Opting In: Congress Passes The CAN-SPAM Act Of 2003

Sunday, February 1, 2004 - 01:00

Has your in-box improved with the start of the New Year? Do you miss receiving the avalanche of emails pitching generic V*i*a*g*r*a, fast ways to immediate cash, and foolproof stock-picking websites? If your answer to the preceding questions is "no," then the recently-passed federal anti-spam act probably hasn't done much good. In truth, it is too early to tell whether the legislation is a panacea or a placebo. The new law appears to have been passed largely so that Congress can say it did something about the phenomenon everyone loves to hate, rather than out of a conviction that this legislation is an answer to the problem. The significant point is that companies that use email in their everyday operations may have to change their practices in order not to run afoul of its provisions.

The statute under discussion is "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003" or "CAN-SPAM Act of 2003," which was signed into law on December 16, 2003, effective January 1, 2004. The law is intended to protect consumers from emails sent by an undesired sender and from spam messages containing unmarked or misleading header information.

Why The Act Passed In 2003

No less than nineteen separate bills addressing spam had failed to pass Congress prior to enactment of the Act. Previous efforts to pass comprehensive federal legislation directed at spam were unsuccessful due in part to opposition by a strong direct marketing lobby, but also because of the inability of spam opponents to reach a consensus on an appropriate form of regulation. By late last year, opposition from the direct marketing industry could not withstand the growing public outcry for a federal legislative response to spam, particularly given that more than thirty states had already passed some form of anti-spam legislation in late 2002 and earlier in 2003. In fact, hoping that a new federal law would preempt state enactments, several direct marketing advocacy groups actually supported the passage of the CAN-SPAM Act in order to avoid having to comply with conflicting parochial state regulations. The new law also gained increased momentum and political clout as a result of the popularity and media coverage given to the "Do Not Call Registry" this past year.

What The Law Provides

The CAN-SPAM Act of 2003 is an "opt-out" law. It creates a requirement that commercial email messages must provide an effective opt-out procedure for recipients who do not wish to receive such messages in the future from that same source. Commercial email subject to the Act includes any message "the primary purpose of which is commercial advertisement or promotion of a commercial product or service." Exempt from the coverage of the Act, however, are transactional or relationship messages, defined generally as messages necessary to protect an ongoing relationship such as a commercial transaction previously agreed upon, product upgrades, ongoing services, an employment relationship, or subscription and membership information.

The Act prescribes detailed requirements for the transmission of any non-solicited commercial message. Specifically, such messages must contain a valid and functioning return email address that permits a recipient the option of notifying the sender that he does not wish to receive further emails from that sender in the future. This return address must function as an "opt-out" mechanism for a minimum of thirty days. Furthermore, the sending of any further message to the same address after receipt of such opt-out message is strictly prohibited. Therefore, it is clear that the Act provides marketers with at least one opportunity to email their former customers before a recipient will have the ability to prevent the receipt of any such future messages from that sender.

The Act also specifically mandates that an unsolicited commercial email message must include:

(1) a valid identifier that the message is an advertisement or solicitation;

(2) a clear and conspicuous notice of opportunity to opt-out; and

(3) a valid physical postal address for the sender.

The Act generally prohibits the use of "harvested" email addresses (i.e. those gleaned by robots from Internet chat rooms). Also illegal is the transmission of a non-solicited commercial email which contains false or materially misleading routing information or header data, including the transmission of sexually oriented materials that do not contain a subject matter heading indicating their sexual content. Unlike the regulatory features of the Act, violations of these provisions are criminal and can result in a three to five year prison term.

Finally, the Act provides a "good faith" defense for persons who have established and implemented practices and procedures designed to comply with these provisions. This good faith defense only reduces the amount of damages, however, and does not serve as a defense to liability altogether.

One of the Act's more interesting features is its broad grant of enforcement authority to the states and to internet service providers. While the Act grants primary enforcement authority to the Federal Trade Commission, it also grants each state attorney general the right to bring suit on behalf of residents of the state. In addition, an internet service provider adversely affected by a violation of the non-criminal provisions of the Act may bring suit seeking injunctive relief, and/or the greater of either actual damages or the statutory penalty. Recognizing the broad array of resources available to potential spammers seeking to avoid compliance with the Act, Congress sought to empower those best suited to enforce its provisions.

Injunctive relief is available under the Act. In addition, the statutory penalties associated with violating the Act are potentially steep. In lawsuits brought by a state attorney general or by the Federal Trade Commission, the statutory penalty includes a fine of up to $250 per message not to exceed $2,000,000, except that this amount may be trebled for a willful and knowing violation of the Act. In cases brought by Internet service providers, the fines are up to $100 per message up to $1,000,000 or more. In addition, a reasonable attorney's fee is recoverable.

Finally, as anticipated, the Act does indeed pre-empt state laws expressly regulating commercial email.

Practical Compliance Tips

The Act's broad definition of commercial email means that nearly all business-related email will be subject to the Act. This would include messages that are not obviously commercial, such as newsletters and stand-alone promotional emails. In fact, other than personal emails, it is probably a good idea to assume that all business email sent to consumers is subject to regulation under the Act.

The key to complying with the Act is to have a functioning reply address or email unsubscribe system accompany every business-related commercial email, as well as a valid postal address. In addition, as a practical matter, firms must employ a system that allows accurate records to be maintained regarding those recipients who have exercised the opt-out option. Just offering an opt-out option that does not record those individuals who have chosen to unsubscribe would provide little defense to a subsequent action to enforce by either the Federal Trade Commission or a state attorney general.

Also, beyond the obvious fact that a business should not engage in misleading, deceptive or criminal practices prohibited by the Act, firms should also know (i) the source of the email addresses used in commercial email messages and (ii) the email practices of direct marketing activities outsourced to vendors. Under the Act, a company can be held liable if it procures improper harvested lists from spammers violating the Act or "knows or should have known" that its services or products are being promoted in violation of the Act. Accordingly, companies need to know the source of email addresses used by marketing departments and should monitor the activities of those individuals or entities performing marketing services using email. It may also be a good idea to include in any agreements with outside vendors language requiring the other party to comply with the Act and to specify that a violation of the Act is grounds for immediate termination of the contract or agreement.

The Do Not Email Registry

Similar to the recent "Do Not Call Registry," the Act provides for a "Do Not Email Registry." Specifically, the Act states that "not later than 6 months after the date of enactment of this Act, the [FCC] shall transmit to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Energy and Commerce a report that . . . sets forth a plan and timetable for establishing a nationwide marketing Do-Not-Email registry . . .."

Will It Work?

Critics of the Act state that it will do little to curtail the proliferation of spam in the future. They condemn its "opt-out" approach and note that most hard core spammers will simply move their operation overseas to avoid enforcement. Critics also charge that the Act has too many loopholes and that it will be impossible to enforce. Others respond that large United States-based direct marketers will not want to move overseas and, because compliance with the Act is so easy, established marketers lack a real incentive to avoid doing so. Simply put, the Act's regulatory provisions are not particularly onerous to legitimate direct marketers using established mass emailing procedures. As such, the Act is a good first step, but it also creates compliance challenges for companies that would never place themselves in the ignominious category known as "spammers."

Peter J. Pizzi is a Partner in Connell Foley LLP's Internet and Information Technology practice group. He can be reached at ppizzi@connellfoley.com and (973) 533 4221. M. Trevor Lyons is an Associate in the group.