> where is the line between marketing to them and a phishing attack?

The courts have an answer for this one: intent. How do courts know if your intent meets the definition of fraud or theft or whatever crime is relevant? They throw a bunch of evidence in front of a jury and ask them.

From the point of view of a marketer, that means you need be well behaved enough that it is crystal clear to any prosecutor that you are not trying to scam someone, or you risk prosecution and possible conviction. (Of course, many people choose to take that risk).

From the point of view of a victim, it's somewhat reassuring to know that it's a crime to get ripped off, but in practice law enforcement catches few criminals and even if they do restitution isn't guaranteed and can take a long time. You need actual security in your tools, not to rely on the law.