The CAN-SPAM Act: Regulates, Doesn't Eliminate, Spam

The CAN-SPAM Act ' “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003″ ' went into effect Jan. 1, and has important implications for anyone engaged in the sending of unsolicited e-mails, which are commonly known as spam. Contrary to public opinion, the act does not make spam unlawful; it attempts to regulate it.

CAN-SPAM Recap

The CAN-SPAM Act has three provisions to which spammers must adhere.

1. Labeling. Unsolicited e-mails must be clearly identified as solicitation or advertisements for products and services.
2. Offering an opt-out option. Senders must provide easily accessible, legitimate means for recipients to “opt-out” of receiving future messages.
3. Revelation of the sender's addresses. Unsolicited e-mails must contain legitimate return e-mail addresses, as well as the sender's postal address. (It should be noted that the CAN-SPAM Act offers some exclusion from the aforementioned three requirements noted above.)

For recipients who have previously consented to receipt of unsolicited commercial e-mail, the act has two additional requirements.

1. Spammers must use honest subject lines. Use of misleading or bogus subject lines to trick readers into opening messages is forbidden.
2. Spammers must comply with the “Do Not E-Mail Registry.” The CAN-SPAM Act indicates that within 6 months, a proposed plan will be submitted to Congress by the Federal Trade Commission (FTC) for a “Do Not E-Mail” list.

More than 30 states have enacted anti-spam legislation. The CAN-SPAM Act is intended to supersede state or local anti-spam laws, with certain exceptions for state laws related to deceptive trade practices or “computer crime.”

In addition, some of the current state anti-spam laws that the Act intends to pre-empt go further than the Act, either in terms of regulation or in giving causes of action to individuals. The scope of the Act's pre-emption is thus not clearly defined at this time. States have enacted both civil and criminal anti-spam laws. Most states' criminal anti-spam laws will not be pre-empted.

The enforcement of the Act is vested primarily in the FTC and states' Attorneys General. There is a private right of action, but it is limited to Internet service providers. Thus, people who receive spam may sue Internet service providers.

The penalties associated with the CAN-SPAM Act are significant. Certain fraudulent activities and repeat offenses include the possibility of imprisonment for 3-5 years. Otherwise, violators of the Act are subject to actual damages, statutory damages or fines of $250 per violation, with each unlawful message to each recipient being a separate violation. Statutory damages can go as high as $2 million.

Application of the Law

Spammers who comply with the Act may lawfully send “legitimate” spam, which will have more candid headers and subject lines.

Under the Act, spam must be identified, although there is no uniform label required, such as the ADV that some state laws demanded. (An ADV label identifies an e-mail as advertising in the e-mail header, which would allow users to employ filtering software to block the message.) And bulk e-mail must have a truthful header (address) and subject line.

Losing the ADV label will make it more difficult for anti-spam software to filter spam. Nevertheless, in due course, the FTC will require specific e-mail labeling ' most likely starting with sexually explicit e-mail.

The Act's most significant impact is how it will affect the implementation of California's new anti-spam law, which also went into effect on Jan. 1. The California law is an example of a state anti-spam law that is more restrictive than the new federal law. It bans even truthful spam, as long as it is unsolicited (unless it was from a business with which the customer had an existing relationship). The California law makes spammers, and advertisers who employ them, liable.

The Internet is not regulated or controlled by a central authority, thus spammers cannot completely control who gets their mail, nor can they completely control the receipt of “opt-out” requests. Thus, since complete compliance is not technically possible, the FTC and the courts will have to determine what constitutes substantial (acceptable) compliance with respect to the CAN-SPAM Act.

It is likely that a spammer who uses an honest address, plus a few other things, such as providing an opt-out feature and giving his or her physical address, will be found to be in substantial compliance despite engaging in activity that will inevitably result in numerous instances of individuals receiving spam involuntarily. The Act will likely be used in conjunction with existing state computer and computer data protection laws.

