The CAN-SPAM ACT: What Does It Require And How Might It Impact Your Sarbanes-Oxley Obligations?

Thursday, April 1, 2004 - 01:00
Jason R. Karp

On December 16, 2003, the President signed into law the "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003," or the "CAN-SPAM Act of 2003" ("CAN-SPAM Act" or "Act"), which is essentially the first piece of federal legislation regulating unsolicited commercial e-mail (or SPAM). The Act became effective January 1, 2004 and thus now applies to all entities that send commercial e-mail. In short, the CAN-SPAM Act prohibits the use of deceptive subject lines and headers in commercial e-mail messages, as well as other fraudulent or deceptive practices, and requires that unsolicited commercial e-mail messages be labeled as such, include opt-out instructions, and include the sender's physical address. Additional requirements are imposed for e-mail containing sexually explicit material.

The actions taken by Congress are somewhat bold in that, despite significant efforts at legislating SPAM by several state regulatory bodies, the CAN-SPAM Act has, with certain permitted exceptions, essentially occupied the space by preempting state law that explicitly regulates the use of e-mail to send commercial messages. As such, the "opt-in" versus "opt-out" debate appears to be settled for the time being. What is also unique about the CAN-SPAM Act is that in creating this new regulatory regime, Congress has actually legalized the transmission of SPAM, at least until a recipient objects.

Based, in part, on the new obligations imposed by the Act, a strong regulatory compliance program is recommended not only to avoid violation of the CAN-SPAM Act, but, as discussed below, to ensure companies do not run afoul of the disclosure and internal control requirements of Sarbanes-Oxley.

I. Summary Of The CAN-SPAM Act

So, What Is Commercial E-Mail?

Under the Act, e-mail messages are deemed commercial only if they (1) advertise or promote a commercial product or service, and (2) are not "transactional or relationship" messages arising from a preexisting or current business relationship.

Requirements For Sending Unsolicited Commercial E-Mail

Notice and Opt-Out

Specifically, the CAN-SPAM Act makes unlawful the transmission of a commercial e-mail message unless the message:

• includes "clear and conspicuous identification" of the message as commercial;

• provides the e-mail recipient notice of the opportunity to decline to receive further commercial e-mail messages; and

• includes a "valid physical postal address" for the sender.

In addition, it is a violation of the Act for any person to "initiate" the transmission of a commercial e-mail message that does not contain either a working return e-mail address or another Internet-based method for the recipient to respond. The opt-out mechanism must remain available for at least 30 days, and all opt-out requests must be honored within 10 days of the initial request.

Fraudulent And Deceptive Practices Prohibited

The Act also precludes certain fraudulent e-mail practices, including use of

• false and misleading header information;

• header information that includes an originating e-mail address, domain name or IP address obtained through false or fraudulent means;

• header information that fails to accurately identify the computer used to originate the message in an attempt to disguise the origin of the e-mail; and

• false or misleading subject headings.

Additional prohibitions include:

• use of e-mail addresses obtained using an "automated means" from an Internet website or proprietary online service operated by a person who had agreed not to give, sell or otherwise transfer the recipients' information to another party (this practice is also known as "harvesting");

• use of e-mail addresses created automatically by combining names, letters or numbers into numerous permutations;

• accessing a computer without authorization to send e-mail messages; and

• use of an automated script or other automated means to register for multiple e-mail accounts from which to transmit such e-mail messages.

Liability To Third Parties For Promotion Of Goods And Services

Third parties may also face liability under the CAN-SPAM Act for the acts of others where such third party's goods or services are being promoted. If such third party knew or should have known its goods and services were being promoted, expected to receive an economic benefit, and took no reasonable preventative or remedial action, then liability may arise.

Penalties And Rights Of Action

The FTC has primary enforcement authority under the Act, although several additional federal agencies may bring action under the Act based on the business or trade of the violators. State attorneys general are provided a right of action to enforce certain provisions of the Act on behalf of their citizens, and ISPs are similarly afforded a private right of action in certain circumstances.

The Act explicitly provides for injunctive relief, and monetary damages limited to the greater of those actually proven or statutory damages not to exceed $250 per e-mail or $2 million in the aggregate. As noted above, a private right of action is preserved for ISPs, but the statutory damages are limited to a maximum of $1 million. Notwithstanding these maximums, the district court is authorized to increase a damages award, up to three times the amount, for knowing and intentional conduct, or conversely, to reduce an award if there are mitigating factors. It is interesting to note that the Act authorizes the FTC to determine guidelines under which individuals may receive an award of not less than 20 percent of the total civil penalty imposed in a proceeding where such person was the first to identify the violator and provide information leading to the successful collection of the civil penalty by the FTC. So, while no private right of action generally exists for individuals, Congress has created an additional incentive for enforcement by private individuals.

