CAN-SPAM Act Clarified
The Federal Trade Commission (“FTC”) has issued a Final Rule that adds four new provisions and provides clarification of some of the CAN-SPAM Act’s requirements. This Final Rule, effective July 7, 2008, is the culmination of work that was begun three years ago with a proposed FTC rule, and takes into account comment letters from 150 individuals, businesses, and organizations.
The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003) regulates the sending of unsolicited commercial emails, and became effective January 1, 2004. Although “spam” is generally defined as unsolicited commercial e-mail sent to a large number of addresses, the Act makes no distinction between solicited and unsolicited commercial e-mail. It defines commercial e-mail as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose)." Transactional or relationship messages are not subject to or regulated by the Act.
The CAN-SPAM Act outlaws certain commercial acts and practices with respect to commercial email, and imposes requirements on senders of commercial emails:
- The transmission of any email that contains false or misleading header or “from” line information is prohibited.
- The transmission of emails with false or misleading “subject” line information is prohibited.
- The Act requires that a commercial email message contain a functioning return email address or similar Internet-based mechanism for recipients to use to “opt out” of receiving future commercial email messages.
- The sender, or others acting on the sender’s behalf, is prohibited from initiating a commercial email to a recipient more than ten business days after the recipient has opted out.
- A commercial email may not be sent without including three disclosures – a clear and conspicuous indication that the email is an advertisement or solicitation, a message and mechanism for the recipient to opt out of future solicitations, and a postal address for the sender.
Four specific practices are cited by the CAN-SPAM Act as “aggravated violations” which, when alleged and proven in combinations with certain other violations of the Act, will increase the statutory damages imposed upon the sender. These practices are: address harvesting; dictionary attacks; automated creation of multiple email accounts; and relaying or retransmitting through unauthorized access to a protected computer or network.
Changes to Definitions
The FTC made some changes several changes to the definitions found in the Act:
- It modified the definition of “sender” to clarify that for single emails promoting the products, services or Internet website of multiple persons, each of the persons whose products or services are promoted will be deemed to be a “sender” of the email, except that such emails will be considered to have only one sender if: (1) one person is within the definition of “sender” under the Act, (2) that person is identified in the “from” line as the sole sender of the email, and (3) that person complies with certain provisions of the Act that are applicable to initiators of emails.
This change provides a more flexible approach for email marketers, and is more logical from a consumer perspective since the consumer is likely to focus on the “from” line to identify the sender. It is this sender that must honor “opt out” requests, and is responsible for the email’s compliance with the CAN-SPAM Act requirements. It is important to realize, however, that liability for compliance with the Act does not shift exclusively to the sender, since certain other requirements and prohibitions imposed by the Act upon “initiators” of emails, will continue to apply to all persons identified in the commercial email.
- It added the new definition of “person” to mean any individual, group, unincorporated association, limited or general partnership, corporation, or other business entity. Despite strident calls by commentators to exempt non-profit entities, the FTC refused to do so, stating that consumers were deserving of the protections provided by the Act against all forms of spam, no matter the nature of the sender’s enterprise.
- The Act requires senders to include a “valid physical postal address” in any commercial email. The FTC broadened the definition of this term to allow senders to use post office boxes that have been accurately registered with the U.S. Postal Service, or a private mailbox accurately registered with a commercial mail receiving agency operating according to the U.S. Postal Service regulations.
Transactional or Relationship Messages
The FTC considered whether to change the statutory definition of “transactional or relationship messages,” to address various types of messages such as legally mandated notices, debt collection email communications, and employment-related messages. It ultimately declined to make any changes to the statutory definition, since none of the types of messages put forth in the Notice of Proposed Rulemaking met the statutory standard for modifying the definition. Some of the issues raised by the commentators with respect to a particular type of message could be resolved using the “primary purpose test”, as in the case of legally mandated messages, messages concerning copyright infringement or emails messages for the purpose of conducting market research. In the case of others, such as messages from debt collectors, including third party agents, or in the case of most employment-related email messages, the overwhelming majority of such messages will likely fall within the existing definition of “transactional or relationship messages.”
However, the FTC did provide guidance on the interpretation of some particular forms of communication:
- Email messages to effectuate or complete a negotiation will be considered “transactional or relationship messages” if issued in connection with a commercial transactions. However, where an unsolicited email delivers an offer to purchase goods or services, and attempts to launch a negotiation as part of the message, it would not fall within the definition of “transactional or relationship messages.”
- Email messages facilitating, completing or confirming registration with a “free” internet service where there is no exchange of consideration are likely to be “transactional or relationship messages,” but the FTC was not willing to preclude the possibility that such a message may be commercial even if there is no exchange of consideration.
- Where a recipient subscribes to a newsletter or other periodical to be delivered by email, or to which the recipient is entitled as a result of a prior transaction, the FTC would consider such an email to be a “transactional or relationship message,” as opposed to an unsolicited newsletter or periodical to which the recipient has not subscribed, which would likely be considered a commercial message.
The FTC was persuaded by the commentators to modify its earlier position on forward-to-a-“friend” messages. This type of message could arise under two different scenarios – where the content of the email message encouraged the recipient to forward the message to others, and where the seller’s web site encouraged visitors to supply others’ email addresses. Rather than attempt to refine the definition based upon the nature and method of forwarding, the FTC established a bright line test that turns on the presence or absence of consideration for the act of forwarding. A seller would not have liability under the Act for the forwarding of these types of email messages so long as the seller did not offer consideration for the forwarding. No matter what the nature (coupons, discounts, rewards) or amount of consideration – even an offer of de minimus consideration – an offer of consideration will be sufficient to cause the seller to be an “initiator” of the forwarded message, and subject the seller to liability under the Act.
No Fee for Opting Out
The FTC adopted a rule prohibiting a sender of commercial emails from imposing a fee upon a recipient for opting out of future unsolicited emails, or from requiring the recipient to provide any information other than a recipient’s email address and opt out preferences.
The CAN-SPAM Act gives the FTC enforcement authority for the Act. In addition, the Act gives the state attorneys general the authority to bring an enforcement action in federal court after giving advance notice to the FTC where possible. Finally, internet service providers may bring a federal court action to enforce certain of the Act’s prohibitions. The enforcement authority given to the FTC is the same as that afforded the FTC under its trade regulation rule authority, meaning that each violation is subject to fines of $11,000 per day, with additional penalties where “aggravated violations” are proven.