THE FEDERAL CAN-SPAM ACT – NEW REQUIREMENTS FOR COMMERCIAL E-MAIL
After six years of debate, Congress finally passed “anti-spam” legislation in December 2003. The Act, entitled the Controlling the Assault of Non-Solicited Pornography and Marketing Act, is better known as the CAN-SPAM Act and became effective January 1, 2004. The Act sets forth a much needed set of national requirements for commercial e-mail. Now, companies can conduct e-mail marketing campaigns without fear of running afoul of inconsistent state laws.
Significantly, the Act does not ban spam per se, but instead prohibits deceptive or misleading commercial e-mail, requires providing recipients with the ability to “opt out” of future mailings, and imposes a variety of other requirements discussed below. Indeed, companies that use e-mail in their businesses should review their e-mail practices to assess whether they are in compliance with the Act. The CAN-SPAM Act also generally preempts 37 state anti-spam laws, although the exact scope of preemption may well be the subject of future litigation. Additionally, the Act requires the Federal Trade Commission to evaluate the creation of a do-not-spam registry similar to the national do-not-call registry, which was established in response to consumer complaints about telemarketers.
The CAN-SPAM Act provides for severe civil and criminal penalties for non-compliance, including statutory damages up to $6 million for willful violations and, in some cases, prison terms of up to 5 years. The Act does not provide for a private right of action by recipients of spam, but does authorize the federal government, state attorneys general and Internet Service Providers to bring actions against violators.
Businesses that engage in direct e-mail marketing (including wireless messaging) should review their marketing practices for compliance with the Act to avoid what could be substantial financial exposure as well as brand damage that can arise from non-compliance. And, companies that operate globally must also consider compliance with international requirements, particularly the European Communications Privacy and Electronic Communications Directive.
IMPACT OF SPAM
Companies that utilize commercial e-mail as a direct marketing tool have found it to be one of the most cost effective ways to advertise. Literally, with a “click” e-mail can reach millions of consumers at a modest cost and on a global level. Nevertheless, unsolicited commercial e-mail (“UCE,” i.e., spam) has become objectionable to many recipients and threatens to undermine the value of e-mail as a productive marketing and communication vehicle. Spam also imposes significant monetary costs on Internet Service Providers, businesses and consumers all of whom incur tangible and intangible costs as the volume of spam increases.
It is currently estimated that approximately 56% of all e-mail on the Internet is spam and this figure is expected to increase to 65% in 2004. In 2003, spam cost businesses an estimated ten billion dollars annually in lost productivity, additional servers to maintain e-mail transmission, and blocking and filtering software. Indeed, the market for anti-spam services is expected to climb above $1 billion by 2008 from a little over $120 million in 2003. Spammers are often responsible for the spread of computer viruses, which can virtually “shut down” a business’ network and directly impact productivity and revenue.
Finally, spam can pose a significant threat to the name and goodwill of a company as a result of “spoofing” — the hijacking of a legitimate company’s name, e-mail address or domain name and using it to disguise the source of the e-mail that is sent to consumers. Spoofing has become a preferred tactic for spammers because it allows them to bypass internet service provider filters that recognize a legitimate company’s name and thus trick consumers into opening an e-mail or to sell counterfeit goods of a company. In some cases consumers respond to the spam message they believe originated from a legitimate company and unknowingly provide personal information the spammer then uses for financial gain.
PROVISIONS OF THE CAN-SPAM ACT
The CAN-SPAM Act does not ban spam but instead sets forth a set of national requirements for the use and transmission of commercial e-mail. Accordingly, companies that do not think of themselves as “spammers” may nevertheless be subject to the Act if they use e‑mail in their businesses. The requirements of the CAN-SPAM Act vary depending on whether the e-mail is categorized as a commercial e-mail message or a transactional or relationship e‑mail message. A commercial e-mail message is any e-mail the primary purpose of which is the commercial advertisement or promotion of a commercial product or service. Commercial e-mail is the most heavily regulated category of e-mail. A transactional or relationship e-mail message is e‑mail that is sent to facilitate an ongoing transaction or relationship and includes, among other things, providing information about employment relationships or related benefit plans, account balances, product recalls, upgrades, warranties, product safety and subscriptions. Transactional or relationship e-mail is subject to fewer requirements than commercial e-mail.
The Act imposes the following obligations on companies, depending upon the category of e-mail that is transmitted:
- The sender is prohibited from using false information and deceptive subject lines and must include a “from” line that accurately identifies the sender of the e-mail.
- The sender must clearly and conspicuously identify unsolicited commercial e-mail as an advertisement or solicitation.
- The sender must include clear and conspicuous notice of the opportunity to “opt-out” of receiving future e-mails and must provide an Internet-based reply mechanism by which recipients can “opt-out,” such as a return e-mail address or a link to a web page from which the user can send an e-mail to contact the sender. This mechanism must remain operative for at least thirty (30) days after the original message is transmitted.
- The sender, or anyone acting on behalf of sender, must stop sending e-mails to recipients within ten (10) business days after receiving an opt-out request.
- The sender must include a valid physical postal address of the sender.
- The sender is prohibited from using an automated means to harvest e-mail addresses from web sites or on-line service providers that have policies of not sharing users’ e-mail addresses.
- The sender is prohibited from using automated means to register for multiple e-mail accounts to be used to send spam.
- The sender may not use another person’s e-mail or computer account to send e-mail.
- The sender must include a warning label on unsolicited commercial e-mail containing sexually oriented material.
