Closing the Profit Motive in the CAN-SPAM Act

Recently, a number of small entities and e-mail service providers have sought to use the CAN-SPAM Act to profit from the receipt of spam, but have faced increased scrutiny from federal courts.

This article discusses the CAN-SPAM Act generally, some notable spam judgments, and recent decisions interpreting the standing requirements under the federal statute.

CAN-SPAM in General

In 2003, Congress passed the CAN-SPAM Act to combat a growing onslaught of fraudulent and offensive unsolicited e-mails. See, 15 U.S.C. ”7701-7713 (www.law.cornell.edu/uscode/uscode15/usc_sup_01_15_10_103.html).

The Act does not ban spam outright, but rather provides a code of conduct to regulate commercial e-mail practices in terms of format and labeling. It prohibits persons from, among other things, sending e-mails with deceptive subject headings, or sending e-mails without including the advertiser's physical postal address or a mechanism for the recipient to opt out of future mass e-mail campaigns.

While the Act protects consumers by offering them a legal right to “opt-out” of future spam, in general, a recipient's permission to initially receive commercial e-mail is not required.

The statute empowers the Federal Trade Commission to enforce the Act rather than individual consumers. See, 15 U.S.C. '7706(a). However, the statute recognizes a limited cause of action for state attorneys general and certain private entities that are 1) “provider[s] of Internet access
service” which are 2) “adversely affected” by a violation of specific provisions of the act. See, 15 U.S.C. '7706(g)(1).

The CAN-SPAM Act defines the term “Internet access service” (“IAS”) as “a service that enables users to access content, information, electronic mail, or other services offered over the Internet, and may also include access to proprietary content, information, and other services as part of a package of services offered to consumers.” 15 U.S.C. '7702(11) (citing 47 U.S.C. '231(e)(4)).

The statute does not delineate the types of harm suggested by the “adversely affected” language, but courts have generally concluded that it must be of the problems uniquely experienced by Internet access services.

The Act provides for both civil and criminal penalties. When a state entity or Internet access provider is enforcing the Act, a court may award injunctive relief, as well as impose actual or statutory damages.

In a state action, brought by an attorney general, the amount of statutory damages can range from $250 per e-mail. In an Internet access provider case, the statutory damages penalty range is from $25 per e-mail for most violations (up to a total of $1 million) and $100 per e-mail for displaying false or misleading transmission information (with no damage cap).

A court may award treble damages for willful, knowing or aggravated violations, which may include such practices as directory harvesting and the automated creation of multiple e-mail accounts. Courts also examine whether the defendant implemented commercially reasonable practices and procedures to prevent CAN-SPAM Act violations. Attorney's fees also are available under the act.

Noteworthy Judgments

Huge damage awards under the CAN-SPAM Act are not uncommon, though whether a successful plaintiff can recover a multimillion-dollar judgment from a small spam operation or foreign defendant is a separate legal obstacle.

While many of the newsworthy spam judgments from the last decade involved major ISPs (see, e.g., America Online Inc v. Smith, 2006 WL 181674 (E.D. Va. Jan. 24, 2006) (http://bit.ly/fztDTI)), in the last several years, social networks have sought relief in the courts from spam and phishing schemes launched from fraudulent accounts. For example, in Facebook v. Guerbuez, No. C08-03889 (N.D. Cal. Nov. 21, 2008) (http://bit.ly/fTuJEW), the social network plaintiff was awarded a $837 million default judgment against a defendant who had sent more than four million spam e-mails to other Facebook users. After Facebook sought to enforce the U.S. judgment in Quebec, the Canadian defendant sought bankruptcy protection.

In Facebook Inc. v. Wallace, 2009 WL 3617789 (N.D. Cal. Oct. 29, 2009) (http://bit.ly/g1Z2jm), the social network sought a default judgment of more than $7 billion in statutory damages under the CAN-SPAM Act and California law against an individual who engaged in a phishing and spamming scheme that compromised the accounts of a substantial number of users.

