To: Interested Parties
From: David H. Kramer
Date: July 26, 2006
Re: Federal “CAN-SPAM” Act
The first-ever federal legislation directed to the transmission
of commercial email, titled the CAN-SPAM Act, took effect on January 1,
2004. The legislation preempted most state laws targeting email marketing
including California’s outright ban on spam. CAN-SPAM is largely
directed to fraudulent and deceptive practices employed by illegitimate
marketers. It does, however, set forth requirements applicable to all
entities sending commercial email messages.1
Criminal Prohibitions on Fraudulent Email Marketing Tactics
CAN-SPAM contains criminal prohibitions on some of the most offensive,
fraudulent tactics employed in the transmission of email advertising.
For example, the legislation prohibits the hijacking of others’
computers, the falsification of “header” information, and
the use of fraudulently obtained email accounts in connection with the
transmission of commercial email messages. While these tactics are already
illegal under computer crime and consumer protection statutes, the legislation
identifies them specifically for enhanced punishment.
Regulation of Email Marketing In General
CAN-SPAM takes a decidedly pro-marketing approach to email. The legislation
effectively authorizes a sender to transmit truthful commercial email
messages to a recipient as often as the sender wishes, unless and until
the recipient opts-out of receiving such messages. All commercial email
messages, however, must contain the following:
1. A clear and conspicuous identification that the message is an advertisement
or solicitation. The FTC has previously described the “clear
and conspicuous” requirement: www.ftc.gov/bcp/conline/pubs/buspubs/dotcom/index.html#III.
The legislation is silent as to precisely what the identification must
be, leaving it to the discretion of the sender.2
Further, this requirement is not applicable to commercial email messages
sent to recipients who have given their “affirmative consent”
to receive them.3
2. A clear and conspicuous notice to the recipient of an opportunity
to decline to receive further commercial email messages from the sender
via a working “unsubscribe” mechanism. The legislation
requires that a commercial email message contain “a functioning
return email address or other Internet-based mechanism” through
which a recipient may submit an opt-out request “in a manner specified
in the message.” Thus, the required opt-out mechanism is expressly
left to the discretion of the sender. While marketers may choose to allow
recipients to opt-out by replying to a message or by clicking on a link
in a message, the legislation appears also to contemplate a method in
which the recipient visits a website and utilizes an opt-out mechanism
presented there.4
Notably, if a recipient opts-out of receiving further messages from a
sender, neither the sender nor its agents may send further commercial
email messages to the recipient more than ten business days after receiving
the opt-out request.
3. A valid physical postal address of the sender.5
Prohibitions on Deceptive Practices
In addition to its specific content requirements, CAN-SPAM prohibits the
use of deceptive subject lines and the falsification of “header”
or transmission information in commercial email messages. More importantly,
while CAN-SPAM generally preempts state laws, it does not preempt those
that prohibit falsity or deception in any portion of a commercial email
message. Because there are already a host of such state laws, some of
which carry significant penalties, email marketers must ensure that their
messages are not deceptive in any way.
Enforcement
CAN-SPAM contains relatively limited civil enforcement authority, making
it unlikely that any but the most egregious violations will result in
liability. Most importantly, CAN-SPAM does not authorize recipients of
messages sent in violation of the law to sue the sender themselves.
The principal enforcer under the legislation is the FTC which is authorized
to seek civil penalties of up to $11,000 per knowing violation. The FTC
may also seek injunctive relief to prohibit violations, knowing or not.
State law enforcement agencies may also prosecute certain violations and
seek injunctive relief and statutory damages of up to $250 for each prohibited
email message, with a cap of $2 million per suit. Internet access providers
may likewise pursue certain violators to obtain injunctive relief and
statutory damages of up to $25 per message with a $1 million cap in most
cases. In setting a per message statutory damages award, a court may take
into account the fact that a violation occurred despite “good faith
efforts” to comply with reasonable practices to prevent violations.
A court may also treble any statutory damages award in the event of willful
violations, or the presence of aggravating circumstances such as “dictionary
attacks” and “address harvesting.”
In December 2005, the FTC issued a report to Congress on CAN-SPAM’s
effectiveness in its first two years. See http://www.ftc.gov/reports/canspam05/051220canspamrpt.pdf.
The report concludes that the legislation has been effective at providing
legitimate marketers with a roadmap for their email campaigns, but that
the spam problem will not be solved through legislation alone.
While this memo details the major aspects of CAN-SPAM,
it is certainly not an exhaustive analysis of the legislation. This memo
also is not intended and should not be interpreted to establish an attorney-client
relationship between those reading the memo and attorneys at Wilson Sonsini
Goodrich & Rosati.
1 The legislation defines “commercial email message” as a
message whose “primary purpose is the commercial advertisement or
promotion of a commercial product or service (including content on an
Internet website operated for a commercial purpose).” The definition
expressly excludes “transactional or relationship messages”
defined as messages that are sent to facilitate an agreed upon transaction
or to update a recipient on an existing business relationship. More information
on identifying the “primary purpose” of a message may be found
in the Federal Trade Commission’s Final Rule on the issue. See http://www.ftc.gov/os/2005/01/050112canspamfrn.pdf
2 The legislation defines “commercial email message” as a
message whose “primary purpose is the commercial advertisement or
promotion of a commercial product or service (including content on an
Internet website operated for a commercial purpose).” The definition
expressly excludes “transactional or relationship messages”
defined as messages that are sent to facilitate an agreed upon transaction
or to update a recipient on an existing business relationship. More information
on identifying the “primary purpose” of a message may be found
in the Federal Trade Commission’s Final Rule on the issue. See http://www.ftc.gov/os/2005/01/050112canspamfrn.pdf
3 The legislation directs the FTC to issue a report setting forth a plan
for enabling a commercial email message to be identifiable as such from
its subject line. The FTC was expressly directed to consider requiring
senders to include the label “ADV” in the subject line of
messages, but is also asked to set forth concerns that may arise from
any labeling requirement. The FTC subsequently conducted that proceeding
and issued a report recommending that Congress not require senders of
commercial email messages to include a particular subject line identifier.
See http://www.ftc.gov/reports/canspam05/050616canspamrpt.pdf. To date,
Congress has not required the use of such an identifier.
4 “Affirmative Consent” is defined as express consent from
the recipient to receive the message given in response to a clear and
conspicuous request or at the recipient’s own initiative. A recipient’s
consent may extend to third parties if, at the time the consent is given,
the recipient is given clear and conspicuous notice that his or her email
address may be transferred to others and used by them for the transmission
of commercial email.
In debates over CAN-SPAM, the question of whether to establish a national
“Do-Not Email” registry received considerable attention. Ultimately,
Congress decided to table the issue, authorizing the FTC to report to
Congress on plan for implementing such a registry, without requiring that
the registry be implemented. The FTC concluded that proceeding in June
2004 and issued a report recommending that no registry be implemented.
See http://www.ftc.gov/reports/dneregistry/report.pdf
5 “Sender” is defined in the legislation as one who originates,
transmits, pays for or induces the transmission a commercial email message
and whose product or service is promoted by the message. Thus, the advertiser
featured in a given message is the “sender.” The legislation
authorizes an entity to send messages through different divisions or lines
of business, with each such division or line constituting a separate “sender,”
provided the distinctness of the division/line is made clear throughout
each message. Under such circumstances, a recipient’s request to
opt-out of mailings from one division does not operate as an opt-out from
all divisions within the company.
