Anti-spam legislation at the federal level is coming, perhaps before the next presidential election. Earlier this year, Senators Conrad Burns (Republican, MT) and Ron Wyden (Democrat, OR) introduced the CAN-SPAM Act of 2003. Thanks in part to the endorsement of the Direct Marketing Association, this bill quickly became the frontrunner and recently won approval in the Senate by a margin of 97 to 0.
Now just a House vote and a presidential signature away from becoming law, the CAN-SPAM Act merits some scrutiny by the online marketing industry to figure out where we might be headed and whether the end of spam is in sight.
Definitions: What Does It All Mean?
Definitions provide insight into the intent of the legislature, but what happens when the definitions themselves leave much to the imagination? Let's explore a few potential problem spots.
1. Affirmative Consent
Up until now, those of us in the online marketing industry have used the terms “permission” or “opt-in” to describe the process by which people join legitimate email lists.
The CAN-SPAM Act defines this process as “Affirmative Consent,” meaning that “the recipient expressly consented to receive the message, either in response to a clear and conspicuous request for such consent or at the recipient's own initiative.”
Taking the latter part of this definition first, “at the recipient's own initiative” likely encompasses the way most people sign up for email newsletters—by filling out a form on the Web.
But what about those tricky forms at online stores that require you to check or uncheck a box to NOT sign up for a newsletter? Does the first part of the definition, “in response to a clear and conspicuous request for such consent,” cover such situations? Unless this definition becomes more specific, expect to see litigation on what constitutes affirmative consent.
An additional component of the Affirmative Consent definition requires those who wish to rent their email lists to third parties to provide “clear and conspicuous notice” to recipients at the time they consent. Companies that wish to play it safe will no longer be able to bury such information in their privacy policy. Instead, they'll have to incorporate such notice into their registration forms.
Then again, maybe not.
This requirement contains a loophole in that it applies only to who sends the email message, not to the content of the message. Thus, as long as the company with consent does the sending, it need not provide notice about third parties even if the email messages it sends contain advertisements from third parties.
Whether by design or not, this loophole is a gift to email publishers whose newsletters often contain third-party advertisements. It also endorses a best practice for non-publishers—don't give up control of your email list.
2. Implied Consent
In addition to affirmative consent, the definitions also provide for “Implied Consent,” which enables companies to send email to people if (1) a business transaction, including free information requested by the recipient, has occurred between sender and recipient within the previous three years; and (2) the recipient has not exercised a “clear and conspicuous” opportunity to opt out of receiving such messages. Merely visiting a Web site does not qualify as a business transaction.
This provision would require online marketers to keep verifiable electronic records for each of their mailings and for all unsubscribe requests. Otherwise, unless online marketers can find a smoking gun on a recipient's hard drive, implied consent litigation will become You Say/I Say battles.
Also, why three years? Many email addresses don't even last that long. One year seems more reasonable and less likely to lead to disputes because of recipient memory lapses.
The Senate should also include a presumption of implied consent when companies keep records in accordance with published regulations.
Why? Because such regulations might ultimately result in rewriting and modernizing the email protocol, which could obviate the need for spam legislation and enforcement. Imagine building a consent component into the email protocol that would work invisibly for the most part.
3. Exceptions
The CAN-SPAM Act wisely excludes business correspondence and intra-office email from the definition of commercial email. It refers to such messages as “transactional or relationship” messages. Thanks to this exception, you get to the question of affirmative or implied consent only if a message is not a transactional or relationship message.
Still, the CAN-SPAM Act does not limit spam to bulk email, which could result in silly lawsuits over email that does not constitute spam as most of the public would define it. For example, suppose you're a Web designer and a friend of yours gives you the email address of a friend looking for someone with your skills. If you email that person, you may not be able to prove implied consent.
The Crime of the Century
The CAN-SPAM Act makes certain types of unsolicited email a crime that can result in a fine or imprisonment of up to five years. The crimes enumerated in the bill take aim at the practices that legitimate businesses and consumers have criticized, including electronically or physically hijacking someone else's computer to send messages, abusing open relays (mail servers that don't require authentication), falsifying header information, and creating email accounts with false identities.
These crimes kick in at relatively low volumes: 101 or more messages within 24 hours, 1,001 or more messages within 30 days, or 10,001 or more messages within one year.
Although the Senate has significantly improved the language describing these crimes since the first iteration of the CAN-SPAM Act, the false header crime has the potential, however slim, to result in unintended consequences. The elements of this crime consist of the following:
- Knowingly falsifying header information…
- In 101 or more email messages/day, 1,001 or more/30 days, or 10,001 or more/year…
- And intentionally “initiating the transmission of such messages.”
The CAN-SPAM Act defines “header information” as “the source, destination, and routing information attached to an electronic mail message, including the originating domain name and originating electronic mail address.”
Clearly, if you spoof the “from” address, you're in trouble. But what about a misleading “subject”?
Technically, an email header includes the subject. While the above legal definition focuses primarily on the identity of the sender, an overzealous prosecutor could make an argument for including the subject—an unsettling thought.
