If you think that the new federal e-mail laws apply only to unsolicited e-mail from internet pornographers and prescription drug peddlers, think again. The new federal law covers everyone from junk and bulk e-mailers to legitimate companies that use e-mail for marketing and other commercial purposes. On December 16, 2003, President Bush signed into law the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (the "CAN-SPAM Act" or "Act"). This advisory describes the main compliance requirements of the Act.

What is the CAN-SPAM Act?

The Act is a federal law that sets out ground rules for commercial e-mail messages sent to recipients in the United States. These rules attempt to reduce the flow of unwanted e-mail by making the senders of such e-mail transparent to, and reachable by, the recipient. This gives the recipient the ability to stop receiving, and the sender the obligation to stop sending, unwanted commercial e-mail messages. The Act also expressly prohibits a number of deceptive and fraudulent practices concerning commercial e-mail and provides criminal liability, fines and statutory damages for violations of the Act.

When is the Act effective?

January 1, 2004.

To whom does the Act apply?

The Act applies to any person, company, or organization ("person") that directly or indirectly (e.g., through a marketing partner, advertising agency or e-mail marketer) uses e-mail for marketing or other commercial purposes.

What types of e-mail messages are governed by the Act?

There are two primary types of e-mail messages that are regulated in the Act: (i) Commercial Electronic Mail Messages ("Commercial E-mail"), and (ii) Transactional or Relationship Messages ("T/R E-mail").

Commercial E-mail is "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose)." The meaning of "primary purpose" is unclear at this stage, and Congress has tasked the Federal Trade Commission ("FTC") with issuing regulations to define that term. However, mere reference to a company or website in an e-mail will not, by itself, cause the e-mail to be Commercial E-mail. Commercial E-mail specifically does not include T/R E-mail.

T/R E-mail is an e-mail message whose "primary purpose" is to:

(i) "facilitate, complete or confirm a commercial transaction that the recipient has previously agreed to enter into with the sender;"

(ii) "provide warranty information, product recall information, or safety or security information with respect to a commercial product or service" used by the recipient;

(iii) to "provide notification concerning a change in the terms or features," "notification of a change in the recipient’s standing or status" or, "at regular periodic intervals, account balance information or other type[s] of account statements" with respect to "an ongoing commercial relationship involving the ongoing purchase or use by the recipient of products or services offered by the sender;"

(iv) "provide information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, participating or enrolled;" or

(v) "to deliver goods or services, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender."

Except where expressly noted below, the requirements of the Act apply only to Commercial E-mail and not T/R E-mail. Finally, the Act does not apply to mobile phone text messaging and other mobile service commercial messages.

What are the general requirements for typical commercial e-mail messages?

1. No false or misleading transmission information. This is the only requirement of the Act that applies to both T/R E-mail and Commercial E-mail. Under this requirement, the source, destination, and routing information attached to an e-mail message, including the originating domain name and originating e-mail address as well as any other information that appears in the line purporting to identify a person sending an e-mail, must not be materially false or materially misleading. In addition, the Act will consider transmission information that is technically correct, but includes originating e-mail or domain name information that was obtained by false or fraudulent pretenses to be materially misleading. Also, transmission information is considered materially false or materially misleading if such information is altered or concealed in such a way that would impair the ability of a recipient of a message to respond to a person who initiated the e-mail.

2. No deceptive subject headings. This requirement applies only to Commercial E-mail. Under this requirement, a person cannot initiate the transmission of a Commercial E-mail if such person knows, or should reasonably know, that the subject heading of the message is likely to mislead a recipient about a material fact regarding the contents or subject matter of the message. If a Commercial E-mail contains sexually oriented material, there is an additional requirement that the subject heading contain appropriate marks or notices (to be determined by the FTC no later than May 2004) identifying the e-mail as containing such material.

