The CAN-SPAM Act, One Year Later

Reviews are mixed regarding the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, known commonly as the CAN-SPAM Act, one year after it took effect Jan. 1, 2004.

Most people agree that the amount of spam in in-boxes nationwide has not decreased. Some say the act just creates obstacles for legitimate e-mail marketers but is ineffective at stopping real spammers, who prove difficult to track. However, the act has given responsible businesses a way to distinguish themselves from spammers, letting them expand their databases legally, avoid lawsuits and target messages to interested customers. An overview of the first year follows.

The good news for marketing departments is that CAN-SPAM makes it legal to send unsolicited commercial e-mail to potential customers provided the sender complies with the act’s requirements.

The act also preempts state laws regulating spam. If one of the 30-plus state laws regulating e-mail has any provision contradicting CAN-SPAM, it can be ignored. However, state law can be a basis of a claim against a business sending unsolicited e-mails if it pertains to the e-mail’s content (such as defamation or breach of privacy) or if it relates to state laws prohibiting fraud or computer crime.

CAN-SPAM gives no private right of action. Individual e-mail recipients are not entitled to bring lawsuits to enforce provisions of the act. The enforcers are the Federal Trade Commission, state attorneys general and ISPs. Criminal penalties involve substantial fines and up to five years imprisonment. Civil penalties include injunctive relief, $250 per violation (each e-mail sent that does not comply is a violation), up to $2 million for state actions and $1 million for ISP actions and attorneys fees.

Federal criminal prosecutions have involved egregious spammers engaging in aggravated violations. Several prosecutions have been initiated under CAN-SPAM by state attorneys general. Most cases have been brought by ISPs, such as Microsoft, EarthLink, AOL and Yahoo. They have filed dozens of lawsuits against senders of unsolicited e-mails that do not comply with the act.

How to comply. CAN-SPAM applies to commercial electronic communications where the primary purpose is commercial advertisement or promotion. “Transactional or relationship messages” sent to complete or confirm a transaction (such as time of delivery, etc.) are for all practical purposes excluded. Transactional or relationship messages also mean those sent to a recipient with whom the business has an ongoing relationship and include warranty or recall information, safety or security information, subscriptions, memberships or account information.

The FTC issued final regulations Dec. 16 defining when an e-mail’s “primary purpose” is commercial. The key regulation involves “dual purpose” e-mails where the message contains both noncommercial and commercial content. An example would be an e-mail from a magazine advising subscribers that their subscriptions are about to expire while also pitching renewal. Another example is if a manufacturer/retailer advises former customers about the use of the purchased product, and also promotes upgrades or related items.

Dual-purpose e-mails will be considered commercial unless: the subject line, reasonably read, does not contain a commercial message, and; the transactional or relationship context mainly appears at the beginning of the message, and; the net impression of the message (graphics, type, size, etc.) is reasonably considered not to be commercial.

The ambiguity of these regulations invites questions that will need to be resolved in future cases. If you want a dual-purpose e-mail to be considered noncommercial, it is critical that the subject line contain no commercial content and that the noncommercial content appear at the beginning of the text.

The Five Requirements for Each E-Mail Covered by the Act

· Be honest as to whom you are. The “From,” “To” and routing information must be accurate and identify the person who initiated the e-mail. Do not try to disguise the person or organization sending the e-mail.

· Be honest as to the subject. The message’s subject line and content cannot be likely to mislead a recipient acting reasonably about a material fact regarding the content of the subject matter. This is directed mainly at abusive spammers who try to trick recipients into opening and reading a message under false pretenses. But if you think any puffery in the subject matter, such as “Once in a lifetime opportunity,” is over the top and may mislead a reasonable recipient, then consult your lawyer before sending.

· Say it’s an ad. There must be “clear and conspicuous” identification that the message is an ad or a solicitation. There is no “magic word,” and it need not appear in the subject line, but somewhere in the e-mail there should be a notation that the message is an ad.

· Say where you are. The sender needs a valid, physical postal address. It is an open question whether a post office box is sufficient.

· The big one: an opportunity to opt out. The e-mail must give the recipient a chance to opt out of receiving further electronic messages from the sender. This requirement can be met by providing a menu from which the recipient may choose to unsubscribe only to certain types of messages from the sender, as long as it includes the option to receive no more messages at all.

When the recipient clicks the opt-out option, it must be sent to a functioning return e-mail address that is “clearly and conspicuously” displayed and that remains functioning (except for temporary glitches) for at least 30 days. The sender has 10 days to get its system to delete from its database the unsubscriber’s name and address. Any commercial message by the sender, or on behalf of the sender, sent to a recipient 10 days or more after the opt-out option was selected violates the act. No time limit exists for the unsubscriber to change his mind, so you should assume that once you receive an opt out, you are bound in perpetuity!

Open Questions Under CAN-SPAM

· Joint promotions. If Company A and Company B engage in a joint promotion and together send electronic ads of both companies’ products and services to people on Company B’s database, must Company B delete people who unsubscribed from mailings from Company A? How would Company B identify such people?

The safer answer is that in joint promotions, no e-mail should go to anybody who opted out of further mailings from either company. Each company should maintain a suppression list containing the names, e-mail addresses and opt-out dates of its unsubscribers. This list should be given to Company B solely for deleting the names of Company A’s unsubscribers from the electronic mailing. It also is recommended that the companies have cross indemnifications protecting each other from the failure of the other to comply with the act.

· “Refer a friend.” This device, by which the recipient of a commercial electronic ad is invited to send the message to a friend, is used commonly to increase the circulation of the message. It also is used in electronic sweepstakes whereby entrants can obtain more entries if they transmit the sweepstakes message to a friend. In the case of refer a friend, the sender of the second message is the original recipient, but the message is commercial.

Marketers who use this device should try to comply with as many provisions of the act as possible. (It seems to be impossible for the refer-a-friend device to comply with the prohibition against sending further messages to unsubscribers within 10 days of receipt of the opt-out notice.)


· Keep accurate records of suppression lists with the names, e-mail addresses and opt-out dates of all unsubscribers and treat this list as confidential information.

· Have an e-mail policy that sets forth the provisions of the act and lets only employees trained in this policy send commercial e-mails. The act allows for mitigation of penalties where the business has established commercially reasonable practices to prevent violations.

· Recognizing that it is tough to meet the 10-day limit, ensure you have an employee who is responsible for deleting the names of those who opt out and for putting them on the suppression list. When this employee is absent, ensure someone else performs the task. The time limit is 10 days, not 10 business days.

· Evaluate your database and verify that no addresses are the result of “harvesting.”

These recommendations apply only to e-mails to U.S. recipients. Different rules exist in Canada and the European Union countries.

Related Posts