The court found that statutory damages were justified because the defendant “willfully violated the statutes in question with blatant disregard for the rights of Facebook and [its users]” and willfully violated the preliminary injunction issued in that case.

However, the court exercised its discretion, and instead awarded $50 for each of the 14.2 million violations of the CAN-SPAM Act, and a fixed amount for a single violation of state anti-spam law, for a total award of more than $711 million.

Last year, in Tagged Inc. v. Does 1-10, 2010 WL 370331 (N.D. Cal. Jan. 25, 2010), the defendant initiated several thousand spam e-mails seeking to fraudulently entice users to click on hyperlinks for an adult dating Web site. The court entered default judgment in favor of the plaintiff for, among other things, violations of several provisions of the CAN-SPAM Act and awarded statutory damages of more than $151,000 and a permanent injunction in favor of the plaintiff.

Private Actions

In recent years, an interesting question has arisen: What types of Internet access services may bring actions under the CAN-SPAM Act?

Major ISPs, e-mail service providers, and social network sites generally qualify under the statute, but what about free e-mail services whose business model is essentially spam profiteering? Must a provider employ spam filters and other routine spam-blocking technology before it can claim to have been “adversely affected” by the receipt of illegal spam?

As the Ninth U.S. Circuit Court of Appeals has noted, Congress sought to limit the private right of action under the CAN-SPAM Act to a narrow group of plaintiffs because it was wary that the lure of substantial statutory damages would entice opportunistic plaintiffs to try to game the statutory scheme. Thus, in any private action, a threshold issue is whether the plaintiff satisfies the statutory standing requirements, which involves two general components: 1) whether the plaintiff is an Internet access service provider; and 2) whether the plaintiff was “adversely affected” by statutory violations.

To be sure, with the rise of social networking sites and other user-driven portals, the ability to create forums for others to post online content is no longer a specialized service, such that a bona fide access service may not necessarily be an ISP in the traditional sense.

In recent years, district courts, primarily in the Ninth Circuit, had interpreted the definition of “Internet access service” broadly to encompass a wide range of services that provided further access to content and communications for users who accessed the Internet through a conventional ISP. See, Hypertouch Inc. v. Kennedy-Western Univ., 2006 WL 648688 (N.D. Cal. March 8, 2006) (provider of e-mail service alone qualifies as an IAS provider); Facebook Inc. v. ConnectU LLC, 489 F.Supp.2d 1087 (N.D. Cal. 2007) (http://bit.ly/eYuZbg) (social media site qualifies as an IAS provider).

However, in 2009, the Ninth Circuit rejected overly broad interpretations of “Internet access service” and defined more narrowly what types of entities could be considered “bona fide” Internet access service providers under the CAN-SPAM Act.

'Gordon'

In Gordon v. Virtumundo Inc., 575 F.3d 1040 (2009) (http://bit.ly/gEunzn), the Ninth Circuit held that a small provider of free e-mail accounts and a self-described “professional plaintiff” who took no steps to stem the flow of spam did not have standing to pursue claims under the CAN-SPAM Act as a result of unsolicited commercial e-mail sent to its users.

While the court recognized that statutory standing was not limited
to traditional ISPs (and included providers such as social network
Web sites), the court stated that the plaintiff lacked standing under the Act.

The Ninth Circuit declined to set forth a general test or to define the outer bounds of what an IAS provider is, but stated generally that: 1) providing e-mail accounts alone is not sufficient to be an IAS provider; 2) IAS providers are generally distinct from entities that merely carry or receive such e-mail; and 3) there may be a technical or hardware component implicit in the definition.

The court commented that the plaintiff neither had physical control over, nor access to, the hardware at issue, which was owned by another provider, and that the plaintiff failed to operate as a “bona fide e-mail provider,” such that the plaintiff purposefully accumulated spam through a variety of means for the purpose of facilitating litigation.

