The U.S. Court of Appeals for the 9th Circuit has decided Gordon v. Virtumundo, Inc. in a manner that deals a serious, perhaps fatal, blow to the ability of “professional plaintiff” anti-spam activists to collect unsolicited commercial e-mails, or “spam,” and bring costly, settlement-inducing suits under the federal CAN-SPAM Act. The case addresses who has standing to sue under CAN-SPAM, what type of harm private plaintiffs must show, and how they must connect the harm to a CAN-SPAM violation for a suit to proceed. The court also found the Washington state Commercial Electronic Mail Act (CEMA) to be displaced by the CAN-SPAM Act, which preempts state laws and rules regulating commercial e-mail except insofar as they target misleading and/or false e-mails or fraud and/or computer crime generally.

Gordon v. Virtumundo is one of several cases in the 9th Circuit (while others remain in district courts in California and Washington), and the first decided, that explores whether an “Internet access service” provider (IAS) that primarily collects commercial e-mail to bring suit under the CAN-SPAM Act to seek statutory damages (or settlements of threatened or filed suits) has standing to do so under the Act. The practice is a popular tactic among anti-spam activists, who tend to believe all unsolicited commercial e-mail is “spam” that should be outlawed, and has become something of a cash cow for them and for plaintiffs’ counsel who bring the lawsuits.

It has been unclear whether such IASs have standing to sue under the CAN-SPAM Act, which along with empowering the Federal Trade Commission (FTC), state attorneys general, and other state and federal agencies to pursue enforcement, also grants a private right of action to IASs “adversely affected” by violations to seek either actual or statutory damages (the latter of which can be as much as $300 per unlawful e-mail), as well as attorneys’ fees and costs. The 9th Circuit has now answered that question with a resounding “no.”

CAN-SPAM seeks to preserve commercial e-mail as a legitimate marketing tool

The court commenced its analysis by describing the Internet as “a unique medium that offers legitimate businesses a low-cost means to promote themselves … and in turn fosters competition in the marketplace,” such that “consumers and Congress have come to view email, when fairly employed, as an established and worthwhile device [among] accepted marketing practices.” In the 9th Circuit’s view, CAN-SPAM is thus “an effort to curb the negative consequences of spam … without stifling legitimate commerce,” and consequently “does not ban spam outright, but rather provides a code of conduct to regulate” the practice. Indeed, the court observed that “despite what … anti-spam enthusiasts might contend, the purpose of the CAN-SPAM Act was not to stamp spam out of existence,” but rather “there are beneficial aspects to commercial email, even bulk messaging, that Congress wanted to preserve … as a worthwhile commercial tool.”

CAN-SPAM thus adopted “tailored regulations, which target deceptive and predatory practices and attempt to alleviate the negative effects of spam without unduly stifling lawful enterprise.” Accordingly, the 9th Circuit found, the “intent was to limit enforcement actions to those best suited to detect, investigate, and … prosecute violations,” especially as “the congressional record reveals … concern that the private [ ] action be circumscribed and confined to a narrow group of private plaintiffs,” i.e., bona fide IASs actually affected adversely by CAN-SPAM violations. These contrast, the court observed, with those lured by “the siren song of substantial statutory damages [that] would entice opportunistic plaintiffs,” which produces “undesirable results.”

Only a bona fide IAS that can show harm and causation has CAN-SPAM standing

Given these purposes of the Act, the 9th Circuit held that “[w]hile we agree that statutory standing is not limited to traditional ISPs, we reject any overly broad interpretation of ‘Internet access service’ that ignores congressional intent,” such that entities that merely carry or receive unsolicited commercial e-mail do not have standing based on that fact alone. Although the court declined to establish a general test or define the outer bounds of what it means to be an IAS, it observed that entities like “Verizon and GoDaddy might have a compelling argument that they are IAS providers within the meaning of the [ ] Act,” while those with a “nominal role in providing Internet-related services,” such as giving e-mail addresses in a domain controlled through, e.g., GoDaddy, would not suffice.

The court noted in this regard it was “troubled” by the extent to which Gordon failed to operate as a bona fide e-mail provider insofar as he “avoided taking even minimal efforts to avoid or block spam messages,” but rather “devotes his resources to adding his clients’ email addresses to mailing lists and accumulating spam through a variety of means for the purpose of facilitating litigation.”

Apart from a plaintiff’s IAS status, on whether an IAS is “adversely affected,” the court held that encountering large volumes of spam is not enough. In this regard, “the harm must be both real and of the type uniquely experienced by IASs,” and thus does “not encompass the ordinary inconveniences experienced by consumers and end users.” Nor can harm for standing purposes be merely costs of carrying spam, as that “contradicts the plain text of the statute and the legislative goal of limiting the private right of action.”

Rather, the court held, “encountering spam is merely a component of the standing equation” and “some qualifying harm must follow.” It cautioned that courts “must … be careful to distinguish ordinary costs and burdens associated with [an IAS] from actual harm” and before finding standing should “expect a legitimate service provider to secure adequate bandwidth and storage capacity and take reasonable precautions, such as implementing spam filters, as part of its normal operations.” In this regard, a court “should take an especially hard look at the cited harm if it suspects at the outset that a plaintiff is not operating a bona fide Internet access service.”

Though the court would not “enumerate every harm” that would confer standing, or “suggest that the list is finite … , the harm must be both real and of the type experienced by ISPs.” And while it “need not be significant in the sense that it is grave or serious,” it must be “something beyond the mere annoyance of spam and greater than negligible burdens typically borne by an IAS … in the ordinary course …. In most cases, evidence of some combination of operational or technical impairments and related financial costs attributable to unwanted commercial email would suffice.” As Gordon could make no such a showing, his claims could not survive.

