This article explains the rules that apply when importing contacts into Shotgun.
When you import contacts, you act as the sender of communications. This means you are fully responsible for complying with the laws that apply to your location and to your audience.
In this article
US organizers
Email marketing
⚠️ In the United States, email marketing is mainly governed by the CAN-SPAM Act, which follows an opt-out model. This means that prior consent is not always required, as long as recipients are clearly informed and can easily opt out of future marketing emails at any time.
When can contacts be imported as "opt-in"?
You may import contacts as subscribed only if these meet the following conditions:
- Existing Relationship: You have a pre-existing business or professional relationship with the individuals (e.g., they have previously attended your events or signed up for your services).
- No Previous Opt-out: The individuals have not previously requested to be removed from your mailing lists or expressed a desire not to receive marketing communications from you.
- Legitimate Collection: The email addresses were not obtained through automated scrapping or dictionary attacks, which are prohibited under the CAN-SPAM Act.
💡 Even with a valid contact list, all marketing emails must comply with the CAN-SPAM Act, including clear sender identification and a functional unsubscribe mechanism. You are responsible for ensuring compliance with applicable laws when importing and using contact lists!
SMS marketing
⚠️ In the US, SMS communications are subject to specific legal requirements, most of which are regulated by the Telephone Consumer Protection Act (TCPA). Marketing SMS messages may be sent only if prior explicit consent (opt-in) has been obtained from the recipient.
When can contacts be imported for SMS marketing?
You may import and use a contact for SMS marketing purposes only if valid prior consent to receive SMS communications has already been obtained.
This consent must be obtained before the contact is imported or used for SMS marketing.
What is valid SMS consent in the U.S.?
To be considered valid under U.S. law, SMS consent must meet the following conditions:
- Explicit opt-in: The individual clearly agreed to receive SMS messages (for example, by checking an unchecked box, sending a keyword, or completing a signup form that explicitly mentions SMS).
- Informed: At the time consent was collected, the individual was informed that they would receive marketing messages by SMS, and from whom.
- Specific to SMS: Consent must specifically cover SMS communications.
- Documented: You must be able to demonstrate when and how consent was collected, and what information was provided at that time.
Providing a phone number alone, silence, or inactivity does not constitute valid SMS consent.
Shotgun does not verify whether valid SMS consent has been obtained at the time of import. You are solely responsible for ensuring that any contact used for SMS marketing meets all applicable consent requirements.
⚠️ Obtaining valid SMS opt-in does not relieve organizers of other legal or regulatory obligations for SMS communications. You must comply with all applicable requirements beyond consent.
UE organizers
Your role and responsibility
When you import contacts into Shotgun, you act as the Data Controller for those contacts.
This means that you are responsible for:
- the origin of the contact data,
- the legal basis for using those contacts,
- the lawfulness of any emails or communications sent to them.
Shotgun provides a technical tool and acts as a Data Processor only.
Shotgun does not verify the origin or legality of imported contact lists.
When can contacts be imported as “subscribed”?
In the European Union, contacts may be marked as “subscribed” and imported only if they have given explicit prior valid consent to receive marketing emails, in accordance with applicable data protection laws.
Simply having someone’s email address is not sufficient.
⚠️ Importing lists purchased from third parties, rented, or obtained through public scraping is strictly prohibited, as these methods do not provide a valid legal basis for marketing under applicable laws.
What is valid consent?
In accordance with applicable data protection laws (including the GDPR and applicable local data protection laws) consent is the permission given by a contact through a clear affirmative action to receive your communications.
To be legally valid, consent must meet four cumulative criteria:
- Freely given: The individual must have a genuine choice and not be pressured or coerced into providing their agreement.
- Specific: Consent must be dedicated to a clearly defined purpose (e.g. “marketing newsletters”) and not bundled with general terms and conditions.
- Informed: At the time of collection, the contact must know exactly who is processing their data and for what specific purpose.
- Unambiguous: Consent must result from a clear affirmative action (e.g. checking an unchecked box). Silence, pre-ticked boxes, or inactivity do not constitute valid consent.
⚠️ Consent must also be easy to withdraw. Every contact imported as 'subscribed' must have the right to unsubscribe at any time.
Proof of consent
As the Data Controller, you must be able to demonstrate consent if required by law or by a supervisory authority. This typically includes:
- the date consent was collected,
- the method used (form, signup page, event registration, etc.),
- the information shown to the contact at the time of consent.
Shotgun does not store or verify this proof on your behalf.
💡 For questions related to Shotgun’s data processing role, please contact dpo@shotgun.live