Anti-Spam Law Impacts Legitimate e-Mail

Consider this hypothetical: Mary, a partner with P.J. Goldmorg & Co., a prominent Wall Street Investment Banking Firm, meets George, the CEO of a small biotech company, at a conference. George, who is not a client of P.J. Goldmorg's, mentions during conference that his company is considering going public. The two exchange business cards and go on their way. When Mary gets back to her office she sends George a short e-mail that says only the following: “George, it was a pleasure meeting you at the conference. Our firm provides an array of financial advisory services and I think we could be of tremendous value to you in preparing for your public offering. Attached is some material describing our practice. I look forward to hearing you soon. Mary” As soon as she hits “send,” Mary has just violated the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act).

Not possible, you think. How could such a simple (and very common) business related e-mail violate a law that, at least by its title, deals with only “spam.” Despite its clever name, the recently enacted CAN-SPAM Act, which became effective on Jan. 1, 2004, does not in fact prohibit “spam.” What the law does do is regulate “commercial e-mail,” which is defined broadly to include even the type of e-mail that Mary sent to George. Accordingly, the legal department of every business that uses e-mail should be advising its employees to take immediate steps to comply with the Act, as violations carry stiff penalties.

Overview of the Act

According to published Internet statistics, more than 31 billion e-mails are sent each day. Of that number, more than half (about 58% or about 18 billion e-mails) are considered spam. Companies incur billions of dollars each year ($8.9 billion in 2002) in expenses and lost time as a result of spam. In response to mounting public outcry, Congress took action in 2003 to limit and punish purveyors of spam.

The CAN-SPAM Act principally regulates “commercial e-mail,” defined as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.” It is important to note that even a single e-mail message can qualify as “commercial e-mail.” The Act does not define many of the terms used in the definition of “commercial e-mail,” including the terms “primary purpose,” “advertisement,” or “promotion.” The Federal Trade Commission (FTC) is required to issue regulations within 12 months defining the criteria used to determine the “primary purpose” of a commercial e-mail. This regulation will be crucial in determining the impact and scope of the Act and whether it really includes e-mails such as the hypothetical one that Mary sent to George. For now, however, businesses should interpret the Act as broadly as possible and apply the requirements to all e-mails sent to customers and prospective customers.

Expressly exempted from the definition of “commercial e-mail” are “transactional or relationship messages” (TRMs). TRMs are subject to different standards and are not regulated as “commercial e-mail.” TRMs are defined as e-mails, the principal purpose of which is:

• To facilitate or complete a commercial transaction that the recipient has previously agreed to enter into with the sender;
• To provide recall or warranty information about a product or service used or purchased by the recipient;
• To provide notice of changes or periodic statements regarding a subscription, membership, account or similar ongoing commercial relationship;
• To provide information directly related to an employment relationship or related benefit plan; and
• To deliver goods or services, including product updates or upgrades, to which the recipient is entitled to under the terms of a transaction.

Prohibitions Against Professional Spamming

The CAN-SPAM Act is designed to deter and punish professional spammers and hackers. For example, the Act makes it a crime to hack into an innocent party's computer and send spam from it. The Act also makes it illegal to falsify header information (ie, the sender of the e-mail) for both commercial e-mail and TRMs, as well as the registry of five or more electronic e-mail addresses with false information if multiple e-mails are sent from accounts. The Act imposes criminal penalties, including prison terms of up to 5 years and fines of up to $6 million, for violations of these provisions.

Unfortunately, it is unlikely that the new law will have any impact on malicious spammers, as many will simply move their operations offshore to avoid enforcement. Certainly most people have not noticed any meaningful decrease in the spam being sent to their inboxes since the Act became effective in January. Also, the Act does not give recipients of spam any legal recourse against the senders of spam. While the Act does give Internet Service Providers (ISPs) the right to file civil suit against spammers (which has already happened), no such private cause of action is given to individuals. It is expected that the FTC and State Attorneys General offices will set up complaint procedures for individuals to report violations of the Act. Also worthy of note is the “spam bounty hunter” provision in the Act, whereby the FTC must establish a procedure to award individuals who track down and report violations of the Act. The award may be 20% or more of the civil penalty that the FTC ultimately obtains. For now, however, our hypothetical Mary has little reason to fear from either the FTC or a “bounty hunter.”