The 9th Circuit went on to hold that defining the harm required for CAN-SPAM standing is “only one part of the equation,” as the Act also requires the harm to be “attributable to the type of practices circumscribed,” that is, some nexus between the harm and allegedly unlawful e-mails must be shown. “After all,” the court noted, “network slowdowns, server crashes, increased bandwidth usage, and hardware and software upgrades bear no inherent relationship to spam or spamming practices” but rather “arise as a matter of course and for legitimate reasons.”

The court thus held there must be “at bare minimum, a demonstrated relationship between purported harms and the type of email practices regulated by the Act—i.e., a showing that the identified concerns are linked in some meaningful way to unwanted spam.” That said, the court reserved for another day whether the Act imposes “a direct causation requirement.” While noting such a requirement “although not inconsistent with the statutory text, might create an unworkable standard … given the impracticability of tracing a harm to a specific email or batch of emails,” the court stated that its “holding [in Gordon] does not foreclose this possible interpretation.”

The CAN-SPAM private action was not intended as a revenue-producing device

In its ruling, the 9th Circuit took a dim view of what it called a CAN-SPAM “cottage industry” that has been set up “to profit from litigation.” The court noted that it was “readily apparent that Gordon, … who seeks out spam for the very purpose of filing lawsuits, is not the type of private plaintiff that Congress had in mind.”

While observing that “many anti-spam enthusiasts may applaud [such] zealous counter-attacks,” the court found it “compelling” that an IAS would “purposefully refuse [ ] to implement spam filters in a typical manner or otherwise make any attempt to block allegedly unwanted spam.” It observed that Gordon’s harms “almost exclusively relate to litigation preparation, not to the operation of a bona fide service,” and that he “made no real effort to avoid, block, or delete commercial email, but instead has voluntarily assumed the role of a spam sleuth” by “seeking out and capturing massive volumes of spam … for use in … lawsuits.”

The court also noted that “Gordon admits operating an anti-spam business, which entails … notifying spammers that they’re violating the law and filing lawsuits if they do not stop” and that, he “concedes he is a professional plaintiff.” In that context, the court noted that “while the term ‘professional’ as in ‘professional plaintiff,’ is not a dirty word, and should not itself undermine one’s ability to seek redress,” a plaintiff’s “status is uniquely relevant to the statutory standing question,” especially where the Act as sought to be enforced “relates more to his subjective view of what the law ought to be, and differs substantially from the law itself.”

The 9th Circuit thus suggested that courts, in trying to decide if a plaintiff purporting to be an IAS has standing, must undertake a searching review. It instructed that “where … a private plaintiff’s status as an IAS provider is questionable and reasonably contested, courts should not only inquire into the plaintiff’s purported Internet-related service operations but also closely examine the alleged harms attributable to spam.” Such examination must occur on a case-by-case basis to reach “reasoned decisions” whether a purported IAS “is truly the type of bona fide IAS provider adversely affected by commercial email messaging that Congress envisioned.”

In sum, the 9th Circuit said that it does not “discount the harmful effects spam and spamming practices, both lawful and unlawful, [on] businesses and consumers,” that it saw a “need of bona fide IAS providers, both small and large, for a legal remedy against law-breaking spammers,” and that it was “like Congress, … sympathetic to legitimate operations hampered by a deluge of unwanted email marketing.” Nonetheless, it concluded, the CAN-SPAM Act “was enacted to protect individuals and legitimate businesses—not to support a litigation mill for entrepreneurs.”

Washington law pre-empted

Finally, as to Washington state’s Commercial Electronic Mail Act (CEMA), the 9th Circuit held the statute is pre-empted by CAN-SPAM. After noting that, unlike CAN-SPAM’s narrower standing rule, CEMA allows e-mail recipients to sue, and that CEMA does not regulate the body of e-mails or opt-outs but rather only headers and subject lines, the court rejected arguments by Washington’s attorney general (who appeared as a “friend of the court”) that there was no need to analyze the CAN-SPAM Act’s preemption provision, and joined the 4th Circuit in holding Congress’ intended purpose was “to regulate … on a nationwide basis and to save from preemption only [state] statutes, regulations or rules that target fraud or deception.”

Accordingly, in view of the broad definitions ascribed to the terms “misrepresent” and “obscure” in CEMA by state courts, the 9th Circuit held the statute’s “prohibitive reach … purport[s] to regulate a vast array of non-deceptive acts and practices,” including “immaterial inaccuracies or inadvertent mistakes,” and to that extent it was pre-empted.

In reaching this decision, the 9th Circuit clarified several important points regarding when e-mail headers are “false” or “misleading” under CAN-SPAM. First, the court held “[t]here is nothing inherently deceptive in [the] use of fanciful domain names” that may be somewhat opaque regarding the identity of the sender. Rather, so long as a domain name is properly registered to the sender, who can be identified as the domain registrant by a WHOIS or similar reverse look-up, a domain name that does not contain or otherwise identify the name of the sender’s business fails to rise to the level of CAN-SPAM falsity or deception.

Instead, the court suggested, falsity or deception requires, for example, “proof that headers have been altered to impair [the] ability to identify, locate, or respond to the person who initiated the email.” It also rejected claims that the only information that may be used in the “from name” field that would not misrepresent is that of the person or entity who hired the sender to send the e-mail on their behalf, holding that “the CAN-SPAM Act does not impose such a requirement,” and that to the extent any such requirement were imposed by a state law, it would be pre-empted.