As to the “adversely affected” standing requirement, the court stated that the receipt of a large volume of commercial e-mail was not enough to establish statutory standing, and that a plaintiff must plead something beyond the mere annoyance of spam and greater than the negligible burdens typically borne by an IAS provider in the ordinary course of business.

Rather, the court found that a plaintiff must plead those types of harms uniquely encountered by IAS providers, that is, network crashes, higher bandwidth utilization, and increased costs for hardware and software upgrades, network expansion and additional personnel, such that, in most cases, “evidence of some combination of operational or technical impairments and related financial costs attributable to unwanted commercial e-mail would suffice.”

The court also noted that trial courts should take a closer look at services that may not be bona fide providers, yet also stated that any heightened standing threshold should not pose a high bar for the legitimate service operations and well-recognized ISPs.

Not surprisingly, the plaintiff has not been able to overcome the standing issue in other spam-related disputes. See, e.g., Gordon v. First Premier Bank Inc., 2009 WL 5195897 (E.D. Wash. Dec. 21, 2009); Omni Innovations LLC v. Inviva Inc., 2010 WL 771499 (W.D. Wash. March 2, 2010) (http://bit.ly/guuADc).

Frequently Cited

Subsequently, Gordon has been cited multiple times by courts inside the Ninth Circuit and followed by at least one court outside of the circuit.

For example, in Ferguson v. Active Response Group, 2009 WL 3229301 (9th Cir. Oct. 8, 2009) (unpublished) (http://bit.ly/e5IDNZ), a service provider that offered free e-mail forwarding services lacked standing under the CAN-SPAM Act because the operator was not “adversely affected” by incoming spam when the service was forced to switch to a broadband connection.

Similarly, in Melaleuca Inc. v. Hansen, No 07-212 (D. Idaho Sept. 30, 2010) (http://bit.ly/fHBAs2), the court ruled that a marketing company that possessed a domain name and also offered e-mail services through a third party was not a bona fide ISP under the CAN-SPAM Act and lacked standing to pursue a claim.

The U.S. District Court for the District of Columbia also recently followed Gordon in finding that a digital media outsourcing and consulting firm that made no allegations that it was an Internet access service that suffered network harms lacked standing under the CAN-SPAM Act. RJ Production Co. v. Nestle USA Inc., 2010 WL 1506914 (D.D.C. April 15, 2010) (http://bit.ly/fThfYj).

Ultimately, so-called professional plaintiffs and “spam businesses” that set up small e-mail services to collect and profit from the flood of spam have been greatly impacted by the Ninth Circuit's ruling.

For instance, Asis Internet Services, a small e-mail service provider that had brought at least 20 actions seeking to profit from CAN-SPAM violations, achieved mixed results in its litigation campaign. However, after the Ninth Circuit ruled that it lacked standing under the CAN-SPAM Act, the district court, on remand, awarded more than $806,000 in attorney's fees to one of the remaining defendants, an amount that threatens to place Asis in either bankruptcy or corporate dissolution. See, Asis Internet Services v. Azoogle.com Inc., 2009 WL 4841119 (9th Cir. Dec. 2, 2009) (unpublished) (http://bit.ly/hti43Z); Asis Internet Servs. v. Optin Global Inc., 2010 WL 2035327 (N.D. Cal. May 19, 2010).

Subsequently, Asis voluntarily dismissed its final open spam-related action in the Northern District of California. See, Asis Internet Services v. Subscriberbase Inc., 2010 WL 3504792 (N.D. Cal. Sept. 8, 2010).

Conclusion

It remains to be seen whether serial litigants will stop pursuing spam litigation or will alter their practices and seek to qualify as bona fide service providers that may attain statutory standing under the CAN-SPAM Act.

While improved filters at the enterprise and Internet service provider (“ISP”) level have lightened the flow of unsolicited commercial “junk” e-mail (known colloquially as “spam”) that formerly flooded Inboxes during the last decade, spam continues to create consternation among Internet users and service providers.

