New Federal Anti-Spam Law Creates a National Regulatory Framework For Senders of Commercial E-mail
Over the past few years, unsolicited commercial e-mail, or “spam,” has grown from being a nuisance into a significant burden on IT infrastructure. In response to increasing pressure to establish a uniform national framework, on December 8, 2003, Congress enacted the “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003,” better known as the “CAN-SPAM Act.” President Bush signed the Act on December 16, 2003, and it will become effective on January 1, 2004.
The statute sweeps broadly: it applies to all commercial e-mail messages. Consequently, every business that uses e-mail as part of its marketing efforts needs to be aware of the new rules. This alert summarizes the highlights.
An overview of the Act
There are five major aspects to the Act. First, the Act pre-empts state anti-spam laws in favor of a uniform national standard. Second, the Act takes an “opt-out” approach to the regulation of commercial e-mail messages, requiring senders of commercial e-mail messages to provide a clear and conspicuous opt-out mechanism and to honor opt-out requests. Third, the Act requires that senders include certain information in commercial e-mail. Fourth, the Act prohibits a range of conduct that has been associated with abusive e-mail practices. Fifth, the Act directs the Federal Trade Commission (FTC) to develop a plan for establishing a “Do-Not-E-mail” Registry, and gives the FTC discretion to implement such a plan not earlier than October 1, 2004.
What does the Act cover?
The Act applies to all commercial e-mail messages, not just the unsolicited advertising that most people think of as spam. The term “commercial e-mail message” includes any e-mail message whose primary purpose is to advertise or promote a commercial product or service, including Web-site content.
The statute expressly excludes “transactional or relationship messages” from the definition of “commercial e-mail message.” Transactional or relationship messages are messages whose primary purpose is to:
(i) facilitate, complete, or confirm a transaction that the parties have already agreed to (such as an e-mail sending a confirmation number for an e-commerce transaction)
(ii) provide warranty, safety or recall information about a product used or purchased by the recipient
(iii) notify the recipient of changes in terms, features or account status in connection with an ongoing commercial relationship such as a subscription, account or loan
(iv) provide information to employees or enrollees in a benefit plan about the relationship
(v) deliver goods or services, including updates or upgrades, that the recipient is entitled to receive under a prior agreement
Congress has directed the FTC to issue regulations within the next 12 months to specify the criteria to be used in determining the primary purpose of an e-mail. The FTC also has the authority to expand or narrow the categories of messages that are treated as transactional or relationship messages.
What does the Act require?
The Act specifies a number of requirements that apply to any person who “initiates” the sending of a commercial e-mail. For instance, such a person must:
(i) not include materially false or misleading header information
(ii) not use a subject heading that would be likely to mislead a recipient about the subject of the e-mail
(iii) include a functioning return e-mail address or other Internet-based mechanism to allow the recipient to opt out of receiving future commercial e-mail from the sender
(iv) not send a commercial e-mail message to a recipient more than ten business days after the recipient has opted out of receiving such e-mails
(v) not sell, lease, or transfer the e-mail address of a recipient who has opted out
(vi) include a clear and conspicuous identification that the e-mail message is an advertisement or solicitation
(vii) include a clear and conspicuous notice of the opportunity to opt out from receiving future commercial e-mail from the sender
(viii) include a valid physical mailing address for the sender
(ix) include warning labels, in a form to be prescribed by the FTC within 120 days, in commercial e-mail containing sexually oriented material
The term “initiate” includes originating or transmitting a message directly, as well as paying another to originate a message, but it does not include the routine conveyance of a message.
What does the Act prohibit?
The Act prohibits a number of “aggravated violations” relating to commercial e-mail. It is unlawful, for instance, to:
(i) “harvest” e-mail addresses from a Web-site or proprietary online service
(ii) use “dictionary attacks” to generate e-mail addresses
(iii) use scripts or other automated means to register multiple e-mail accounts to send unlawful e-mail messages
(iv) knowingly relay or re-transmit unlawful e-mail messages
The Act prohibits a person from knowingly promoting or allowing another to promote the person’s trade, business, goods or services by means of unlawful e-mail.
The Act also establishes criminal penalties for a number of abusive acts and practices used by unscrupulous spammers, including hacking into computers to send bulk spam, using open relays to deceive recipients about the source of spam, falsifying header information in bulk spam, registering for five or more e-mail accounts or two or more domain names to send bulk spam, and sending bulk spam from another’s IP address.
What is the effect on state anti-spam laws?
The new federal Act supersedes any state or local law that expressly regulates commercial e-mail, except to the extent that such a law prohibits falsity or deception in commercial e-mail. Consequently, the California anti-spam act that was scheduled to take effect on January 1, 2004, which took an “opt-in” approach to e-mail and imposed strict liability on anyone who caused the transmission of unsolicited commercial e-mail, is largely pre-empted. The federal Act does not pre-empt other state laws that are not specific to e-mail, such as trespass, contract or tort law, or computer fraud and abuse statutes.
Who can enforce the Act?
The FTC, state attorneys general, and affected Internet service providers, subject to certain limitations, are authorized to enforce the Act, including by recovering multiple damages for certain aggravated violations. Unlike many state anti-spam laws, however, individual recipients of unlawful e-mail do not have the right to bring a private cause of action for damages.
What should businesses do to comply with the Act?
At the outset, it is important to emphasize that this alert provides only a summary overview of the major features of the Act; there are many details that must be reviewed with care.
At a minimum, all businesses must review their current use of e-mail and the practices of joint marketing partners who distribute e-mail on their behalf. It will be important to establish procedures for determining if the primary purpose of an e-mail is commercial, if the e-mail is a “transactional or relationship message,” and if a third party is transmitting commercial e-mail on behalf of the business. It will also be necessary to develop administrative and technical measures for honoring opt-out requests and to develop appropriate contractual provisions for agreements with marketing partners. Of course, businesses must also be sure to avoid any of the practices that are made unlawful by the Act, such as using automated means to acquire e-mail addresses.