Currently, Internet Service Providers (ISPs) use their terms of use agreements and service agreement to stop spammers. The CAN-SPAM Act will likely be used in combination with those agreements, so as to make it easier for ISPs to block spam. The Act includes a provision for ISPs to sue spammers.

The Act also penalizes companies whose products or services are knowingly promoted by spam. This provision will likely first be used against providers of penis enlargement and miracle weight loss products.

What's an Online Marketer To Do?

If a company intends to send unsolicited e-mails, the following actions should be considered:

• The firm should establish a company policy against employees sending unapproved, unsolicited commercial e-mail to others. This policy should be incorporated into the employee manual.
• A firm should review all e-mail marketing campaigns. In particular, such campaigns should employ only e-mail lists of recipients who have consented to receive such mailings.
• A firm should consider reviewing client consent forms. Such reviews should ensure that consent requires an “affirmative action.” The use of pre-filled forms may not be acceptable.
  Also, such reviews should confirm that it is clear to customers of the client's business what they are going to receive via e-mail if they consent to receipt of such e-mails. Without such action, an e-mail recipient might argue that the firm failed to give full disclosure.
• You or your firm must keep records of customers' consent or pre-existing business relationships with customers. Such relationships allow sending spam to customers.

Potential Implementation Difficulties

The CAN-SPAM legislation may be ineffective for several reasons. First, to a large extent, the spam that is received in the United States comes from out of the country.

Bringing international spammers to justice requires cooperation from authorities outside of the U.S., which requires additional effort not envisioned by the CAN-SPAM law. International measures may be necessary to truly eradicate fraudulent spam.

Thus, the U.S. may have to negotiate and execute a substantial number of anti-spam bilateral treaties to require international spammers to adopt the CAN-SPAM standards.

Second, the CAN-SPAM Act may inspire some U.S.-based spammers to move their operations offshore. It should be noted that U.S.-based spammers must move more than merely their operation centers and servers to avoid the jurisdiction of the United States. The courts need look no further than their treatment of offshore Internet gambling to find a basis for jurisdiction of U.S. entities that send spam into the U.S. from outside its borders.

Third, the FTC, which is charged with enforcing the CAN-SPAM Act against spammers within the U.S., will not have the resources to enforce the law against all spammers. It is one thing to sue a large spammer or make an example of an individual spammer, but it is quite another matter to sue all those who do not comply with the CAN-SPAM law. In short, the FTC is not likely to be inclined to sue all individuals or small businesses that engage in spamming.

Fourth, the Constitution may limit the implementation of the CAN-SPAM law. In particular, the Do Not Spam Registry may be found to violate the First Amendment. There is no First Amendment issue with fraudulent commercial speech; the courts have not supported unlimited restrictions concerning commercial speech.

The telephone Do Not Call Registry has been subject to a similar legal challenge. Currently, its status is still unresolved. Thus, the destiny of an analogous spam (Do Not E-Mail) registry is similarly an open question.

How To Enforce: Technical Solutions Augment New Legal Protections

In light of the aforementioned potential difficulties, the employment of both technological and legal methods must be considered.

Among the technological solutions to be considered in conjunction with the Act are those that filter out spam and that help authorities implement the CAN-SPAM law.

One way is to change the setting on a company's e-mail server. In particular, a company should implement a setting that checks whether the origin of incoming e-mail has been faked. Such “spoofing” is a main reason spam goes undetected. In the event a spoof is discovered, the server should not deliver the e-mail and record it for use by authorities implementing the CAN-SPAM law.

Additionally, companies should implement a “challenge/response” system. These systems allow users to send direct messages only to people who have the sender's e-mail address in their address books. In the event a “challenge/response” system encounters an unexpected address, the system sends back a puzzle/question to which only a human, not an automated spam program, can respond with a solution. Give the correct response, and the e-mail goes through. Such systems should record “fails” for use by authorities implementing the law.

Jonathan Bick is of counsel to WolfBlock Brach Eichler of Roseland and is an adjunct professor of Internet law at Pace Law School and Rutgers Law School. He is also the author of 101 Things You Need To Know About Internet Law [Random House 2000] and is a member of this publicaton's Board of Editors.