Beyond wasted time and aggravation, spam remains a serious concern for businesses, institutions and other entities worried about network slowdowns, server crashes, data security breaches and increased costs for spam detection. All of this has inspired frustration, countermeasures and lawsuits.

The federal Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”) Act attempts to strike a balance, that is, to curb the negative consequences of spam without stifling legitimate marketing and e-commerce. The law provides only a limited private right of action, such that only qualified “Internet access providers” are permitted to bring actions against violators of the Act.

Recently, a number of small entities and e-mail service providers have sought to use the CAN-SPAM Act to profit from the receipt of spam, but have faced increased scrutiny from federal courts.

This article discusses the CAN-SPAM Act generally, some notable spam judgments, and recent decisions interpreting the standing requirements under the federal statute.

CAN-SPAM in General

In 2003, Congress passed the CAN-SPAM Act to combat a growing onslaught of fraudulent and offensive unsolicited e-mails. See, 15 U.S.C. ”7701-7713 (www.law.cornell.edu/uscode/uscode15/usc_sup_01_15_10_103.html).

The Act does not ban spam outright, but rather provides a code of conduct to regulate commercial e-mail practices in terms of format and labeling. It prohibits persons from, among other things, sending e-mails with deceptive subject headings, or sending e-mails without including the advertiser's physical postal address or a mechanism for the recipient to opt out of future mass e-mail campaigns.

While the Act protects consumers by offering them a legal right to “opt-out” of future spam, in general, a recipient's permission to initially receive commercial e-mail is not required.

The statute empowers the Federal Trade Commission to enforce the Act rather than individual consumers. See, 15 U.S.C. '7706(a). However, the statute recognizes a limited cause of action for state attorneys general and certain private entities that are 1) “provider[s] of Internet access
service” which are 2) “adversely affected” by a violation of specific provisions of the act. See, 15 U.S.C. '7706(g)(1).

The CAN-SPAM Act defines the term “Internet access service” (“IAS”) as “a service that enables users to access content, information, electronic mail, or other services offered over the Internet, and may also include access to proprietary content, information, and other services as part of a package of services offered to consumers.” 15 U.S.C. '7702(11) (citing 47 U.S.C. '231(e)(4)).

The statute does not delineate the types of harm suggested by the “adversely affected” language, but courts have generally concluded that it must be of the problems uniquely experienced by Internet access services.

The Act provides for both civil and criminal penalties. When a state entity or Internet access provider is enforcing the Act, a court may award injunctive relief, as well as impose actual or statutory damages.

In a state action, brought by an attorney general, the amount of statutory damages can range from $250 per e-mail. In an Internet access provider case, the statutory damages penalty range is from $25 per e-mail for most violations (up to a total of $1 million) and $100 per e-mail for displaying false or misleading transmission information (with no damage cap).

A court may award treble damages for willful, knowing or aggravated violations, which may include such practices as directory harvesting and the automated creation of multiple e-mail accounts. Courts also examine whether the defendant implemented commercially reasonable practices and procedures to prevent CAN-SPAM Act violations. Attorney's fees also are available under the act.

Noteworthy Judgments

Huge damage awards under the CAN-SPAM Act are not uncommon, though whether a successful plaintiff can recover a multimillion-dollar judgment from a small spam operation or foreign defendant is a separate legal obstacle.

While many of the newsworthy spam judgments from the last decade involved major ISPs (see, e.g., America Online Inc v. Smith, 2006 WL 181674 (E.D. Va. Jan. 24, 2006) (http://bit.ly/fztDTI)), in the last several years, social networks have sought relief in the courts from spam and phishing schemes launched from fraudulent accounts. For example, in Facebook v. Guerbuez, No. C08-03889 (N.D. Cal. Nov. 21, 2008) (http://bit.ly/fTuJEW), the social network plaintiff was awarded a $837 million default judgment against a defendant who had sent more than four million spam e-mails to other Facebook users. After Facebook sought to enforce the U.S. judgment in Quebec, the Canadian defendant sought bankruptcy protection.

