United States: The CAN-SPAM Act: Time to Take a Look at Your E-Mail Policies

Mention the term "spam" to anyone these days and the response is likely to be very negative, possibly hostile. Spam is a nuisance suffered by millions of Americans every day. Last year, the federal government addressed the issue of spam by enacting the Controlling the Assault of Non-Solicited Pornography and Marketing Act, better known as the CAN-SPAM Act. The CAN-SPAM Act alters the playing field for any business or organization that routinely uses e-mail to communicate. Unlike the federal Do Not Call List, CAN-SPAM applies to all individuals, businesses, associations, and nonprofit organizations.

The Federal Trade Commission (the "FTC") recently issued new rules that provide guidance on how businesses can comply with the CAN-SPAM Act. The rules go into effect this spring.

The CAN-SPAM Act governs how companies communicate with existing customers and with potential customers, and it creates one national standard of spam regulation. The law, which became effective on January 1, 2004, covers e-mail whose primary purpose is advertising or promoting a commercial product or service. At its most basic level, the CAN-SPAM Act makes it legal to send unsolicited commercial e-mail so long as the sender has been accurately identified and the recipient has been provided with an opportunity to "opt out" of receiving future e-mails.

The Act defines a "commercial electronic mail message" as any e-mail message whose "primary purpose * * * is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose)." But the Act left important questions as to what qualifies as commercial e-mail and what "primary purpose" actually means. One of the most difficult aspects of CAN-SPAM compliance has been determining whether an e-mail is "commercial." On December 16, 2004, the FTC issued new rules designed to help e-mail senders categorize their messages and determine which CAN-SPAM requirements apply, particularly in the case of so-called dual-purpose messages, which have both commercial and noncommercial content. These new rules will take effect on March 28, 2005.

The process of determining whether an e-mail has the primary purpose of advertising or promoting a commercial product or service is an important task for compliance purposes. When reviewing your company's e-mail policies for compliance with the CAN-SPAM Act, the first step is to determine whether your company's e-mail is a commercial message or a "transactional or relationship message." Transactional or relationship messages, by definition, are not "commercial" messages.

If an e-mail consists exclusively of a commercial advertisement or promotion of a commercial product or service, then its primary purpose is obviously commercial. Such a message is subject to all the restrictions imposed by the CAN-SPAM Act.

Transactional and relationship messages, on the other hand, are exempt from most of the Act's provisions. (One provision that still applies, however, is that such e-mails cannot contain false or misleading routing information.) A transactional or relationship message facilitates an agreed-upon transaction or updates a customer in an existing business relationship. For example, providing confirmation of a purchase, shipping information, membership or account status, or anything relating to an employment relationship qualifies as transactional.

When an e-mail contains both commercial and transactional or relationship content, the analysis is a little more challenging. A dual-purpose e-mail is considered commercial if a recipient reasonably interpreting the subject line would be likely to conclude that the message contains commercial content. It is also considered commercial if the transactional or relationship content does not appear at the beginning of the body of the e-mail message. The transactional or relationship content that appears at the beginning of the message must be something recognizable as transactional or relationship content, such as account balance information.

For e-mails that contain both commercial and noncommercial content that is not transactional or relationship-related, the primary purpose is deemed commercial if a recipient reasonably interpreting the subject line or body of the message would be likely to conclude that the primary purpose is commercial. According to the new FTC rules, the sender should apply a "net impression" test to evaluate the message in its totality and look to the impression that the entire message makes on a reasonable recipient.

Key factors relevant to the "net impression" evaluation of dual-purpose e-mail include the placement of commercial content in whole or substantial part at the beginning of the body of the message, the ratio of commercial to noncommercial content in the message, and the ways that color, graphics, type size, and style are used to highlight commercial content. The FTC has noted that nothing in its rules or guidelines prohibits senders from formulating e-mails in ways that result in a net impression that is not commercial.

If your company's e-mail messages fall into the commercial category, do not despair. For most businesses, adhering to the new regulations is likely to be a simple matter. Companies can still send unsolicited bulk e-mails, even commercial ones, without violating the CAN-SPAM Act. Taking the following practical steps will help ensure that your e-mail messages comply with the Act:

• Send all e-mails from a legitimate, active e-mail address. If a recipient replies to an e-mail, that reply should go to an in-box that is monitored.

• Provide accurate header information. An e-mail's "From" and "To" fields, and the routing information that includes the originating domain name and e-mail address, must be accurate and identify the person who initiated the e-mail.

• Ensure that e-mails have accurate subject lines. A subject line must not mislead recipients about the contents or subject matter of the message. The CAN-SPAM Act does not require that "ADV:" or "Advertisement" be included in the subject line.

• Identify commercial e-mails as advertisements. Your message should contain a clear and conspicuous notice in the body of the e-mail that the message is an advertisement or solicitation and that the recipient can opt out of receiving more commercial e-mail from you.

• Provide recipients with a way to opt out of receiving future e-mails. You must provide a return e-mail address or a link to a Web site that allows recipients to unsubscribe from future e-mail messages, and you must honor the requests. You may create a "menu" of choices to allow recipients to select the types of messages they do not wish to receive, but you must include the option to end all commercial messages from the sender. The body of the message must also contain a valid physical postal address where recipients can mail requests to not receive future e-mail messages.

• When recipients opt out of future e-mails, respect their wishes. Once you receive an opt-out request from a consumer, you have ten days to remove the name from your mailing list(s).

The CAN-SPAM Act empowers a number of federal agencies, including the FTC, to bring enforcement actions under the Act. In addition, states and Internet access service providers may, with certain exceptions, sue violators of the Act. The Act does not provide for a general private cause of action for persons that receive commercial e-mail messages. Although the CAN-SPAM Act preempts most of the state anti-spam laws, state provisions addressing falsity and deception remain in place.

As an example of potential federal agency remedies, the FTC may seek injunctive relief and/or penalties for a violation of the CAN-SPAM Act. States and Internet service access providers may seek injunctions and may recover from violators of the Act either (a) the actual money loss suffered by residents of the state or users of the Internet access service, or (b) statutory damages.

Statutory damages are calculated by multiplying the number of violations by up to $250 (or, in the case of Internet service access providers, by up to $100). Each separately addressed unlawful e-mail message received by a consumer (or, in the case of Internet access service providers, each message transferred or attempted to be transferred over the facilities of the provider) is considered a separate violation, so statutory damages can mount rapidly.

Statutory damages are generally capped at $2,000,000 for actions brought by government agencies and $1,000,000 for actions brought by Internet access service providers. In extreme circumstances, however, a court may allow for the total fine to be tripled.

While it remains lawful to use e-mail, even unsolicited e-mail, to advertise a commercial product or service, the CAN-SPAM Act sets forth certain affirmative steps that companies and organizations must take to lawfully send commercial e-mail messages. The FTC's rulemaking has clarified the key CAN-SPAM criteria for determining whether an e-mail is commercial and should be applied to your organization's e-mail communications to ensure compliance with the CAN-SPAM Act. By reviewing your current e-mail policies, your organization can continue to effectively communicate with your customers via e-mail without running afoul of CAN-SPAM regulations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.