CBA Publications >> CBA Regulatory Compliance Bulletin >> Vol 2004 No.1
January 5, 2004

Vol 2004 No. 1 January 5, 2004

CAN-SPAM Act Trumps State Anti-Spam Law

Passage of the federal anti-spam legislation came on the heels of (and was spurred by) California's passage of SB 186 earlier last year (2003). For businesses both in and outside of California, creation of a workable national standard is both timely and welcomed.

Background

As reported in CBA Bulletin 2003-12, California's law, which would have gone into effect on January 1 this year, created an opt-in requirement for the sending of commercial emails. An exception was provided for messages sent to persons with whom the sender has a preexisting business relationship, and those messages were subject to an opt-out right.

SB 186 would have created a number of legal traps even for legitimate businesses. An inadvertent violation would subject a sender to penalties of $100 per message or $100,000 per incident. A message that only incidentally included an advertisement could be covered by the state law.

In contrast, the federal law, known as Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, or the "CAN-SPAM Act of 2003" (hereafter, the Act), does not prohibit the sending of legitimate email solicitations. Rather, all commercial email messages, whether to existing customers or not, must include a means for the recipient to opt-out of further commercial email messages. It also prohibits a number of fraudulent practices that would not concern legitimate businesses such as banks. These include gaining unauthorized access to another computer to initiate or retransmit multiple commercial emails, falsifying header information, registering for multiple email accounts using false identifying information, and fraudulent use of Internet Protocol addresses to send multiple commercial emails. Most importantly, the Act creates a national standard by preempting different state standards, including SB 186.

CAN-SPAM Act Requirements

The Act makes it unlawful to send a "commercial electronic mail message" without a functioning return email address or other Internet-based mechanism allowing the recipient to request not to receive future commercial emails from that sender. A commercial electronic mail message is defined as:

any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose).

In addition to the opt-out requirement, a covered email must also indicate that it is an advertisement or solicitation, and include a valid physical postal address of the sender.

The inclusion in an email of a reference to a commercial entity or a link to its website does not, in itself, make the email message subject to the Act as long as the primary purpose of the email is something other than the commercial advertisement or promotion of a commercial product or service. Note too that the definition is not limited to products or services offered by the sender, but to any commercial product or service.

Here are additional points to note:

• These requirements apply to individual email messages as well as mass mailings. Therefore, all staff who have access to company email, and not just those responsible for delivering mass emails, should be familiar with the Act.

• These requirements apply even for commercial emails sent to existing customers.

• The notice describing the right to opt-out and the labeling of the message as an advertisement or solicitation must be clearly and conspicuously displayed.

• An opt-out request applies to the email address where the message was received, and not to a particular person or the person's company, if applicable.

• An opt-out request does not bar future non-commercial emails, or other forms of solicitation, such as postal mail and faxes (telephone and fax solicitations are covered by other laws).

• The sender may not send a subsequent commercial email that falls within the scope of the request more than 10 business days after receipt of the request. The Federal Trade Commission may modify this period through rulemaking.

• The request or other opt-out mechanism must remain capable of receiving requests for at least 30 days after the original message was sent.

• The sender (or other person who is aware of the request) may not sell or otherwise transfer the email address of a recipient who has opted out. This restriction applies even if the transfer is made in connection with a "transaction" that involves email lists. This provision makes it imperative that a sender who acquires an email address or list of addresses from a third party ensure that opted-out addresses are identified and excluded, and that any sale or transfer of addresses does not include opted-out addresses.

• If an entity operates through separate lines of business or divisions and holds itself out to the recipient throughout the message as that line of business or division (rather than the larger entity), then an opt-out request applies only to that line of business or division.

When using the services of third parties to deliver a commercial email, a sender must be aware of the following:

• A person initiating a commercial email message on behalf of the sender could be in violation of initiating a subsequent commercial email if the person had actual or presumed knowledge of the prior opt-out request. Note though that an opt-out appears to apply to the sender and not the third party initiator.

• A person acting on behalf of the sender may not provide or select an email address for the sender knowing that a message would violate the opt-out provisions.

Existing customers. Unlike SB 186, the Act does not provide for different treatment of individuals with whom the sender has a preexisting business relationship. Instead, a "transactional or relationship message" is expressly excluded from the definition of a commercial electronic mail message.

A transactional or relationship message is defined as, subject to FTC modification by regulation:

an electronic mail message the primary purpose of which is --
i. to facilitate, complete, or confirm a commercial transaction that the recipient has previously agreed to enter into with the sender;
ii. to provide warranty information, product recall information, or safety or security information with respect to a commercial product or service used or purchased by the recipient;
iii. to provide--
o notification concerning a change in the terms or features of;
o notification of a change in the recipient's standing or status with respect to; or
o at regular periodic intervals, account balance information or other type of account statement with respect to,
a subscription, membership, account, loan, or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of products or services offered by the sender;
iv. to provide information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, participating, or enrolled; or
v. to deliver goods or services, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender.

Remember that an email message that does not fall within this definition is not necessarily a covered email message, but only that it is not statutorily excluded as a commercial email.

The Act includes a number of provisions that are helpful to legitimate businesses:

Affirmative consent. If a person has provided affirmative consent to receive commercial emails, the sender is not required to label an email as an advertisement or solicitation. The opt-out provision is unaffected by any affirmative consent.

Use of multiple options. The Act permits the use of a list of choices whereby the recipient may elect to receive or not to receive certain commercial emails from the sender, as long as the list includes the option not to receive any further commercial emails.

Primary purpose. The statutory "primary purpose" standard is an improvement over SB 186 because it should leave unaffected the incidental inclusion of advertising contained in automated greetings and taglines, and brief references to new products, where the purpose of the message is something other than to advertise or promote a product or service. The FTC will further define the standard within 12 months following passage of the Act.

Limited private rights of action. Unlike SB 186, enforcement of the Act rests primarily with the FTC and other governmental authorities. While the unavailability of private rights of action by recipients may limit the liability of unscrupulous spammers, it also removes the possibility of class actions against legitimate companies based on technical or inadvertent violations

Aside from the FTC, compliance with the Act may be enforced by the federal banking regulators as to banks, the SEC, and other federal agencies. State attorneys general and other state enforcement authorities also have the authority to enforce the Act in federal court. In addition, Internet service providers may bring an action against illegal spammers.

Preemption. The Act supersedes any state or local laws and regulations that regulate the use of email to send commercial messages, except to the extent that they prohibit "falsity or deception in any portion of a commercial electronic mail message or information attached thereto." The apparent intent of the quoted language is to leave intact state laws covering fraudulent acts perpetrated through email messages, though the provisions of SB 186 that cover deceptive practices also prohibited by the Act (such as the use of misleading header information) are probably superceded by virtue of subject matter preemption. What is certain, though, is that the labeling and opt-out provisions of the Act preempt state law because they do not pertain to falsity or deception.

The Act also does not preempt state laws that are not specific to email, such as laws governing trespass, contract, or tort law, or laws related to acts of fraud or computer crime. In California, it is likely that private plaintiffs can bring an action under the Unfair Competition Law under Business and Professions Code Section 17200.

Do Not Email registry. The Act puts into motion a series of studies and reports, including the forming of a national marketing Do-Not-Email registry under the auspices of the FTC. The details and timetable are to be included in a report prepared by the FTC and presented to Congress later this year, with an implementation date no later than nine months after enactment of the Act.