The federal CAN-SPAM law that went into effect on January 1, 20041 was intended to stem the tide of annoying, unsolicited emails sent by spammers, including sexually explicit email materials. While its success in accomplishing this goal has been minimal, businesses need to be mindful of CAN-SPAM requirements, because CAN-SPAM also applies to legitimate businesses that communicate or advertise via email. Because CAN-SPAM’s requirements can be easy to overlook in day-to-day activities, businesses should take the time periodically to ensure their compliance with the CAN-SPAM law, especially since violations of the law can result in both civil and criminal sanctions.
CAN-SPAM and the federal rules implementing it2 established national standards for sending unsolicited “commercial email messages,” defined as messages the primary purpose of which is the commercial advertisement or promotion of a commercial product or service, and applies to any person or entity that sends an unsolicited, commercial, email message. Businesses that send promotional email to existing or potential customers must understand the applicability, requirements, and prohibitions of CAN-SPAM. CAN-SPAM requires all unsolicited commercial email messages to be labeled, to include opt-out instructions and the sender’s postal address, and prohibits the use of deceptive subject lines and false headers.
Specifically, CAN-SPAM imposes the following obligations and prohibitions:
- Commercial email must be labeled as such and include opt-out information.
Unless recipients have given prior affirmative consent, commercial email messages must clearly and conspicuously identify the message as an advertisement or solicitation and give clear and conspicuous notice of the opportunity not to receive further email messages from the sender. In addition, commercial email messages must include the sender’s postal address and have a functioning return email address so that a recipient may send a reply message requesting not to receive commercial email messages from that sender.
- Businesses/Senders are prohibited from continuing to send commercial email to recipients who have asked not to receive it after a 10-day grace period.
If a recipient makes an “opt-out,” “do not spam,” or like request, it is unlawful for the sender (or anyone acting on behalf of the sender) to send the recipient, more than 10 business days after the receipt of such request, a commercial email that falls within the scope of the request. It is also unlawful for any person who knows that the recipient has made such a request to sell or transfer the recipient’s email address for any purpose other than compliance with the act.
- False header information and deceptive subject lines are prohibited.
CAN-SPAM prohibits commercial or transactional email messages that contain header information that is materially false or materially misleading. In addition, any person who initiates the transmission of a commercial email message with actual knowledge, or knowledge fairly implied, that the subject heading would likely mislead a recipient about a material fact regarding the contents or subject matter of the message also runs afoul of CAN-SPAM.
- Automated email address harvesting and automated spam attacks are restricted.
CAN-SPAM also makes it unlawful to send commercial email messages to addresses obtained using an automated means from an Internet website or proprietary online service when the website or online service includes a notice stating that it will not give, sell, or otherwise transfer addresses to any party for the purposes of initiating email messages. Sending commercial email messages to addresses obtained through socalled “dictionary attacks” — using an automated means that generates possible email addresses by combining names, letters, or numbers into numerous permutations — is also prohibited.
- Using other people’s computers or email accounts to send commercial email is prohibited.
It is unlawful for any person knowingly to relay or retransmit a commercial email message from a computer or computer network that such person has accessed without authorization.
CAN-SPAM gives enforcement powers to the Federal Trade Commission (“FTC”), certain other federal agencies, state attorneys general, and Internet access service providers (“ISPs”). The law provides for recovery of actual monetary damages or statutory monetary damages, and criminal penalties, including imprisonment. Statutory damages are based on the number of emails sent in violation of the statute. Violation of the statute can result in expensive judgments, including the award of treble damages and recovery of attorneys’ fees and costs. In addition, the act includes a “wireless spam” provision directing the Federal Communications Commission (“FCC”) to promulgate rules to protect consumers from unsolicited wireless messages and applies to commercial emails sent within single online social networks (such as messages originating and sent within MySpace).
Although CAN-SPAM appears to have had little effect in decreasing the amount of spam received by the average computer user, the FTC and ISPs have brought numerous successful CAN-SPAM actions against individuals and companies, with multimillion dollar judgments awarded against spammers. In addition, independent spam-tracking organizations, such as The Spamhaus Project (www.spamhaus.org), have been a source of embarrassment and negative publicity for ISPs and businesses who have engaged in, encouraged, or openly tolerated spamming.