In Facebook Inc. v. Wallace, 2009 WL 3617789 (N.D. Cal. Oct. 29, 2009) (http://bit.ly/g1Z2jm), the social network sought a default judgment of more than $7 billion in statutory damages under the CAN-SPAM Act and California law against an individual who engaged in a phishing and spamming scheme that compromised the accounts of a substantial number of users.

The court found that statutory damages were justified because the defendant “willfully violated the statutes in question with blatant disregard for the rights of Facebook and [its users]” and willfully violated the preliminary injunction issued in that case.

However, the court exercised its discretion, and instead awarded $50 for each of the 14.2 million violations of the CAN-SPAM Act, and a fixed amount for a single violation of state anti-spam law, for a total award of more than $711 million.

Last year, in Tagged Inc. v. Does 1-10, 2010 WL 370331 (N.D. Cal. Jan. 25, 2010), the defendant initiated several thousand spam e-mails seeking to fraudulently entice users to click on hyperlinks for an adult dating Web site. The court entered default judgment in favor of the plaintiff for, among other things, violations of several provisions of the CAN-SPAM Act and awarded statutory damages of more than $151,000 and a permanent injunction in favor of the plaintiff.

Private Actions

In recent years, an interesting question has arisen: What types of Internet access services may bring actions under the CAN-SPAM Act?

Major ISPs, e-mail service providers, and social network sites generally qualify under the statute, but what about free e-mail services whose business model is essentially spam profiteering? Must a provider employ spam filters and other routine spam-blocking technology before it can claim to have been “adversely affected” by the receipt of illegal spam?

As the Ninth U.S. Circuit Court of Appeals has noted, Congress sought to limit the private right of action under the CAN-SPAM Act to a narrow group of plaintiffs because it was wary that the lure of substantial statutory damages would entice opportunistic plaintiffs to try to game the statutory scheme. Thus, in any private action, a threshold issue is whether the plaintiff satisfies the statutory standing requirements, which involves two general components: 1) whether the plaintiff is an Internet access service provider; and 2) whether the plaintiff was “adversely affected” by statutory violations.

To be sure, with the rise of social networking sites and other user-driven portals, the ability to create forums for others to post online content is no longer a specialized service, such that a bona fide access service may not necessarily be an ISP in the traditional sense.

In recent years, district courts, primarily in the Ninth Circuit, had interpreted the definition of “Internet access service” broadly to encompass a wide range of services that provided further access to content and communications for users who accessed the Internet through a conventional ISP. See, Hypertouch Inc. v. Kennedy-Western Univ., 2006 WL 648688 (N.D. Cal. March 8, 2006) (provider of e-mail service alone qualifies as an IAS provider); Facebook Inc. v. ConnectU LLC , 489 F.Supp.2d 1087 (N.D. Cal. 2007) ( http://bit.ly/eYuZbg ) (social media site qualifies as an IAS provider).

However, in 2009, the Ninth Circuit rejected overly broad interpretations of “Internet access service” and defined more narrowly what types of entities could be considered “bona fide” Internet access service providers under the CAN-SPAM Act.

'Gordon'

In Gordon v. Virtumundo Inc. , 575 F.3d 1040 (2009) ( http://bit.ly/gEunzn ), the Ninth Circuit held that a small provider of free e-mail accounts and a self-described “professional plaintiff” who took no steps to stem the flow of spam did not have standing to pursue claims under the CAN-SPAM Act as a result of unsolicited commercial e-mail sent to its users.

While the court recognized that statutory standing was not limited
to traditional ISPs (and included providers such as social network
Web sites), the court stated that the plaintiff lacked standing under the Act.

The Ninth Circuit declined to set forth a general test or to define the outer bounds of what an IAS provider is, but stated generally that: 1) providing e-mail accounts alone is not sufficient to be an IAS provider; 2) IAS providers are generally distinct from entities that merely carry or receive such e-mail; and 3) there may be a technical or hardware component implicit in the definition.