Requirements for Commercial e-Mails

Other provisions of the CAN-SPAM Act, while aimed at professional spammers, will nonetheless affect the way many legitimate businesses conduct themselves through e-mail. The Act imposes a number of requirements for all businesses:

• Functioning Return Address: Every commercial e-mail must include a conspicuous functioning (and legitimate) return e-mail address.
• Opt-Out Mechanism: Recipients must be given the ability of opting out of receiving future e-mails by responding to the return e-mail address provided in a commercial e-mail. Alternatively, the sender may provide an Internet or other menu-based system that permits a recipient to choose which e-mails he or she wishes to receive, as long as one of the choices is to receive no e-mails at all. The sender, and those acting for the sender, must stop sending e-mails within 10 business days of the receipt of an “opt-out” request.
• Notices: Commercial e-mail must include the following: 1) clear and conspicuous identification that the e-mail is an advertisement; 2) clear and conspicuous notice of the ability to opt-out of receiving future e-mails; and 3) a valid postal address.

The Act further regulates companies that promote products or services in improper e-mails, even when the company itself is not the sender of the e-mails. This provision may prove troubling for companies that could be held responsible for the e-mail activities of their employees and third parties acting on their behalf. Accordingly, corporate legal departments should educate their employees and vendors on the requirements of the Act.

Do Not Spam List

Perhaps one of the more challenging aspects of the Act is the provision requiring the FTC to report to Congress on the creation of a national “Do-Not-E-Mail” registry (similar to the FTC's “Do Not Call” list) which the FTC may establish no earlier than September of 2004. Such a registry may hamper the efforts of a number of companies that are currently utilizing e-mail for purposes of “cold calling” and initial marketing campaigns. Given the American public's frustration with spam, it is likely that the FTC will vigorously pursue the implementation of the “Do Not Spam” registry. As a result, many companies may have to revert to traditional (and more expensive) marketing methods, including mass-mailings, television and radio advertising and event sponsorships among others.

Enforcement

Generally, the FTC has jurisdiction to enforce the Act. Additionally, the Act permits State Attorneys General to file civil suit in federal court for injunctive relief and damages to protect the interest of state residents. As mentioned, the Act also allows for states and ISPs to bring civil suits against spammers for violations of the Act. Moreover, “for any person engaged in providing insurance,” the Act gives enforcement authority to the “applicable State insurance authority.” If the State insurance authority elects not to exercise the power, then the FTC is given sole authority.

Compliance Tips

In addition to the suggestions already made, there are other steps that businesses can take to comply with the Act:

• Evaluate whether a company's e-mail fall primarily into the commercial e-mail category or TRM category. If a company is sending exclusively TRMs, then it may not need to establish a compliance plan for the Act. Conversely, if a company is sending primarily commercial e-mails, it may choose to have every e-mail it sends comply with the Act. For companies that send substantial amounts of both categories of e-mail, they should explore separating the categories of e-mails and ensuring that commercial e-mails all comply with the Act.
• Businesses that use vendors to send e-mails on their behalf should ensure that the contract with the vendor has representations and warranties concerning the vendor's compliance with the Act and also includes indemnification provisions for a vendor's non-compliance.
• Businesses should also consider amending agreements they have with their customers to provide for the customers consent to receive commercial e-mails.
• Businesses should ensure that they have a centralized process for collecting and implementing opt-out requests they receive. Such a centralized system is necessary to meet the 10-day implementation period set forth in the Act. Employees should be advised of what to do if they receive an “opt-out” request. It is also important for a company to ensure that its opt-out systems actually work.
• Businesses should be wary when purchasing and using e-mail lists from third party. The Act states that it is unlawful to send an e-mail, “if such person had actual knowledge, or knowledge fairly implied on the basis of objective circumstances that the electronic mail address of the recipient was obtained using an automated means from an Internet website….” While the harvesting of e-mail addresses in not in itself unlawful, the use of those harvested addresses to send e-mails is now unlawful. Accordingly, businesses should take steps to ensure that they are not purchasing a list of illegally harvested e-mail addresses.
• Implementation and enforcement of the CAN-SPAM Act are still in their early stages and will continue to develop as the FTC issues regulations in conjunction with the Act. Nevertheless, businesses should not wait to begin taking steps to comply ' even Mary.