That'll Be $100 Per Email Message Plus Attorney Fees
The CAN-SPAM Act also provides for civil liability, but no private right of action for the average Joe (i.e., no class action lawsuits). However, thanks no doubt to some eleventh-hour lobbying, the bill allows ISPs to pursue spammers in court (earlier versions of the bill did not provide such a right).
In addition, the Federal Trade Commission (FTC) and state governments (through their attorneys general) can file lawsuits.
To stay out of trouble, companies that wish to send unsolicited commercial email must comply with the following guidelines:
- Refrain from using “header information that is materially false or materially misleading.”
- Refrain from using “a subject heading that such person knows would be likely to mislead a recipient, acting reasonably under the circumstances, about a material fact regarding the contents or subject matter of the message.”
- Use a functional return address that recipients can use to unsubscribe (the address must remain functional for 30 days after a message is sent). A legitimate technical problem with a return address is an exception. Instead of or in addition to providing such an address, companies can provide a personalized Web page as long as it contains an option to unsubscribe from everything.
- Refrain from sending a recipient any further email more than 10 business days after the receipt of an unsubscribe request.
- Provide “clear and conspicuous identification that the message is an advertisement or solicitation.” (Those who send pornography must follow a series of more specific identification rules.)
- Provide “clear and conspicuous notice of the opportunity...to decline to receive further unsolicited commercial electronic mail messages.”
- Provide “a valid physical postal address.”
Importantly, the CAN-SPAM Act does not make it per se illegal to use widely criticized techniques such as “address harvesting” or “dictionary attacks,” but those who use such techniques without adhering to the above guidelines face stiffer civil penalties for violations. The same is true for abusing an open relay, but this particular practice could result in a criminal conviction as discussed above.
To prevent unintended consequences, the CAN-SPAM Act also provides a defense, which requires proof of the following:
- The establishment and implementation of “reasonable practices and procedures to effectively prevent violations.”
- “The violation occurred despite good faith efforts to maintain compliance with such practices and procedures.”
With one exception, the remedy awarded by a court for violations can consist of an injunction, actual damages, statutory damages of up to $100 per message with a cap of $1 million ($3 million for a willful violation or the use of address harvesting, dictionary attacks and other frowned-upon practices) and attorney fees. The one exception concerns falsifying header information, which does not have a cap on damages.
The CAN-SPAM Act also lays the groundwork for a national “Do Not Email” list modeled after the FTC's “Do Not Call” list.
Unintended Consequences
As currently written, the CAN-SPAM Act could result in some unintended consequences. Consider this example. You're a marketing manager at Isuzu. You decide to revive the 1980s liar campaign in which Joe Isuzu makes absurd claims about your cars (e.g., “The top speed is 1,000 MPH... downhill in a hurricane.”). Obviously, no one believes these claims—it's just a gag to attract attention.
Suppose you launch a permission email newsletter (i.e., you only send it to people who have signed up on your Web site). You decide to tie the next issue of this newsletter to the liar campaign. The newsletter reprints a Road & Track review of your latest SUV, and also contains a gag review by Joe Isuzu. For the subject of the email newsletter, you write “New Isuzu SUV with Optional Built-In Hot Tub.”
Prior to publication, a car enthusiast signs up to your newsletter using the address of a mailing list to which he and 101 others belong. Because you use a single-opt-in process, once he signs up, these people become subscribers.
One of these unwitting subscribers files a complaint with the FTC. The next thing you know, you're calling Johnnie Cochran, trying not to think about The Shawshank Redemption.
As noted earlier, the criminal portion of the CAN-SPAM Act does not expressly exclude the “subject” from the “header information.” However, the civil portion of the CAN-SPAM Act does treat the subject separately, suggesting that the Senate considers it an entity unto itself. Furthermore, the CAN-SPAM Act's civil defense would apply in the above situation, further lessening the likelihood that the FTC would seek an indictment or a civil penalty.
That said, the powers that be should expressly exclude the subject from the definition of “header information.” The subject is one of the most important components of a legitimate commercial email message. Marketers and publishers that engage in permission email marketing must have the freedom to pen creative subjects without worrying about charges of falsification or being materially misleading.
Can the Can-Spam Act Can Spam?
The CAN-SPAM Act clearly stems from good intentions, but as currently written it may result in some unintended consequences, including an increase in spam (as most would define it) thanks to its guidelines for legally sending unsolicited commercial email. With a little work, the CAN-SPAM Act might begin to do for email what the Telephone Consumer Protection Act did for faxing—save it from becoming more trouble than it's worth.
However, it will merely mark the first meaningful jab at spam rather than the knockout punch needed to bring about a spam-free world.
If Congress really wants to eliminate spam, it should introduce a bill that requires businesses to obtain permission before sending someone bulk commercial email.
Many of my peers in the online marketing industry claim that requiring permission (opting in) would destroy email's commercial potential. I disagree and can personally attest to the fact that permission is good for business. If companies produce outstanding email newsletters and promotional messages, people will subscribe in large numbers—especially in a spam-free world.