In the most recent round of our “Founders Series,” we examined the rapidly evolving legal and policy landscape affecting privacy and data security. Continuing our look at relevant statutes, we now examine the first federal legislation in the United States that concerns unsolicited commercial email: the “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003” or the “CAN-SPAM Act.”
The CAN-SPAM Act
The CAN-SPAM Act requires unsolicited commercial email messages to be labeled (though not by a standard method) and to include opt-out instructions, as well as the sender’s physical address. It also prohibits the use of deceptive subject lines and false headers in such messages.
Under the law, the Federal Trade Commission (FTC) is authorized (but not required) to establish a “do-not-email” registry. Also, quite significantly, state laws that require labels on unsolicited commercial email or prohibit such messages entirely are pre-empted, although provisions merely addressing falsity and deception remain in place.
The bulk of the requirements of the CAN-SPAM Act apply only to “commercial electronic mail messages,” defined as: “emails the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose).” Significantly, the legislation does not prohibit the transmission of most types of commercial email. It does, however, establish rules that will apply to entities that send commercial email messages.
Based upon the requirements of the CAN-SPAM Act, we offer the following recommendations to companies that wish to send commercial messages.
1. Do not engage in any fraudulent or deceptive activity when transmitting commercial email.
The CAN-SPAM Act prohibits a variety of fraudulent activity committed in connection with email. For instance, the legislation prohibits the falsification of header information in multiple commercial emails. Likewise, the law also prohibits the use of a protected computer to relay or retransmit multiple commercial emails, with the intent to deceive or mislead recipients, or any Internet access server, as to the origin of such messages.
Penalties for violating the law’s provisions regarding fraudulent activity are rather severe and can include fines, as well as imprisonment. In addition, when contracting with any third parties to send commercial emails on their behalf, companies should ensure that all such third parties are contractually bound to comply with the requirements of the CAN-SPAM Act and all other applicable legislation.
2. Implement a system for opting-out, and honor opt-out requests.
The CAN-SPAM Act mandates the inclusion of a clear and conspicuous notice of the recipient’s right to “opt-out” from receiving future commercial emails. It also requires the inclusion of either an automated feature or an email address that a recipient may use to request not to receive any future commercial emails from the sender.
Pursuant to the legislation, companies that receive opt-out requests must honor such requests and must cease the transmission of commercial emails to individuals who have opted-out within 10 business days of the sender’s receipt of the opt-out request.
3. Comply with all applicable labeling requirements.
In addition to including language regarding the individual’s right to opt-out of future transmissions of commercial emails, the CAN-SPAM Act mandates the inclusion of the following information on all commercial emails:
- A legitimate return email and physical postal address;
- A clear and conspicuous notice that the message is an advertisement or solicitation; and
- Clear notice in the subject heading if messages include pornographic or sexual content.

As such, all companies should review all of the commercial emails they plan to send and ensure that each commercial email contains the foregoing information.
4. Be cautious when compiling mailing lists.
The CAN-SPAM Act also prohibits the harvesting of email addresses, including acquiring email addresses through Internet chat rooms, blogs and other sources without the permission of the website or its members/users. Accordingly, companies should be cautious about the methods used to collect email addresses. Of course, as discussed above, all companies must also ensure that they do not send commercial emails to anyone who has opted-out of receiving such emails.
Further, if obtaining email addresses from a list broker, it is very important to seek and obtain adequate warranties and indemnities regarding the data included in the lists from the list broker(s). For instance, it is important to receive adequate assurances that the data included in the purchased lists has not been compiled through harvesting and/or pursuant to a privacy policy stating that the user’s information may not be shared with third parties or similar restrictions.
We will continue our look at the Anti-SPAM Act in an upcoming post that examines instances where these recommendations are not applicable. Look for it!