On today's episode of Ad Nauseam Amy and Daniel have a special guest – Allyson Himelfarb – who is joining their discussion of CAN-SPAM and FTC enforcement of email marketing rules.
Transcript
Rubenking: Thank you for joining us for another episode of BakerHosts AD Nauseam, a podcast series focusing on new and trending advertising issues with an emphasis on the FTC and the NAD. I'm Randall Rubenking, and you're listening to BakerHosts.
We are once again joined by Amy Ralph Mudge and Daniel Kaufman, two partners from BakerHostetler's Advertising, Marketing and Digital Media team. Together, they have decades of advertising experience and approach advertising issues from multiple perspectives. On today's episode of AD Nauseam, Amy and Daniel have a special guest, Allyson Himelfarb, who is joining their discussion of CAN-SPAM and FTC enforcement of e-mail marketing rules. With that, welcome to AD Nauseam, and let's turn it over to Amy and Daniel.
Kaufman: And welcome back to AD Nauseam. Thank you so much for joining us. We are real excited to dive into today's topic of renewed enforcement of CAN-SPAM and e-mail marketing. But even more excited today to introduce you to our colleague, Allyson Himelfarb. I was lucky enough to work with Allyson at the FTC when she was an investigator in marketing practices. And indeed, one of the best investigators who really helped attorneys put together their cases and even testified at trial regarding, you guessed it, spam emails. Amy was lucky enough to work with her at her prior law firm. She has a fantastic background, is an amazing attorney, and is an expert in both advertising and privacy and has experience at the FTC firms and in-house.
Mudge: Daniel, that might be the nicest thing I've ever heard you say about anyone. Wow. Okay. That is, but we are indeed very lucky to be getting the band back together with Allyson joining our team and our podcast today. And not only is she super experienced, but it is possible, Daniel, she is more sarcastic than you are. Just saying. But welcome, Allyson.
Himmelfarb: Thank you, and thanks for that introduction. I'm very happy to be here, and I say that in the most un-sarcastic way possible. Amy, it was fun to author a blog with you on the FTC's recent Verkada case. And what is interesting about this case is that if you read the complaint in order, it is really a data security case with some marketing and advertising violations thrown in. Whether that is representations about compliance with HIPAA or other privacy frameworks or online reviews and then, yes, a CAN-SPAM violation for which the company agreed to pay nearly $3 million as a civil penalty. So, as we noted in our blog, even if you're initially before the FTC on one issue, you may end up defending against a whole host of issues. And with that said, we thought it was a good time to refresh on the CAN- SPAM requirements.
Mudge: Yeah.
Kaufman: Yeah. CAN-SPAM is definitely an oldie, but a goodie. Full name, of course, is Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003. And while Amy would absolutely love to distract us by talking about porn, we are going to focus, instead, on the e-mail marketing requirements. It set up a very permissive regime that allows marketers to send commercial e-mail without first getting permission as long as receivers could opt out if they didn't want further messages.
But before we get granular, are there any emails you have opted out of, and if so, why? For me, I will say, I do at some point hit my threshold on political emails and start to opt out. And I will say, I get those Gmail messages. You haven't opened a message from so and so for several months, do you want to unsubscribe? And I rarely unsubscribe. Because I always have in the back of my head, I'm going to get a good deal. It is going to be a great offer, I'm going to buy something again. So, I'm really not an opt-outer of those emails.
Himmelfarb: And I'm with you, Daniel. Given that my personal inbox is probably sitting at upwards of about 130,000 unread emails, I can't exactly say that unsubscribing is a frequent pastime of mine. But maybe you're more diligent than both of us, Amy.
Mudge: Yeah. Well, I would say about every six months I go in and I do unsubscribe from pretty much all the emails from places I shop. Unlike Daniel, who appears to have some discretion as to when he spends his money. I get way easily distracted by ray lines that are like giant clearance sale or the best new boots of the season, just in. Get them fast! And so, I pretty easily can get into shopping I don't need. So, I use the unsubscribe more to protect myself from myself.
But Daniel, we always got to get to know each other and do a little pop culture. So, you won't let me talk about porn. I bet you won't let me play murder screw kill on AD Nauseam either. But we got to introduce Allyson to our listeners properly. So, let's go with what are you streaming now? Emily in Paris, Rings of Power, Only Murders in the Building, or something else?
