Thomas C. Carey

Sunstein LLP Compliance with Privacy Laws

As we build an intent-based advertising network that’s beneficial for consumers, brands, and publishers, we at are conscientious of privacy and in compliance with laws and regulations regarding compliance.

Disclaimer: This webpage regarding the CAN-SPAM Act, the CCPA and GDPR is intended solely for informational purposes and is not intended to constitute legal advice or to create an attorney-client relationship with Sunstein LLP. This is not intended to be an exhaustive summary of all requirements of the CAN-SPAM Act, CCPA, or GDPR. If you have questions about complying with the CAN-SPAM Act, CCPA, or GDPR, contact your legal counsel.

Last update: July 31, 2023

Overview of Privacy Compliance

There’s a lot of confusion about sales outreach, the United States of America’s CAN-SPAM Act of 2003, the European Union’s General Data Protection Regulation, and California’s California Consumer Privacy Act of 2018. We will clear up this confusion as best we can below.

’s X-Ray tool is compliant with the CAN-SPAM Act of 2003.

’s X-Ray tool is compliant with the European Union’s General Data Protection Regulation. Our compliance is achieved by excluding email addresses owned by people in the European Union.

’s X-Ray tool is compliant with the California Consumer Privacy Act. Email addresses owned by California residents are excluded from our system.


We will now explain what the CAN-SPAM Act requires. The CAN-SPAM Act, according to the Federal Trade Commission, applies to all commercial messages, defined as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service,” including all email that promotes content on a commercial website.

The CAN-SPAM Act has 7 fundamental requirements:

  1. Don’t use false or misleading header information.
  2. Don’t use deceptive subject lines.
  3. Identify the message as an ad.
  4. Tell recipients where you’re located.
  5. Tell recipients how to opt out of receiving future emails from you.
  6. Honor opt-out requests promptly.
  7. Monitor what others are doing on your behalf.

Let’s go one by one.

Don’t use false or misleading header information.

The “From,” “To,” “Reply-To,” and routing information (including the originating domain and email address) must be accurate. They must identify the person or business who initiated the message. does not allow users to manipulate this information in our system.

Don’t use deceptive subject lines.

The subject line must reflect the content of the message.

Identify the message as an ad.

It must be clear and conspicuous that the message is an advertisement.

Tell recipients where you’re located.

A business is required to include a valid physical postal address in its email. This can be:

  • Current street address
  • A P.O. box you’ve registered with the United States Postal Service
  • A private mailbox you’ve registered with a commercial mail receiving agency under Postal Service regulations.

Tell recipients how to opt out of receiving future emails from you.

A business’s message must include:

  • A clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. This notice must be easy for an ordinary person to recognize, read, and understand.
  • A return email address or another easy internet-based way for people to communicate their decision to opt out to you.

You may give recipients an option to opt out of only certain emails from you, but you must always include an option to opt out of all emails. does not allow senders to remove opt-out links from email communications.

Honor opt-out requests promptly.

No matter how you choose to accept opt-out requests, the option must be able to process opt-out requests for at least 30 days after the email is sent.

You must honor the opt-out request within 10 business days of receiving it. If you are sending emails via’s system, this will be done automatically.

You cannot charge a fee as a condition of honoring the opt-out request.

You cannot require the recipient to give you any personally identifying information other than their email address as a condition of honoring the opt-out request.

You cannot make the recipient take any step other than sending a reply or visiting a single page on an Internet website as a condition of honoring the opt-out request.

Once someone has sent you an opt-out request, you cannot sell or transfer their email address. The only exception is that you may transfer the email addresses of people who have opted out to a company you’ve hired to help you comply with the CAN-SPAM Act.

Monitor what others are doing on your behalf.

Even if you hire another company to do your email marketing, you are still responsible for complying with the CAN-SPAM Act. Both you and the company hired are legally responsible.

If you do these things, you will be compliant with the CAN-SPAM Act. If you do not, you may be in violation. Each separate email in violation of the CAN-SPAM Act is subject to penalties up to $50,120.

There is not an opt-in requirement in the CAN-SPAM Act.

You are not required by the CAN-SPAM Act to obtain an opt-in before sending someone a commercial email. You are only required to do the above.

For answers to frequently asked questions about the CAN-SPAM Act, please visit “FAQs about the CAN-SPAM Act.”

California Consumer Privacy Act (CCPA) excludes emails from California residents. The California Consumer Privacy Act requires companies that meet certain criteria to provide California consumers with certain rights, including but not limited to the following:

  • The right to know about the personal information a business collects about them and how it is used and shared
  • The right to delete personal information collected from them (with certain exceptions)
  • The right to opt out of the sale or sharing of their personal information
  • The right to non-discrimination for exercising their CCPA rights
  • The right to correct inaccurate personal information that a business has about them
  • The right to limit the use and disclosure of sensitive personal information collected about them

According to the Office of the Attorney General of California, CCPA applies to for-profit businesses that do business in California and meet any of the following:

  • Have a gross annual revenue of over $25 million;
  • Buy, sell, or share the personal information of 100,000 or more California residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

More information about what is specifically required of companies that meet at least one of these criteria can be found at the Office of the Attorney General of California website.

For answers to frequently asked questions about the CCPA, please visit “FAQs about the CCPA.”

The European Union’s General Data Protection Regulation (GDPR) excludes EU citizens and residents.

According to the European Union, the GDPR applies to anyone who processes the personal data of EU citizens or residents, or who offers goods or services to such people. If you meet either criterion, the GDPR applies, even if you’re not in the EU.

There are two tiers of fines for violating the GDPR. They max out at €20 million or 4% of global revenue (whichever is higher). Data subjects also have the right to seek compensation for damages.

The GDPR’s Article 6 outlines the only instances in which it is legal to process personal data.

Here is the information as outlined on the GDPR website.

  1. The data subject gave you specific, unambiguous consent to process the data. (e.g. They’ve opted in to your marketing email list.)
  2. Processing is necessary to execute or to prepare to enter into a contract to which the data subject is a party. (e.g. You need to do a background check before leasing property to a prospective tenant.)
  3. You need to process it to comply with a legal obligation of yours. (e.g. You receive an order from the court in your jurisdiction.)
  4. You need to process the data to save somebody’s life. (e.g. Well, you’ll probably know when this one applies.)
  5. Processing is necessary to perform a task in the public interest or to carry out some official function. (e.g. You’re a private garbage collection company.)
  6. You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it’s a child’s data.

Under no other circumstances are you permitted to collect, store, or sell an applicable person’s data.

Additional resources

This document is for informational purposes only and does not constitute legal advice. For specific legal advice, please consult with an attorney. The CAN-SPAM Act, CCPA and GDPR are complex laws and this document does not cover all of their requirements. If you have questions about complying with the CAN-SPAM Act, CCPA or GDPR, please contact your legal counsel. Thomas Carey, Sunstein LLP

