantively identical content. A message is Spam only if it is both Unsolicited and Bulk.”

Why abide by this definition, even though it’s considerably more restrictive than the law?

The ISPs agree with Spamhaus about what SPAM is, so to get delivery, you need to adhere to Spamhaus’ definition.

Two things are worth pointing out as all of this pertains to

  1. Spamhaus is NOT the US government. It’s an industry organization. A very important one. Even if you violated Spamhaus’ definition and sent people bulk unsolicited email, so long as it had an opt-out link (and met a few other criteria below), you would not be breaking the law.
  2. Capital Audience complies with Spamhaus’ definition for not qualifying as SPAM because we give you verifiable consent, ie, a third-party opt-in date and time, and the URL of our partner website that they opted in to. You can read the privacy policies of our partner websites to verify the consent. More on this later.

We typically see open rates that are between 15 and 20% from these emails, and spam complaints are well under the 1/1,000 industry standard.

Now that we’ve established that you don’t actually need an opt-in to send legal marketing emails, let’s go over what you do need.

3. The CAN-SPAM Act: What You Have to Do to Legally Comply

This is a summary created by the Federal Trade Commission of the CAN-SPAM act’s main requirements. Nowhere in the text will you see the words “opt-in.”

  1. Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.
  2. Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message.
  3. Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.
  4. Tell recipients where you’re located. Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.
  5. Tell recipients how to opt out of receiving future email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.
  6. Honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.
  7. Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.

So, Email Marketing isn’t legally an opt-in channel in the US. Just have an opt-out.

Good to know.

4. How Capital Audience is not only legal, but also opt-in via our partner network

We’ve established that as long as you have an opt-out link in your email, marketing to Capital Audience's contacts via Email-Based Retargeting is legal.

When you partner with Capital Audience, you’re gaining access to our partner network of websites whose privacy policies explicitly state that information submitted via the opt-in form can and will be shared with a partner network.

Here’s an example of exactly how Capital Audience works.

Step 1: User fills out an opt-in form of a partner website, typically a lead-gen site. For this example, we are using

Step 2: Here is a Privacy Policy, with respect to how they handle Personally Identifiable Information (PII):

As a condition of registration, registrants agree that may share their PII with the Network Sites and unaffiliated third parties. If you do not agree that may share your PII with such entities, you may not register on, and if you are already registered, you must immediately terminate your account, by following the instructions in “Opting-Out of Further Communications.”

5. What about California and CCPA?

The first thing you need to determine when deciding whether or not you need to take action to comply with CCPA is whether or not your business meets the applicability thresholds.

Here are the applicability thresholds; you must meet one of the following criteria:

  1. Have $25mm in revenue
  2. Annually buy, receive, sell, or share personal information of 50,000 or more California consumers, households or devices; or
  3. Earn more than half of its annual revenue selling consumers’ data

If the answer is “no” to all of these items, you are not required to take action.

If the answer is “yes” to one or more, then the following updates are required:

Update your Privacy Policy to include the following:

  1. A description of consumers’ rights under the CCPA.
  2. A description of the categories of personal information collected by the business in the preceding 12 months.
  3. The commercial and business purposes for which the personal information is collected.
  4. The categories of personal information sold or disclosed for a business purpose in the preceding 12 months.
  5. The categories of third parties with which personal information is shared.
  6. If the Company sells personal information, a link to a “Do Not Sell My Personal Information” web-based opt-out tool.
  7. A description of any financial incentives for providing data or not exercising rights (e.g., if the company offers a 15% discount to individuals who provide their email address for marketing purposes, this incentive must be disclosed in the privacy policy).

6. Let's thank META's legal team for fighting for the good marketers in court in a landmark decision

This is a summary created by Tantango with a video brought to you by Innvosita Law, home to the TCPA Defense Force. Innovista's lawyers have helped companies navigate potential TCPA landmines through effective risk-mitigation and compliance strategies.

SCOTUS unanimously supported Meta on April 1, 2021.
SCOTUS ruling on Facebook v. Duguid was good news for SMS marketers, as it could mean fewer lawsuits on automated telephone dialing systems (ATDS). But, it does not mean open season on the Telephone Consumer Protection Act (TCPA.)

However, this ruling is not a definitive one. Sending text is allowed if not using a random number generator, but there is still potential for legal action.

The ruling provides marketers a temporary window to clean their contact list against the DNC list until further legislation is passed to prevent it.

*This page should not be considered legal advice. If necessary, we send a legal packet to your legal team during the review process. Seek your own legal counsel before using Capital Audience's data for direct outreach.