UNSOLICITED COMMERCIAL ELECTRONIC MAIL
STATUS
On December 16, 2003, President
Bush signed into law the "Controlling the Assault of
Non-Solicited Pornography and Marketing (CAN-SPAM) Act of
2003," (P.L. 108-187), the first bill aimed at the regulation
of unsolicited commercial electronic mail (e-mail).
On December 16, 2004, the
Federal Trade Commission approved the regulations explaining
what constitutes a "commercial" e-mail.
LAW
The CAN-SPAM Act creates an unfair and deceptive trade
practice act under the Federal Trade Commission’s (FTC)
jurisdiction for the sending of "commercial" e-mails. While
much of the rhetoric before passage referenced "consumers,"
the law references "recipients" of e-mail and therefore
regulates business to business e-mails as well as business to
consumer e-mails.
First, any commercial e-mail,
as well as transactional or relationship e-mails, sent to a
protected computer (basically any computer used in interstate
commerce) must not include misleading or false header
information and must not include deceptive or misleading
subject headings.
A commercial electronic mail
message is defined as any electronic mail message the primary
purpose of which is the commercial advertisement or promotion
of a commercial product or service (including content on an
Internet website operated for a commercial purpose). It does
not include transactional or relationship e-mails as will be
described later.
If you transmit any commercial
e-mail message the message must:
(1) provide
a clear and conspicuous identification that the message is an
advertisement or solicitation;
(2) provide
a clear and conspicuous notice of the opportunity to decline
to receive further commercial e-mail messages from the sender;
and,
(3) provide
a valid physical postal address of the sender.
If the recipient has given
prior affirmative consent, the sender does not have to comply
with the first condition, that is, you do not have to provide
a clear and conspicuous identification that the message is an
advertisement or solicitation.
The term "affirmative
consent," when used with respect to a commercial e-mail
message, means that the recipient expressly consented to
receive the message, either in response to a clear and
conspicuous request for such consent or at the recipient's own
initiative; and if the message is from a party other than the
party to which the recipient communicated such consent, the
recipient was given clear and conspicuous notice at the time
the consent was communicated that the recipient's e-mail
address could be transferred to such other parties for the
purpose of initiating commercial e-mail messages.
With respect to the "opt out"
mechanism, the commercial e-mail must contain a functioning
return e-mail address or other Internet-based mechanism that a
recipient may use to submit a request not to receive future
commercial e-mail from the sender. The e-mail address or
mechanism provided must be capable of receiving messages for
no less than 30 days after the transmission of the original
message. After a recipient transmits to the sender a request
not to receive future commercial e-mail messages, it is
unlawful for the sender to further transmit commercial e-mail
to the recipient more than 10 business days after receiving
such request.
The conditions noted above do
not apply if the e-mail is a transactional or relationship
message. The term "transactional or relationship message"
means an e-mail message the primary purpose of which is:
(1) to
facilitate, complete, or confirm a commercial transaction that
the recipient has previously agreed to enter into with the
sender;
(2) to
provide warranty information, product recall information, or
safety or security information with respect to a commercial
product or service used or purchased by the recipient;
(3) to
provide notification concerning a change in the terms or
features of; notification of a change in the recipient's
standing or status with respect to; at regular periodic
intervals, account balance information or other type of
account statement with respect to, a subscription, membership,
account, loan, or comparable ongoing commercial relationship
involving the ongoing purchase or use by the recipient of
products or services offered by the sender;
(4) to
provide information directly related to an employment
relationship or related benefit plan in which the recipient is
currently involved, participating, or enrolled;
(5) to
deliver goods or services, including product updates or
upgrades, that the recipient is entitled to receive under the
terms of a transaction that the recipient has previously
agreed to enter into with the sender.
FTC REGULATIONS ON COMMERCIAL E-MAIL
According to the FTC rules, in
applying the term “commercial electronic mail message” defined
in the CAN-SPAM Act, the “primary purpose” of an electronic
mail message shall be deemed to be commercial based on the
criteria below:
(1) If an electronic mail message consists exclusively of the
commercial advertisement or promotion of a commercial product
or service, then the “primary purpose” of the message shall be
deemed to be commercial.
(2) If an electronic mail message contains both the commercial
advertisement or promotion of a commercial product or service
as well as transactional or relationship content as set forth
in these rules, then the “primary purpose” of the message
shall be deemed to be commercial if: (i) A recipient
reasonably interpreting the subject line of the electronic
mail message would likely conclude that the message contains
the commercial advertisement or promotion of a commercial
product or service; or (ii) The electronic mail message’s
"transactional or relationship content" as set forth by these
rules does not appear, in whole or in substantial part, at the
beginning of the body of the message.
