CAN-SPAM Act

Citation: CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) (P.L. 108-187).

Introduction
In 2003, Congress passed a federal anti-spam law, the CAN-SPAM Act (P.L. 108-187), which became effective on January 1, 2004. The Act establishes requirements for those who send commercial e-mail, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask emailers to stop spamming them. The law covers e-mail whose primary purpose is advertising or promoting a commercial product or service, including content on a website. A "transactional or relationship message" – e-mail that facilitates an agreed-upon transaction or updates a customer in an existing business relationship – may not contain false or misleading routing information, but otherwise is exempt from most provisions of the Act. The Federal Trade Commission (FTC) is authorized to enforce the Act. The Act also gives the Department of Justice (DOJ) the authority to enforce its criminal sanctions. Other federal and state agencies can enforce the law against organizations under their jurisdiction, and companies that provide Internet access may sue violators as well.

Requirements of the Act
The Act includes the following provisions:
 * It bans false or misleading header information. The e-mail's "From," "To," and routing information – including the originating domain name and e-mail address – must be accurate and identify the person who initiated the email.
 * It prohibits deceptive subject lines. The subject line cannot mislead the recipient about the contents or subject matter of the message.
 * It requires that the e-mail give recipients an opt-out method. The sender must provide a return e-mail address or another Internet-based response mechanism that allows a recipient to ask the sender not to send future e-mail messages to that e-mail address, and the sender must honor the requests. The sender may create a "menu" of choices to allow a recipient to opt out of certain types of messages, but it must include the option to terminate any future commercial messages from the sender. Any opt-out mechanism offered must be able to process opt-out requests for at least 30 days after the commercial e-mail is sent. When a sender receives an opt-out request, it has 10 business days to stop sending e-mail to the requestor's e-mail address. The sender cannot help another entity send e-mail to that address, or have another entity send e-mail on the sender's behalf to that address. Finally, it is illegal for a sender to sell or transfer the e-mail addresses of people who choose not to receive its e-mail, even in the form of a mailing list, unless it transfers the addresses so another entity can comply with the law.
 * It preempts state laws that specifically address spam but not state laws that are not specific to e-mail, such as trespass, contract, or tort law, or other state laws to the extent they relate to fraud or computer crime.
 * It requires that commercial e-mail be identified as an advertisement and include the sender's valid physical postal address. The message must contain clear and conspicuous notice that the message is an advertisement or solicitation and that the recipient can opt out of receiving more commercial e-mail from the sender. It also must include the sender's valid physical postal address.

The Act does not ban unsolicited commercial e-mail. Rather, it allows marketers to send commercial e-mail as long as it conforms with the law, such as including a legitimate opportunity for consumers to “opt-out” of receiving future commercial e-mails from that sender. The Act does not require a centralized “do not e-mail” registry to be created by the Federal Trade Commission (FTC), similar to the National Do Not Call registry for telemarketing. The law requires only that the FTC develop a plan and timetable for establishing a “do not e-mail” registry and inform Congress of any concerns it has with regard to establishing it.

Penalties
Each violation of the above provisions is subject to fines of up to $11,000. Deceptive commercial e-mail also is subject to laws banning false or misleading advertising. Additional fines are provided for commercial e-mailers who not only violate the rules described above, but also:

 * "Harvest" e-mail addresses from websites or web services that have published a notice prohibiting the transfer of e-mail addresses for the purpose of sending e-mail
 * Generate e-mail addresses using a "dictionary attack" – combining names, letters, or numbers into multiple permutations
 * Use scripts or other automated ways to register for multiple e-mail or user accounts to send commercial e-mail
 * Relay e-mails through a computer or network without permission – for example, by taking advantage of open relays or open proxies without authorization.

The law allows the DOJ to seek criminal penalties, including imprisonment, for commercial e-mailers who do, or conspire to do, any of the following:

 * Use another computer without authorization and send commercial e-mail from or through it
 * Use a computer to relay or retransmit multiple commercial e-mail messages to deceive or mislead recipients or an Internet access service about the origin of the message
 * Falsify header information in multiple e-mail messages and initiate the transmission of such messages
 * Register for multiple e-mail accounts or domain names using information that falsifies the identity of the actual registrant
 * Falsely represent themselves as owners of multiple Internet Protocol addresses that are used to send commercial e-mail messages.

Support and Criticism
Many argue that technical approaches, such as authentication, and consumer education, are needed to solve the spam problem — that legislation alone is insufficient. Nonetheless, there is considerable interest in assessing how effective the CAN-SPAM Act is in reducing spam. The effectiveness of the law may be difficult to determine, however, if for no other reason than there are various definitions of spam. Proponents of the law argue that consumers are most irritated by fraudulent e-mail, and that the law should reduce the volume of such e-mail because of the civil and criminal penalties included therein. Skeptics counter that consumers object to unsolicited commercial e-mail, and since the bill legitimizes commercial e-mail (as long as it conforms with the law’s provisions), consumers actually may receive more, not fewer, unsolicited commercial e-mail messages. Thus, whether “spam” is reduced depends in part on how it is defined.

FTC Reports
The FTC reported to Congress in June 2004 that without a technical system to authenticate the origin of e-mail messages, a Do Not Email registry would not reduce the amount of spam, and, in fact, might increase it. Authentication, a technical approach that could be used to control spam, is under study by a number of groups, including Internet service providers (ISPs), which are attempting to develop a single authentication standard for the industry. Additionally, the CAN-SPAM Act included a provision requiring the FCC to establish regulations to protect wireless consumers from spam.

In December 2005, the FTC submitted a report to Congress, as required under the CAN-SPAM Act, on the Act’s effectiveness and enforcement, and whether any changes are needed. Based on information from ISPs, the general public, e-marketers, law enforcers, and technologists, the report concluded that the Act has been effective in two areas: legitimate online marketers have adopted the “best practices” mandated by the Act, and the Act provides an additional tool for law enforcement officials and ISPs to bring suits against spammers. However, it also concluded that some aspects of the spam problem have not changed, such as its international dimension. It also reported on a number of “troubling” changes in the e-mail landscape, such as the inclusion of malicious content (“malware”) in spam messages. The report outlined three steps to further improve the effectiveness of the Act: passage of legislation to improve the FTC’s ability to trace spammers and sellers who operate outside U.S. borders; continued consumer education; and continued improvement in anti-spam technologies, especially domain-level authentication.