Before you cry SPAM, understand what the law classifies as SPAM
Spam laws below.
It's been a long time in coming, and the bill isn't all I hoped it
would be, but as of January 1, 2004, the CAN-SPAM Act of 2003
marshalled US federal law against the grossest form of spam. This gives
us a tool to begin to shut down the spammers and their merchant allies
-- at least some of them. But the law affects all online businesses
that use e-mail in their marketing. Here's how.
CAN-SPAM is an opt-out law. For most purposes, permission of the e-mail
recipient is not required, but if a recipient wants to unsubscribe or
opt-out, you'd better stop sending e-mails or be subject to severe
penalties. In short, CAN-SPAM:
Prohibits fraudulent or deceptive subject lines, headers, return
addresses, etc.
Makes it illegal to send e-mails to e-mail addresses that have been
harvested from websites.
Criminalizes sending sexually-oriented e-mails without clear markings.
Requires that you have a working unsubscribe system that makes it
easy for recipients to unsubscribe or opt out of receiving your e-mails.
Requires most e-mailers to include their postal mailing address in the
message.
Implicates not only spammers, but those who procure their services.
Indeed, if you fail to prevent spammers from promoting your products
and services you can be prosecuted.
Includes both criminal and civil penalties and allows suits by the
Federal Trade Commission (FTC), State Attorneys General, and Internet
Service Providers.
To Whom Does CAN-SPAM Apply?
The CAN-SPAM Act applies to essentially all businesses in the US that
use e-mail. It defines a "commercial electronic mail message" -- which
is regulated by this law -- as any e-mail message "the primary purpose
of which is the commercial advertisement or promotion of a commercial
product or service (including content on an Internet website operated
for a commercial purpose)" (Sec. 3(2)). Nearly any business e-mail
would be covered -- e-mail newsletters as well as standalone
promotional e-mails. That doesn't mean that all your e-mails are spam,
only that the Act governs them. Personal e-mails (and perhaps
non-profit organizations) don't seem to be covered. The Act's
definition of commercial e-mail explicitly excludes "a transactional or
relationship message" (Sec. 3(2)(B)), covering e-mails contacting
customers about their accounts, product upgrades, ongoing services,
etc.
An Opt-Out Approach to Spam
Unlike California's pending anti-spam legislation (which will be
superseded by federal law), the CAN-SPAM Act is an opt-out approach to
spam. California was going to require marketers to prove "direct
consent" of those to whom they e-mail. In contrast, the new federal law
will require businesses to stop sending e-mails to those who request to
be removed from a list. This requires a functioning reply address or
e-mail unsubscribe system that operates for at least 30 days after your
last mass e-mailing (Sec. 5(3)). In addition, you must include your
postal address and a clear indication that the e-mail includes a
solicitation, unless you have "prior affirmative assent" from the
recipient (Sec. 5(a)(5)).
Without having obtained "prior affirmative consent," the pornographer
also must label the subject line clearly to indicate its content. (The
wording of this is to be determined by the FTC.) With express consent
of the recipient, however, subject lines need not be labeled to
indicate sexual content.
Before you give up on permission marketing, however, realize that the
current CAN-SPAM Act is just the beginning, the lowest level of spam
protection that could be pushed through Congress given the various
political special interests. The new legislation directs the FTC to
investigate a "Do-Not-Email" list approach (Section 9). If such a list
is approved, then marketers wouldn't be able to send commercial e-mails
to any e-mail address on the Do-Not-Email list unless they had obtained
express consent.
Compliance Guidelines. Make sure your unsubscribe system works. Better
yet, allow people to select what kinds of messages they wish to receive
from you. That way you may keep some people that would opt-out entirely
if they didn't have a choice.
I still recommend using a confirmed or double opt-in system. It is the
only way you'll be able to prove that people gave express consent to
receive your e-mail. Yes, you may lose 30% of your new subscribers who
never confirm. But they weren't likely to be good customers anyway.
Bite the bullet and institute a confirmed opt-in system so you'll be
ahead of the curve. I fully expect express consent to be required in
the future.
E-Mail Deception Is Now a Crime
One of the most persistent problems with spam is the tricks and deceptions
that prevent spam e-mails from being filtered out and refused by ISPs
and recipients. From now on, fraudsters, hackers, and tricksters can
face jail time. The CAN-SPAM Act (Sections 4(a) and 5(a)) prohibits
such spammer tricks as:
Hijacking another e-mail server to send or relay spam.
Falsifying e-mail headers or e-mail addresses to hide one's identity.
Using someone else's e-mail address in the "from" field.
Registering for e-mail addresses under false identities.
Deceptive subject headings.
These crimes can get you three to five years in the federal slammer
plus confiscation of any real or personal property you've purchased
with your spam earnings. The sentence can get worse if you send to
e-mail addresses obtained through several means, such as:
Harvesting e-mail addresses that appear on websites.
Randomly generating e-mail addresses.
Knowingly linking an e-mail ad to a fraudulently registered domain.
Participating in other offenses such as fraud, identity theft,
obscenity, and child pornography and exploitation.
Compliance Guidelines. Be honest in the way you obtain e-mail
addresses and in your e-mail promotions. Honesty is just good business,
of course, since it shows respect for the customer. Business is all
about meeting customer needs -- not tricking them!
Are Harvested E-Mails Taboo?