The CAN-SPAM Act ' “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003″ ' went into effect Jan. 1, and has important implications for anyone engaged in the sending of unsolicited e-mails, which are commonly known as spam. Contrary to public opinion, the act does not make spam unlawful; it attempts to regulate it.

CAN-SPAM Recap

The CAN-SPAM Act has three provisions to which spammers must adhere.

1. Labeling. Unsolicited e-mails must be clearly identified as solicitation or advertisements for products and services.
2. Offering an opt-out option. Senders must provide easily accessible, legitimate means for recipients to “opt-out” of receiving future messages.
3. Revelation of the sender's addresses. Unsolicited e-mails must contain legitimate return e-mail addresses, as well as the sender's postal address. (It should be noted that the CAN-SPAM Act offers some exclusion from the aforementioned three requirements noted above.)

For recipients who have previously consented to receipt of unsolicited commercial e-mail, the act has two additional requirements.

1. Spammers must use honest subject lines. Use of misleading or bogus subject lines to trick readers into opening messages is forbidden.
2. Spammers must comply with the “Do Not E-Mail Registry.” The CAN-SPAM Act indicates that within 6 months, a proposed plan will be submitted to Congress by the Federal Trade Commission (FTC) for a “Do Not E-Mail” list.

More than 30 states have enacted anti-spam legislation. The CAN-SPAM Act is intended to supersede state or local anti-spam laws, with certain exceptions for state laws related to deceptive trade practices or “computer crime.”

In addition, some of the current state anti-spam laws that the Act intends to pre-empt go further than the Act, either in terms of regulation or in giving causes of action to individuals. The scope of the Act's pre-emption is thus not clearly defined at this time. States have enacted both civil and criminal anti-spam laws. Most states' criminal anti-spam laws will not be pre-empted.

The enforcement of the Act is vested primarily in the FTC and states' Attorneys General. There is a private right of action, but it is limited to Internet service providers. Thus, people who receive spam may sue Internet service providers.

The penalties associated with the CAN-SPAM Act are significant. Certain fraudulent activities and repeat offenses include the possibility of imprisonment for 3-5 years. Otherwise, violators of the Act are subject to actual damages, statutory damages or fines of $250 per violation, with each unlawful message to each recipient being a separate violation. Statutory damages can go as high as $2 million.

Application of the Law

Spammers who comply with the Act may lawfully send “legitimate” spam, which will have more candid headers and subject lines.

Under the Act, spam must be identified, although there is no uniform label required, such as the ADV that some state laws demanded. (An ADV label identifies an e-mail as advertising in the e-mail header, which would allow users to employ filtering software to block the message.) And bulk e-mail must have a truthful header (address) and subject line.

Losing the ADV label will make it more difficult for anti-spam software to filter spam. Nevertheless, in due course, the FTC will require specific e-mail labeling ' most likely starting with sexually explicit e-mail.

The Act's most significant impact is how it will affect the implementation of California's new anti-spam law, which also went into effect on Jan. 1. The California law is an example of a state anti-spam law that is more restrictive than the new federal law. It bans even truthful spam, as long as it is unsolicited (unless it was from a business with which the customer had an existing relationship). The California law makes spammers, and advertisers who employ them, liable.

The Internet is not regulated or controlled by a central authority, thus spammers cannot completely control who gets their mail, nor can they completely control the receipt of “opt-out” requests. Thus, since complete compliance is not technically possible, the FTC and the courts will have to determine what constitutes substantial (acceptable) compliance with respect to the CAN-SPAM Act.

It is likely that a spammer who uses an honest address, plus a few other things, such as providing an opt-out feature and giving his or her physical address, will be found to be in substantial compliance despite engaging in activity that will inevitably result in numerous instances of individuals receiving spam involuntarily. The Act will likely be used in conjunction with existing state computer and computer data protection laws.

Currently, Internet Service Providers (ISPs) use their terms of use agreements and service agreement to stop spammers. The CAN-SPAM Act will likely be used in combination with those agreements, so as to make it easier for ISPs to block spam. The Act includes a provision for ISPs to sue spammers.

