A K A B A S   &   S P R O U L E     ATTORNEYS AT LAW

 
W H AT   Y O U   N E E D   T O   K N O W
A B O U T   T H E   N E W   C A N - S P A M   A C T
 
 
 

What You Need to Know About the New CAN-SPAM Act 

by Michael H. Sproule


The new CAN-SPAM Act provides for civil and criminal penalties for misuse of email as a marketing tool. The law is friendly to Internet business, but it does impose new requirements that everyone who markets by email must follow.

This article provides a blueprint for marketers to follow in order to avoid violating CAN-SPAM. It is not an exhaustive review of the law. We'd be happy to answer any questions you have on the law, and help you with any issues not directly covered here.


The Law Generally

CAN-SPAM does not forbid email marketing. Even unsolicited emails, which many of us would consider spam, are not prohibited. But marketers must follow certain rules to generally:
  • Clearly identify marketing emails.
  • Provide an opt-out mechanism from email lists.

Email Requirements

Leaving aside the prohibitions on unsavory spam practices, legitimate email marketers need to comply with the identification and opt-out procedures described below. CAN-SPAM went into effect on January 1, 2004, so it is important to take steps immediately to comply.

Transactional or Relationship Emails

Certain emails relating to ongoing customer transactions or relationships are not considered spam under the law. The requirements under CAN-SPAM for these emails are minimal. Such transactional or relationship emails include: transaction confirmations; warranty, recall, safety and security notices; account notices; employment or employment benefit plan notices; or emails that deliver a product or service, product update or product upgrade. In each case, the emails must relate to a previously purchased product or service and an ongoing customer relationship.

Senders are prohibited from sending transactional or relationship emails that include any false or misleading transmission information. This means that:
  • The email header information must point back to an initiator of the email. (It cannot be forged or disguised.) An initiator of an email is an original transmitter of the email or someone who procures the original transmission of the email. It may be the business whose products are marketed in the email or someone else – for example, an advertising or marketing firm. There can be more than one initiator for an email.
  • The "From:" line must also accurately identify an initiator of the email.
No other restriction is placed on transactional or relationship emails by CAN-SPAM.

Electronic newsletters sent by email may or may not be deemed transactional emails, depending on circumstances. A newsletter that strictly provides information for which the recipient subscribed would be considered a relationship email, because it is the delivery of the product purchased by the subscriber. On the other hand, an email whose "primary purpose" is to market new products or services, even where it is sent to subscribers to a newsletter, would be subject to the tighter regulations applicable to spam and described below. Because it is not always obvious whether a newsletter is a relationship email or not, it may be best to follow the tighter regulations with regard to all newsletters.

Spam

CAN-SPAM defines spam as email whose "primary purpose" is to market a product or service. The Federal Trade Commission (FTC) will be issuing regulations to clarify this definition. For now, it is best to err on the side of caution and follow the requirements applicable to spam whenever there is any doubt.

Spam emails must comply with the following requirements:
  • The email must not include any false or misleading transmission information. This means that:
    • The email header information must point back to an initiator of the email. (It cannot be forged or disguised.) An initiator of an email is an original transmitter of the email or someone who procures the original transmission of the email. It may be the business whose products are marketed in the email or someone else – for example, an advertising or marketing firm. There can be more than one initiator for an email.
    • The "From:" line must also accurately identify an initiator of the email.
  • The email must be clearly and conspicuously identified as an advertisement or solicitation. However, specific words (such as "ADV:") are not required. Also this identification is not required where the recipient has given prior affirmative consent (opted-in) to receive the email.
  • The "Subject:" line of the message must not be misleading about the contents or subject matter of the message.
  • The email must contain electronic means for the recipient to opt out of future emails.
  • The email must contain a valid physical postal address of the sender. For purposes of identification, the "sender" of a spam solicitation is the party whose products or services are promoted. This is true even where someone else originally transmits the email – for example, a marketing firm. It is this sender whose postal address must be listed. Post office box addresses are not allowed.
Sexually Oriented Material

Special labeling requirements generally apply to any spam emails that relate to sexually oriented material. Sexually oriented material depicts sexually explicit conduct. Note that sexually oriented material does not mean only pornography. It could apply, for example, to some medical materials, sex education materials, etc.