Consider this hypothetical: Mary, a partner with P.J. Goldmorg & Co., a prominent Wall Street Investment Banking Firm, meets George, the CEO of a small biotech company, at a conference. George, who is not a client of P.J. Goldmorg's, mentions during conference that his company is considering going public. The two exchange business cards and go on their way. When Mary gets back to her office she sends George a short e-mail that says only the following: “George, it was a pleasure meeting you at the conference. Our firm provides an array of financial advisory services and I think we could be of tremendous value to you in preparing for your public offering. Attached is some material describing our practice. I look forward to hearing you soon. Mary” As soon as she hits “send,” Mary has just violated the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act).

Not possible, you think. How could such a simple (and very common) business related e-mail violate a law that, at least by its title, deals with only “spam.” Despite its clever name, the recently enacted CAN-SPAM Act, which became effective on Jan. 1, 2004, does not in fact prohibit “spam.” What the law does do is regulate “commercial e-mail,” which is defined broadly to include even the type of e-mail that Mary sent to George. Accordingly, the legal department of every business that uses e-mail should be advising its employees to take immediate steps to comply with the Act, as violations carry stiff penalties.

Overview of the Act

According to published Internet statistics, more than 31 billion e-mails are sent each day. Of that number, more than half (about 58% or about 18 billion e-mails) are considered spam. Companies incur billions of dollars each year ($8.9 billion in 2002) in expenses and lost time as a result of spam. In response to mounting public outcry, Congress took action in 2003 to limit and punish purveyors of spam.

The CAN-SPAM Act principally regulates “commercial e-mail,” defined as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.” It is important to note that even a single e-mail message can qualify as “commercial e-mail.” The Act does not define many of the terms used in the definition of “commercial e-mail,” including the terms “primary purpose,” “advertisement,” or “promotion.” The Federal Trade Commission (FTC) is required to issue regulations within 12 months defining the criteria used to determine the “primary purpose” of a commercial e-mail. This regulation will be crucial in determining the impact and scope of the Act and whether it really includes e-mails such as the hypothetical one that Mary sent to George. For now, however, businesses should interpret the Act as broadly as possible and apply the requirements to all e-mails sent to customers and prospective customers.

Expressly exempted from the definition of “commercial e-mail” are “transactional or relationship messages” (TRMs). TRMs are subject to different standards and are not regulated as “commercial e-mail.” TRMs are defined as e-mails, the principal purpose of which is:

• To facilitate or complete a commercial transaction that the recipient has previously agreed to enter into with the sender;
• To provide recall or warranty information about a product or service used or purchased by the recipient;
• To provide notice of changes or periodic statements regarding a subscription, membership, account or similar ongoing commercial relationship;
• To provide information directly related to an employment relationship or related benefit plan; and
• To deliver goods or services, including product updates or upgrades, to which the recipient is entitled to under the terms of a transaction.

Prohibitions Against Professional Spamming

The CAN-SPAM Act is designed to deter and punish professional spammers and hackers. For example, the Act makes it a crime to hack into an innocent party's computer and send spam from it. The Act also makes it illegal to falsify header information (ie, the sender of the e-mail) for both commercial e-mail and TRMs, as well as the registry of five or more electronic e-mail addresses with false information if multiple e-mails are sent from accounts. The Act imposes criminal penalties, including prison terms of up to 5 years and fines of up to $6 million, for violations of these provisions.

Unfortunately, it is unlikely that the new law will have any impact on malicious spammers, as many will simply move their operations offshore to avoid enforcement. Certainly most people have not noticed any meaningful decrease in the spam being sent to their inboxes since the Act became effective in January. Also, the Act does not give recipients of spam any legal recourse against the senders of spam. While the Act does give Internet Service Providers (ISPs) the right to file civil suit against spammers (which has already happened), no such private cause of action is given to individuals. It is expected that the FTC and State Attorneys General offices will set up complaint procedures for individuals to report violations of the Act. Also worthy of note is the “spam bounty hunter” provision in the Act, whereby the FTC must establish a procedure to award individuals who track down and report violations of the Act. The award may be 20% or more of the civil penalty that the FTC ultimately obtains. For now, however, our hypothetical Mary has little reason to fear from either the FTC or a “bounty hunter.”