The following chart summarizes certain of the differences in requirements based on whether e‑mail is categorized as commercial or transactional or relationship:
| | COMMERCIAL E‑MAIL MESSAGES | TRANSACTIONAL or RELATIONSHIP E-MAIL MESSAGES |
|---|---|---|
| False Header Information | Prohibited | Prohibited |
| Misleading Subject Line | Prohibited | Not Addressed |
| Opt-Out Notice/Opt-Out Mechanism | Required | Not Required |
| Identification as Advertisement | Required (unless recipient has given prior consent to receive) | Not Required |
| Valid Physical Postal Address | Required | Not Required |
| Warning for Sexually Oriented Material | Required (unless recipient has given prior consent to receive) | Not Required |
BEST PRACTICES FOR COMMERCIAL E-MAIL
Developing a Company-Wide E-Mail Marketing Policy
Although not required by the Act, businesses should consider adopting a “best practices” policy to implement the foregoing requirements and ensure consistency across business divisions and marketing groups. A company can also be held liable for violations of the Act committed by vendors who send e-mail on the company’s behalf if the company: (1) knows or should have known it is being promoted by spam; (2) is receiving or expects to receive an economic benefit from such promotion; and (3) takes no reasonable precautions to prevent such spam or to detect and report it to the FTC. Thus, a company should consider imposing its best practices guidelines upon outside vendors as well as on company employees.
Maintaining An “Opt-Out” Database
Because the Act requires companies to stop sending e-mail to consumers who opt-out, companies should require employees and outside vendors to maintain a list of consumers who have opted out of receiving future e-mails and, obviously, take steps to ensure e-mail is not sent to recipients on that list. Companies and their outside vendors are responsible for adhering to each other’s opt‑out lists, and appropriate contract provisions should be adopted to ensure this occurs.
Purchasing or Renting Mailing Lists
The Act’s prohibition on harvesting e-mail addresses has led to confusion about the purchase or renting of e-mail lists from third-parties. The Act does not prohibit this traditional method of expanding a company’s direct marketing activities, but the Act’s requirements will apply to commercial e-mail sent from such lists. Consequently, companies acquiring such lists should consider seeking sufficient representations and warranties (with indemnification and other appropriate remedies) from the provider of such lists that: (a) the list was not created by means that violate the Act; (b) each recipient has been given clear and conspicuous notice that their e-mail address can be shared; and (c) each recipient has not opted-out of receiving commercial e-mail. These provisions do not provide a “safe harbor” from liability under the CAN-SPAM Act, but rather provide some measure of recourse. Consequently, companies should exercise care in selecting third-parties from which they acquire lists.
The Act preempts anti-spam laws of 37 states, many of which imposed far more stringent requirements on use of commercial e-mail (including California’s, which had mandated an opt-in requirement and allowed for private causes of action by consumers). However, the Act does provide for two exceptions to state law preemption. First, the Act does not preempt state laws that “prohibit falsity or deception in any portion of an electronic mail message….” Because each state has its own definition of what is false or deceptive, this exception may be problematic for a company that relies upon the definitions in the federal Act. Additionally, it is unclear whether state penalties, which can be more severe, or federal penalties will apply if a company is prosecuted by a state for false or deceptive e-mail. The Act also does not preempt state laws that are “not specific to electronic mail, including state trespass, contract and tort laws; or other state laws…relate[d] to acts of fraud or computer crime.” This means that companies may still be subject to consumer, or Internet Service Provider, litigation if their direct marketing e‑mail activities exceed certain bounds. This may result in undermining one of the primary goals of the federal legislation, namely, providing a uniform set of national guidelines for the transmission of e-mail.
INTERNATIONAL ANTI-SPAM LAWS
Companies with cross border e-mail marketing campaigns must also comply with international anti-spam laws that exist in 41 countries and the European Union. In an effort to address the inconsistencies in anti-spam laws of its member states, the European Union adopted the Privacy and Electronic Communications Directive. The Directive includes some commercial e-mail restrictions that are similar to the CAN-SPAM Act such as: (1) prohibiting the use of false or misleading subject lines; (2) requiring that senders include a valid reply address for recipients to request not to receive future e-mails; and (3) allowing companies to transmit transactional e-mail to offer similar products or services if customers were informed that they may receive such e-mails and are given an opportunity to opt-out. However, the Directive takes a very different approach to spam in that it actually prohibits, rather than regulates, unsolicited commercial e-mail. The Directive includes an opt-in requirement, which many believe does more to reduce spam and protect an individual’s rights to privacy than the U.S. opt-out approach. The US law adopts the less restrictive opt-out requirement, largely in response to businesses’ success at convincing Congress such an approach appropriately balanced business needs with consumer protection.
The CAN-SPAM Act’s requirements for e-mail marketing are not universally supported. Supporters of the Act claim that by preempting disparate state anti-spam laws, the Act provides a much-needed national standard for e-mail marketing. Opponents argue that by preempting tougher state laws the Act does little to decrease the amount of spam on the Internet and consistency of enforcement will not in fact occur. Indeed, companies must still seek to create e-mail direct marketing best practices that comply not only with federal law, but when applicable, international law as well. The good news is that compliance with the federal law should ensure that companies may now transmit commercial e-mail in the United States without significant risk.
Technology Commentaries are a publication of Jones Day and should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at its discretion. The mailing of this publication is not meant to create, and receipt of it does not constitute, an attorney-client relationship.
For further information, readers are encouraged to contact their regular Jones Day attorney or the principal Jones Day authors of this Commentary, James Brelsford in the Menlo Park Office (telephone: 650-739-3944), Rachel Lerner in the Cleveland Office (telephone: 216-586-7743; e-mail: firstname.lastname@example.org), or Elizabeth Robertson in the London Office (telephone: 44-20-7039-5204; e-mail: email@example.com). General e-mail messages may be sent using our web site feedback form, which can be found at www.jonesday.com.