Himmelfarb: Okay. So, for me, this was pitched to me as a kid show, but I have to say that the new Time Bandits, which is a reboot of the 80s movie, is very funny. It's got a bit of a retro, Monty Python vibe which I find, very much appreciate. And since we're here today to talk about SPAM, also seems quite fitting for the topic.
Kaufman: So totally started watching Time Bandits as well, thought it was fantastic. I will say just finished watching The Boys the latest season which is incredibly violent and graphic but entertaining but speaking of the 80s, I did start rewatching Freaks and Geeks, which is again one of, I know Amy, one of our favorites. I started rewatching it and what I love about it is it is not a neon portrayal of the 80s. And the 80s, for those of us who lived through it, look, we had flashes of neon on occasion. That was not the color scheme of the 80s, and it is really realistic in terms of what they were wearing, how they're acting. So, great to be watching Freaks and Geeks again. But, Amy…
Mudge: Oh my God.
Kaufman: Yeah.
Mudge: We try to give you good advice on this podcast but let me tell you that might be the best tidbit that Daniel Kaufman has ever laid out. If you have not seen Freaks and Geeks, I think it was just one season. I mean, it is everybody's favorite. At least one of your favorite actors is on there. You got to go watch it. But you all avoided my original question. I'm going to go back. What are you watching more current? I'm big Emily and Paris fan. What is not to love about a show that is about a marketer when we support marketers all day long? I would love to be Emily's lawyer. But alright, back to marketing. As Allyson noted, the FTC did come out with that case. Well, the case also dropped like Friday of Labor Day weekend, which was, I don't know, maybe their press office needs to rethink when they announce things if they want people to pay attention to it. But I found that myself had some time on my hands and so I dove in, cause the headline was a really good headline. It was largest CAN-SPAM settlement to date. And as Alison said, it is largely, at its core, at data security place. The company Verkada makes and sells video surveillance equipment to businesses. Stuff you put outside your place of work to make sure the people you want are coming in, the people you want are staying out. So according to the complaint, the company said, look, we got best in class data security practices. The FTC question whether that was a true claim after the company had a few data breaches and really that is largely what the complaints about. But the complaint also has these accounts for violations of CAN-SPAM and for encouraging employee reviews of the service without the company requiring material connections and show the company did pay the $3,000,000, as Allyson said. All that money, every dollar they paid was, came out of the CAN-SPAM violations. But this does seem like a kitchen sink kind of case. And I like to get Daniel and Allyson's views on is this a trend?
Kaufman: Well, we are definitely seeing more and more investigations that are having advertising and privacy components. We are working on a lot of those investigations and they're really broad and they cross divisions and they cross issues. Sometimes you can, of course, when you're working with staff, convince them to let go of some of these so the case may be resolved on a narrower basis but we are definitely seeing broader investigations that are touching upon lots of different issues. Some orders as well that are far more complex in raising broader concerns than you might have seen from the FTC a few years ago.
Himmelfarb: And totally agree with that, Daniel. And it also makes sense for the FTC where it has the basis to do so to include at least one count for a violation of a rule like CAN-SPAM that will provide for civil penalties. And this way the FTC has a much clearer path to get monetary relief. As the 10s of listeners out there will know, the FTC is more limited avenues to obtaining monetary relief since the Supreme Court's AMG case and therefore, we tend to see the FTC asserting rule violations or bringing cases under statutes other than the FTC Act, which give the FTC that independent civil penalty, authority. And of course, civil penalties can quickly add up, especially when you're talking about something like millions of emails.
Mudge: So, I want to go back to Verkada. While this company may have made some mistakes, the emails that they were sending really appear to be about the companies selling of legitimate services, right? These surveillance services, most of the CAN-SPAM cases over the years have really focused on companies who are sending emails that market snake oil or really fraudulent services. We saw, I think there were a couple over COVID with bogus work from home opportunities. So, while there were these technical violations, CAN-SPAM, it seemed like the FTC was really going after not wanting those types of emails to end up in unsuspecting consumers inboxes. But do you guys think we're going to see the FTC focusing more on legitimate companies e-mail marketing practices and CAN-SPAM compliance?
