CA Spam Law May Put E-Mail List Industry in Crosshairs
"This [law] was absolutely designed to go after those people who just compile random lists of e-mail to senders who send them out in bulk," said state Sen. Kevin Murray, D-Los Angeles. "We did not intend to go after those people who get legitimate permission from people in order to send e-mail."
However, Murray's intentions may be moot.
Signed by Gov. Gray Davis on Sept. 23 and scheduled to take effect Jan. 1, the law is worded such that it bans commercial e-mail sent to or from a California e-mail address unless the advertiser -- not just the sender -- has direct consent or a pre-existing business relationship with the recipient.
As a result, the law would seem to ban third-party e-mail list rental because by definition, even though the recipient may have given permission to the list owner, he or she would not have given any advertiser who rents the list direct consent.
The law does not address third-party list rental. As a result, Murray contends it is open enough to interpretation to protect managers of permission-based lists.
Meanwhile, the law broadly defines a California e-mail address as one ordinarily accessed from a computer located in the state, or one where the bill from the ISP goes to a California address.
Under that definition, AOL could set up servers in California, theoretically making all its subscribers' addresses California addresses.
"We're still trying to analyze the law, but it does look like California is trying to close its doors to e-mail acquisition, responsible or not," said Michael Mayor, president of New York e-mail list development and management firm NetCreations Inc. "They want advertiser-specific permission."
NetCreations represents 40 million e-mail addresses from 500 sources. It claims that all the e-mail addresses in its files were gathered on a "double opt-in" basis. The term, coined by co-founder and former CEO Rosalind Resnick, means that to get on a NetCreations list, the e-mail address owner must supply his or her address and then respond to an e-mail verifying that it was him or her who supplied the address. Even the most adamant anti-spammers consider this list-building method to be a foolproof protection against spam. Most e-mail list managers' policies are less strict.
"I think there's a distinction between [list managers who require strict permission] and a significant number of the people out there who rent lists," Murray said.
The law lets individuals and the California attorney general sue for $1,000 for each e-mail in violation of the law, up to $1 million.
"This is exactly why federal legislation is needed," Mayor said. "Imagine if the other 49 states do something quirky like this. It just becomes a minefield."
Many industry experts expect the law to be challenged on the grounds that it violates the U.S. constitutional ban on interference with interstate commerce.
But it could create serious trouble even for permission-based e-mail list managers in the meantime.
"The law really doesn't contemplate transfer of permission," said Ray Everett-Church, an attorney who is a spam law expert and chief privacy officer at privacy consultancy ePrivacyGroup, Philadelphia. "While the law clearly doesn't deal with the issue of third-party permission-based lists, I think a credible argument could be made that a very well-documented permission-based list would satisfy the law's requirements."
Also, Murray said: "It is not intended to restrict someone from sending an e-mail to a consumer who has clearly said they want to receive those e-mails."
But the law addresses this possibility, and not in a way that lets defendants who are trying to avoid spamming off the hook:
"If the court finds the defendant established and implemented, with due care, practices and procedures reasonably designed to effectively prevent unsolicited commercial e-mail advertisements that are in violation of this article, the court shall reduce the liquidated damages ... to a maximum of one hundred dollars ($100) for each unsolicited commercial e-mail, or a maximum of one hundred thousand dollars ($100,000) per incident," the new law says.
Murray, however, said this provision is aimed at protecting marketers who can prove they made a mistake.
Also, someone on the list would have to be upset enough to go to the trouble of suing, which is far less likely when the list is truly permission-based, both Murray and Everett-Church said.
"Cold comfort, but you've got to have somebody who feels that they're on this list inappropriately," said Everett-Church. "At which point the truth of the permission process provides a defense. And while this may need to be sorted out in court, it may need to be sorted out only once."
Meanwhile, however, starting Jan. 1, marketers renting lists with California e-mail addresses on them will be at risk for lawsuits from individuals until California's new anti-spam law is sorted out.