3. Recipient opt out. All Commercial E-mails must contain a functioning return e-mail address or other Internet-based mechanism, clearly and conspicuously displayed. This address or mechanism must permit the recipient to submit an electronic request not to receive future Commercial E-mails from the sender at that particular e-mail address. In addition, the opt out mechanism must remain capable of receiving opt out requests for at least 30 days after the original transmission of the Commercial E-mail. The Act permits an opt out mechanism to provide the recipient with a menu of choices regarding which types of e-mail the recipient chooses to receive, as long as one of those choices is a complete opt out from further messages from the sender.

4. No Commercial E-mail to a recipient after opt out. The Act prohibits a sender from initiating the transmission of a Commercial E-mail more than 10 business days after receipt of an opt out request. The Act also prohibits any person acting on behalf of a sender from initiating the transmission of a Commercial E-mail more than 10 business days after receipt of an opt out request, if such person knows or reasonably should know that such Commercial E-mail falls within the scope of an opt out request. Any person who provides or selects e-mail addresses to assist in initiating the transmission of a Commercial E-mail in violation of the requirements of either of the two preceding sentences is in violation of the Act as well, if such person knows or should reasonably know that the Commercial E-mail was sent in violation of those requirements. Once a sender (or any other person that knows of the opt out request) has received an opt out request from a recipient, that sender or other person is prohibited from selling, leasing, exchanging or otherwise transferring or releasing the e-mail address of the recipient for any purpose other than compliance with the Act or other provision of applicable law. An opt out remains in effect indefinitely unless and until a recipient provides a subsequent affirmative consent (discussed more fully below) to receive Commercial E-mails from the sender.

5. Clear and conspicuous identification of an ad or solicitation. Each Commercial E-mail must contain a clear and conspicuous identification that the message is an advertisement or solicitation. This requirement does not apply to Commercial E-mail sent to a recipient who has provided an affirmative consent to receive such Commercial E-mail. The Act does not provide guidance on this identification requirement. Many state e-mail laws do require particular markings. It will take some time to determine whether these state law requirements will survive.

6. Valid Postal Address. Each Commercial E-mail must contain a valid physical postal address for the sender.

7. Special requirements for Commercial E-mail containing sexually oriented material. For Commercial E-mail containing sexually oriented material, the e-mail must comply with all of the requirements set forth above and additional requirements intended to prevent a recipient from being exposed to unwanted sexually oriented material simply by opening the e-mail. These additional requirements do not apply to Commercial E-mails for which the recipient has given prior affirmative consent.

What if the sender has the recipient’s "affirmative consent" to receive Commercial E-mail?

"Affirmative consent" with respect to a Commercial E-mail means that (i) the recipient has "expressly consented to receive the message, either in response to a clear and conspicuous request for such consent or at the recipient’s own initiative;" and (ii) if the Commercial E-mail is from a party other than the party to which the recipient gave such consent, "the recipient was given clear and conspicuous notice at the time the consent was communicated that the recipient’s electronic mail address could be transferred to such other party for the purpose of initiating" Commercial E-mail messages. This definition may render certain commonly used types of "consent" invalid, such as when a person fails to check a box requesting not to receive Commercial E-mail, or a person fails to uncheck a box that requests Commercial E-mail. Companies who send Commercial E-mail will have to keep comprehensive records to be able to demonstrate that they have obtained an affirmative consent in an unambiguous manner.

Receipt of an affirmative consent from an individual has several effects under the Act. If a sender has the affirmative consent of an individual:

(i) the sender is not required to clearly and conspicuously mark a Commercial E-mail as an ad or solicitation;

(ii) affirmative consent can reverse, in whole or in part (depending on the scope of the consent), the effect of an opt out, permitting a sender to once again transmit Commercial E-mails to a recipient; and

(iii) the additional requirements pertaining to Commercial E-mail with sexually oriented material do not apply.

What additional obligations are there for businesses to comply with the Act?