Kaufman: I mean generally, yeah. Certainly, one theme we've seen for the past few years is for a while there was less and less traditional fraud cases coming out of the FTC. I think that's changed a little bit, but certainly they are focused much more on legitimate companies and the last CAN-SPAM case was a year ago and it involved emails to customers of Experian using their credit monitoring services and the case was exclusively a CAN-SPAM case. There was no allegation that the emails were deceptive at all. But there were allegations that the emails sent by Experian, the marketing emails did not provide an ability to unsubscribe or people who tried to unsubscribe could not get off the e-mail list. So, we don't have a lot of data points on this, but certainly the last few cases have involved large legitimate companies. Additionally, spam filters, of course, have gotten so much more sophisticated. So, the initial problem consumers had decades ago with getting a deluge of fraudulent or scandalous emails have been handled largely on the tech side, but the Act does allow the FTC to deal with issues of unwanted emails generally similar to the TCPA and the telemarketing sales rule for text messages and for phone marketing.
Himmelfarb: And I would not be surprised if we see CAN-SPAM cases or at least counts in more cases generally again because it is a clear way for the FTC to get money and then also because violations of CAN-SPAM are pretty easy to prove from a proof perspective. You send marketing emails with an unsubscribe link or you don't. You maintain an unsubscribe list or you don't. It is a far more black and white area from a proof perspective than a lot of other consumer protection cases and to Daniel's point, consumers are not shy about complaining when their inbox is flooded with these unwanted ads. So, the FTC and the states often get an earful.
Mudge: Alright, so it is going to be a priority. Everybody should wake up and be a little bit scared, but let's focus on what CAN-SPAM actually requires. So, we've talked about you got to have unsubscribe links and then, of course, if you're going to have an unsubscribe link, you have to keep those unsubscribe lists updated. But let's dive in a little bit more about the rules for honoring those opt out requests.
Himmelfarb: Okay. So, pretty straightforward. Opt out request needs to be processed in 10 business days. The opt out has to be free. You can't condition opting out on the recipient providing more personal information beyond the e-mail address. It is also got to be easy, sending a reply e-mail to opt out, or a single click that allows you to opt out of receiving any future marketing messages and once you get that opt out request, you also can't sell or transfer that e-mail address to another one of your subsidiaries.
Kaufman: And of course, an opt out link in an e-mail needs to remain active for at least 30 days after the message is sent. And one key thing, and really a predicate to all of this is properly identifying marketing emails as distinct from transactional emails.
You don't need to offer unsubscribe links and emails that confirm an online transaction, provide updates about shipping or later important information about a transaction, maybe a recall or a warranty update. And even if your customers do unsubscribe from receiving marketing emails from you, you can still of course send legitimate transactional emails.
Himmelfarb: And this is an area where we often get questions about emails that have a marketing message as well as a transactional component to it. So, under CAN- SPAM, you need to look at the primary purpose of the e-mail. I know Daniel wasn't going to let Amy talk about porn, but I will. The porn standard will…
Mudge: Oh, yes. Do dive in my friend.
Himmelfarb: So, the pornography standard plays a bit of a role here. You know it when you see it. If you send an e-mail that confirms an online order and follows up noting a big fall sale is next week, that is likely going to be an e-mail that is primarily transactional in nature. If the bulk of the e-mail is focused on other products to buy, it looks more like marketing was the primary purpose and generally I'd encourage marketers to not get too cute here and keep your transactional messages transactional and your commercial messages commercial.
Mudge: All right, Allyson, that was a very disappointing speaking of porn. The porn standard and porn are two different things, but okay, alright. I know we got to keep it clean. This is a family show. But CAN-SPAM also requires that there be a physical address of the sender. I laugh at this because I mean, you're sending an e-mail to e-commerce. Why do you need a physical address? But it is a requirement, a very clear requirement in the law and emails also have to have non deceptive headers and subject lines and maybe this goes without saying, but the Act says that the emails have to be clear that the e-mail is advertising ,alright. These things tend to get less attention, but in that Verkada case there was a separate allegation that they failed to include a physical address for their companies in their emails. Now, doesn't that seem a bit silly?
Kaufman: It totally seemed a bit silly to me. Definitely agree. But look, it is a clear express requirement and the CAN-SPAM Act. It was relevant I guess in 2003, but to Allyson's point something very easy that allows you to assess very quickly if the company is compliant or not. That said, are we going to see rush of cases involving a failure to include an address? I hope not. It is just not a consumer protection priority, nor should it be. That said, it is a simple requirement to comply with and it should of course be part of a company's CAN-SPAM compliance checklist.
Himmelfarb: So, also on that compliance checklist, accurate headers and non-deceptive subject lines are also important ones to have on there and being clear when an e-mail is an advertisement upfront. So, enforcement of CAN-SPAM, it is important to know is limited to the FTC's state AGs and to ISPs Internet service providers. So, there is no general private right of action like there is with the TCPA. In some litigated cases, we have found that the courts found more restricted state laws preempted by CAN-SPAM, but we've also seen some class actions largely out of California related to deceptive headers under state law and we're seeing some more activity in Washington on this issue as well. Things like masking the sender of the e-mail or opening with the subject line that you have won $1,000,000. These are things legitimate marketers don't do. Sometimes we see a creative marketer trying to make a joke with a sarcastic subject line and really, these aren't great ideas.
Mudge: Yeah, that is a good, the keeping transactional emails separate from marketing emails, not getting too cute with those headers, all important parts on that CAN- SPAM checklist, but does seem relatively like CAN-SPAM is pretty easy from a compliance perspective relative to other things like reviews and subscriptions. We don't talk about it a lot, probably because it hasn't got that flood of class action cases like the text message marketing or subscription marketing has, but there are some age-old questions about and difficult questions that we get pretty frequently about e-mail marketing that we definitely should discuss for our listeners. So, Allyson, what about co-branded marketing emails, alright? So, those are things where you've got offers that are sent from two companies in one e-mail.
Himmelfarb: So, under CAN-SPAM, there is one company that can be designated as the sender, and that is the company that is going to be responsible for CAN-SPAM compliance. The e-mail needs to be clear, the company that is sending the e- mail, so it's got to promote their goods and services, provide their physical address and provide an unsubscribe link to be opted out from their future emails. So, for example, you've got coffee company and donut company. They can send a co-branded e-mail for a deal and a cup of coffee and a doughnut, but only one of the companies can be the sender. If the sender fails to comply with the CAN- SPAM requirements, both marketers can be liable, so making sure your partners are compliant is certainly important.
Mudge: Very, very good point, cause a lot of this stuff can be sent out to third parties and knowing what those folks are doing is key. Daniel, what about refer a friend programs where a company incents their customers to send e-mail offers to their friends or family.
Kaufman: Excellent question, Amy. So, under CAN-SPAM, there is one sender of an e- mail, and that sender is the one responsible for CAN-SPAM compliance. The FTC has been clear that if a company offers an incentive affiliate payment or even coupons and discounts, the company is the sender. While we have not seen a lot of enforcement in this area, it can be very challenging to comply with CAN-SPAM with such a program. Given that we're almost at time here, we will just say that if you want to set up a refer a friend kind of program, talk to your ad lawyer early and often.
Mudge: Absolutely. Alright, Allyson, bring us home. Give our listeners some take away tips, please.
Himmelfarb: So, CAN-SPAM requirements, they've not changed, but enforcement priorities have. Companies should look at their policies and practices related to e-mail marketing to make sure they're active and enforced. Often companies will work with third parties to send emails on their behalf and looking to make sure those partners have sound compliance programs. You can negotiate an indemnity clause, but you can't negotiate out of liability. And finally, if your company maintains multiple e-mail lists, such as different e-mail lists for different product lines, take a fresh look at how your company handles opt outs and opt out requests.
Mudge: And last but not least, there are very special rules if you're sending sexually explicit marketing emails, but it looks like we're out of time here to go over these. So please oh please, though, send any emails where you have questions about this particular topic to Daniel, because I love to watch him get uncomfortable. And with that, that is a wrap on another episode of AD Nauseam.
Rubenking: Thank you, Amy and Daniel. If you have any questions for Amy or Daniel, the contact information is in the show notes. For more information on the latest developments in ad law, visit our Adventures in Law blog at www.adventures-in- law.com and check out all AD Nauseam episodes by subscribing to BakerHosts wherever you get your podcast. As always, thanks for listening to BakerHosts.
Comments heard on BakerHosts are for informational purposes and should not be construed as legal advice regarding any specific facts or circumstances. Listeners should not act upon the information provided on BakerHosts without first consulting with a lawyer directly. The opinions expressed on BakerHosts are those of participants appearing on the program and do not necessarily reflect those of the firm. For more information about our practices and experience, please visit bakerlaw.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
