This page is a spoke in our newsletter strategy hub. It covers consent and penalty exposure specifically for PEOs, payroll bureaus, ASOs, benefits brokers, and HRIS vendors whose subscriber lists include contacts across multiple US states. The segmentation dimensions that determine which rules apply to which subscribers are covered in the companion page on HR and payroll newsletter segmentation; this spoke layers the legal requirements on top of that framework.
Does CAN-SPAM preempt state privacy laws for a multi-state payroll newsletter?
CAN-SPAM (15 U.S.C. § 7701) preempts state law in one narrow domain: rules “specifically regulating the use of electronic mail to initiate or transmit a commercial message.” It does not preempt state laws of general applicability that happen to affect email use. The California Consumer Privacy Act, the Texas Data Privacy and Security Act, the Colorado Privacy Act, and 16 other state privacy statutes now in effect regulate the collection, use, and sale of personal information — a domain CAN-SPAM says nothing about.
The practical consequence: a CAN-SPAM-compliant newsletter with a proper physical address, a working unsubscribe link, and non-deceptive headers is still potentially liable under CCPA if the sender fails to honor a Global Privacy Control opt-out signal, and still potentially liable under TDPSA if the sender processes geolocation data without the required notice. The FTC enforces CAN-SPAM. California, Texas, Colorado, Connecticut, Oregon, and Montana AGs enforce their state privacy laws. Both enforcement tracks operate independently and simultaneously.
The FTC's CAN-SPAM compliance guide is explicit: each separate email in a noncompliant campaign is a separate violation. The 2025 inflation-adjusted civil penalty cap is $53,088 per email, up from $51,744 in 2024, effective January 17, 2025.
What changed when the CCPA employee and B2B exemption expired in January 2023?
From CCPA's initial enforcement in 2020 through December 31, 2022, the statute carved out two large categories: employee and applicant data, and B2B contact data. Both exemptions were intended as temporary while the California legislature worked out the implementing rules. As Morgan Lewis documented in October 2022, the CPRA amendments let both exemptions expire on January 1, 2023.
For payroll and HR vendors, that date converted every California-resident contact on a newsletter list into a covered “consumer” under CCPA/CPRA. The HR director at a client company in San Jose. The benefits coordinator at a PEO worksite. The payroll manager who subscribed at an SHRM conference. All of them, as of January 1, 2023, carry the full CCPA rights bundle: right to know, right to delete, right to correct, right to limit use of sensitive personal information, and right to opt out of sale or sharing.
Most horizontal email-marketing compliance playbooks still treat B2B contact lists as exempt from state privacy laws. They are not — not in California, and not in the 10+ states whose privacy statutes similarly lack meaningful B2B carve-outs (Colorado, Connecticut, Oregon, Montana, Delaware, New Hampshire, New Jersey, Minnesota, Maryland). A payroll vendor that refreshed its CCPA program in 2021 and has not revisited it since is operating on an assumption of exemption that expired three years ago.
“We didn’t realize the employee exemption expired in 2023. Found out in a CCPA notice from a former employee.”
Paraphrased — California payroll bureau, cited in r/Payroll consent threads
Which 19 state privacy laws govern a payroll newsletter list in 2026?
As of January 2026, 19 US states have enacted privacy statutes. Three became effective January 1, 2026: Indiana, Kentucky, and Rhode Island. Maryland's Online Data Privacy Act (MODPA) took effect October 1, 2025, and is the strictest on data minimization for sensitive information — it prohibits collection of sensitive data unless strictly necessary for the service provided.
Four obligations appear across the largest number of active statutes and represent the floor for any multi-state HR newsletter list: (1) honor Global Privacy Control or equivalent universal opt-out signals (required in CA, CO, CT, TX, OR, MT, DE, NH, NJ, MN, MD), (2) obtain opt-in consent before processing sensitive personal information (required in CA, VA, CO, CT, TX, OR, MT, DE, NH, NJ, TN, MN, MD, IN, KY, RI), (3) post a clear notice at the point of collection, and (4) maintain a data processing record sufficient to respond to rights requests.
The definition of “sensitive personal information” is where most newsletter operators underestimate exposure. Under CPRA, sensitive PI includes the contents of email and text messages, precise geolocation, racial or ethnic origin, religion, union membership, biometric identifiers, health or genetic data, sexual orientation, immigration status, financial account login credentials, and Social Security numbers. Newsletter click data combined with IP-derived geolocation and article topic (for example, a click on “What HR Needs to Know About Union Elections”) can cross the sensitive-PI line.
Figure: 19-state privacy law matrix: obligations for newsletter senders (Jan 2026)
GPC = Global Privacy Control or equivalent universal opt-out signal. Sensitive PI opt-in = affirmative consent required before processing. PRA = private right of action available to individuals. Florida's FDBR applies only to controllers with revenue over $1 billion and more than 50% online advertising revenue — effectively inapplicable to payroll and HR vendors.
| State | Effective Date | GPC Honored | Sensitive PI Opt-In | PRA |
|---|---|---|---|---|
| California (CCPA/CPRA) | Jan 1, 2023 | Required | Right to limit | Data breach only |
| Virginia (VCDPA) | Jan 1, 2023 | Not required | Opt-in required | No |
| Colorado (CPA) | Jul 1, 2023 | Required (Jul 2024) | Opt-in required | No |
| Connecticut (CTDPA) | Jul 1, 2023 | Required | Opt-in required | No |
| Utah (UCPA) | Dec 31, 2023 | Not required | Opt-out only | No |
| Texas (TDPSA) | Jul 1, 2024 | Required | Opt-in; notice line | No (AG only) |
| Oregon (OCPA) | Jul 1, 2024 | Required | Opt-in required | No |
| Montana (MCDPA) | Oct 1, 2024 | Required | Opt-in required | No |
| Iowa (ICDPA) | Jan 1, 2025 | Not required | Notice + opt-out | No |
| Delaware (DPDPA) | Jan 1, 2025 | Required | Opt-in required | No |
| New Jersey (NJDPA) | Jan 15, 2025 | Required | Opt-in required | No |
| Minnesota (MCDPA) | Jul 31, 2025 | Required | Opt-in required | No |
| Maryland (MODPA) | Oct 1, 2025 | Required | Collection minimization | No |
| Indiana (INCDPA) | Jan 1, 2026 | Not required | Opt-in required | No |
| Florida (FDBR) | Jul 1, 2024 | N/A | Opt-in required | No |
Source: MultiState privacy tracker 2026; Baker Donelson 2026 state law summary; Morgan Lewis CCPA analysis; state AG enforcement records
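The matrix above is only useful once it is applied to individual subscriber records. The following is an added example, not code from this page or from any ESP, that transcribes a subset of the matrix into a rule table, audits each stored consent record against the rules for that subscriber's state, and computes the "meet the strictest standard and apply it universally" requirement set for the whole list. The subscriber field names (gpcSignalSeen, optedOutOfSaleSharing, sensitiveEngagementShared, sensitivePiOptIn, noticeLineShown, limitRequested) and the sample records are assumptions made for illustration.

```javascript
// Added example (not from the page or any ESP's code): audit stored consent
// records against the state obligations matrix. The rule table transcribes the
// matrix for a subset of states; subscriber field names are assumptions.

// sensitive = what the statute requires before sensitive PI is processed:
//   "opt-in"   affirmative consent required
//   "opt-out"  notice + opt-out only
//   "limit"    right to limit use (California)
//   "minimize" collect only if strictly necessary (Maryland)
const STATE_RULES = {
  CA: { gpc: true,  sensitive: "limit" },
  VA: { gpc: false, sensitive: "opt-in" },
  CO: { gpc: true,  sensitive: "opt-in" },
  CT: { gpc: true,  sensitive: "opt-in" },
  UT: { gpc: false, sensitive: "opt-out" },
  TX: { gpc: true,  sensitive: "opt-in", noticeLine: true },
  OR: { gpc: true,  sensitive: "opt-in" },
  MT: { gpc: true,  sensitive: "opt-in" },
  IA: { gpc: false, sensitive: "opt-out" },
  DE: { gpc: true,  sensitive: "opt-in" },
  NJ: { gpc: true,  sensitive: "opt-in" },
  MN: { gpc: true,  sensitive: "opt-in" },
  MD: { gpc: true,  sensitive: "minimize" },
  IN: { gpc: false, sensitive: "opt-in" },
};

// Returns finding codes for one subscriber record; an empty array means clean.
function auditSubscriber(sub) {
  const rules = STATE_RULES[sub.state];
  const findings = [];
  if (!rules) return findings; // state not in this table: no statute encoded
  // A GPC signal was seen but no opt-out-of-sale/sharing record was written.
  if (rules.gpc && sub.gpcSignalSeen && !sub.optedOutOfSaleSharing) {
    findings.push("GPC_NOT_HONORED");
  }
  // Engagement data on a sensitive topic was passed to a third party.
  if (sub.sensitiveEngagementShared) {
    if (rules.sensitive === "opt-in" && !sub.sensitivePiOptIn) findings.push("SENSITIVE_PI_NO_OPT_IN");
    if (rules.sensitive === "limit" && sub.limitRequested) findings.push("SENSITIVE_PI_LIMIT_IGNORED");
    // Assumption: sharing click data for marketing is never "strictly necessary".
    if (rules.sensitive === "minimize") findings.push("SENSITIVE_PI_NOT_MINIMIZED");
    if (rules.noticeLine && !sub.noticeLineShown) findings.push("TX_NOTICE_LINE_MISSING");
  }
  return findings;
}

// "Meet the strictest standard and apply it universally": the union of
// obligations across every state present on the list.
function listWideRequirements(subscribers) {
  const req = { honorGpc: false, sensitiveOptIn: false, minimizeSensitive: false, noticeLine: false };
  for (const s of subscribers) {
    const r = STATE_RULES[s.state];
    if (!r) continue;
    if (r.gpc) req.honorGpc = true;
    if (r.sensitive === "opt-in" || r.sensitive === "limit") req.sensitiveOptIn = true;
    if (r.sensitive === "minimize") req.minimizeSensitive = true;
    if (r.noticeLine) req.noticeLine = true;
  }
  return req;
}

// Constructed sample records (not real subscribers).
const SAMPLE_LIST = [
  { email: "hr-director@example.com", state: "CA", gpcSignalSeen: true, optedOutOfSaleSharing: false, sensitiveEngagementShared: false },
  { email: "benefits@example.com", state: "TX", gpcSignalSeen: false, sensitiveEngagementShared: true, sensitivePiOptIn: true, noticeLineShown: false },
  { email: "payroll@example.com", state: "UT", gpcSignalSeen: true, sensitiveEngagementShared: true },
];

function auditList(list) {
  return list.map((s) => ({ email: s.email, findings: auditSubscriber(s) }));
}

console.log(JSON.stringify(auditList(SAMPLE_LIST), null, 2));
console.log(listWideRequirements(SAMPLE_LIST));
```

Run with `node`: the California record is flagged because a GPC signal was seen without an opt-out record being written, the Texas record is flagged for the missing notice line even though opt-in was captured, and the Utah record is clean because that statute neither requires GPC recognition nor opt-in. The list-wide requirement set shows why one consent flow built to the strictest present state is simpler than per-state branching.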
What did the Healthline $1.55 million CCPA settlement actually prohibit?
In July 2025, the California AG announced a $1.55 million CCPA settlement with Healthline Media — the largest CCPA settlement to date. The core allegations were targeted-ad data sharing via pixels and SDKs, and a consent banner that displayed an “opt out of sale” toggle that did not actually disable the tracking code on the backend.
The injunction term with direct precedent for HR and benefits newsletters: the AG specifically prohibited Healthline from sharing article titles that could reveal or imply a health condition, even when the user's identity is pseudonymous. A user who reads “Managing Type 2 Diabetes at Work” has, in the AG's view, disclosed health information through that click. That data, when passed to an ad partner, is sensitive PI under CPRA regardless of whether the user's name is attached to it.
The parallel for a payroll vendor or benefits broker newsletter: a subscriber who clicks “What HR Needs to Know About ADA Accommodations for Mental Health Conditions” has disclosed, by that click, a potential connection to mental health in the workplace. If the ESP passes click data to a retargeting partner, and the subscriber is a California resident, the Healthline injunction suggests that the AG would treat that transfer as sharing sensitive PI without proper consent. Most ESP integrations with ad platforms do exactly this by default.
Prior enforcement actions in the same pattern: the CA AG's Sephora $1.2 million settlement (2022) turned on failure to honor the Global Privacy Control signal. The DoorDash $375,000 settlement (February 2024) turned on sale of personal information through a marketing co-op without disclosure or opt-out. The pattern is consistent: the AG is not writing tickets for missing unsubscribe links; the AG is collecting settlement checks for data sharing arrangements that subscribers were not told about.
Figure: CCPA / state privacy law enforcement settlements, 2022-2025
Dollar amounts are confirmed settlement figures. The Healthline $1.55M settlement (July 2025) is the largest CCPA settlement to date. The Texas AG v. Allstate/Arity complaint (filed January 2025) is the first TDPSA enforcement action; no settlement amount has been announced. All figures in USD.
Source: CA AG press releases; CompliancePoint DoorDash analysis; Byte Back Law TX v. Allstate summary; NewsletterAsAService editorial compilation
When does TCPA — not CAN-SPAM — govern an HR communication?
The Telephone Consumer Protection Act (47 U.S.C. § 227) governs any communication sent via SMS, MMS, or an autodialer. It also governs email-to-text gateway sends, which is how many payroll platforms deliver open-enrollment reminders and ACA deadline alerts to employees who provided mobile numbers during onboarding. The moment a message routes through an SMS gateway, CAN-SPAM's rules are largely irrelevant and TCPA's rules are controlling.
The FCC's Order 24-24 established a one-to-one consent requirement that took effect January 27, 2025. Under the Order, consent to receive automated texts must be: (1) given to a single seller (not to a broad category of companies), (2) obtained in response to a clear and conspicuous disclosure, and (3) logically and topically related to the website or form where consent was given. Prior consent obtained through a payroll onboarding form that said “you may receive communications from us and our partners” does not satisfy the one-to-one standard.
Revised TCPA opt-out rules took effect April 11, 2025, requiring senders to honor revocation requests in any reasonable manner the consumer chooses — including a reply “stop” to any message, not only a dedicated opt-out flow. Per the FCC TCPA rules page, statutory damages are $500 per violation for negligent violations and $1,500 for willful or knowing violations, with no actual injury required. TCPA carries a private right of action and is a favored vehicle for class actions. A 10,000-recipient ACA text blast sent without valid one-to-one consent carries up to $15 million in statutory damages at the willful rate before a single class action settlement is negotiated.
The practical boundary: if a payroll vendor sends an ACA open-enrollment reminder as an email and the subscriber's email client delivers it to a mobile address that forwards to SMS, the TCPA question turns on whether the vendor used an autodialer or gateway. If the vendor sends the same reminder directly to a mobile number via an SMS platform, TCPA governs with no ambiguity. Most HR compliance teams that have not reviewed their OE text programs since 2023 are operating on consent records that predate the one-to-one rule.
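The three one-to-one conditions and the "any reasonable manner" revocation standard described above translate directly into checks a compliance team can run over its SMS consent records and inbound replies. The following is an added example, not code from this page or from the FCC, that validates a stored consent record against those conditions, classifies inbound replies as revocations, and computes statutory exposure at the $500/$1,500 rates. The record field names (sellers, disclosureText, disclosureConspicuous, consentTopic, sourceFormTopics, obtainedAt), the revocation keyword list, and the two sample records are assumptions.

```javascript
// Added example (not from the page or the FCC): validate an SMS consent record
// against the one-to-one conditions, classify replies as revocations, and
// compute statutory exposure. Field names and the keyword list are assumptions.

const ONE_TO_ONE_EFFECTIVE = new Date("2025-01-27T00:00:00Z");

// rec: { sellers: [...], disclosureText, disclosureConspicuous, consentTopic,
//        sourceFormTopics: [...], obtainedAt }
// Returns problem codes; an empty array means the record meets every check.
function validateOneToOneConsent(rec) {
  const problems = [];
  // (1) consent names exactly one seller, not "us and our partners"
  if (!Array.isArray(rec.sellers) || rec.sellers.length !== 1) problems.push("NOT_SINGLE_SELLER");
  // (2) obtained in response to a clear and conspicuous disclosure
  if (!rec.disclosureText || rec.disclosureConspicuous !== true) problems.push("NO_CLEAR_DISCLOSURE");
  // (3) logically and topically related to the form where consent was given
  const topics = Array.isArray(rec.sourceFormTopics) ? rec.sourceFormTopics : [];
  if (!rec.consentTopic || !topics.includes(rec.consentTopic)) problems.push("NOT_TOPICALLY_RELATED");
  // records captured before the rule took effect were obtained under the old standard
  if (!rec.obtainedAt || new Date(rec.obtainedAt) < ONE_TO_ONE_EFFECTIVE) problems.push("PREDATES_ONE_TO_ONE_RULE");
  return problems;
}

// Revocation "in any reasonable manner": any reply containing one of these
// words is treated as a stop request. Assumed list; over-inclusion is the safe
// direction, since honoring a false positive costs one subscriber while a
// missed revocation costs $500 to $1,500 per later message.
const REVOCATION_WORDS = ["stop", "quit", "end", "revoke", "cancel", "unsubscribe", "optout"];

function isRevocation(reply) {
  const norm = reply
    .toLowerCase()
    .replace(/opt[\s-]*out/g, "optout") // "opt out", "opt-out" -> single token
    .replace(/[^a-z]+/g, " ")
    .trim();
  const tokens = norm.split(" ");
  return REVOCATION_WORDS.some((w) => tokens.includes(w));
}

// Statutory damages at the negligent ($500) or willful ($1,500) rate.
function statutoryExposure(recipients, willful) {
  return recipients * (willful ? 1500 : 500);
}

// Constructed sample records (not real consent data).
const ONBOARDING_CONSENT = {
  sellers: ["ExamplePayroll", "partners"], // blanket "us and our partners" wording
  disclosureText: "You may receive communications from us and our partners.",
  disclosureConspicuous: false,
  consentTopic: "aca-reminders",
  sourceFormTopics: ["payroll-onboarding"],
  obtainedAt: "2023-06-01T00:00:00Z",
};
const OE_CONSENT = {
  sellers: ["ExamplePayroll"],
  disclosureText: "Text me open-enrollment and ACA deadline reminders from ExamplePayroll. Reply STOP to end.",
  disclosureConspicuous: true,
  consentTopic: "aca-reminders",
  sourceFormTopics: ["open-enrollment", "aca-reminders"],
  obtainedAt: "2025-09-15T14:02:00Z",
};

console.log("onboarding:", validateOneToOneConsent(ONBOARDING_CONSENT));
console.log("open enrollment:", validateOneToOneConsent(OE_CONSENT));
console.log("reply 'STOP please' revokes:", isRevocation("STOP please"));
console.log("10,000 willful:", statutoryExposure(10000, true));
```

The onboarding record fails all four checks, which is the situation the paragraph above describes: a mobile number captured during payroll onboarding under partner-blanket wording is not a usable TCPA consent for ACA reminder texts. The revocation check is deliberately keyword-based rather than tied to a dedicated opt-out flow, because the revised rules require honoring a "stop" reply to any message.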
How does Texas's first TDPSA enforcement action change the multi-state risk picture?
On January 13, 2025, the Texas AG filed suit against Allstate Insurance and its telematics subsidiary Arity — the first enforcement action under the Texas Data Privacy and Security Act. Two specific pleadings matter for newsletter operators.
First, the AG specifically alleged that Allstate and Arity failed to post the TDPSA-mandated notice line: “NOTICE: We may sell your sensitive personal data.” The statute requires this notice at the point of collection when a covered controller sells or shares sensitive PI. The AG treated its absence as a standalone violation. This is boilerplate text — one sentence in a privacy policy or consent form — and its absence is actionable.
Second, the complaint alleged processing of precise geolocation data without consent. For a payroll or HR newsletter, geolocation enters the picture in two ways: IP-address-derived location data collected by the ESP's tracking pixel on open, and precise GPS data if any mobile app integration feeds into the subscriber record. Both are sensitive PI under TDPSA.
The significance beyond Texas: the CA AG has now enforced GPC signal recognition twice (Sephora, Healthline). The TX AG has now enforced sensitive-data notice. Other state AGs watching these enforcement patterns will likely pursue the same theories in their own statutes. The CCPA/CPRA enforcement record is the most developed, but TDPSA, Colorado CPA, and Connecticut CTDPA all have the same legal hooks. The risk is no longer purely California-centric.
What is the realistic CAN-SPAM penalty exposure for a single noncompliant blast?
The FTC's civil penalty for a CAN-SPAM violation is $53,088 per email as of January 17, 2025, per the FTC's inflation-adjusted civil penalty schedule. Each recipient in a noncompliant campaign is a separate violation. The arithmetic: 50,000 recipients × $53,088 = $2.654 billion theoretical ceiling. No single CAN-SPAM enforcement action has approached that number; real-world settlements have run from the low six figures to the low seven figures. The ceiling matters because it determines the FTC's negotiating posture in enforcement discussions, not because courts impose it directly.
The more realistic exposure window comes from combining CAN-SPAM violations with state privacy law violations in a single enforcement action. A noncompliant send to a 50,000-subscriber multi-state list might expose the sender to FTC action under CAN-SPAM (headquarters state), CA AG action under CCPA for the California-resident subset, TX AG action under TDPSA for the Texas-resident subset, and potentially FCC action if any mobile numbers were involved. Four separate agencies, four separate penalty structures, all arising from one send button.
The seven requirements whose breach makes a CAN-SPAM violation actionable: deceptive “from” headers, deceptive subject lines, failure to identify the message as an advertisement, omission of the sender's physical postal address, failure to include a functional opt-out mechanism, failure to process opt-out requests within ten business days, and having a third party send on the company's behalf without monitoring compliance. HR and payroll newsletter operations most commonly fail on the third-party monitoring obligation when using agencies or ghostwriters.
When does HIPAA's marketing rule apply to a benefits-broker newsletter?
The HIPAA Privacy Rule's marketing provisions (45 CFR § 164.508(a)(3)) apply when a covered entity or business associate uses or discloses protected health information for marketing purposes. A benefits broker acting as a business associate to an employer's health plan is covered. A PEO that handles benefits enrollment data for worksite employees is almost certainly a business associate and may be a hybrid entity.
The marketing rule requires written authorization from the individual before PHI is used for marketing — and the rule defines marketing broadly. Per HHS guidance, “even a generic newsletter can become marketing if it targets individuals with PHI-relevant content.” An OE reminder that says “for those enrolled in a high-deductible health plan” has referenced plan-election data, which is PHI if the sender is a BA. The OE reminder sent to the employer's entire HR contact list — not to individual employees — is generally outside the PHI scope because it does not use individual-level health data. The moment segmentation touches plan enrollment status, diagnoses, or claims history, HIPAA is in play.
The NAPEO member community regularly surfaces this question: is a PEO a covered entity, a business associate, or both? The answer is typically “BA with respect to plan data, employer with respect to payroll data.” That hybrid status makes newsletter segmentation decisions legally material in a way they are not for a simple SaaS vendor.
“Our broker sent an OE blast that referenced an employee’s plan election. Legal called the next morning.”
Paraphrased — r/HumanResources, HIPAA marketing thread
The regulatory stack: one send, six regimes
The layers below are not alternatives to one another: all of them apply simultaneously to a single multi-state newsletter send, and compliance with one does not substitute for compliance with another.
1. CAN-SPAM (federal floor)
15 U.S.C. § 7701; FTC 16 CFR Part 316. Penalty $53,088 per email (2025). Seven requirements: honest headers, non-deceptive subject lines, ad identification, physical address, functional opt-out, 10-business-day opt-out processing, third-party monitoring. Enforced by FTC and state AGs in some states.
2. CCPA / CPRA + 18 state analogs
Employee and B2B exemptions expired January 1, 2023 under CPRA. GPC signal must be honored in California (Sephora precedent). Sensitive PI requires opt-in in 14+ states. Penalty $2,500 per unintentional violation, $7,500 per intentional violation or violation involving a minor under CCPA. Texas TDPSA adds the sale-of-sensitive-data notice line. Maryland MODPA imposes the strictest collection minimization.
3. TCPA (texts and email-to-text gateways)
47 U.S.C. § 227. One-to-one consent rule effective January 27, 2025 (FCC 24-24). Revised opt-out rules effective April 11, 2025. Statutory damages $500–$1,500 per violation, private right of action, no actual injury required. Applies the moment an ACA reminder, OE alert, or any automated message routes to a mobile number.
4. HIPAA marketing rule (BAs and covered entities)
45 CFR § 164.508(a)(3). Written authorization required before PHI is used for marketing. Applies to benefits brokers and PEOs acting as business associates. Triggered the moment segmentation or content references individual-level plan-election or claims data.
5. ERISA electronic disclosure safe harbor
29 CFR § 2520.104b-1; expanded 2020 retirement-plan e-disclosure rule (Federal Register, May 27, 2020). SPDs, SBCs, SMMs, SARs distributable by email under safe harbor. Consent and access requirements are separate from CAN-SPAM consent. An email address collected for CAN-SPAM compliance purposes does not automatically satisfy the ERISA electronic disclosure consent chain.
6. State security mandates (MA + NY, applicable everywhere)
MA 201 CMR 17.00 requires a Written Information Security Program (WISP) for any business that holds Massachusetts-resident personal information, regardless of where the business is located. One MA-resident HR director on the list triggers the obligation. The NY SHIELD Act imposes reasonable-safeguards requirements and expanded breach-notification duties for New York-resident PI. These are not consent rules; they govern how the list itself is stored, encrypted, and protected.
7. GDPR (any EU-resident subscriber)
Regulation 2016/679. Applies if any subscriber is located in the EU or EEA. Recital 47 legitimate interest is available for B2B email if a documented Legitimate Interest Assessment is on file. Art. 7 consent must be freely given, specific, informed, and unambiguous. Double opt-in is not explicitly required but creates the strongest timestamped record. US payroll vendors with EU client employees on the list — common for multinational PEO clients — should maintain a GDPR-separate consent chain.
Practical checklist: what a consent architecture for a multi-state payroll newsletter must include
The consent and data-handling architecture is covered in detail in the companion page on HR and payroll newsletter segmentation. The minimum viable architecture for a multi-state list, based on the enforcement record above:
1. GPC signal detection on every landing page, preference center, and web form. Confirm with your ESP that the GPC header triggers an opt-out record in the list, not just a cookie preference.
2. Sensitive-PI audit of ESP integrations. List every third-party pixel, SDK, or CRM sync that receives click data or engagement events. Map each one against the article topics in your newsletter. Topics touching health, union activity, geolocation, or financial distress are sensitive-PI triggers under CPRA.
3. Texas notice line in the privacy policy and at any consent collection point: “NOTICE: We may sell your sensitive personal data.” One sentence. Its absence was sufficient grounds for the first TDPSA enforcement complaint.
4. Separate TCPA consent chain for any mobile number in the database. The payroll-onboarding mobile number and the newsletter opt-in email address are two different consent records under the post-January 2025 FCC rules.
5. HIPAA marketing authorization for any segmentation based on plan-election, claims, or health-status data. If segmentation is based solely on employer type or headcount, HIPAA marketing authorization is not required. The moment segmentation touches individual-level health data, it is.
6. MA WISP documentation if any Massachusetts-resident PI is in the list. The regulation requires written policies, encryption for portable storage, access controls, and an incident-response plan. Scope: any business, in any state, holding MA-resident PI.
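The first two checklist items are the ones a web or ESP engineer implements directly. The following is an added example, not code from this page or from any ESP, showing how a form submission plus its request headers becomes a consent record that carries a GPC-driven opt-out on the record itself (so it reaches the list, not just a cookie), and how an edition's article titles can be mapped against the integrations that receive click data. The `Sec-GPC` request header and `navigator.globalPrivacyControl` are the real Global Privacy Control signal; the record field names, the topic patterns, and the sample integrations and titles are assumptions.

```javascript
// Added example (not the page's or any ESP's code) for checklist items 1 and 2.
// Sec-GPC and navigator.globalPrivacyControl are the real GPC signal; record
// fields, topic patterns, integrations and titles below are assumptions.

// The GPC spec sends "Sec-GPC: 1" on requests; header names are case-insensitive.
function gpcSignaled(headers) {
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === "sec-gpc");
  return entry !== undefined && String(entry[1]).trim() === "1";
}

// Build the list record. The opt-out is stored on the record itself so the ESP
// receives it, rather than living only in a cookie preference.
function buildConsentRecord(form, headers, now = new Date()) {
  const gpc = gpcSignaled(headers);
  const checkbox = form.optOutOfSale === true;
  return {
    email: form.email.trim().toLowerCase(),
    state: form.state,
    subscribedAt: now.toISOString(),
    sourceUrl: form.sourceUrl,
    optOutOfSaleSharing: gpc || checkbox,
    optOutSource: gpc ? "GPC header" : checkbox ? "form checkbox" : null,
    sensitivePiOptIn: form.sensitivePiOptIn === true,
    noticeLineShown: form.noticeLineShown === true,
  };
}

// Browser-side equivalent for a single-page form (assumed usage, not run here):
//   const gpc = navigator.globalPrivacyControl === true;

// Checklist item 2: article titles that put a click into a sensitive-PI category.
const SENSITIVE_TOPIC_PATTERNS = [
  { category: "health", re: /\b(health|medical|ada|disability|mental)\b/i },
  { category: "union", re: /\bunion\b/i },
  { category: "geolocation", re: /\bgeolocation\b/i },
  { category: "financial distress", re: /\b(garnishment|bankruptcy|hardship)\b/i },
];

function sensitiveCategories(title) {
  return SENSITIVE_TOPIC_PATTERNS.filter((p) => p.re.test(title)).map((p) => p.category);
}

// integrations: [{ name, receivesClickData }], articles: [{ title }]
// Returns one row per integration that receives click data, listing the
// sensitive exposures it would see from this edition.
function auditIntegrations(integrations, articles) {
  const exposures = [];
  for (const a of articles) {
    for (const c of sensitiveCategories(a.title)) exposures.push({ title: a.title, category: c });
  }
  return integrations
    .filter((i) => i.receivesClickData)
    .map((i) => ({ integration: i.name, exposures }));
}

// Constructed sample input (not real integrations or subscribers).
const SAMPLE_INTEGRATIONS = [
  { name: "retargeting-pixel", receivesClickData: true },
  { name: "crm-sync", receivesClickData: true },
  { name: "billing", receivesClickData: false },
];
const SAMPLE_EDITION = [
  { title: "What HR Needs to Know About Union Elections" },
  { title: "Q1 Payroll Calendar" },
  { title: "What HR Needs to Know About ADA Accommodations for Mental Health Conditions" },
];

console.log(buildConsentRecord(
  { email: " HR@Example.com ", state: "CA", sourceUrl: "https://example.com/subscribe" },
  { "Sec-GPC": "1", "User-Agent": "constructed" }
));
console.log(JSON.stringify(auditIntegrations(SAMPLE_INTEGRATIONS, SAMPLE_EDITION), null, 2));
```

The audit output is the list the checklist asks for: each integration that receives click data, paired with the article clicks that would carry a sensitive-PI inference to it. Any row with a non-empty exposures list is a candidate for either dropping the integration's click feed or gating it on a recorded sensitive-PI opt-in.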
For the technical side of consent — how list hygiene, authentication, and engagement signals interact with deliverability — see the newsletter deliverability hub. For content strategy that stays on the right side of the HIPAA marketing line, see newsletter content.
Frequently asked questions
Does CAN-SPAM preempt state privacy laws for a multi-state payroll newsletter?
CAN-SPAM preempts state laws only on labeling and opt-out mechanics — the narrow set of rules governing commercial email headers, subject lines, and unsubscribe processing. State privacy laws (CCPA, CPRA, TDPSA, and 16 others) regulate the collection and use of personal information, which is a different legal domain. The federal statute explicitly preserves state laws that are not specific to electronic mail. Both stacks apply simultaneously. A compliant CAN-SPAM footer does nothing to satisfy a California CPRA right-to-delete request or a Texas TDPSA sale-of-sensitive-data notice obligation.
Do I need separate per-state consent records for a multi-state list?
You do not need a separate consent record for each state, but you need one consent record per recipient that satisfies the strictest law applicable to that individual's state of residence. In practice, this means building your consent capture to meet the strictest standard and applying it universally. The four strictest states for sensitive personal information are California, Colorado, Connecticut, and Maryland — all require opt-in consent for sensitive-PI processing, not merely opt-out. Any consent record that passes California CPRA's requirements for sensitive PI also satisfies all 18 other state privacy law regimes currently in effect.
What is the realistic worst-case penalty for one noncompliant newsletter blast?
The FTC's 2025 inflation-adjusted CAN-SPAM cap is $53,088 per email — each recipient in a noncompliant blast is a separate violation. A 50,000-recipient send tops $2.65 billion in theoretical stacking exposure. Real-world enforcement has produced $375,000 (DoorDash, 2024) to $1.55 million (Healthline, 2025) in CCPA settlements; the deterrent is the pattern of active enforcement, not the theoretical ceiling. CCPA administrative penalties run $2,500 per unintentional violation, $7,500 per intentional violation or violation involving a minor. Texas TDPSA civil penalties reach $7,500 per violation plus injunctive relief.
When does sending an ACA reminder text trigger TCPA instead of CAN-SPAM?
Any communication delivered via SMS or through an email-to-text gateway is governed by the Telephone Consumer Protection Act, not CAN-SPAM. The FCC's Order 24-24 (one-to-one consent rule, effective January 27, 2025) requires that consent be given to a single seller in response to a clear and conspicuous disclosure, and that resulting messages be logically and topically associated with the website where consent was obtained. An open-enrollment or ACA reminder text sent to an employee whose mobile number came from a payroll system almost certainly lacks the specific TCPA consent chain. Statutory damages are $500 per violation, up to $1,500 for willful violations, with a private right of action — meaning class actions are possible at scale. No actual injury is required to sue.