Login
Get Started

Data & Email Compliance Overview

Informational Summary About Using Website Visitor Data and Sending Email

Important Notice
This page is for general informational purposes only. It is not legal advice. Scupe.ai LLC does not provide legal services. You should consult your own attorney for guidance on laws that apply to your business, marketing practices, or the use of Scupe’s services.

1. Introduction

Scupe provides technology that helps customers identify certain website visitors and deliver visitor data to their own systems. Because customer data practices are governed by various privacy and marketing laws, this page outlines key concepts customers should understand when using Scupe powered data in email outreach or marketing.

Each customer is solely responsible for complying with applicable laws, including CAN-SPAM, the CPRA/CCPA (California), the Colorado Privacy Act, and the Virginia CDPA, among others.

2. Understanding CAN-SPAM (U.S. Email Marketing Law)

Email Harvesting Restrictions

CAN-SPAM prohibits collecting email addresses from websites that expressly ban harvesting. Customers must ensure that Scupe-powered data is not sourced from websites with prohibitions on automated email collection.

Opt-Out, Not Opt-In (U.S. Standard)

In the U.S., promotional emails generally operate on an opt-out standard:

  • You may send marketing emails unless the recipient has previously opted out.

  • Every marketing email must include a clear unsubscribe mechanism.

  • Opt-outs must be honored within 10 business days.

Key CAN-SPAM Compliance Requirements

When sending emails using Scupe data:

  • Use accurate “From,” “To,” and routing information.

  • Use subject lines that accurately reflect the content of the message.

  • Identify the message as an advertisement (unless prior opt-in has been obtained).

  • Include your valid physical mailing address.

  • Monitor third-party service providers—your business is responsible for compliance even if others send emails on your behalf.

3. California Consumer Privacy Rights Act (CPRA)

The CPRA expands consumer privacy protections for California residents. It may apply to businesses that:

  • Have $25M+ in annual revenue,

  • Buy/sell/share data of 100,000+ residents annually, or

  • Derive 50%+ of revenue from selling/sharing personal data.

Opt-Out of Sale or Sharing

If a business sells or “shares” personal information—including identifiers used for targeted advertising—it must:

  • Provide a “Do Not Sell or Share My Personal Information” link,

  • Allow users to opt out through at least two methods (including a web form),

  • Disclose in the privacy policy how visitor data is collected and shared.

Using Scupe to identify website visitors constitutes “sharing” under CPRA if those visitors are California residents, so your privacy notice must disclose this.

Notice Requirements

A CPRA-compliant privacy policy should generally describe:

  • Categories of data collected (such as email identifiers),

  • Purposes for collection,

  • Categories of third parties receiving data (e.g., Scupe),

  • Consumers’ rights to access, delete, or opt-out.

Children’s Data

Special rules apply to consumers under 16, requiring opt-in for selling/sharing their information.

4. Colorado Privacy Act (CPA)

The CPA applies to businesses processing specified volumes of Colorado consumer data and grants:

  • Right to access, delete, correct, and opt-out,

  • Right to data portability,

  • Requirements for transparency and data minimization.

Controllers must:

  • Provide a clear privacy notice,

  • Collect only what is necessary for stated purposes,

  • Obtain consent before processing sensitive data,

  • Offer opt-outs for targeted advertising, profiling, and sales of personal data.

5. Virginia Consumer Data Protection Act (CDPA)

The CDPA includes:

  • Rights to access, correct, delete, obtain, and opt-out of processing data for targeted advertising or sales,

  • Opt-in for processing sensitive data,

  • Requirements for transparency and data security,

  • No private right of action (enforced by the Attorney General).

The CDPA applies only to Virginia residents acting in a personal or household context.

6. Your Responsibilities When Using Scupe

While Scupe provides data to help enhance marketing performance, your business controls how that data is used and is responsible for compliance with all privacy and email regulations. This includes:

  • Maintaining an accurate, compliant privacy policy

  • Providing required opt-outs or notices

  • Ensuring proper handling of consumer rights requests

  • Using Scupe data only for lawful, permitted purposes

  • Ensuring all marketing emails comply with federal and state laws

Scupe does not provide legal advice and cannot determine whether these laws apply to your business.

7. Recommendation

We strongly recommend consulting your legal counsel to review:

  • Your email marketing practices

  • Your privacy policy

  • Your use of Scupe-generated visitor data

  • Whether CPRA, CPA, CDPA, GDPR, or other laws apply

Start Turning Clicks Into Customers Today

Join free and unlock 25 visitor profiles to start seeing who’s
browsing your website.

Get Started