(3) If an electronic mail message contains both the commercial
advertisement or promotion of a commercial product or service
as well as other content that is not transactional or
relationship content as set forth by these rules, then the
“primary purpose” of the message shall be deemed to be
commercial if: (i) A recipient reasonably interpreting the
subject line of the electronic mail message would likely
conclude that the message contains the commercial
advertisement or promotion of a commercial product or service;
or (ii) A recipient reasonably interpreting the body of the
message would likely conclude that the primary purpose of the
message is the commercial advertisement or promotion of a
commercial product or service. Factors illustrative of those
relevant to this interpretation include the placement of
content that is the commercial advertisement or promotion of a
commercial product or service, in whole or in substantial
part, at the beginning of the body of the message; the
proportion of the message dedicated to such content; and how
color, graphics, type size, and style are used to highlight
commercial content.
In applying the term
“transactional or relationship message” defined in the
CAN-SPAM Act, the “primary purpose” of an electronic mail message
shall be deemed to be transactional or relationship if the
electronic mail message consists exclusively of transactional
or relationship content.
For the various aspects of
these rules, "Transactional or relationship content" of e-mail
messages under the CAN-SPAM Act is content:
(1) To facilitate, complete, or confirm a commercial
transaction that the recipient has previously agreed to enter
into with the sender;
(2) To provide warranty information, product recall
information, or safety or security information with respect to
a commercial product or service used or purchased by the
recipient;
(3) With respect to a subscription, membership, account, loan,
or comparable ongoing commercial relationship involving the
ongoing purchase or use by the recipient of products or
services offered by the sender, to provide: (i) Notification
concerning a change in the terms or features; (ii)
Notification of a change in the recipient's standing or
status; or (iii) At regular periodic intervals, account
balance information or other type of account statement;
(4) To provide information directly related to an employment
relationship or related benefit plan in which the recipient is
currently involved, participating, or enrolled; or
(5) To deliver goods or services, including product updates or
upgrades, that the recipient is entitled to receive under the
terms of a transaction that the recipient has previously
agreed to enter into with the sender.
For further discussion of some
of the terms, the preamble in the FTC’s Federal Register
notice of the final rules may be helpful.
ENFORCEMENT
The FTC has the primary
responsibility for enforcing this aspect of the bill.
Basically, violations will be treated as unfair or deceptive
acts or practices under the Federal Trade Commission Act.
Also, it is no excuse that the e-mails were sent out by some
other entity or provider on your behalf.
For any violation of the
provisions discussed above, an aggravated violation is
committed if the transmission involved e-mail addresses that
were "harvested" using an automated means from an Internet
website or proprietary online service, or if the address of
the recipient was obtained using an automated means that
generates possible e-mail addresses by combining names,
letters, or numbers into numerous permutations. Additionally,
the Act requires that messages containing sexually oriented
material include warning labels as to the content of the
message.
State Attorneys General also
have authority to bring civil actions for violations of
certain provisions in the Act. Actions may be brought to
recover actual monetary damages suffered by the residents of
the state or statutory damages. The state must serve prior
written notice of any action upon the FTC or other appropriate
agency. The FTC (or other agency with jurisdiction over the
entities in question) may intervene in the action, and upon
intervention, be heard on all matters involving the action,
remove the action to the appropriate United States District
Court, and file petitions for appeal. State Attorneys General
may not bring a civil action against a particular defendant if
the FTC (or another agency) has instituted a civil or
administrative action against the same defendant.
Internet service providers
(ISPs) are also allowed to bring civil actions for certain
violations to enjoin further violation, or to recover
damages. The Act does not provide for actions by private
individuals.
Generally, the Act preempts any
state law that "expressly regulates the use of e-mail to send
commercial messages." State laws that prohibit falsity or
deception in any portion of commercial e-mail messages are not
preempted. Also excluded from preemption are state laws that
are not specific to e-mail, including trespass, contract, or
tort law; or other state laws that relate to acts of fraud or
computer crime.
The
CAN-SPAM Act also amends Title 18 of the United States Code to
add a new section entitled "Fraud and related activity in
connection with electronic mail." Under this new section it
is unlawful for a person to knowingly:
(1) access a protected
computer without authorization, and intentionally initiate the
transmission of multiple commercial e-mail messages from or
through such computer;
(2) use a protected computer
to relay or retransmit multiple commercial e-mail messages,
with the intent to deceive or mislead recipients, or any
Internet access service, as to the origin of such messages;
(3) materially falsify header
information in multiple commercial e-mail messages and
intentionally initiate the transmission of such messages;
(4) register, using
information that materially falsifies the identity of the
actual registrant, for five or more e-mail accounts or online
user accounts or two or more domain names, and intentionally
initiate the transmission of multiple commercial e-mail
messages from any combination of such accounts or domain
names;
(5) falsely represent oneself
to be the registrant or the legitimate successor in interest
to the registrant of five or more Internet Protocol (IP)
addresses, and intentionally initiate the transmission of
multiple commercial e-mail messages from such addresses.
