Disclaimer: This page does not constitute legal advice. For your company's specific situation you need to consult your attorney. But this article lays out some general guidelines for understanding and conforming to the CAN-SPAM Act of 2003, the "Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003." The law took effect January 1, 2004.
You can find the text of the law here.
As of January 1, 2004, the CAN-SPAM Act of 2003 marshalled US federal law against the grossest form of spam. This gives us a tool to begin to shut down the spammers and their merchant allies. But the law affects all online businesses that use e-mail in their marketing. Here's how.
CAN-SPAM is an opt-out law. For most purposes, permission of the e-mail recipient is not required, but if a recipient wants to unsubscribe or opt-out, you'd better stop sending e-mails or be subject to severe penalties. In short, CAN-SPAM:
- Prohibits fraudulent or deceptive subject lines, headers, return addresses, etc.
- Makes it illegal to send e-mails to e-mail addresses that have been harvested from websites.
- Criminalizes sending sexually-oriented e-mails without clear markings.
- Requires that you have a working unsubscribe system that makes it easy for recipients to unsubscribe or opt out of receiving your e-mails.
- Requires most e-mailers to include their postal mailing address in the message.
- Implicates not only spammers, but those who procure their services. Indeed, if you fail to prevent spammers from promoting your products and services you can be prosecuted.
- Includes both criminal and civil penalties and allows suits by the Federal Trade Commission (FTC), State Attorneys General, and Internet Service Providers.
To Whom Does CAN-SPAM Apply?
The CAN-SPAM Act applies to essentially all businesses in the US that use e-mail. It defines a "commercial electronic mail message" -- which is regulated by this law -- as any e-mail message "the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose)" (Sec. 3(2)). Nearly any business e-mail would be covered -- e-mail newsletters as well as standalone promotional e-mails. That doesn't mean that all your e-mails are spam, only that the Act governs them. Personal e-mails (and perhaps non-profit organizations) don't seem to be covered. The Act's definition of commercial e-mail explicitly excludes "a transactional or relationship message" (Sec. 3(2)(B)), covering e-mails contacting customers about their accounts, product upgrades, ongoing services, etc.
An Opt-Out Approach to Spam
Unlike California's pending anti-spam legislation (which will be superseded by federal law), the CAN-SPAM Act is an opt-out approach to spam. California was going to require marketers to prove "direct consent" of those to whom they e-mail. In contrast, the new federal law will require businesses to stop sending e-mails to those who request to be removed from a list. This requires a functioning reply address or e-mail unsubscribe system that operates for at least 30 days after your last mass e-mailing (Sec. 5(3)). In addition, you must include your postal address and a clear indication that the e-mail includes a solicitation, unless you have "prior affirmative assent" from the recipient (Sec. 5(a)(5)).
Without having obtained "prior affirmative consent," the pornographer also must label the subject line clearly to indicate its content. (The wording of this is to be determined by the FTC.) With express consent of the recipient, however, subject lines need not be labeled to indicate sexual content.
Before you give up on permission marketing, however, realize that the current CAN-SPAM Act is just the beginning, the lowest level of spam protection that could be pushed through Congress given the various political special interests. The new legislation directs the FTC to investigate a "Do-Not-Email" list approach (Section 9). If such a list is approved, then marketers wouldn't be able to send commercial e-mails to any e-mail address on the Do-Not-Email list unless they had obtained
Compliance Guidelines. Make sure your unsubscribe system works. Better yet, allow people to select what kinds of messages they wish to receive from you. That way you may keep some people that would opt-out entirely if they didn't have a choice.
We recommend using a confirmed or double opt-in system. It is the only way you'll be able to prove that people gave express consent to receive your e-mail. Yes, you may lose 30% of your new subscribers who never confirm. But they weren't likely to be good customers anyway. Bite the bullet and institute a confirmed opt-in system so you'll be ahead of the curve. We fully expect express consent to be required in the future.
E-Mail Deception Is Now a Crime
One of the most persistent problems with spam is the tricks and deceptions that prevent spam e-mails from being filtered out and refused by ISPs and recipients. From now on, fraudsters, hackers, and tricksters can face jail time. The CAN-SPAM Act (Sections 4(a) and 5(a)) prohibits such spammer tricks as:
- Hijacking another e-mail server to send or relay spam.
- Falsifying e-mail headers or e-mail addresses to hide one's identity.
- Using someone else's e-mail address in the "from" field.
- Registering for e-mail addresses under false identities.
- Deceptive subject headings.
These crimes can get you three to five years in the federal slammer plus confiscation of any real or personal property you've purchased with your spam earnings. The sentence can get worse if you send to e-mail addresses obtained through several means, such as:
- Harvesting e-mail addresses that appear on websites.
- Randomly generating e-mail addresses.
- Knowingly linking an e-mail ad to a fraudulently registered domain.
- Participating in other offenses such as fraud, identity theft, obscenity, and child pornography and exploitation.
