United States: Anti-Spam Laws: Navigating the Web of Compliance

As almost everyone with an e-mail account knows, the volume of unsolicited commercial e-mail ("UCE," more commonly referred to as "junk e-mail" or "spam") transmitted through the Internet has increased dramatically over the last two years. Analysts estimate that more than 261 billion junk e-mail messages were received by Internet users in 2002 - an 86 percent increase over the number of messages received the previous year.¹ This explosion in spam creates tremendous burdens for recipients, Internet service providers (ISPs), corporate e-mail administrators, and Internet security technicians. In fact, businesses alone are likely to spend more than $10 billion in 2003 addressing the problems associated with junk e-mail.²

In response, several states have enacted anti-spam laws which impose civil penalties for (and, in some instances, even criminalize) the transmission of certain types of UCE. Congress is also considering several proposals to restrict or prohibit the transmission of UCE. While junk e-mail promoting pyramid schemes, sexually explicit Web sites, and other dubious products and services are the principal targets of these various anti-spam initiatives, the potentially broad scope of many of these laws could implicate any entity involved in legitimate electronic marketing. Accordingly, direct marketers, advertising agents, e-mail address distributors, software manufacturers, online merchants, as well as any other entity delivering e-mail to the public through the Internet should remain mindful of the myriad restrictions on UCE.

An Overview of State Anti-Spam Laws

At least 34 states currently have adopted some type of anti-spam law. Most state anti-spam laws govern any "commercial e-mail." This term is generally defined to include any message sent to promote the sale or lease of real property, goods or services. Interestingly, most state anti-spam laws avoid placing restrictions on the permissible number of recipients to which a sender may transmit. The laws thus avoid defining the concept of "bulk" or "mass" e-mail.³ Several state laws require that the sender of any commercial e-mail message have a pre-existing business or personal relationship with the intended recipient of the message, while others simply require that the commercial e-mail message contain truthful information.

Virginia, Washington and California lead the nation in promulgating anti-spam initiatives designed to protect citizens of the respective states. The anti-spam statutes in these states serve as models for other states, as well as federal legislative proposals:

Virginia. Virginia’s anti-spam law contains both criminal and civil penalties. The transmission of e-mail containing falsified/forged transmission or routing information constitutes a misdemeanor. If the volume of e-mail transmitted exceeds certain established thresholds or the revenue generated from particular e-mail transmissions is greater than a specified amount, the conduct constitutes a Class 6 felony, punishable by up to five years of imprisonment. Selling or distributing software which falsifies e-mail routing information is also a criminal offense. These violations may also give rise to civil damages. Anyone whose property is injured as a result of a violation may bring suit for monetary damages. The law also provides that, if the transmission of particular e-mail violates an ISP’s established policy, the ISP may recover actual damages or $25,000 for each day that an attempt was made to transmit UCE (or $1 for each intended recipient of the e-mail that is an end-user of that ISP). The Virginia anti-spam statute also contains a forfeiture provision: all earned income, computer equipment, software and personal property used in connection with any violation of the statute are subject to seizure by law enforcement.

Washington. Washington was among the first states to promulgate anti-spam legislation. The state law prohibits the transmission of e-mails which (i) contain false or misleading information in the subject line; (ii) use a third party’s domain name without permission; or (iii) otherwise misrepresent transmission and routing information. The law applies to any e-mail transmitted from a computer located in Washington, or to an e-mail address that the sender knows (or has reason to know) is held by a Washington resident. The statute extends to any person who conspires with or assists another to send prohibited e-mail. Individual recipients of e-mails violating the Washington anti-spam provisions may recover up to $500, while an injured ISP may recover $1,000.

California. On September 23, 2003, California promulgated one of the strictest anti-spam laws in the country. The statute defines UCE as any commercial e-mail which is sent to a recipient (i) who has not provided direct consent to receive advertisements from the advertiser; and (ii) who has no pre-existing or current business relationship with the advertiser. Under this framework, the law prohibits any person or entity from initiating, or advertising in, any UCE sent from or to California. The law also prohibits the collection of e-mail addresses; the automatic generation of recipient e-mail addresses; and the use of scripts or other automated means to sign up for e-mail accounts. In addition, the law forbids the use of third party domain names (without permission), falsified headers and misleading subject lines. The anti-spam law imposes fines of up to $1 million for violations.⁴