The Act will require businesses to establish policies and procedures to make sure that their e-mails are in compliance. A prudent business will establish safeguards to:

(i) assure that the header information and content of its e-mails are in compliance with the Act;

(ii) maintain and continuously update lists of e-mail addresses that have opted out so that Commercial E-mails are not sent by or on behalf of the business after the 10 business day grace period;

(iii) continuously share with marketing partners, and require marketing partners to share with it, e-mail addresses that have opted out so that Commercial E-mails are not sent by or on behalf of the business after the 10 business day grace period;

(iv) help detect and prevent the transmission of e-mails promoting its business that contain false or misleading header information; and

(v) review existing e-mail marketing programs, privacy notices, terms and conditions and other forms of "consent" that have been used prior to the Act.

Each of these safeguards presents its own complications, but possibly the most difficult obligation will be to comply with the provisions of the Act pertaining to recipients that have opted out, particularly if a business has multiple lines of business or divisions through which it operates.

Can e-mail marketing by one business division affect another division, or the entire business?

Under the Act, if a separate line of business or a separate division of an entity holds itself out throughout an e-mail message as a particular line of business or division, and not as the whole entity, then the "sender" of the message may be the line of business or the division of the entity, and not the entity as a whole. If the e-mail message is clear regarding this point, then an opt out request may only apply to the line of business, and not to the whole entity. Obviously, this issue must be handled carefully to ensure that one business division does not inadvertently preclude e-mail marketing for an entire business. It will be important for businesses to follow a comprehensive approach to opt out compliance so that an opt out request made by a recipient is limited in scope, if that is the business intent.

What is subject to criminal penalties under the Act?

The following activities are subject to fines and/or imprisonment under the Act:

(i) obtaining unauthorized access to a computer and initiating "multiple" Commercial E-mails;

(ii) using a computer to relay or retransmit "multiple" Commercial E-mails with the intent to deceive or mislead as to the origin of the message;

(iii) materially falsifying header information in "multiple" Commercial E-mails and intentionally initiating the transmission of such messages;

(iv) registering, using information that materially falsifies the identity of the actual registrant, for five or more e-mail accounts or online user accounts or two or more domain names, and intentionally initiating the transmission of "multiple" Commercial E-mails from such accounts or domain names; or

(v) falsely representing oneself to be the registrant or the legitimate successor in interest to the registrant of five or more Internet Protocol addresses, and intentionally initiating the transmission of "multiple" Commercial E-mails from such addresses.

Under the Act "multiple" messages means 100 or more messages in a 24-hour period, 1,000 or more messages over 30 days, or more than 10,000 messages in a year. The Act also requires convicted persons under the Act to forfeit any proceeds and property traceable to gross proceeds obtained from the offense as well as any equipment, software and technology used or intended to be used to commit the offense.

Who will enforce the Act?

In general, federal agencies, state attorneys general and Internet Service Providers (ISPs) have a right to enforce certain civil penalties under the Act. There is no private right of action given to individuals. At the federal level, the FTC has the main responsibility for enforcement, with the following exceptions:

(i) financial institutions, banks, savings associations, credit unions and other commercial lending institutions will be subject to the enforcement of: the Office of the Comptroller of the Currency, the Federal Reserve Board, the Federal Deposit Insurance Corporation, the Director of the Office of Thrift Supervision or the Board of the National Credit Union Administration, as applicable;

(ii) investment companies, registered investment advisors, brokers and dealers will be subject to enforcement by the Securities and Exchange Commission;

(iii) air carriers will be subject to enforcement by the Secretary of Transportation;

(iv) any activities subject to the Packers and Stockyards Act of 1921 (7 U.S.C. 181 et seq.) will be subject to enforcement by the Secretary of Agriculture;

(v) federal banks, credit associations or other financial institutions under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) will be subject to enforcement by the Farm Credit Administration; and

(vi) any person subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.) will be subject to enforcement by the Federal Communications Commission.

State attorneys general or other agencies of a state (e.g., the Act specifically mentions state insurance authorities with regard to violations by insurance providers) may bring a civil enforcement action on behalf of the residents of their state. ISPs may also bring a civil enforcement action.

What are the civil penalties for failure to comply with the Act?

Civil penalties for failure to comply with the Act depend upon two things: (i) what party enforces the Act against the violator and (ii) whether any aggravating or mitigating circumstances exist. Failure to comply with the requirements of the Act with regard to Commercial E-mail and/or T/R E-mail (i.e., failure to comply with parts 1–7 discussed above) is considered an unfair or deceptive trade practice under federal law and the FTC can enforce violations of the Act as such. The FTC can use cease-and-desist orders to stop further violations and recover damages from violators, including statutory damages of $11,000 per violation for parties who knowingly violate the Act.

State attorneys general and agencies can also bring actions to enjoin further violations of the Act (discussed in parts 1–7 above) as well as obtain damages equal to the greater of the actual monetary loss suffered by the residents of the state or statutory damages. The statutory damages are $250 for each violation, with a cap of $2,000,000 for all statutory damages except those for violations relating to false or misleading header information. Statutory damages can be tripled for certain aggravated violations. Statutory damages can be mitigated by a showing that (i) the defendant implemented commercially reasonable practices and procedures to effectively prevent such violations or (ii) that the violation occurred despite the defendant’s commercially reasonable efforts to maintain compliance with its preventative practices and procedures. It is important to note that the caps and mitigating factors only apply to statutory damages, not to actual damages suffered by the residents of a state. Also, monetary damages are only recoverable by a state if it shows that the defendant knew or should have reasonably known of the act or omission that constituted a violation of the Act.

Similar to the states, ISPs can also bring actions to enjoin further violations of the Act (discussed in parts 1–7 above) as well as obtain damages equal to the greater of the actual monetary loss suffered by the ISP or statutory damages. The statutory damages are $100 for each e-mail that violates the "no false or misleading transmission information" requirement and $25 for all other violations, with a cap of $1,000,000 for all statutory damages except those for violations of the "no false or misleading header information" requirement. Similar to actions brought by states, statutory damages may be tripled for any of the aggravating circumstances identified in the preceding paragraph. Such damages also may be reduced if the mitigating factors identified in the preceding paragraph apply. The caps and mitigating factors only apply to statutory damages, so the actual damages recoverable by the ISP are uncapped.

What state laws are preempted by the Act?

All state laws that expressly regulate the use of e-mail to send commercial messages are preempted, except to the extent that any such laws prohibit falsity or deception in any portion of commercial e-mail messages or information attached thereto. This preemption acts to sweep the spam laws of more than 35 states under the rug. It is possible, though, that some of the marking requirements and other provisions designed to prevent fraud under state spam laws (e.g., all e-mail advertisements must have "ADV" in the subject line) may survive (at least until the FTC promulgates federal marking requirements) to the extent such requirement makes an e-mail not false or deceptive under state law. Fraud and computer crime laws of a state are specifically not preempted by the Act, as well as any state laws that are not specific to electronic mail.

What is next under the Act?

No later than July of 2004, the FTC must report to Congress about the specifics and feasibility of implementing a national "Do-Not-E-Mail" registry that would be similar to the national "Do-Not Call" list. The FTC must also report to Congress by September of 2004 with recommendations as to how to set up a system for rewarding whistle-blowers who report violations under the Act. By October of 2004, the FCC and FTC must promulgate rules to protect consumers from unwanted mobile service commercial messages. By July of 2005, the FTC must report to Congress with recommendations and a plan for requiring Commercial E-mail to be identifiable from its subject line (e.g., by requiring the use of the characters "ADV" or some such identifier) or an explanation of any concerns that would cause the FTC to recommend against such a plan. By December of 2005, the FTC is to report on the effectiveness and enforcement of the Act and the need, if any, to modify the Act. 

Copyright © 2007, Mayer, Brown, Rowe & Maw LLP and/or Mayer Brown International LLP. This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
