The ability to opt out of the selling and sharing of data and the ability to unsubscribe from marketing emails are powerful tools that give consumers control over how their personal information is used. There is substantial confusion, however, about the difference between the two rights.
Many businesses assume they are essentially the same thing—due in large part to the fact that both could be described as an “opt-out”—or they are uncertain about how one affects the other. This uncertainty boils down to two questions:
The answer to both of these questions is no. Privacy opt-outs and email unsubscribes are legally distinct concepts that generally don’t affect each other. Here we’ll explain why.
Laws like the California Consumer Privacy Act (CCPA) give consumers the right to opt out of the sale of their personal data (i.e., exchanging data for money or “other valuable consideration”) and the use of that data for targeted advertising. These opt-outs are about stopping the disclosure of personal data to third parties who will then use the data for their own purposes.
Consider targeted advertising, which is by far the practice most affected by opt-out requests. Targeted advertising requires tracking a consumer’s activity on one website and then disclosing it to an ad network such as Google or Facebook (via cookies and other trackers). Those networks then use the data to create their own profile of the consumer and decide which advertisements to display to them.
It’s this tracking and disclosure of consumers’ browsing activity that is considered problematic, not the advertisements themselves.
Marketing emails, on the other hand, do not usually involve the selling or sharing of personal data. Even if a business uses an email vendor to actually send the emails, this vendor is typically acting in a “service provider” or “processor” role. That means the vendor is contractually bound to use the personal data purely for the purpose of performing its services; it can’t turn around and sell your email list to another company.
Therefore, if a consumer submits an opt-out request, marketing emails are not affected.
The rules requiring businesses to allow consumers to unsubscribe from marketing emails come from an entirely separate set of laws, including the CAN-SPAM Act (USA) and the ePrivacy Directive (EU).
Under the anti-spam laws, it is the email itself that is considered to be the problem. If your business receives an unsubscribe request, all it has to do is stop sending marketing emails to that person’s address. You don’t have to delete their email address or do anything else (in fact, you’ll probably need to retain the address in order to keep track of unsubscribes).
For this reason, an unsubscribe request does not trigger a broader privacy opt-out.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.