Like many companies preparing for today’s GDPR enforcement deadline by the EU, Uber announced an update to its privacy policy in an email to its users yesterday. Uber updating its privacy policy certainly wasn’t a surprise — just about every company from Facebook to Google to Spotify updated their policies this week to comply with the new guidelines and to attempt more transparency with how they’re handling user data. But what did raise some eyebrows is that Uber’s email announcement could be violating another important regulation, the FTC’s CAN-SPAM Act.

It seems that Uber’s email announcing its new privacy policy went out to a number of people who said they had already unsubscribed from the company’s email list. Not only that, but the email itself didn’t include an unsubscribe link for recipients who want to stop receiving emails from Uber. Both of these mistakes could put the company in violation of the CAN-SPAM Act.

The CAN-SPAM Act is “a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.” The law has many requirements, but the ones that Uber seems to be violating with its latest email include the following:

Tell recipients how to opt out of receiving future email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.

Honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.

As you can see from a screenshot of the email below, there’s no link to unsubscribe from the company’s email list nor any information on how to do so. This seems to directly violate the FTC’s rule that emails must include information telling recipients how to opt out of receiving future emails:

Furthermore, many Twitter users complained that they received this email from Uber despite unsubscribing from the company’s email list in the past. The law requires a company to process unsubscribe requests within 10 business days, and at least one user claims to have unsubscribed “months ago”:

According to LexisNexis, “the FTC can seek civil penalties of up to $16,000 per e-mail that violates CAN-SPAM, with no maximum penalty,” so if Uber truly is breaking the law, it could face some serious fines since its email list is likely quite large. Some companies have been forced to pay millions in damages in prior cases (see ValueClick’s case, which resulted in a $2.9 million penalty).

What do you think? Did Uber violate the FTC’s SPAM laws? Did you receive the company’s email despite unsubscribing from their list? Let us know by commenting below.