SPAM rules – CAN-SPAM Act of 2003
The CAN-SPAM Act of 2003 (15 U.S.C. 7701, et seq., Public Law No. 108-187, was S.877 of the 108th United States Congress), signed into law by President George W. Bush on December 16, 2003, establishes the United States’ first national standards for the sending of commercial e-mail and requires the Federal Trade Commission (FTC) to enforce its provisions.
The mechanics of CAN-SPAM
CAN-SPAM defines a “commercial electronic mail message” as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose).” It exempts “transactional or relationship messages.” The FTC issued final rules (16 C.F.R. 316) clarifying the phrase “primary purpose” on December 16, 2004. Previous state laws had used bulk (a number threshold), content (commercial), or unsolicited to define spam.
The bill permits e-mail marketers to send unsolicited commercial e-mail as long as it adheres to three basic types of compliance defined in the CAN-SPAM Act: unsubscribe, content, and sending behavior compliance.
Unsubscribe compliance
- A visible and operable unsubscribe mechanism is present in all emails.
- Consumer opt-out requests are honored within 10 days.
- Opt-out lists, also known as suppression lists, are used only for compliance purposes.
Content compliance
- Accurate from lines (including “friendly froms”)
- Relevant subject lines (relative to offer in body content and not deceptive)
- A legitimate physical address of the publisher and/or advertiser is present. PO Box addresses are acceptable in compliance with 16 C.F.R. § 316.2(p). If the email is sent by a third party, the legitimate physical address of the entity whose products or services are promoted through the email should be visible.
- A label is present if the content is adult.
Sending behavior compliance
- A message cannot be sent through an open relay
- A message cannot be sent to a harvested email address
- A message cannot contain a false header
- religious messages;
- political messages;
- content that broadly complies with the marketing mechanisms specified in the law; or
- national security messages.
There are no restrictions against a company emailing its existing customers or anyone who has inquired about its products or services, even if these individuals have not given permission, as these messages are classified as “relationship” messages under CAN-SPAM. But when sending unsolicited commercial emails, it must be stated that the email is an advertisement or a marketing solicitation. Note that recipients who have signed up to receive commercial messages from you are exempt from this rule.
If a user opts out, a sender has ten days to cease sending and can only use that email address for compliance purposes. The legislation also prohibits the sale or other transfer of an e-mail address after an opt-out request. The law also requires that the unsubscribe mechanism must be able to process opt-out requests for at least 30 days after the transmission of the original message.
Use of automated means to register for multiple e-mail accounts from which to send spam compounds other violations. The Act prohibits sending sexually oriented spam without the label, later determined by the FTC to be “SEXUALLY EXPLICIT.” This label replaced the similar state labeling requirements of “ADV:ADLT” or “ADLT.”
CAN-SPAM makes it a misdemeanor to send spam with falsified header information. A host of other common spamming practices can make a CAN-SPAM violation an “aggravated offense,” including harvesting, dictionary attacks, IP address spoofing, hijacking computers through Trojan horses or worms, or using open mail relays for the purpose of sending spam.
Although, under the law, legitimate businesses and marketers should be conscientious about the aspects mentioned above, some misinterpretations and fraudulent practices are viewed as criminal offenses:
- Sending multiple spam emails with the use of a hijacked computer
- Sending multiple emails through Internet Protocol addresses that the sender represents falsely as being his/her property
- Trying to disguise the source of the email and to deceive recipients regarding the origins of the emails, by routing them through other computers
- Sending multiple spam emails via multiple mailings with falsified information in the header
- Using various email accounts obtained by falsifying account registration information, in order to send multiple spam emails.
Private right of action
CAN-SPAM provides a limited private right of action to Internet Access Services that have been adversely affected by the receipt of emails that violate the Act, and does not allow natural persons to bring suit. A CAN-SPAM plaintiff must satisfy a higher standard of proof than government agencies enforcing the Act; thus, a private plaintiff must demonstrate that the defendant either sent the email at issue or paid another person to send it knowing that the sender would violate the Act. Despite this heightened standard, private CAN-SPAM lawsuits have cropped up around the country, as plaintiffs seek to take advantage of the statutory damages available under the Act.
Overriding state anti-spam laws
CAN-SPAM preempts (supersedes) state anti-spam laws that do not deal with fraud. The relevant portion of CAN-SPAM reads:
This chapter supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto.