Can SPAM Act
- Can Spam Act
- - FCC
- - Do Not Email
- - Labels
- - Proceedings
- - Primary Purpose
- - Safe Web Act
- ID Theft
- Worms & Bots
- First Amendment
- Congressional Email
The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial email, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask emailers to stop spamming them.
The law, which took effect January 1, 2004, covers Email that has the primary purpose of advertising or promoting a commercial product or service, including content on a Web site. A "transactional or relationship message" – Email that facilitates an agreed-upon transaction or updates a customer in an existing business relationship – may not contain false or misleading routing information, but otherwise is exempt from most provisions of the CAN-SPAM Act.
The Federal Trade Commission (FTC) is authorized to enforce the CAN-SPAM Act. CAN-SPAM also gives the Department of Justice (DOJ) the authority to enforce its criminal sanctions. Other federal and state agencies can enforce the law against organizations under their jurisdiction, and companies that provide Internet access may sue violators, as well.
What the Law Requires
It bans false or misleading header information. Your Email's "From," "To," and routing information – including the originating domain name and Email address – must be accurate and identify the person who initiated the Email. 15 U.S.C. §§ 7704(a)(1), 7704(a)(1)(C).
- ZOOBUH, INC. v. BETTER BROADCASTING, LLC, Dist. Court, D. Utah 2013 ("where an email contains a generic "from" name and is sent from a privacy-protected domain name, such that the recipient cannot identify the sender from the "from" name or the publicly available WHOIS information, such is "materially misleading" and is a violation of 15 U.S.C. § 7704(a)(1)(C).")
- Tagged, Inc. v. Does 1 through 10, No. C 09-01713 WHA, 2010 WL 370331 (N.D. Cal. Jan 25, 2010) (the emails failed to identify that they came from the defendant)
- Facebook v. Wallace, No. C 09-798 JF (RS), 2009 WL 3617789 (N.D. Cal. Oct. 29, 2009) (the emails did not accurately identify any party)
- Power Ventures, 844 F. Supp. 2d at 1034-35 (the emails contained inaccurate sender names)
- Balsam v. Trancos, 138 Cal. Rptr, 3d 108. (Cal. Ct. App. 2012) (Proxy Domain Name Services: "where the domain names in the emails did not represent a real company and could not be readily traced back to the sender, through available public databases such as WHOIS, such constituted falsification or misrepresentation for purposes of the statute. " Id. at 122-23. As to privately registered domain names, the Court held "where, as in this case, the commercial e-mailer intentionally uses privately registered domain names in its headers that neither disclose the true sender's identity on their face nor permit the recipient to readily identify the sender . . . such header information is deceptive and does constitute a falsification or misrepresentation of the sender's identity,")
- Fraudulent Pretenses 15 U.S.C. §§ 7704(a)(1)(A)
- ZOOBUH, INC. v. BETTER BROADCASTING, LLC, Dist. Court, D. Utah 2013 (finding domain names were registered with fraudulent pretenses because domains were intended to be used to send out spam, in violation of domain registration agreement and accompanying terms or service)
It prohibits deceptive subject lines. The subject line cannot mislead the recipient about the contents or subject matter of the message.
It requires that your Email give recipients an opt-out method. You must provide a return Email address or another Internet-based response mechanism that allows a recipient to ask you not to send future Email messages to that Email address, and you must honor the requests. You may create a "menu" of choices to allow a recipient to opt out of certain types of messages, but you must include the option to end any commercial messages from the sender. 15 USC § 7704(a)(5).
- The notice bust be clear and conspicuous: In a commercial communication through an electronic medium "clear and conspicuous" is defined as follows: the "disclosure must be unavoidable . . . [and] [a]ny visual message shall be of a size and shade, with a degree of contrast to the background against which it appears, and shall appear on the screen for a duration and in a location sufficiently noticeable for an ordinary consumer to read and comprehend it." F.T.C. v. Affiliate Strategies, Inc., No. 5:09-CV-04104-JAR-KGS, 2011 WL 3300097, *2 (D. Kan.Aug. 1, 2011).
- ZOOBUH, INC. v. BETTER BROADCASTING, LLC, Dist. Court, D. Utah 2013 (Required Notice provided through remotely hosted images, which is blocked by most email applications consistent with US CERT recommendations, would not likely be viewed by recipient and therefore do not provide required clear and conspicuous required notice and would violate 15 U.S.C. § 7704(a)(5))
Any opt-out mechanism must be able to process opt-out requests for at least 30 days after you send your commercial Email. When you receive an opt-out request, the law gives you 10 business days to stop sending Email to the requestor's Email address. You cannot help another entity send Email to that address, or have another entity send Email on your behalf to that address. Finally, it's illegal for you to sell or transfer the Email addresses of people who choose not to receive your Email, even in the form of a mailing list, unless you transfer the addresses so another entity can comply with the law.
- It requires that commercial Email be identified as an advertisement and include the sender's valid physical postal address. Your message must contain clear and conspicuous notice that the message is an advertisement or solicitation and that the recipient can opt out of receiving more commercial Email from you. It also must include your valid physical postal address.
Each violation of the above provisions is subject to fines of up to $11,000. Deceptive commercial Email also is subject to laws banning false or misleading advertising. Additional fines are provided for commercial emailers who not only violate the rules described above, but also:
- "harvest" Email addresses from Web sites or Web services that have published a notice prohibiting the transfer of Email addresses for the purpose of sending Email [CFAA Harvesting]
- generate Email addresses using a "dictionary attack" – combining names, letters, or numbers into multiple permutations
- use scripts or other automated ways to register for multiple Email or user accounts to send commercial Email
- relay emails through a computer or network without permission – for example, by taking advantage of open relays or open proxies without authorization.
- The law allows the DOJ to seek criminal penalties, including imprisonment, for commercial emailers who do – or conspire to:
use another computer without authorization and send commercial email from or through it
- use a computer to relay or retransmit multiple commercial email messages to deceive or mislead recipients or an Internet access service about the origin of the message
- falsify header information in multiple email messages and initiate the transmission of such messages
- register for multiple email accounts or domain names using information that falsifies the identity of the actual registrant
- falsely represent themselves as owners of multiple Internet Protocol addresses that are used to send commercial email messages
The FTC will issue additional rules under the CAN-SPAM Act involving the required labeling of sexually explicit commercial email and the criteria for determining "the primary purpose" of a commercial email. Look for the rule covering the labeling of sexually explicit material in April 2004; "the primary purpose" rulemaking will be complete by the end of 2004. The Act also instructs the FTC to report to Congress in summer 2004 on a National Do Not E-Mail Registry, and issue reports in the next two years on the labeling of all commercial email, the creation of a "bounty system" to promote enforcement of the law, and the effectiveness and enforcement of the CAN-SPAM Act.
See the FTC Web site at www.ftc.gov/spam for updates on implementation of the CAN-SPAM Act.
The FTC maintains a consumer complaint database of violations of the laws that the FTC enforces. Consumers can submit complaints online at www.ftc.gov and forward unwanted commercial email to the FTC at email@example.com.
Your Opportunity to Comment
The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Each year, the Ombudsman evaluates the conduct of these activities and rates each agency's responsiveness to small businesses. Small businesses can comment to the Ombudsman without fear of reprisal. To comment, call toll-free 1-888-REG-FAIR (1-888-734-3247) or go to www.sba.gov/ombudsman.
For More Information
The FTC works for the consumer to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint or to get free information on consumer issues, visit www.ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
See Next: Enforcement