Criminal penalties for
violations range from one to five years' imprisonment, a fine,
or both. A term of imprisonment of up to five years may be
imposed if "(A) the offense is committed in furtherance of any
felony under the laws of the United States or of any State; or
(B) the defendant has previously been convicted under this
law, or under the law of any State for conduct involving the
transmission of multiple commercial e-mail messages or
unauthorized access to a computer system." A three-year term
may be imposed if the offense is an offense under subsection
(1) as noted above; an offense under subsection (4) as noted
above and involved 20 or more falsified e-mail or online user
account registrations, or 10 or more falsified domain name
registrations; the volume of e-mail messages transmitted in
furtherance of the offense exceeded 2,500 during any 24-hour
period, 25,000 during any 30-day period, or 250,000 during any
1-year period; the offense caused loss to one or more persons
aggregating $5,000 or more in value during any 1-year period;
as a result of the offense any individual committing the
offense obtained anything of value aggregating $5,000 or more
during any 1-year period; or the offense was undertaken by the
defendant in concert with three or more other persons with
respect to whom the defendant occupied a position of organizer
or leader. A term of imprisonment of up to one year may be
imposed in any other case. Persons convicted of an offense
under the new section will also be ordered to forfeit to the
United States any property, real or personal, constituting or
traceable to gross proceeds obtained from the offense; and any
equipment, software, or other technology used or intended to
be used to commit or to facilitate the commission of the
offense.
E-MAIL REGISTRY
The CAN-SPAM Act did not create
a do-not-e-mail registry similar to the FTC's do-not-call
registry. However, the Act does direct the FTC to transmit to
the Senate Commerce and House Energy and Commerce Committees a
report that:
(1) sets forth a plan and a
timetable for establishing a nationwide marketing
Do-Not-E-Mail registry;
(2) includes an explanation of
any practical, technical, security, privacy, enforceability,
or other concerns that the Commission has regarding such a
registry;
(3) includes an explanation of
how the registry would be applied with respect to children
with e-mail accounts.
The report must be transmitted
within six months of the date of enactment of the Act. The
Act also gives the Commission the authority to establish and
implement the plan set forth in the report. Such
implementation could take place no earlier than nine months
after the date of enactment of the Act.
The Act directs the FTC to
submit three additional reports. The first, to be submitted
to the Senate Commerce and House Energy and Commerce
Committees within nine months after the date of enactment,
must set forth a system for rewarding those who supply
information about violations of the Act, including procedures
for the Commission to grant rewards to the first person that
identifies a violator and supplies information that leads to
the successful collection of a civil penalty by the
Commission. The report must also include procedures to
minimize the burden of submitting a complaint to the
Commission concerning violations of the Act, including
procedures to allow for electronic submission. A second
report, to be submitted within 18 months after the date of
enactment of the Act, must set forth a plan for requiring
commercial e-mail to be "identifiable from its subject line,
by means of compliance with Internet Engineering Task Force
Standards, the use of the characters 'ADV' in the subject
line, or other comparable identifier, or an explanation of any
concerns the Commission has that cause the Commission to
recommend against the plan." The final report, to be
submitted no later than 24 months after the date of enactment,
shall provide "a detailed analysis of the effectiveness and
enforcement of the provisions of the Act and the need (if any)
for the Congress to modify such provisions."
The Act also directs the
Federal Communications Commission (FCC) to promulgate
regulations, within 270 days of the enactment of the Act, to
protect consumers from unwanted mobile service commercial
messages.
FTC REPORT
The FTC issued its first report
on P.L. 108-187 to Congress on June 15, 2004. The report
concluded that without a technical system to authenticate the
origin of e-mail messages, a Do Not Email registry would not
reduce the amount of spam, and, in fact, might increase it.
The FTC report stated that
"spammers would most likely use a Registry as a mechanism for
verifying the validity of e-mail addresses and, without
authentication, the Commission would be largely powerless to
identify those responsible for misusing the Registry.
Moreover, a Registry-type solution to spam would raise
serious security, privacy, and enforcement difficulties." The
FTC described several registry models that had been suggested,
and computer security techniques that some claimed would
eliminate or alleviate security and privacy risks. The FTC
stated that it carefully examined those techniques — a
centralized scrubbing of marketers' distribution lists,
converting addresses to one-way hashes (a cryptographic
approach), and seeding the Registry with "canary" e-mail
addresses — to determine if they could effectively control the
risks "and has concluded that none of them would be
effective."
The FTC concluded that a
necessary prerequisite for a Do-Not-Email registry is an
authentication system that prevents the origin of e-mail
messages from being falsified, and proposed a program to
encourage the adoption by industry of an authentication
standard. If a single standard does not emerge from the
private sector after a sufficient period of time, the FTC
report said the Commission would initiate a process to
determine if a federally mandated standard is required. If
the government mandates a standard, the FTC would then
consider studying whether an authentication system, coupled
with enforcement or other mechanisms, had substantially
reduced the amount of spam. If not, the Commission would then
reconsider whether or not a Do-Not-Email registry is needed.
OUTLOOK
The fact that this law might
cover business to business e-mails was not well publicized
before passage.