The Act also penalizes companies whose products or services are knowingly promoted by spam. This provision will likely first be used against providers of penis enlargement and miracle weight loss products.

What's an Online Marketer To Do?

If a company intends to send unsolicited e-mails, the following actions should be considered:

• The firm should establish a company policy against employees sending unapproved, unsolicited commercial e-mail to others. This policy should be incorporated into the employee manual.
• A firm should review all e-mail marketing campaigns. In particular, such campaigns should employ only e-mail lists of recipients who have consented to receive such mailings.
• A firm should consider reviewing client consent forms. Such reviews should ensure that consent requires an “affirmative action.” The use of pre-filled forms may not be acceptable.
  Also, such reviews should confirm that it is clear to customers of the client's business what they are going to receive via e-mail if they consent to receipt of such e-mails. Without such action, an e-mail recipient might argue that the firm failed to give full disclosure.
• You or your firm must keep records of customers' consent or pre-existing business relationships with customers. Such relationships allow sending spam to customers.

Potential Implementation Difficulties

The CAN-SPAM legislation may be ineffective for several reasons. First, to a large extent, the spam that is received in the United States comes from out of the country.

Bringing international spammers to justice requires cooperation from authorities outside of the U.S., which requires additional effort not envisioned by the CAN-SPAM law. International measures may be necessary to truly eradicate fraudulent spam.

Thus, the U.S. may have to negotiate and execute a substantial number of anti-spam bilateral treaties to require international spammers to adopt the CAN-SPAM standards.

Second, the CAN-SPAM Act may inspire some U.S.-based spammers to move their operations offshore. It should be noted that U.S.-based spammers must move more than merely their operation centers and servers to avoid the jurisdiction of the United States. The courts need look no further than their treatment of offshore Internet gambling to find a basis for jurisdiction of U.S. entities that send spam into the U.S. from outside its borders.

Third, the FTC, which is charged with enforcing the CAN-SPAM Act against spammers within the U.S., will not have the resources to enforce the law against all spammers. It is one thing to sue a large spammer or make an example of an individual spammer, but it is quite another matter to sue all those who do not comply with the CAN-SPAM law. In short, the FTC is not likely to be inclined to sue all individuals or small businesses that engage in spamming.

Fourth, the Constitution may limit the implementation of the CAN-SPAM law. In particular, the Do Not Spam Registry may be found to violate the First Amendment. There is no First Amendment issue with fraudulent commercial speech; the courts have not supported unlimited restrictions concerning commercial speech.

The telephone Do Not Call Registry has been subject to a similar legal challenge. Currently, its status is still unresolved. Thus, the destiny of an analogous spam (Do Not E-Mail) registry is similarly an open question.

How To Enforce: Technical Solutions Augment New Legal Protections

In light of the aforementioned potential difficulties, the employment of both technological and legal methods must be considered.

Among the technological solutions to be considered in conjunction with the Act are those that filter out spam and that help authorities implement the CAN-SPAM law.

One way is to change the setting on a company's e-mail server. In particular, a company should implement a setting that checks whether the origin of incoming e-mail has been faked. Such “spoofing” is a main reason spam goes undetected. In the event a spoof is discovered, the server should not deliver the e-mail and record it for use by authorities implementing the CAN-SPAM law.

Additionally, companies should implement a “challenge/response” system. These systems allow users to send direct messages only to people who have the sender's e-mail address in their address books. In the event a “challenge/response” system encounters an unexpected address, the system sends back a puzzle/question to which only a human, not an automated spam program, can respond with a solution. Give the correct response, and the e-mail goes through. Such systems should record “fails” for use by authorities implementing the law.

Jonathan Bick is of counsel to WolfBlock Brach Eichler of Roseland and is an adjunct professor of Internet law at Pace Law School and Rutgers Law School. He is also the author of 101 Things You Need To Know About Internet Law [Random House 2000] and is a member of this publicaton's Board of Editors.