Overview of CAN-SPAM Act

By Jonathan Bick

Summary: Since January 1, 2004, the U.S. "CAN-SPAM" Act has regulated the sending of commercial e-mail. The act requires anyone sending certain e-mail messages to take certain steps or face penalties up to $2 million. This article discusses what the CAN-SPAM Act requires and how to avoid violating it.

Author: The author of this article, Jonathan Bick, is counsel to Wolf, Block, Brach, Eichler, and an adjunct professor of Internet law at Rutgers Law School-Newark and Pace Law School. He is also the author of 101 Things You Need To Know About Internet Law (Random House 2000). He is licensed to practice law in New York, New Jersey and Pennsylvania. E-mail: bickj@bicklaw.com.

What the CAN-SPAM Act Requires

The CAN-SPAM Act -- "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003" -- went into effect Jan. 1, 2004, and has important implications for anyone engaged in the sending of unsolicited e-mails, which are commonly known as spam. Contrary to public opinion, the act does not make spam unlawful; it attempts to regulate it.

The CAN-SPAM Act has three provisions to which spammers must adhere:

· The first is labeling. Unsolicited e-mails must be clearly identified as solicitation or advertisements for products and services.

· The second is offering an opt-out option. Senders must provide easily accessible, legitimate means for recipients to "opt-out" of receiving future messages.

· The third is the revelation of the sender's addresses. Unsolicited e-mails must contain legitimate return e-mail addresses, as well as the sender's postal address.

(It should be noted that the CAN-SPAM Act offers some exclusions from the three requirements noted above.)

For recipients who have previously consented to receipt of unsolicited commercial e-mail, the act has two additional requirements:

· First, spammers must use honest subject lines. Use of misleading or bogus subject lines to trick readers into opening messages is forbidden.

· Second, spammers must comply with the "Do Not E-Mail Registry." The CAN-SPAM Act indicates that within six months, a proposed plan will be submitted by the Federal Trade Commission to Congress for a "Do Not E-Mail" list.

More than 30 states have enacted anti-spam legislation. The CAN-SPAM Act is intended to supersede state or local anti-spam laws, with certain exceptions for state laws related to deceptive trade practices or "computer crime."

In addition, some of the current state anti-spam laws that the act intends to pre-empt go further than the act, either in terms of regulation or in giving causes of action to individuals. The scope of the act's pre-emption is thus not clearly defined at this time. States have enacted both civil and criminal anti-spam laws. Most states' criminal anti-spam laws will not be pre-empted.

Enforcement and Penalties

The enforcement of the act is vested primarily in the FTC and states' Attorneys General. There is a private right of action, but it is limited to Internet service providers. Thus, people who receive spam may not sue Internet service providers.

The penalties associated with the CAN-SPAM Act are significant. Certain fraudulent activities and repeat offenses include the possibility of imprisonment for three to five years. Otherwise, violators of the act are subject to actual damages, statutory damages or fines of $250 per violation, with each unlawful message to each recipient being a separate violation. Statutory damages can go as high as $2 million.

Spammers who comply with the act may lawfully send "legitimate" spam, which will have more candid headers and subject lines.

Under the act, spam must be identified, though there is no uniform label required, like the "ADV" that some state laws demanded. (An "ADV" label identifies an e-mail as advertising in the e-mail header, which would allow users to employ filtering software to block the message.) And bulk e-mail must have a truthful header (address) and subject line.

However, losing the "ADV" label will make it more difficult for anti-spam software to filter spam. Nevertheless, in due course the FTC will require specific e-mail labeling, most likely starting with sexually explicit e-mail.

Most significantly, the CAN-SPAM law will affect the implementation of California's new anti-spam law, which went into effect on Jan. 1, 2004. The California law is an example of a state anti-spam law that is more restrictive than the new federal law. It bans even truthful spam, as long as it was unsolicited (unless it was from a business with which the customer had an existing relationship). The California law makes spammers, and advertisers who employ them, liable.

The Internet is not regulated or controlled by a central authority; thus spammers cannot completely control who gets their mail, nor can they completely control the receipt of "opt-out" requests. The FTC and the courts will therefore have to determine what constitutes substantial (acceptable) compliance with respect to the CAN-SPAM Act, since complete compliance is not technically possible.

It is likely that a spammer who uses an honest address, plus a few other things, such as providing an opt-out feature and giving their physical address, will be found to be in substantial compliance despite engaging in activity that will inevitably result in numerous instances of individuals receiving spam involuntarily. The act will likely be used in conjunction with existing state computer and computer data protection laws.

Currently, Internet service providers use their terms of use agreements and service agreements to stop spammers. The CAN-SPAM Act will likely be used in combination with those agreements, so as to make it easier for ISPs to block spam. The act has a provision for ISPs to sue spammers.

The act penalizes companies whose products or services are knowingly promoted by spam. This provision will likely first be used against providers of penis enlargement and miracle weight loss products.

How to Spam, Legally

If a company intends to send unsolicited e-mails, the following actions should be considered:

· First, the firm should establish a company policy against employees sending unapproved, unsolicited commercial e-mail to others. This policy should be incorporated into the employee manual.

· Second, a firm should review all e-mail marketing campaigns. In particular, such campaigns should employ only e-mail lists of recipients who have consented to receive such mailings.

· Third, a firm should consider reviewing client consent forms. Such reviews should ensure that consent requires an "affirmative action." The use of pre-filled forms may not be acceptable. Also, such reviews should confirm that it is clear to customers of the client's business what they are going to receive via e-mail if they consent to receipt of such e-mails. Without such action, an e-mail recipient might argue that the firm failed to give full disclosure.

· Fourth, you or your firm must keep records of customers' consent or pre-existing business relationships with customers. Such relationships allow sending spam to customers.

Questionable Effectiveness

The CAN-SPAM legislation may be ineffective for several reasons. First, to a large extent, the spam that is received in the United States comes from out of the country.

Bringing international spammers to justice requires cooperation from authorities outside of the United States, which requires additional effort not envisioned by the CAN-SPAM law. International measures may be necessary to truly eradicate fraudulent spam.

Thus, the United States may have to negotiate and execute a substantial number of anti-spam bilateral treaties to require international spammers to adopt the CAN-SPAM standards.

Also, the CAN-SPAM Act may inspire some U.S.-based spammers to move their operations offshore. It should be noted that U.S.-based spammers must move more than merely their operation centers and servers to avoid the jurisdiction of the United States. The courts need look no further than their treatment of offshore Internet gambling to find a basis for jurisdiction of U.S. entities that send spam into the United States from outside the country.

Further, the FTC, which is charged with enforcing the CAN-SPAM Act against spammers within the United States, will not have the resources to enforce the law against all spammers.

It is one thing to sue a large spammer or make an example of an individual spammer, but it is quite another matter to sue all those who do not comply with the CAN-SPAM law. In short, the FTC is not likely to be inclined to sue all individuals or small businesses who engage in spamming.

Finally, the Constitution may limit the implementation of the CAN-SPAM law. In particular, the Do-Not-Spam Registry may be found to violate the First Amendment. There is no First Amendment problem with restricting fraudulent commercial speech, but the courts have not supported unlimited restrictions concerning commercial speech.

The telephone Do-Not-Call Registry has been subject to a similar legal challenge. Currently, its status is still unresolved. Thus, the destiny of an analogous spam registry is similarly an open question.

Technological, Not Legal, Solutions

In light of the aforementioned potential difficulties, the employment of both technological and legal methods must be considered.

Among the technological solutions to be considered in conjunction with the act are those that filter out spam and that help authorities implement the CAN-SPAM law. One way is to change the setting on a company's e-mail server.

In particular, a company should implement a setting that checks whether the origin of incoming e-mail has been faked. Such "spoofing" is a main reason spam goes undetected. In the event a spoof is discovered, the server should not deliver the e-mail and should record it for use by authorities implementing the CAN-SPAM law.

Additionally, companies should implement a "challenge/response" system. These systems allow users to send direct messages only to people who have the sender's e-mail address in their address books. In the event a "challenge/response" system encounters an unexpected address, the system sends back a puzzle/question to which only a human, not an automated spam program, can respond with a solution.

Give the correct response, and the e-mail goes through. Such systems should record "fails" for use by authorities implementing the law.
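The challenge/response flow described above, shown as an added example that is not part of the original article: mail from address-book senders is delivered, mail from anyone else is held until the sender answers a puzzle, and every failure is recorded. The class and method names, the sample addresses and the arithmetic puzzle are assumptions for illustration; the puzzle is a stand-in for one that an automated program cannot solve.

```python
import hmac
import secrets


class ChallengeResponseGate:
    """Holds mail from unknown senders until they answer a puzzle (hypothetical class)."""

    def __init__(self, address_book):
        self.address_book = {a.lower() for a in address_book}
        self.pending = {}    # token -> (sender, message, expected answer)
        self.delivered = []  # (sender, message) released to the inbox
        self.fail_log = []   # (sender, reason) retained for later reporting

    def receive(self, sender, message):
        """Deliver mail from known senders; hold and challenge everyone else."""
        sender = sender.lower()
        if sender in self.address_book:
            self.delivered.append((sender, message))
            return None
        a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
        token = secrets.token_urlsafe(16)  # unguessable handle for the held mail
        self.pending[token] = (sender, message, str(a + b))
        return {"token": token, "puzzle": f"What is {a} + {b}?"}

    def respond(self, token, answer):
        """Release held mail on a correct answer; record every failure."""
        entry = self.pending.pop(token, None)  # single use: no repeated guessing
        if entry is None:
            self.fail_log.append(("unknown", "invalid or reused token"))
            return False
        sender, message, expected = entry
        if not hmac.compare_digest(answer.strip().encode(), expected.encode()):
            self.fail_log.append((sender, "wrong answer"))
            return False
        self.address_book.add(sender)  # later mail from this sender skips the puzzle
        self.delivered.append((sender, message))
        return True


if __name__ == "__main__":
    # Constructed sample addresses and messages.
    gate = ChallengeResponseGate(["alice@example.com"])
    print(gate.receive("alice@example.com", "lunch?"))       # None: delivered
    challenge = gate.receive("bulk@example.net", "BUY NOW")  # held, puzzle issued
    print(gate.respond(challenge["token"], "no idea"), gate.fail_log)
```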