The special rules are in addition to, and not in place of, the rules described above for all commercial emails. Sexually oriented emails must comply with both sets of rules. On the other hand, the special rules do not apply if the recipient has given prior affirmative consent to receive the sexually oriented email, but the general rules still apply.

The FTC will soon prescribe specific words that must be used to identify a sexually oriented email. These words must be in the subject line or in the body of the email. If they are in the body of the email, then the email must be clearly and conspicuously identified as a solicitation and, on opening the email, the email must only display: 1) the prescribed words, 2) opt-out information, 3) a valid postal address, and 4) information on accessing the sexually oriented material.


Email Lists

Opt-out Option

Email marketers must implement means that allow recipients to respond to spam emails with requests to be removed from future emails. The means must be electronic – for examples, an email return address or a link to an opt-out web page. The opt-out mechanism must work for at least 30 days after the message is sent. The opt-out mechanism can provide more than one choice, such as an option to opt-out of certain types of email, but not others.

A removal request must be complied with in not more than 10 business days. After 10 business days, further spam email cannot be sent to the recipient, and the recipients name must be removed from email address lists sold, leased or exchanged with others to be used for email marketing.

Lists Obtained from Third-Parties

Email marketers are responsible for the email lists they obtain from third-parties. They should obtain assurances and indemnifications from list providers with regard to CAN-SPAM compliance, before using a list to send spam emails.


Discouraged Practices

In passing CAN-SPAM Congress wanted to discourage certain practices that email marketers sometimes use to send spam. In particular, Congress wanted to discourage the practices of:
  • Scraping email addresses off websites or from ISP email directories, if the websites or directories have a posted policy of not providing those email addresses to third-parties for marketing purposes.
  • Automatically creating multiple email addresses strictly for the purpose of using them as the sending addresses for spam.

While these practices are not prohibited, if they are used in conjunction with other violations of CAN-SPAM, then the penalties for the other violations may be enhanced. Consequently, email marketers should use these methods with caution. Further, they should determine if their third-party list providers or email marketing services use them.


Criminal Practices

CAN-SPAM's strongest provisions apply to certain fraudulent spam practices. The practices are made criminal offenses. They are in a thumbnail:
  • Sending multiple spam emails through someone else's hijacked computer.
  • Sending multiple spam emails where the source of the emails is disguised by relaying them through other computers in order to deceive the recipient about their origin.
  • Sending multiple spam emails with falsified header information.
  • Sending multiple spam emails using multiple email accounts obtained with false registration information.
  • Sending multiple spam emails using Internet Protocol (IP) addresses that the sender falsely represents to be its own.
It is unlikely that any legitimate email marketer intentionally uses these techniques, but marketers should be sure that any marketing firms with whom they contract to send commercial email do not engage in these practices.


Enforcement

CAN-SPAM is primarily enforced by the FTC. However, where a sender is regulated by other federal or state agencies, then those other agencies have secondary enforcement power. For example, federal bank regulators have enforcement powers over banks and financial institutions, the SEC over securities firms, and state insurance regulators over insurance companies and brokers.

In addition, state attorneys general will have enforcement power with regard to spam sent to their state citizens. The criminal provisions of the law are enforceable by the US Department of Justice.

Finally, Internet service providers who are affected by spam (because it is sent to their customers or via their email servers) will have a private right of action against spammers who violate the law.


More to Come

CAN-SPAM contemplates that Congress will take further action to control spam in the future. The FTC is directed to study and report on the implementation of a national "Do-Not-Spam" list similar to the Do-Not-Call list, which recently went into effect. The FTC is also directed to study the implementation of a program that would pay a bounty to individuals who report spammers who violate the law.

In addition, the Federal Communications Commission is required to implement analogous anti-spam regulations to be applicable to wireless communications.

CAN-SPAM was rushed into law, and now Internet marketers must act quickly to comply with its new regulations. While CAN-SPAM does not prohibit all email marketing, even legitimate marketers need to review their procedures to ensure they comply with CAN-SPAM's new identification and opt-out requirements.



The information in this article is intended solely for your information. It does not constitute legal advice. You should always seek the legal advice of competent counsel in your jurisdiction.


 
  488 Madison Ave, 11th Floor   New York, New York 10022   V: 212.308.8505   F: 212.308.8582
  © 2006-08 Akabas & Sproule (terms of service)