Privacy Opt-Outs vs. Email Unsubscribes

CCPA-Exemptions-Employee-and-B2B-Data-1
 

The ability to opt-out of the selling and sharing of data, and to unsubscribe from marketing emails, are powerful tools that give consumers control over how their personal information is used. There is substantial confusion, however, about the difference between the two rights. 

Many businesses assume they are essentially the same thing—due in large part to the fact that both could be described as an “opt-out”—or they are uncertain about how one affects the other. This uncertainty boils down to two questions:

  1. If a consumer unsubscribes from our emails, do we have to treat it as a privacy opt-out, too?
  2. If we receive an opt-out request from a consumer, do we also have to unsubscribe them from our emails?

The answer to both of these questions is no. Privacy opt-outs and email unsubscribes are legally distinct concepts that generally don’t affect each other. Here we’ll explain why.

Privacy Opt-Outs

Laws like the California Consumer Privacy Act (CCPA) give consumers the right to opt-out of the sale of their personal data (i.e., exchanging data for money or “other valuable consideration”) and the use of that data for targeted advertising. These opt-outs are about stopping the disclosure of personal data to third parties who will then use the data for their own purposes.

Consider targeted advertising, which is by far the practice most affected by opt-out requests. Targeted advertising requires tracking a consumer’s activity on one website and then disclosing it to an ad network such as Google or Facebook (via cookies and other trackers). Those networks then use the data to create their own profile of the consumer and decide which advertisements to display to them. 

It’s this tracking and disclosure of consumers’ browsing activity that is considered problematic, not the advertisements themselves.

Marketing emails, on the other hand, do not usually involve the selling or sharing of personal data. Even if a business uses an email vendor to actually send the emails, this vendor is typically acting in a “service provider” or “processor” role. That means the vendor is contractually bound to use the personal data purely for the purpose of performing its services; it can’t turn around and sell your email list to another company. 

Therefore, if a consumer submits an opt-out request, marketing emails are not affected.

Email Unsubscribes

The rules requiring businesses to allow consumers to unsubscribe from marketing emails come from an entirely separate set of laws, including the CAN-SPAM Act (USA) and the ePrivacy Directive (EU).

Under the anti-spam laws, it is the email itself that is considered to be the problem. If your business receives an unsubscribe request, all it has to do is stop sending marketing emails to that person’s address. You don’t have to delete their email address or do anything else (in fact, you’ll probably need to retain the address in order to keep track of unsubscribes). 

For this reason, an unsubscribe request does not trigger a broader privacy opt-out.

How to Handle Opt-Outs and More

Successfully managing privacy compliance isn’t just about doing enough to be compliant. It can be just as important to make sure you’re not overestimating your obligations and unnecessarily limiting your business’s marketing activities. Unsubscribing your customers from emails just because they submitted an opt-out request is a good example of such overkill, but it’s easy to make mistakes like this when you don’t have an in-house privacy expert.

TrueVault brings privacy expertise and custom-made compliance within the reach of businesses of all sizes. Designed by attorneys, our software platform guides you at every step along the way, from onboarding vendors to handling privacy requests. In as little as a few hours, you can get your business compliant with privacy laws from across the United States.

Contact our team to learn more and schedule a demo.

Schedule Call