The CAN-SPAM Act also creates criminal penalties for fraudulent activity, including monetary fines, imprisonment of not more than five (5) years, and the forfeiture of any property constituting or traceable to gross proceeds obtained from the violative conduct.

Do-Not-E-Mail Registry

Within 6 months of the effective date of the Act, the FTC must recommend a plan to Congress for creating a nationwide Do-Not-E-Mail Registry, similar to the recently enacted Do-Not-Call list.

II. Sarbanes-Oxley Considerations

The CAN-SPAM Act is just one of many new pieces of legislation aimed at ensuring that corporate citizens act in good faith for the benefit of their shareholders and customers. Indeed, with the USA Patriot Act, Gramm-Leach-Bliley, HIPAA, and Sarbanes-Oxley, to name a few, the compliance roadmap for today's corporate citizens, especially those that are public or planning on going public, is fraught with possible pitfalls. The key is not to try to tackle each obligation separately, but rather to develop an overall compliance program, where corporate officers understand the interplay among these varying requirements and can ensure that they meet their legislative and regulatory obligations. In this regard, it is recommended that any public company, any company planning to go public (and any private company affected with a public interest) that does not have all of its systems of internal controls in place by November 15, 2004 (recently extended by the SEC for accelerated filers) should immediately institute procedures to conform to the letter and spirit of all applicable laws and regulations, including the new CAN-SPAM Act.

The need for compliance under new legislation, and specifically under Sarbanes-Oxley, is really rooted in three general requirements or principles: (1) internal control, process and efficiency, (2) public disclosure, and (3) corporate ethics and responsibility.

Indeed, Section 404 of the Sarbanes-Oxley Act requires management to create and maintain adequate internal controls, and present its assessment of the effectiveness of these controls in its reporting. As originally defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and recently noted by The Public Company Accounting Oversight Board (PCAOB), "[i]nternal control is a process designed to provide reasonable assurance regarding the achievement of a company's objective in the areas of financial reporting reliability, operating efficiency and effectiveness, and compliance with applicable laws and regulations."

Similarly, Sections 302 and 906 of Sarbanes-Oxley have expanded the scope of public company reporting obligations through officer certification. Indeed, issuers must now establish and maintain disclosure controls and procedures designed to ensure that financial and non-financial information is fully and accurately disclosed on a timely basis.

Appropriate compliance with the CAN-SPAM Act potentially touches on each of these areas. Indeed, while there may be some debate as to the scope of internal controls required under Section 404 of Sarbanes-Oxley, there can be no debate that to the extent a violation of the CAN-SPAM Act results in liability or potential liability impacting the financial condition of a reporting company, such information must be appropriately reflected in such company's financial statements and publicly disclosed. Indeed, as noted above, violations of the CAN-SPAM Act can result not only in civil penalties of as much as $2 million per violation (which can be trebled for intentional conduct), but criminal penalties, including incarceration and forfeiture of monetary gain resulting from the offending conduct. In this regard, any profits or revenue resulting from a reporting company's commercial e-mail activities which violate the CAN-SPAM Act are at risk of forfeiture, making all financial statements incorporating such information inaccurate and misleading. To the extent a violation of the CAN-SPAM Act can be reasonably foreseen to result in such consequences, publicly reporting companies will have obligations to make such facts public. As such, developing an internal controls program that encompasses compliance under the CAN-SPAM Act is not only a good idea in that it can significantly mitigate the potential risk to a reporting company of violations of the Act (and any resulting disclosure obligations), but can also help ensure such companies' compliance with Section 404 of the Sarbanes-Oxley Act.

Finally, violations of the CAN-SPAM Act may also result in violations of the new whistleblower protections found in Sections 806 and 1107 of the Sarbanes-Oxley Act. These provisions protect employees who report instances of corporate fraud, in the case of Section 806, and any federal offense, in the case of Section 1107. Such protections would clearly extend to reported violations of the CAN-SPAM Act. As such, a comprehensive compliance program consistent with the letter and spirit of Section 404 can provide the added protection of preventing possible violations of these whistleblower provisions.

As illustrated herein, the CAN-SPAM Act further emphasizes the need to implement comprehensive internal controls to ensure compliance not only with the Act itself, but with the reporting and other obligations required under Sarbanes-Oxley. Indeed, the use of commercial e-mail by publicly reporting companies for solicitation or revenue-generating activities presents yet another system that such companies' auditors must review in order to provide assurance that all internal controls are adequate and consistent with their obligations under Section 404. As such, for companies that rely on commercial e-mail for their business operations, Sarbanes-Oxley presents another set of checks and balances on the use of commercial e-mail to further their corporate enterprise.

Jason R. Karp, Special Counsel in the Vienna, Virginia office of Kelley Drye & Warren LLP, may be contacted by telephone at (703) 918-2465.