← Back to Legal & Compliance

US Compliance Guide

1. Overview

This guide covers US-specific compliance requirements for merchants using the Armour Cart Recovery API to reach American consumers.

Key Point: Armour generates content; merchants handle transmission. Compliance with transmission rules is the merchant's responsibility.

---

2. CAN-SPAM Act (Email)

2.1 Requirements

The CAN-SPAM Act applies to commercial emails sent to US recipients.

Requirement	Our Implementation	Merchant Responsibility
Unsubscribe Mechanism	N/A - ESP handles injection	ESP injects link; honour within 10 business days
Physical Address	N/A - ESP handles injection	ESP injects address
Honest Subject Lines	No deceptive subjects generated	Review before sending
Commercial Identification	Clear commercial nature	Ensure transparency
Opt-Out Honouring	API respects accepts_email_marketing: false	Maintain suppression lists

2.2 ESP Handles Unsubscribe

We generate email content only. Your ESP (SendGrid, Klaviyo, Elastic Email, etc.) automatically injects:

• Unsubscribe link (when Subscription Tracking is enabled)
• Physical address footer
• List-Unsubscribe headers for Gmail/Yahoo one-click unsubscribe

We do not inject unsubscribe links. This is industry standard - ESPs handle compliance elements during transmission.

2.3 Merchant Obligations

1. Maintain Suppression List: Track all unsubscribe requests
2. Process Within 10 Days: Honour opt-outs within 10 business days
3. No List Sharing: Don't transfer/sell email addresses
4. Monitor Third Parties: Ensure ESPs comply

---

3. TCPA (Telephone Consumer Protection Act)

3.1 SMS/Text Requirements

The TCPA imposes strict requirements on SMS marketing.

Requirement	Our Implementation	Merchant Responsibility
Prior Express Written Consent	Three-tier consent model	Obtain valid consent
Opt-Out Mechanism	"STOP to end" in all SMS	Process STOP immediately
Caller/Sender ID	N/A (we don't send)	Identify your business
Time Restrictions	N/A (we don't send)	Send 8am-9pm local time

3.2 Consent Requirements

Prior Express Written Consent (PEWC) is required for:

• Marketing/promotional SMS
• Automated/autodialed messages

Transactional Exception:

• Order confirmations and cart reminders may fall under transactional exemption
• Consult legal counsel for your specific use case

3.3 Our SMS Output

Every SMS generated by Armour includes:

Hi {name}! Your cart's waiting at {store}. Complete checkout: {url} Reply STOP to end

The "STOP to end" is mandatory and always included.

3.4 TCPA 2025 Opt-Out Rule

The FCC's 2025 rule strengthens opt-out requirements:

Requirement	Implementation
Reasonable Requests	Honour any reasonable opt-out (STOP, UNSUBSCRIBE, CANCEL, etc.)
10-Day Processing	Complete opt-out within 10 business days
No Confirmation Required	Don't require confirmation of opt-out
Single Message	May send one confirmation that opt-out was processed

3.5 Merchant Obligations

1. Obtain PEWC: Get written consent before sending marketing SMS
2. Document Consent: Keep records of when/how consent was obtained
3. Process STOP Immediately: Remove from lists within 10 days
4. Maintain DNC List: Internal do-not-call/text list
5. Time Compliance: Send only 8am-9pm recipient local time

---

4. CCPA/CPRA (California)

4.1 Overview

The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant California residents specific rights.

4.2 Our Position

CCPA Requirement	Our Status
Right to Know	Disclosure in Privacy Policy
Right to Delete	No data stored - nothing to delete
Right to Opt-Out of Sale	We do not sell personal information
Right to Non-Discrimination	We do not discriminate
Service Provider Status	We act as service provider to merchants

4.3 Service Provider Agreement

Under CCPA, we are a "service provider" because we:

1. Process data on behalf of businesses (merchants)
2. Are contractually prohibited from retaining/using data for other purposes
3. Do not sell data to third parties
4. Delete/return data upon instruction (N/A - transient processing)

4.4 Merchant Obligations

If you serve California residents:

1. Privacy Policy: Disclose use of service providers
2. CCPA Rights: Provide mechanism for exercising rights
3. Do Not Sell Link: If applicable, include "Do Not Sell" link
4. Respond to Requests: Answer CCPA requests within 45 days

---

5. State-by-State Considerations

5.1 States with Privacy Laws

Beyond California, consider:

State	Law	Effective	Key Provision
Virginia	VCDPA	Jan 2023	Opt-out of targeted advertising
Colorado	CPA	Jul 2023	Consent for sensitive data
Connecticut	CTDPA	Jul 2023	Right to data portability
Utah	UCPA	Dec 2023	Business-friendly approach

5.2 General Guidance

For all US states:

1. Transparency: Clear privacy disclosures
2. Consent: Appropriate consent for marketing
3. Opt-Out: Easy unsubscribe mechanisms
4. Data Minimisation: Only process necessary data

---

6. Content Generation Compliance

6.1 What We Include

Element	Included By Default
STOP/unsubscribe language	Yes (SMS)
Honest subject lines	Yes
Clear commercial nature	Yes

6.2 What Merchants Add

Element	Merchant Must Provide
Actual unsubscribe URL	Configure in ESP (Automatic)
Physical mailing address	Configure in ESP settings
Sender identification	Configure in ESP
Suppression list management	Maintain internally

---

7. Best Practices for US Merchants

7.1 SMS Best Practices

1. Get Written Consent: Use clear opt-in forms with TCPA-compliant language
2. Record Consent: Log timestamp, IP, and exact consent language
3. Honour STOP Immediately: Automate STOP keyword processing
4. Limit Frequency: 1-3 cart reminders maximum
5. Time Windows: Only send 8am-9pm local time
6. Identify Yourself: Include business name in messages

7.2 Email Best Practices

1. Clean Lists: Verify email addresses
2. Easy Unsubscribe: One-click unsubscribe
3. Process Quickly: Honour opt-outs within 10 days
4. No Purchased Lists: Only email those who opted in
5. Clear Sender: Accurate From name and address

7.3 Documentation

Maintain records of:

• Consent collection (method, timestamp, language)
• Opt-out requests and processing dates
• Suppression lists
• Complaint handling

---

8. Liability Allocation

Area	Responsibility
Content generation	Armour Consortium
Consent collection	Merchant
Transmission timing	Merchant
Suppression list management	Merchant
Regulatory compliance	Merchant

Armour Consortium provides compliant content. Merchants are responsible for compliant transmission.

---

9. Penalties Reference

Violation	Potential Penalty
TCPA (per call/text)	$500 - $1,500
TCPA (willful)	Up to $1,500 per violation
CAN-SPAM (per email)	Up to $50,120
CCPA (per violation)	$2,500 - $7,500

These penalties apply to the sender (merchant), not the content generator.

---

10. Resources

Resource	Link
FCC TCPA Guide	fcc.gov/tcpa
FTC CAN-SPAM Guide	ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business
CA AG CCPA	oag.ca.gov/privacy/ccpa

---

11. Disclaimer

This guide provides general information only. It is not legal advice. Consult qualified legal counsel for compliance guidance specific to your business.

---

12. Contact

For questions:

Email: hello@armourconsortium.ai

Armour Consortium AI is committed to supporting compliant cart recovery for US merchants.