CBA Publications >> CBA Regulatory Compliance Bulletin >> Vol 2003 No.12
September 26, 2003

Vol 2003 No. 12 September 26, 2003

Summary of New California Spam Bill

The State of California just passed perhaps the toughest anti-spam law in the nation, which is cause for both celebration and concern. Unlike existing California law, which requires senders of unsolicited e-mail advertisements (spam) to provide a means for the recipient to opt out of further messages, SB 186 simply prohibits spam except to existing customers who have not opted out, and those who expressly consent to receive email advertisements. Because it is difficult to trace the actual sender of a message, and because it is virtually impossible to determine with certainty whether an electronic mail address belongs to a California resident, the current law is virtually ignored by unscrupulous spammers.

The new law goes a long way to shore up the weaknesses, including by imposing breathtaking penalties of $1000 per e-mail message and up to $1,000,000 per "incident" or multiple mailing. A defendant could reduce those damages to $100 per message and $100,000 per incident if it could convince a court that it had implemented practices and procedures reasonably designed to avoid violations. A suit may be brought by the recipient, the e-mail or internet service provider whose system is used to deliver spam, or the Attorney General. Of course, any person could bring an action as a "private attorney general" for a violation of SB 186 pursuant to California's Unfair Competition Law (Business & Professions Code Section 17200).

At the heart of SB 186 is a prohibition against sending an unsolicited commercial e-mail advertisement "from California" or to a California e-mail address. An unsolicited commercial e-mail advertisement is an e-mail sent to advertise or promote products and services where the recipient neither has provided direct consent to receive the message nor is a customer of the provider. The law also prohibits various means of harvesting e-mail addresses for the purpose of sending unsolicited commercial e-mails from California or to a California e-mail address. It also prohibits the practice of appropriating a third party's domain name and the use of misleading or forged header information in the sending of spam.

What banks should be concerned about is their management of e-mail messages to customers. A "preexisting or current business relationship" is defined fairly broadly as a person who has made an "inquiry and has provided his or her e-mail address, or has made an application, purchase, or transaction, with or without consideration, regarding products or services offered by the advertiser." In order to come within this safe harbor, the message must include a procedure for the recipient to opt-out of further messages by calling a toll-free telephone number or by sending an "unsubscribe" e-mail to the person offering the products or services.

There is no time period incorporated in the definition of existing customer (in contrast, for example, to the FCC do-not-call rule corresponding definition), but the exception could reasonably be applied only if the relationship is preexisting or current. Also, like the FCC do-not-fax rules, there is no test to determine whether the predominant purpose of an e-mail message or any attachments is for advertisement purposes. Thus, it is unclear whether it would be permissible to include advertisements (including messages sometimes imbedded in account statements) in e-mail messages or attachments delivered primarily for other purposes. As a precaution, it may be prudent to include an opt-out message in all bank email correspondence. But any opportunity given to opt out of mix-purpose messages raises obvious operational complexities.

The law that SB 186 repeals, codified in Business & Professions Code Section 17538.4, was intended in part to spur Congress to pass anti-spam legislation. That law, by its terms, was to become inoperative when and if federal law is enacted that regulates spam. SB 186 contains no such provision. There are presently two anti-spam bills being considered in Congress. S. 1293, which was passed by the Senate Judiciary Committee on September 25, would only prohibit the sending of bulk commercial e-mail that either conceals the source or routing information of the e-mail or is generated from multiple e-mail accounts or domain names that falsify the identity of the actual sender. Another bill, S. 877, passed the Senate Commerce Committee in June. If Congress is thoughtful about this important issue, it would seek to create a national standard and disallow states to pass their own laws, even if they are more stringent.

If you have any questions, you may call James Clark or Pat Zenzola of CBA at 916-441-7377 extensions 209 and 210, respectively.