CAN-SPAM Act

Citation: CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act), Pub.L. 108-187, § 1, Dec. 16, 2003, 117 Stat. 2699, codified at 15 U.S.C. §7701 et seq.

Introduction
In 2003, Congress passed a federal anti-spam law, the CAN-SPAM Act, which became effective on January 1, 2004. The Act does not ban spam. Instead, it establishes requirements for those who send commercial e-mail, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask emailers to stop spamming them.

The Act preempts state laws that specifically address spam, but not state laws that are not specific to email, such as trespass, contract, or tort law, or other state laws to the extent they relate to fraud or computer crime.

The Act did not require the Federal Trade Commission (FTC) to create a centralized “Do Not Email” registry similar to the National Do Not Call registry for telemarketing. The law required only that the FTC develop a plan and timetable for establishing such a registry and inform Congress of any concerns it has with regard to establishing it. The FTC submitted a report to Congress on June 15, 2004, concluding that a Do Not Email registry could actually increase spam.

The Act is a federal statute intended to regulate the transmission of unsolicited commercial electronic messages (called “spam”). Under the Act, commercial electronic messages and transactional or relationship messages cannot contain materially false or materially misleading header information.

The law covers e-mail whose primary purpose is advertising or promoting a commercial product or service, including content on a website. A "transactional or relationship message" — e-mail that facilitates an agreed-upon transaction or updates a customer in an existing business relationship — may not contain false or misleading routing information, but otherwise is exempt from most provisions of the Act.

The Federal Trade Commission (FTC) is authorized to enforce the Act. The Act also gives the Department of Justice (DOJ) the authority to enforce its criminal sanctions. Other federal and state agencies can enforce the law against organizations under their jurisdiction, and companies that provide Internet access may sue violators as well.

Proponents of CAN-SPAM have argued that consumers are most irritated by fraudulent email, and that the law should reduce the volume of such email because of the civil and criminal penalties included therein. Opponents counter that consumers object to unsolicited commercial email, and since the law legitimizes commercial email (as long as it conforms with the law’s provisions), consumers actually may receive more, not fewer, UCE messages. Thus, whether or not “spam” is reduced depends in part on whether it is defined as only fraudulent commercial email, or all unsolicited commercial email. Many observers caution that consumers should not expect any law to solve the spam problem — that consumer education and technological advancements also are needed.

Requirements of the Act
The Act includes the following provisions:


 * It bans false or misleading header information. The e-mail's "From," "To," and routing information — including the originating domain name and e-mail address — must be accurate and identify the person who initiated the email.


 * It prohibits deceptive subject lines. The subject line cannot mislead the recipient about the contents or subject matter of the message.


 * It requires that the e-mail give recipients an opt-out method. The sender must provide a functioning return email address or another Internet-based response mechanism that allows a recipient to indicate he or she does not want to receive future e-mail messages from that sender at that e-mail address where the message was received, and the sender must honor the requests. The sender may create a "menu" of choices to allow a recipient to opt out of certain types of messages, but it must include the option to terminate any future commercial messages from the sender. Any opt-out mechanism offered must be able to process opt-out requests for at least 30 days after the commercial e-mail is sent. When a sender receives an opt-out request, it has 10 business days to stop sending e-mail to the requestor's e-mail address unless the recipient later gives affirmative consent to receive the e-mail (i.e., opts back in). The sender cannot help another entity send e-mail to that address, or have another entity send e-mail on the sender's behalf to that address. Finally, it is illegal for a sender to sell or transfer the e-mail addresses of people who choose not to receive its e-mail, even in the form of a mailing list, unless it transfers the addresses so another entity can comply with the law.


 * It requires that commercial e-mail be identified as an advertisement (although the legislation does not state how or where that identification must be made) and include the sender's valid physical postal address. The message must contain clear and conspicuous notice that the message is an advertisement or solicitation and that the recipient can opt out of receiving more commercial e-mail from the sender.


 * It preempts state laws that specifically address spam, but not state laws that are not specific to e-mail, such as trespass, contract, or tort law, or other state laws to the extent they relate to fraud or computer crime.

The Act does NOT:


 * Create a “Do Not Email registry” where consumers can place their e-mail addresses in a centralized database to indicate they do not want commercial e-mail. The law requires only that the FTC develop a plan and timetable for establishing such a registry and to inform Congress of any concerns it has with regard to establishing it. The FTC issued its report to Congress on June 15, 2004. The report concluded that without a technical system to authenticate the origin of e-mail messages, a Do Not Email registry would not reduce the amount of spam, and, in fact, might increase it.


 * Require that consumers “opt-in” before receiving commercial e-mail.


 * Require commercial e-mail to include an identifier such as “ADV” in the subject line to indicate it is an advertisement. The law does require the FTC to report to Congress within 18 months of enactment on a plan for requiring commercial e-mail to be identifiable from its subject line through use of “ADV” or a comparable identifier, or compliance with Internet Engineering Task Force standards, or an explanation of any concerns the FTC has about such a plan.


 * Include a “bounty hunter” provision to financially reward persons who identify a violator and supply information leading to the collection of a civil penalty, although the FTC must submit a report to Congress within nine months of enactment setting forth a system for doing so.

Additional Provisions

 * Some requirements (including the prohibition on deceptive subject headings, and the opt-out requirement) do not apply if the message is a “transactional or relationship message,” which include various types of notifications, such as periodic notifications of account balance or other information regarding a subscription, membership, account, loan or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of products or services offered by the sender; providing information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, participating, or enrolled; or delivering goods or services, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender. The Act allows, but does not require, the FTC to modify that definition.


 * Sexually oriented commercial e-mail must include, in the subject heading, a “warning label” to be prescribed by the FTC (in consultation with the Attorney General), indicating its nature. The warning label does not have to be in the subject line, however, if the message that is initially viewable by the recipient does not contain the sexually oriented material, but only a link to it. In that case, the warning label, and the identifier, opt-out, and physical address required under Section 5(a)(5) of the Act, must be contained in the initially viewable e-mail message as well. Sexually oriented material is defined as any material that depicts sexually explicit conduct, unless the depiction constitutes a small and insignificant part of the whole, the remainder of which is not primarily devoted to sexual matters. These provisions do not apply, however, if the recipient has given prior affirmative consent to receiving such e-mails.


 * Businesses may not knowingly promote themselves with e-mail that has false or misleading transmission information.

Opt-In, Opt-Out, and a “Do Not Email” Registry
Much of the debate on how to stop spam focuses on whether consumers should be given the opportunity to “opt-in” (where prior consent is required) or “opt-out” (where consent is assumed unless the consumer notifies the sender that such e-mails are not desired) of receiving UCE or all commercial e-mail. The CAN-SPAM Act is an “opt-out” law, requiring senders of all commercial e-mail to provide a legitimate opt-out opportunity to recipients.

During debate on the CAN-SPAM Act, several anti-spam groups argued that the legislation should go further, and prohibit commercial e-mail from being sent to recipients unless they opt-in, similar to a policy adopted by the European Union. Eight U.S. groups, including Junkbusters, the Coalition Against Unsolicited Commercial Email (CAUCE), and the Consumer Federation of America, wrote a letter to several Members of Congress expressing their view that the opt-out approach (as in Pub. L. No. 108-187) would “undercut those businesses who respect consumer preferences and give legal protection to those who do not.” Some of the state laws adopted the opt-in approach, including California’s anti-spam law.

The European Union adopted an opt-in requirement for e-mail, which became effective October 31, 2003. Under the EU policy, prior affirmative consent of the recipient must be obtained before sending commercial e-mail unless there is an existing customer relationship. In that case, the sender must provide an opt-out opportunity. The EU directive sets the broad policy, but each member nation must pass its own law as to how to implement it.

As noted, however, Congress chose opt-out instead of opt-in. One method of implementing opt-out is to create a “Do Not Email” registry where consumers could place their names on a centralized list to opt out of all commercial e-mail instead of being required to respond to individual e-mails. The concept is similar to the National Do Not Call registry where consumers can indicate they do not want to receive telemarketing calls. During consideration of the CAN-SPAM Act, then-FTC Chairman Timothy Muris and other FTC officials repeatedly expressed skepticism about the advisability of a Do Not Email registry despite widespread public support for it.

One worry is that the database containing the e-mail addresses of all those who do not want spam would be vulnerable to hacking, or spammers otherwise might be able to use it to obtain the e-mail addresses of individuals who explicitly do not want to receive spam. In an August 19, 2003, speech to the Aspen Institute, Mr. Muris commented that the concept of a Do Not Email registry was interesting, “but it is unclear how we can make it work” because it would not be enforceable. “If it were established, my advice to consumers would be: Don’t waste the time and effort to sign up.”

Following initial Senate passage of S. 877, an unnamed FTC official was quoted by the Washington Post as saying that the FTC’s position on the registry is unchanged, and “Congress would have to change the law” to require the FTC to create it. After the House passed S. 877, Mr. Muris released a statement complimenting Congress on taking a positive step in the fight against spam, but cautioned again that legislation alone will not solve the problem.

Labels
Another approach to restraining spam is requiring that senders of commercial e-mail use a label, such as “ADV,” in the subject line of the message, so the recipient will know before opening an e-mail message that it is an advertisement. That would also make it easier for spam filtering software to identify commercial e-mail and eliminate it. Some propose that adult-oriented spam have a special label, such as ADV-ADLT, to highlight that the e-mail may contain material or links that are inappropriate for children, such as pornography.

The CAN-SPAM Act: (1) requires clear and conspicuous identification that a commercial e-mail is an advertisement, but is not specific about how or where that identification must be made; (2) requires the FTC to prescribe warning labels for sexually-oriented e-mails within 120 days of enactment; and (3) requires the FTC to submit a report within 18 months of enactment setting forth a plan for requiring commercial e-mail to be identifiable from its subject line using ADV or a comparable identifier, or by means of compliance with Internet Engineering Task Force standards. However, the clear and conspicuous identification that a commercial e-mail is an advertisement, and the warning label for sexually-oriented material, are not required if the recipient has given prior affirmative consent to receipt of such messages.

On May 19, 2004, an FTC rule regarding labeling of sexually oriented commercial e-mail went into effect. The rule was adopted by the FTC (5-0) on April 13, 2004. A press release and the text of the rule are available on the FTC’s website. The rule requires that the mark “SEXUALLY-EXPLICIT” be included both in the subject line of any commercial e-mail containing sexually oriented material, and in the body of the message in what the FTC called the “electronic equivalent of a ‘brown paper wrapper.’” The FTC explained that the “brown paper wrapper” is what a recipient initially sees when opening the e-mail, and it may not contain any other information or images except what the FTC prescribes.

The rule also clarifies that the FTC interprets the CAN-SPAM Act provisions to include both visual images and written descriptions of sexually explicit conduct. On July 20, 2005, the FTC announced that it had charged seven companies with violating federal laws requiring these labels. Four of the companies settled with the FTC, which imposed a total of $1.159 million in civil penalties. U.S. District Court suits were filed against the other three companies.

The act also required the FTC to submit a report to Congress on a plan for making commercial e-mail identifiable from its subject line, or to explain what concerns would lead the FTC to recommend against such a plan. That report was submitted in June 2005. It concluded that requiring UCE senders to use a prefix such as ADV probably would not result in less spam.


“Experience with subject line labeling requirements in the states and in other countries does not support the notion that such requirements are an effective means of reducing spam.... Indeed, spam filters widely available at little or no cost ... more effectively empower consumers to set individualized email preferences to reduce unwanted UCE from both spammers and legitimate marketers. Mandatory subject line labeling, by comparison, would be an imprecise tool ... that, at best, might make it easier to segregate labeled UCE from unlabeled UCE.... [I]t is extremely unlikely that outlaw spammers would comply with a requirement to label the email messages they send. By contrast, legitimate marketers likely would comply.... As a result ... labeled UCE messages sent by law-abiding senders would be filtered out. Meanwhile, unlabeled UCE messages sent by outlaw spammers would still reach consumers’ in-boxes.” (Italics in original.)

Penalties
Each violation of the above provisions is subject to fines of up to $11,000. Deceptive commercial e-mail also is subject to laws banning false or misleading advertising. Additional fines are provided for commercial e-mailers who not only violate the rules described above, but also:


 * "harvest" e-mail addresses from websites or web services that have published a notice prohibiting the transfer of e-mail addresses for the purpose of sending e-mail


 * Generate e-mail addresses using a "dictionary attack" – combining names, letters, or numbers into multiple permutations


 * Use scripts or other automated ways to register for multiple e-mail or user accounts to send commercial e-mail


 * Relay e-mails through a computer or network without permission — for example, by taking advantage of open relays or open proxies without authorization.

The law allows the DOJ to seek criminal penalties, including a fine, imprisonment of up to three or five years (depending on the offense), or both, for commercial e-mailers who do — or conspire to — any of the following:


 * Use another computer without authorization and send commercial e-mail from or through it


 * Use a computer to relay or retransmit multiple commercial e-mail messages to deceive or mislead recipients or an Internet access service about the origin of the message


 * Falsify header information in multiple e-mail messages and initiate the transmission of such messages


 * Register for multiple e-mail accounts or domain names using information that falsifies the identity of the actual registrant


 * Falsely represent themselves as owners of multiple Internet Protocol addresses that are used to send commercial e-mail messages.

Support and Criticism
Many argue that technical approaches, such as authentication, and consumer education, are needed to solve the spam problem — that legislation alone is insufficient. Nonetheless, there is considerable interest in assessing how effective the CAN-SPAM Act is in reducing spam. The effectiveness of the law may be difficult to determine, however, if for no other reason than there are various definitions of spam. Proponents of the law argue that consumers are most irritated by fraudulent e-mail, and that the law should reduce the volume of such e-mail because of the civil and criminal penalties included therein. Skeptics counter that consumers object to unsolicited commercial e-mail, and since the bill legitimizes commercial e-mail (as long as it conforms with the law’s provisions), consumers actually may receive more, not fewer, unsolicited commercial e-mail messages. Thus, whether “spam” is reduced depends in part on how it is defined.

Federal Communications Commission
The law required the FCC, in consultation with the FTC, to promulgate rules within 270 days of enactment to protect consumers from unwanted “mobile service commercial messages” (MSCMs). That term is defined in the law as a commercial e-mail message “that is transmitted directly to a wireless device that is utilized by a subscriber of commercial mobile service” as defined in the 1934 Communications Act.

The FCC announced a Notice of Proposed Rulemaking on March 11, 2004. During the comment period, several wireless carriers and the CTIA urged that they be exempted from the requirement to obtain express prior authorization before sending commercial messages to their customers if the customers are not charged for them, arguing that those are carrier-customer relationship issues and are protected by the First Amendment. CTIA reportedly agreed with the FCC’s preliminary interpretation that the CAN-SPAM Act applies only to messages sent to an e-mail address consisting of two parts, a unique user name or mailbox and a reference to an Internet domain (e.g., janedoe@wirelesscarrier.com), and therefore should not apply to SMS, short code or other text messages sent using other address formats.

The FCC adopted the new rules on August 4, 2004; they were released on August 12, 2004. Most went into effect on October 18, 2004, although several that deal with information collection requirements must obtain approval of the Office of Management and Budget. The FCC took the following actions:
 * Prohibited sending wireless commercial e-mail messages unless the individual addressee has given the sender express prior authorization (“opt-in”), which may be given orally or in writing, including electronically. Requests for such authorization may not be sent to a wireless subscriber’s wireless device because of the potential costs to the subscriber for receiving, accessing, reviewing and discarding such e-mail. Authorization provided to a particular sender does not entitle that sender to send wireless commercial e-mail messages on behalf of third parties, including affiliated entities and marketing partners. The request for authorization must contain specified information, such as the fact that the recipient may be charged by their wireless service provider for receiving the message, and subscribers may revoke their authorization at any time. These rules do not apply to —
 * messages that are forwarded by a subscriber to his or her own wireless device (although they do apply to any person who receives consideration or inducement to forward the message to someone else’s wireless device), or


 * phone-to-phone SMS messages if they are not autodialed (Internet-to-phone SMS messages are covered by the rules since they involve a domain name address).

The FCC also announced that it would create a publicly available FCC wireless domain names list with the domain names used for mobile service messaging so that senders of commercial mail can determine which addresses are directed at mobile services, and —


 * Prohibited sending any commercial message to addresses that have been on the list for at least 30 days, or at any time prior to 30 days if the sender otherwise knows that the message is addressed to a wireless device, and


 * Required all wireless service providers to supply the FCC with the names of all Internet domains on which they offer mobile service messaging services.


 * Determined that all autodialed calls, including SMS, are already covered by the TCPA.


 * Interpreted the definition of wireless commercial e-mail message to include any commercial message sent to an e-mail address provided by a wireless service provider (formally called a “commercial mobile radio service,” or CMRS) specifically for delivery to the subscriber’s wireless device.


 * Provided guidance on the definition of “commercial,” but noted that the Federal Trade Commission is ultimately responsible for determining the criteria for “commercial” and “transactional or relationship” messages.

As noted, some wireless service providers sought an exemption from the requirement to obtain express prior authorization for them to communicate with their own subscribers, as long as the subscribers did not incur additional costs. The FCC did not grant such an exemption, in part because it concluded that the existing exemption in the CAN-SPAM Act for transactional or relationship messages is sufficient to cover many types of communication needed between a provider and a subscriber. Furthermore, the Commission concluded that the CAN-SPAM Act required it to protect consumers from unwanted commercial messages, not only those that involve additional costs.

June 2004 Report
The FTC reported to Congress in June 2004 that without a technical system to authenticate the origin of e-mail messages, a Do Not Email registry would not reduce the amount of spam, and, in fact, might increase it. The report stated that “spammers would most likely use a Registry as a mechanism for verifying the validity of e-mail addresses and, without authentication, the Commission would be largely powerless to identify those responsible for misusing the Registry. Moreover, a Registry-type solution to spam would raise serious security, privacy, and enforcement difficulties.” The report added that protecting children from “the Internet’s most dangerous users, including pedophiles,” would be difficult if the Registry identified accounts used by children in order to assist legitimate marketers from sending inappropriate messages to them.

The FTC described several registry models that had been suggested, and computer security techniques that some claimed would eliminate or alleviate security and privacy risks. The FTC stated that it carefully examined those techniques — a centralized scrubbing of marketers’ distribution lists, converting addresses to one-way hashes (a cryptographic approach), and seeding the Registry with “canary” e-mail addresses — to determine if they could effectively control the risks “and has concluded that none of them would be effective.”
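The following toy model, added here as an illustration and not part of the FTC report or the Act, shows why the report found the three techniques insufficient: an unkeyed one-way hash of a guessable address can be recomputed by anyone holding the registry file, a keyed scrubbing service still reveals the opted-out addresses as the difference between what a marketer submits and what comes back, and seeded canary addresses only detect misuse after mail has already been sent. All addresses, senders and the delivery log are constructed sample data.

```python
import hashlib
import hmac
import secrets


def normalize(addr: str) -> str:
    """Canonical form so the same mailbox always produces the same hash."""
    return addr.strip().lower()


def address_hash(addr: str) -> str:
    """Unkeyed one-way hash: anyone who can guess the address can recompute it."""
    return hashlib.sha256(normalize(addr).encode()).hexdigest()


class HashedRegistry:
    """Registry holding only SHA-256 hashes of opted-out addresses plus seeded canaries."""

    def __init__(self, opted_out, canaries):
        self.hashes = {address_hash(a) for a in opted_out} | {address_hash(c) for c in canaries}
        self.canaries = {normalize(c) for c in canaries}

    def scrub(self, marketer_list):
        """Centralized scrubbing: return the addresses a marketer may still mail."""
        return [a for a in marketer_list if address_hash(a) not in self.hashes]


def offline_membership_check(registry, guesses):
    """The validity-oracle risk the report names: with an unkeyed hash, anyone holding
    the registry file learns offline which guessed addresses are live, opted-out mailboxes."""
    return [g for g in guesses if address_hash(g) in registry.hashes]


class KeyedScrubService:
    """Variant keyed with HMAC under a server-side secret: no offline testing is possible."""

    def __init__(self, opted_out):
        self.key = secrets.token_bytes(32)
        self.hashes = {self._tag(a) for a in opted_out}

    def _tag(self, addr):
        return hmac.new(self.key, normalize(addr).encode(), "sha256").hexdigest()

    def scrub(self, marketer_list):
        return [a for a in marketer_list if self._tag(a) not in self.hashes]


def leaked_by_scrubbing(submitted, returned):
    """Even the keyed service leaks: whatever scrubbing removed is, by definition,
    a confirmed opted-out address, so the service itself is the oracle."""
    return sorted(set(submitted) - set(returned))


def canary_hits(registry, delivery_log):
    """Detection after the fact: any delivery to a canary proves the list was misused.
    delivery_log is a list of (sender, recipient) pairs."""
    return sorted({sender for sender, rcpt in delivery_log if normalize(rcpt) in registry.canaries})


def demo():
    """Run the three scenarios on constructed sample data and return the results."""
    opted_out = ["alice@example.com", "Bob@Example.org"]
    canaries = ["canary-7f3a@registry-example.net"]          # constructed canary address
    registry = HashedRegistry(opted_out, canaries)

    # 1. Unkeyed hashes: guessed addresses are confirmed offline.
    guesses = ["alice@example.com", "bob@example.org", "carol@example.com"]
    found = offline_membership_check(registry, guesses)

    # 2. Keyed scrubbing: the removed entries are exactly the opted-out addresses.
    service = KeyedScrubService(opted_out)
    submitted = ["alice@example.com", "carol@example.com", "dave@example.net"]
    allowed = service.scrub(submitted)
    leaked = leaked_by_scrubbing(submitted, allowed)

    # 3. Canaries: misuse is visible only once a canary actually receives mail.
    log = [("spammer.example", "canary-7f3a@registry-example.net"),
           ("shop.example", "carol@example.com")]            # constructed delivery log
    hits = canary_hits(registry, log)
    return found, allowed, leaked, hits


if __name__ == "__main__":
    print(demo())
```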

The FTC concluded that a necessary prerequisite for a Do Not Email registry is an authentication system that prevents the origin of e-mail messages from being falsified, and proposed a program to encourage the adoption by industry of an authentication standard. If a single standard does not emerge from the private sector after a sufficient period of time, the FTC report said the Commission would initiate a process to determine if a federally mandated standard is required. If the government mandates a standard, the FTC would then consider studying whether an authentication system, coupled with enforcement or other mechanisms, had substantially reduced the amount of spam. If not, the Commission would then reconsider whether or not a Do Not Email registry is needed.

On August 1, 2005, the FTC issued a press release summarizing the results of testing it had conducted to determine if online retailers were honoring opt-out requests. The FTC found that 89% of the merchants it tested did, in fact, stop sending e-mails when requested to do so.

Additionally, the CAN-SPAM Act included a provision requiring the FCC to establish regulations to protect wireless consumers from spam.

December 2005 Report
In December 2005, the FTC submitted a report to Congress, as required under the CAN-SPAM Act, on the Act’s effectiveness and enforcement, and whether any changes are needed. Based on information from ISPs, the general public, e-marketers, law enforcers, and technologists, the report concluded that the Act has been effective in two areas: legitimate online marketers have adopted the “best practices” mandated by the Act, and the Act provides an additional tool for law enforcement officials and ISPs to bring suits against spammers. However, it also concluded that some aspects of the spam problem have not changed, such as its international dimension. It also reported on a number of “troubling” changes in the e-mail landscape, such as the inclusion of malicious content (“malware”) in spam messages. The report outlined three steps to further improve the effectiveness of the Act: passage of legislation to improve the FTC’s ability to trace spammers and sellers who operate outside U.S. borders; continued consumer education; and continued improvement in anti-spam technologies, especially domain-level authentication.

December 2007 Report
In December 2007, the FTC issued a staff report titled "Spam Summit: The Next Generation of Threats and Solutions." The Report described findings from the Commission's July 2007 workshop and proposed follow-up actions that stakeholders could adopt to mitigate the harmful effects of malicious spam and phishing. The report also provided an overview of the agency’s decade-long role in protecting consumers from the threats of fraudulent spam and phishing. The report also announced results from its staff’s 2007 Harvesting and Filtering Study, which suggested that ISPs' spam filters continue to serve an integral role in reducing the amount of spam that reaches consumers’ in-boxes.

FTC Enforcement Actions
Since 1997 the FTC has pursued an aggressive anti-spam program through law enforcement actions, consumer and business education efforts, research that has informed spam policy, public workshops and by spurring the development of industry-driven technology.

Since the implementation of the CAN-SPAM Act, the Commission has brought nearly thirty law enforcement actions focusing on the core protections that the CAN-SPAM Act provides to consumers: opt-out mechanisms that function; message headers that are non-deceptive; and protections against sexually explicit spam. Eighty percent of the Commission’s spam cases have alleged violations of the opt-out requirement, and more than 50 percent have alleged that email headers were deceptive. For example, in Jumpstart Technologies, the Commission alleged that the subject lines of the defendant’s emails falsely indicated that a recipient's friend was sending free tickets, and many people who tried to opt out of the promotion continued to receive similar e-mails for weeks afterward. Under the settlement agreement, the defendant paid a $900,000 civil penalty for violating the CAN-SPAM Act, the largest penalty yet for illegal spam.

In 2007, the Commission pursued another company, Adteractive, that used deceptive subject lines in spam to market purportedly “free” products to consumers. In Adteractive, the Commission alleged that the companies violated the CAN-SPAM Act by using deceptive subject lines, and violated the FTC Act by failing to clearly and conspicuously disclose that, in many instances, consumers must spend money or incur other obligations to obtain “free” items.

In addition, some of the FTC's recent cases have highlighted various techniques used by spammers to mask their identities, including the use of botnets. For instance, in FTC v. Dugger, the Commission alleged that the defendants relayed sexually explicit commercial emails through other people’s home computers without their knowledge or consent in violation of the CAN-SPAM Act. The settlement with the defendants required them to relinquish their ill-gotten gains and bars them from violating CAN-SPAM and the Adult Labeling Rule. The settlement also requires that before the defendants use a third party’s computer to send spam, they must obtain authorization from the computer’s owner and inform the owner how the computer will be used.

The Commission’s law enforcement cases also address the increasingly global nature of spam. In October 2007, the Commission brought FTC v. Spear Systems, Inc., its first case using tools under the U.S. SAFE WEB Act of 2006 (“SAFE WEB”), to stop spammers operating domestically and from Canada and Australia. The Commission alleged that the defendants violated the CAN-SPAM Act by initiating commercial emails that contained false “from” addresses and deceptive subject lines, and failed to provide an opt-out link or physical postal address. In Spear Systems, the Commission’s authority under SAFE WEB enabled staff to advance the case by obtaining key information from Canadian and Australian authorities.