The court commented that the plaintiff neither had physical control over, nor access to, the hardware at issue, which was owned by another provider, and that the plaintiff failed to operate as a “bona fide e-mail provider,” such that the plaintiff purposefully accumulated spam through a variety of means for the purpose of facilitating litigation.

As to the “adversely affected” standing requirement, the court stated that the receipt of a large volume of commercial e-mail was not enough to establish statutory standing, and that a plaintiff must plead something beyond the mere annoyance of spam and greater than the negligible burdens typically borne by an IAS provider in the ordinary course of business.

Rather, the court found that a plaintiff must plead those types of harms uniquely encountered by IAS providers, that is, network crashes, higher bandwidth utilization, and increased costs for hardware and software upgrades, network expansion and additional personnel, such that, in most cases, “evidence of some combination of operational or technical impairments and related financial costs attributable to unwanted commercial e-mail would suffice.”

The court also noted that trial courts should take a closer look at services that may not be bona fide providers, yet also stated that any heightened standing threshold should not pose a high bar for the legitimate service operations and well-recognized ISPs.

Not surprisingly, the plaintiff has not been able to overcome the standing issue in other spam-related disputes. See, e.g., Gordon v. First Premier Bank Inc., 2009 WL 5195897 (E.D. Wash. Dec. 21, 2009); Omni Innovations LLC v. Inviva Inc., 2010 WL 771499 (W.D. Wash. March 2, 2010) (http://bit.ly/guuADc).

Frequently Cited

Subsequently, Gordon has been cited multiple times by courts inside the Ninth Circuit and followed by at least one court outside of the circuit.

For example, in Ferguson v. Active Response Group, 2009 WL 3229301 (9th Cir. Oct. 8, 2009) (unpublished) (http://bit.ly/e5IDNZ), a service provider that offered free e-mail forwarding services lacked standing under the CAN-SPAM Act because the operator was not “adversely affected” by incoming spam when the service was forced to switch to a broadband connection.

Similarly, in Melaleuca Inc. v. Hansen, No 07-212 (D. Idaho Sept. 30, 2010) (http://bit.ly/fHBAs2), the court ruled that a marketing company that possessed a domain name and also offered e-mail services through a third party was not a bona fide ISP under the CAN-SPAM Act and lacked standing to pursue a claim.

The U.S. District Court for the District of Columbia also recently followed Gordon in finding that a digital media outsourcing and consulting firm that made no allegations that it was an Internet access service that suffered network harms lacked standing under the CAN-SPAM Act. RJ Production Co. v. Nestle USA Inc., 2010 WL 1506914 (D.D.C. April 15, 2010) (http://bit.ly/fThfYj).

Ultimately, so-called professional plaintiffs and “spam businesses” that set up small e-mail services to collect and profit from the flood of spam have been greatly impacted by the Ninth Circuit's ruling.

For instance, Asis Internet Services, a small e-mail service provider that had brought at least 20 actions seeking to profit from CAN-SPAM violations, achieved mixed results in its litigation campaign. However, after the Ninth Circuit ruled that it lacked standing under the CAN-SPAM Act, the district court, on remand, awarded more than $806,000 in attorney's fees to one of the remaining defendants, an amount that threatens to place Asis in either bankruptcy or corporate dissolution. See, Asis Internet Services v. Azoogle.com Inc., 2009 WL 4841119 (9th Cir. Dec. 2, 2009) (unpublished) (http://bit.ly/hti43Z); Asis Internet Servs. v. Optin Global Inc., 2010 WL 2035327 (N.D. Cal. May 19, 2010).

Subsequently, Asis voluntarily dismissed its final open spam-related action in the Northern District of California. See, Asis Internet Services v. Subscriberbase Inc., 2010 WL 3504792 (N.D. Cal. Sept. 8, 2010).

Conclusion

It remains to be seen whether serial litigants will stop pursuing spam litigation or will alter their practices and seek to qualify as bona fide service providers that may attain statutory standing under the CAN-SPAM Act.