Law protecting consumer privacy in commercial transactions faces challenges

Massachusetts’ Consumer Privacy in Commercial Transactions Act (the “Act”) limits the ability of businesses to request and collect personally identifiable information (“PII”) that is not necessary to complete a transaction. The Act does not mention e-commerce and the earlier online retail industry, but like many other trends in privacy litigation, this privacy law is now being tested in the online context. The Act gives a private right of action and provides for statutory damages of $25 per violation (and up to three times the statutory amount can be sought for an intentional violation of the Act).

What can we learn from these documents?

Plaintiffs monitor online data collection practices, even those that are widespread. In these Massachusetts cases, the plaintiffs examine the customer experience at checkout and look at each retailer’s messages about marketing emails. These cases examine three different options: (1) an unchecked box with a call to action to check the box to receive marketing messages; (2) a message to customers that by completing their transaction they agree to receive marketing messages, subject to their opt-out actions; and (3) no message about marketing at all. Regardless of the messages, the plaintiffs allege that the retailers sent improper marketing emails. While these cases focus on checkout emails, online checkout is likely not a business’s only source of customer emails. Businesses should understand how they collect checkout emails and other sources of email collection. It’s possible that the same data point is being collected through multiple means and by different teams across the organization. Consider reaching out to website teams, marketing teams, and agencies to better understand your organization’s practices and identify potential risks.

Does the opt-in jurisdiction apply to email marketing in the US?

Not necessarily, but context is important. The federal CAN-SPAM Act remains an email “opt-out” or “unsubscribe” law. However, your email marketing program and instructions should consider laws that regulate the collection of personal information, including in specific applications such as the checkout process, as well as other laws, including state consumer privacy laws, the FTC Act, and state UDAP laws. The FTC Act and state UDAP laws prohibit unlawful and/or deceptive trade practices. These laws cover promises made by a business about how it will (or will not) use consumer data. For example, if a business gives a consumer the option to opt-in to email marketing, the business should consider any UDAP implications of sending a marketing email if a consumer’s option is ignored. When researching sources of email addresses, determine if the source has “rules” about how the email address can be used. For example, a “rule” might be that the source gave the consumer the option to receive marketing messages (or not) upon opting in. A business can use processes and controls to manage the suitability of email sources for email marketing based on consumer experience, unsubscribe status, etc.

Our discussion in this alert focuses on email collection under Massachusetts law, but online merchants should also be aware of cases in California challenging the collection of IP addresses in online checkout experiences under the Song-Beverly Credit Card Act.

By Bronte