Requirements for Commercial e-Mails

Other provisions of the CAN-SPAM Act, while aimed at professional spammers, will nonetheless affect the way many legitimate businesses conduct themselves through e-mail. The Act imposes a number of requirements for all businesses:

• Functioning Return Address: Every commercial e-mail must include a conspicuous functioning (and legitimate) return e-mail address.
• Opt-Out Mechanism: Recipients must be given the ability of opting out of receiving future e-mails by responding to the return e-mail address provided in a commercial e-mail. Alternatively, the sender may provide an Internet or other menu-based system that permits a recipient to choose which e-mails he or she wishes to receive, as long as one of the choices is to receive no e-mails at all. The sender, and those acting for the sender, must stop sending e-mails within 10 business days of the receipt of an “opt-out” request.
• Notices: Commercial e-mail must include the following: 1) clear and conspicuous identification that the e-mail is an advertisement; 2) clear and conspicuous notice of the ability to opt-out of receiving future e-mails; and 3) a valid postal address.

The Act further regulates companies that promote products or services in improper e-mails, even when the company itself is not the sender of the e-mails. This provision may prove troubling for companies that could be held responsible for the e-mail activities of their employees and third parties acting on their behalf. Accordingly, corporate legal departments should educate their employees and vendors on the requirements of the Act.

Do Not Spam List

Perhaps one of the more challenging aspects of the Act is the provision requiring the FTC to report to Congress on the creation of a national “Do-Not-E-Mail” registry (similar to the FTC's “Do Not Call” list) which the FTC may establish no earlier than September of 2004. Such a registry may hamper the efforts of a number of companies that are currently utilizing e-mail for purposes of “cold calling” and initial marketing campaigns. Given the American public's frustration with spam, it is likely that the FTC will vigorously pursue the implementation of the “Do Not Spam” registry. As a result, many companies may have to revert to traditional (and more expensive) marketing methods, including mass-mailings, television and radio advertising and event sponsorships among others.

Enforcement

Generally, the FTC has jurisdiction to enforce the Act. Additionally, the Act permits State Attorneys General to file civil suit in federal court for injunctive relief and damages to protect the interest of state residents. As mentioned, the Act also allows for states and ISPs to bring civil suits against spammers for violations of the Act. Moreover, “for any person engaged in providing insurance,” the Act gives enforcement authority to the “applicable State insurance authority.” If the State insurance authority elects not to exercise the power, then the FTC is given sole authority.

Compliance Tips

In addition to the suggestions already made, there are other steps that businesses can take to comply with the Act:

• Evaluate whether a company's e-mail fall primarily into the commercial e-mail category or TRM category. If a company is sending exclusively TRMs, then it may not need to establish a compliance plan for the Act. Conversely, if a company is sending primarily commercial e-mails, it may choose to have every e-mail it sends comply with the Act. For companies that send substantial amounts of both categories of e-mail, they should explore separating the categories of e-mails and ensuring that commercial e-mails all comply with the Act.
• Businesses that use vendors to send e-mails on their behalf should ensure that the contract with the vendor has representations and warranties concerning the vendor's compliance with the Act and also includes indemnification provisions for a vendor's non-compliance.
• Businesses should also consider amending agreements they have with their customers to provide for the customers consent to receive commercial e-mails.
• Businesses should ensure that they have a centralized process for collecting and implementing opt-out requests they receive. Such a centralized system is necessary to meet the 10-day implementation period set forth in the Act. Employees should be advised of what to do if they receive an “opt-out” request. It is also important for a company to ensure that its opt-out systems actually work.
• Businesses should be wary when purchasing and using e-mail lists from third party. The Act states that it is unlawful to send an e-mail, “if such person had actual knowledge, or knowledge fairly implied on the basis of objective circumstances that the electronic mail address of the recipient was obtained using an automated means from an Internet website….” While the harvesting of e-mail addresses in not in itself unlawful, the use of those harvested addresses to send e-mails is now unlawful. Accordingly, businesses should take steps to ensure that they are not purchasing a list of illegally harvested e-mail addresses.
• Implementation and enforcement of the CAN-SPAM Act are still in their early stages and will continue to develop as the FTC issues regulations in conjunction with the Act. Nevertheless, businesses should not wait to begin taking steps to comply ' even Mary.