Compliance Guidelines. Be honest in the way you obtain e-mail addresses and in your e-mail promotions. Honesty is just good business, of course, since it shows respect for the customer. Business is all about meeting customer needs -- not tricking them!
Are Harvested E-Mails Taboo?
It's been pretty common practice for computer robots to crawl webpages and make a record of ("harvest") any e-mail addresses that appear on those pages. Under the new Act, using such harvested e-mail addresses to send e-mails is illegal and can result in aggravated penalties. Does the law exempt e-mail addresses that were harvested prior to the new law? We don't think so. The Act states that it is unlawful to send -- or provide e-mail addresses for an e-mailing -- "if such person had actual knowledge, or knowledge fairly implied on the basis of objective circumstances that the electronic mail address of the recipient was obtained using an automated means from an Internet website..." (Sec. 5(b)(1)). Automated harvesting of e-mail addresses is not in itself unlawful, but using those harvested addresses to send e-mails is unlawful -- so long as the e-mailing takes place after the effective date of the law.
Compliance Guidelines. Be aware that sending e-mails to potential reciprocal linking partners whose e-mail address is identified by automatic means would be illegal under the new law. For years, experts have been recommending a personal approach to possible e-mail linking partners. Now it's the law.
If you've been sending spam to e-mail addresses you obtained from CDs of e-mail addresses or that you downloaded from some so-called "opt-in" or "safe" e-mail address service, you'll be in trouble. You might counter: "They claimed these e-mail addresses were strictly opt-in" or "I didn't know." If you can "buy" a list so you have actual possession of the e-mail addresses, we can almost guarantee you that the list is neither really opt-in nor safe.
The going rate for one-time rental of legitimate opt-in lists is about 6¢ to 10¢ per name for consumer lists, and 10¢ to 40¢ per name for B2B lists. If you get a "good deal" on 1 million e-mail addresses for $25, don't claim that you didn't realize the addresses were probably obtained illegally. Some Attorney General may argue that any idiot should have known they must have been illegally obtained. Even if you were to win, defending yourself against such an accusation could be very expensive. Sending millions of e-mails to illegally obtained addresses -- or e-mail addresses from an unknown source -- is now too risky for all but the most foolhardy marketers.
Who Is Liable?
The law covers both spammers and those who "procure" their services (Secs. 3(9), 3(12), and 3(16)(A)). You can't just outsource your spamming and get off the hook. You can be held liable if the e-mail service you employ isn't actually using a permission-based list. Under some parts of the law you may be found guilty if you procured an e-mailing "with actual knowledge, or by consciously avoiding knowing, whether such person is engaging or will engage, in a pattern or practice that violates this Act" (Sec. 7(g)(2)).
Compliance Guidelines. You are responsible not only for the legality of your own e-mail lists, but also the legality of any lists you rent or buy. If you do business with a shady operator, it could come back to bite you. You might be able to claim you had "no knowledge" of this or that they misrepresented the truth, but you might be hard-pressed to prove otherwise to a judge.
Keep Tabs on Your Affiliates' E-Mailings
If you have affiliates using e-mail marketing to promote your products, you could be in trouble. The law stipulates that "it is unlawful for a person to promote, or allow the promotion of, that person's trade or business ... if that person knows, or should have known in the ordinary course of that person's trade or business, that the goods ... were being promoted in such a message ... and took no reasonable action to prevent the transmission..." (Sec. 6(a)).
Compliance Guidelines. Make sure that you specify clearly in the terms of your Affiliate Agreement that sending e-mails, except with clear permission, is prohibited and that breach of this is considered cause for termination. If you detect that someone is sending spam promoting your product, the law holds you blameless only if you either (a) take action to prevent the e-mailing or (b) report it to the FTC (Sec. 6(a)(3)). Seek legal counsel and thoroughly document any action you take in case you have to defend yourself.
When the CAN-SPAM Act became effective it superseded all State anti-spam laws. Enforcement of the CAN-SPAM Act of 2003 has drawn criticism. The Act does not allow e-mail recipients to sue spammers -- only the FTC, State Attorneys General, and Internet Service Providers. However, statutory damages can be stiff. A State Attorney General can sue for $250 per illegal e-mail message up to a maximum of $2 million -- more if the offense includes certain aggravating violations (Sec. 7(f)). Internet Service Providers can sue in federal district court for $100 per illegal e-mail message up to a maximum of $1 million or more (Sec. 7(g)(3)).
A Good First Step
Despite the criticism -- much of it on target -- we believe that the CAN-SPAM Act is a good start. Hopefully, Congress will move swiftly to close loopholes. They've directed the FTC to consider the possibilities of awarding those who report infractions 20% or more of the civil penalties collected.
The Act should induce US marketers who have engaged in spamming to change their behavior or face prosecution. Even if foreign or offshore e-mailers continue to bombard US recipients with e-mails, this law should make it prohibitively risky to promote US products or services. The Act isn't all we might have wanted. But it is still likely to take a big bite out of spam -- so to speak.