It's been pretty common practice for computer robots to crawl webpages
and make a record of ("harvest") any e-mail addresses that appear on
those pages. Under the new Act, using such harvested e-mail addresses
to send e-mails is illegal and can result in aggravated penalties. Does
the law exempt e-mail addresses that were harvested prior to the new
law? I don't think so. The Act states that it is unlawful to send -- or
provide e-mail addresses for an e-mailing -- "if such person had actual
knowledge, or knowledge fairly implied on the basis of objective
circumstances that the electronic mail address of the recipient was
obtained using an automated means from an Internet website..." (Sec.
5(b)(1)). Automated harvesting of e-mail addresses is not in itself
unlawful, but using those harvested addresses to send e-mails is
unlawful -- so long as the e-mailing takes place after the effective
date of the law.
Compliance Guidelines. Be aware that sending e-mails to potential
reciprocal linking partners whose e-mail address is identified by
automatic means would be illegal under the new law. For years, experts
have been recommending a personal approach to possible e-mail linking
partners. Now it's the law.
If you've been sending spam to e-mail addresses you obtained from CDs
of e-mail addresses or that you downloaded from some so-called "opt-in"
or "safe" e-mail address service, you'll be in trouble. You might
counter: "They claimed these e-mail addresses were strictly opt-in" or
"I didn't know." If you can "buy" a list so you have actual possession
of the e-mail addresses, I can almost guarantee you that the list is
neither really opt-in nor safe.
The going rate for one-time rental of legitimate opt-in lists is about
6¢ to 10¢ per name for consumer lists, and 10¢ to 40¢ per name for B2B
lists. If you get a "good deal" on 1 million e-mail addresses for $25,
don't claim that you didn't realize the addresses were probably
obtained illegally. Some Attorney General may argue that any idiot
should have known they must have been illegally obtained. Even if you
were to win, defending yourself against such an accusation could be
very expensive. Sending millions of e-mails to illegally obtained
addresses -- or e-mail addresses from an unknown source -- is now too
risky for all but the most foolhardy marketers.
Who Is Liable?
The law covers both spammers and those who "procure" their services
(Secs. 3(9), 3(12), and 3(16)(A)). You can't just outsource your
spamming and get off the hook. You can be held liable if the e-mail
service you employ isn't actually using a permission-based list. Under
some parts of the law you may be found guilty if you procured an
e-mailing "with actual knowledge, or by consciously avoiding knowing,
whether such person is engaging or will engage, in a pattern or
practice that violates this Act" (Sec. 7(g)(2)).
Compliance Guidelines. You are responsible not only for the legality of
your own e-mail lists, but also the legality of any lists you rent or buy.
If you do business with a shady operator, it could come back to bite
you. You might be able to claim you had "no knowledge" of this or that
they misrepresented the truth, but you might be hard-pressed to prove
otherwise to a judge.
Keep Tabs on Your Affiliates' E-Mailings
If you have affiliates using e-mail marketing to promote your products,
you could be in trouble. The law stipulates that "it is unlawful for a
person to promote, or allow the promotion of, that person's trade or
business ... if that person knows, or should have known in the ordinary
course of that person's trade or business, that the goods ... were
being promoted in such a message ... and took no reasonable action to
prevent the transmission..." (Sec. 6(a)).
Compliance Guidelines. Make sure that you specify clearly in the terms
of your Affiliate Agreement that sending e-mails, except with clear
permission, is prohibited and that breach of this is considered cause
for termination. If you detect that someone is sending spam promoting
your product, the law holds you blameless only if you either (a) take
action to prevent the e-mailing or (b) report it to the FTC (Sec.
6(a)(3)). Seek legal counsel and thoroughly document any action you
take in case you have to defend yourself.
Enforcement
When the CAN-SPAM Act becomes effective it will supersede all State
anti-spam laws. Enforcement of the CAN-SPAM Act of 2003 has drawn
criticism. The Act does not allow e-mail recipients to sue spammers --
only the FTC, State Attorneys General, and Internet Service Providers.
However, statutory damages can be stiff. A State Attorney General can
sue for $250 per illegal e-mail message up to a maximum of $2 million
-- more if the offense includes certain aggravating violations (Sec.
7(f)). Internet Service Providers can sue in federal district court for
$100 per illegal e-mail message up to a maximum of $1 million or more
(Sec. 7(g)(3)).
How easy will the Act be to enforce? That remains to be seen. The
Internet Committee of the National Association of Attorneys General
warned legislators that the Act has so many loopholes, exceptions, and
standards of proof that it won't protect consumers. For example, the
AGs are concerned that they would have to prove not only that a subject
line was deceptive, but that the sender was conscious it was deceptive.
They are also concerned with a somewhat ambiguous definition of
commercial e-mail and feel that the opt-out requirements weren't
realistic.
A Good First Step
Despite the criticism -- much of it on target -- I believe that the
CAN-SPAM Act is a good start. Hopefully, Congress will move swiftly to
close loopholes. They've directed the FTC to consider the possibilities
of awarding those who report infractions 20% or more of the civil
penalties collected.
The Act should induce US marketers who have engaged in spamming to
change their behavior or face prosecution. Even if foreign or offshore
e-mailers continue to bombard US recipients with e-mails, this law
should make it prohibitively risky to promote US products or services.
The Act isn't all we might have wanted. But it is still likely to take
a big bite out of spam -- so to speak.