With the January 1, 2004, implementation of the Act formally known as the "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003" (known simply as the "CAN-SPAM Act"), a federal law comes into play that addresses unsolicited email and marketing. The CAN-SPAM Act provides federal legislation where only a patchwork of sometimes inconsistent and in some cases, ineffectual state laws previously existed.
A vivid example of how the Act will be applied occurred recently when an employee of America Online ("AOL") was charged with violating the Act. The employee, an engineer, was alleged to have sold 93 million email names to a promoter of an internet gambling website. The promoter was also charged. The defendants face significant fines and possible incarceration.
As noted in the Senate Report, the purposes of the Act are to (i) prohibit senders of email for primarily commercial advertisement or promotional purposes from deceiving the intended recipients or Internet service providers (ISPs) as to the source or subject matter of the email messages; (ii) require email senders to give the recipient the opportunity to decline additional commercial email and the senders to honor any such requests; (iii) require senders of unsolicited commercial email (“UCE”) to include a valid physical address in the email and clearly identifying the message as an advertisement or solicitation and (iv) prohibit businesses from knowing promoting trade or business through email transmitted with false or misleading sender or routing information. In its report, the Senate reviewed the fact that email communications are sometime utilized to trick an internet user into downloading viruses, spyware or other malicious code.
The Senate noted that spam in general imposes significant costs on ISPs, consumers and businesses, referencing a European Union study that found that spam cost internet subscribers $9.4 billion worldwide. Spam traffic has grown yearly and today accounts for over 46 percent of all email traffic. The Act would increase costs to senders of commercial email but those costs were deemed to be relatively low. In its Regulatory Impact Statement, the Senate claims that CAN-SPAM legislation would provide some measure of protection of individuals against fraudulent behavior by senders of commercial email. It would also provide a mechanism for recipients to opt out of future transmissions. The opt-out mechanism together with the requirement of truthful header information would provide recipients with an additional level of privacy.
With the laudable purposes and reasoning stated and the target identified, what does the CAN-SPAM Act do or purport to do. And how does accomplish the tasks set forth (or not)? The Act addresses the issue through criminal prosecutions (as in the AOL matter noted above) and through the imposition of civil liability. The criminal liability component of the Act is found at Section 4. That section provides it is a misdemeanor for intentionally sending commercial mail with falsified information concerning the source or transmission of the message. The penalty for sending such UCE is a fine, imprisonment up to 1 year or both. It is also important to note that criminal liability can be imposed in circumstances where a hacker has correct header information and a correct email address but when he obtained access to the email address through false or fraudulent pretense or representations.
Civil liability is found at Section 5 of the CAN-SPAM Act. Section 5 identifies violations that would be deemed unfair or deceptive acts or practices (but not criminal conduct) enforceable by the Federal Trade Commission (“FTC”) or other federal agencies. Falsified transmission information is prohibited under Section 5(a)(1). The intent of this section is to eliminate the use of inaccurate originating email addresses that conceal the identities of the senders. Section 5(a) (2) prohibits the knowing use of deceptive subject headings. This does not mean that minor typographical errors or truly accidental labeling are subject to liability. However, a subject heading that was likely to mislead a reasonable recipient regarding an important component of the heading is subject to liability. Section 5(a) (3) of the Act requires a functioning return email address which must be functioning for at least 30 days from the date of the original email. While accidental outages should not subject the sender to liability, this defense is not available to a large volume sender who establishes a return email address with limited technical capacity.
The CAN-SPAM Act also requires a sender to cease transmission of UCE to the recipient within 10 business days of the request to cease transmission. This provision applies not only to the send but also to any person acting on behalf of a sender. Also, anyone acting on behalf of a sender cannot avoid liability by consciously avoiding knowledge that a recipient requested that such messages cease. The Senate noted that the intent of this requirement is to ensure that those who provide email marketing services will be responsible for making a good faith inquiry of the senders (customers) to determine when email should cease as a result of request by the recipient. Section 5 (a) also requires that UCE contain clear and conspicuous identification that the email is an advertisement or solicitation.
While the provisions of Section 5(a) deal with the simpler of the issues addressed, Section 5(b) deals with conduct that would constitute aggravated violations of the Act. Section 5(b) (1) deals with address harvesting. It is an aggravated violation to send unlawful UCE to a recipient whose address was obtained using an automatic address gathering program or process. Section 5(b)(2) makes it an aggravated violation for ISP or other email service subscribers to use an automated means to register for multiple email accounts from which to send unlawful UCE.
For violations (other than false header information) Section 5(b) provides a defense for a person charged with a violation by showing it had adopted reasonable practices and procedures to prevent violations and has made good faith efforts to comply with the CAN-SPAM Act.
Section 6 of the Act provides that it is unlawful for anyone to promote his business with false or misleading information subject to the Federal Trade Commission ("FTC") Act penalty and remedies. This would subject such businesses to enforcement whether the spammer itself could be identified or not. In addition, this section prohibits any person from promoting or knowingly permitting the promotion of that person’s trade or business in a commercial email that violates Section 5 if certain prerequisites are established. To be liable for a violation under Section 6(a), the business must be shown to: (a) know or should have known that it is being promoted by falsified spam; (b) is receiving or expects to receive an economic benefit from the promotion and (c) is taking no reasonable precautions to prevent such spam or to detect and report it to the FTC.
However liability under Section 6 is limited so as not to extend to website hosts, landlord, equipment lessors or other third parties that may provide goods or services unwittingly to a falsely promoted business. These persons are protected from an FTC enforcement action unless they are shown to own or control the promoted businesses or actually know about the falsified spam and financially benefit from it.
It is important to note that enforcement of the CAN-SPAM Act is delegated to certain federal agencies. Primarily, enforcement is delegated to the FTC. There are some exceptions related to other federal agencies that may be charged with the oversight of certain specific types of businesses such as Office of the Comptroller of the Currency in the case of national banks and the like. In addition, the enforcement provision does not seek to impede State attorneys general from bringing an action on behalf of aggrieved citizens. A private right of action is granted to ISPs who are adversely affected by violations of portions of Section 5 of the Act. Nonetheless. the difficulty with the CAN-SPAM Act hinges upon the enforcement mechanism. It fails to give a private right of action to recipients and therefore, relies upon federal agencies in the first instance and State attorneys general in the second (and ISPs only if they are adversely affected by certain conduct). Thus, the vitality of the CAN-SPAM Act will ultimately depend upon the active enforcement of the Act by these agencies and state officers.
In addition, the Act specifically preempts State laws addressing this issue. While the laws were of a varying degrees of effectiveness, they are specifically exempted by Section 8 of the Act. It appears that suits by individual litigants (albeit with limited success) may proceed under any state statutes. It is not clear whether individual suits under different theories may proceed.
In sum, the Act appears to be a positive step to address a very difficult problem. The establishment of a "Do Not Email" list as envisioned by the Act is likewise very constructive. In the end, the Act's effectiveness will be measured directly by its aggressive enforcement by federal agencies and state officials.