Any entity which transmits commercial e-mail nationally must monitor developments in state anti-spam legislation. Entities which transmit commercial e-mail globally should remain mindful of international restrictions on UCE. See generally International Aspects of Spam (2002) (available online at www.adbj.se/2003/uppsats.pdf). Because of the cross-border nature of e-mail, the anti-spam laws of several different jurisdictions could potentially govern a single e-mail transmission: (i) the jurisdiction in which the message is created; (ii) the jurisdiction in which it is processed or relayed by a server; (iii) the jurisdiction in which the recipient resides; and, (iv) the jurisdiction in which the message is downloaded or opened. Complexity in determining which state’s law governs—coupled with recent judicial determinations that bulk e-mail contact is sufficient to warrant the exercise of personal jurisdiction—counsel in favor of attempting to ensure compliance with the anti-spam laws of several states.⁵

While the parameters of each state’s anti-spam law differs, most laws share common elements and—as detailed in Table 1—generally fall within one or more of five different statutory regimes:

• Contact Information. Several states’ anti-spam laws require that bulk e-mail messages contain contact information sufficient to allow the recipient to identify and communicate with the sender. This contact information may consist of a valid reply-to e-mail address or explicit disclosure of the sender’s name and address;

• Opt-Out Requests. Many laws require bulk e-mailers to inform recipients that they may request removal of their e-mail address from mailing lists. These laws mandate that the bulk e-mail message prominently display opt-out instructions. Moreover, these laws obligate bulk e-mailers to honor the recipient’s request and prohibit any further electronic communications;

• Routing Information. Recognizing that spammers often falsify or forge the routing information in the headers of their junk e-mail messages to camouflage their identity and location, some states prohibit e-mail containing false header and routing information;

• Subject Line Content. Some anti-spam laws regulate the contents of an e-mail message’s subject line. Generally, these laws require that e-mail advertisements contain "ADV" in the subject line. E-mail advertisements promoting adult products or services must contain "ADV:ADLT" in the subject line. Other anti-spam laws regulate the contents of the subject line by prohibiting any false or misleading statements in that field of the e-mail message; and

• Use of Third Party Domain Names. Many junk e-mail messages contain the domain name of an entity wholly unrelated to the transmission of its message or its contents. This tactic helps disguise the identity of the sender and sponsor of the goods or services advertised. To combat this practice, many anti-spam laws prohibit the unauthorized use of a third-party’s domain name.

Multi-jurisdictional compliance requires conformity with these statutory regimes. Accordingly, any entity that transmits commercial e-mail should ensure that its messages contain:

• Opt-out information. The text of the e-mail should provide instructions to recipients as to how to remove their address from mailing lists. This information should be featured prominently in the e-mail, preferably in a font and style to distinguish this information from the text of the message;

• Proper subject line. The subject of the e-mail should accurately reflect the contents of the message. Moreover, the sender should consider placing the "ADV" designation in the subject line;

• Contact details. The company’s name, physical address and telephone number, as well as a valid return e-mail address, ought to be included in the message;

• Truthful transmission/routing information. The e-mail’s transmission/routing information should accurately report the origin and transmission path of the message. Typically, this "header" information is generated automatically and will not be falsified or forged unless the sender manipulates technical settings; and

• Third party domains. The domain name from which the e-mail appears is sent from should be owned by or affiliated with the sender. Alternatively, the sender should have permission to use the domain to transmit e-mail. In addition, the sender ought to have an identifiable relationship with any domain names (or hypertext links) displayed in the message.

While adherence to these national guidelines is a useful anti-spam checklist, any entity engaged in e-mail marketing should consult an attorney to ensure compliance with all relevant laws and regulations.

Latham & Watkins operates as a limited liability partnership worldwide with an affiliate in the United Kingdom and Italy, where the practice is conducted through an affiliated multinational partnership. ^© Copyright 2003 Latham & Watkins. All Rights Reserved.

Latham & Watkins is an international law firm of more than 1,500 attorneys in 21 offices worldwide, including Boston, Brussels, Chicago, Frankfurt, Hamburg, Hong Kong, London, Los Angeles, Milan, Moscow, New Jersey, New York, Northern Virginia, Orange County, Paris, San Diego, San Francisco, Silicon Valley, Singapore, Tokyo, and Washington, D.C.