United States: An Overview of the CAN-SPAM Act of 2003

This article is co-authored by Elizabeth Pasquine

In our previous article, The Spam Battleground, published November 07 2003, we reported on the ever-growing problem of spam (unsolicited, commercial e-mail messages) and the efforts being made on the technological, legislative and litigation fronts to reduce the spam problem.¹ The purpose of this article is to provide the reader with information regarding the federal CAN-SPAM Act that was signed by the President on December 16, 2003, and generally became effective on January 1, 2004.²

The "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003," Public Law No. 108-187, is commonly known as the CAN-SPAM Act (the "Act").³ The Act is lengthy and multi-faceted. This article presents an overview of what the authors believe are its most important and interesting provisions.

Section 2 of the Act contains 12 findings of Congress. In short, the key Congressional findings are:

• Electronic mail has become an extremely important and popular means of communication, relied on by millions of Americans for personal and commercial purposes.
• The convenience and efficiency of electronic mail are threatened by the extremely rapid growth in the volume of unsolicited commercial electronic mail (which is estimated to account for over half of all electronic mail traffic, up from an estimated 7% in 2001).
• Many senders of unsolicited commercial electronic mail (a) purposefully disguise the source of such mail and/or include misleading information in the messages’ subject lines in order to induce the recipients to view the messages; and (b) use computer programs to gather (or "harvest") large numbers of e-mail addresses on an automated basis from Internet websites where users have posted their e-mail addresses in order to make use of the website.
• Many States have enacted legislation intended to regulate or reduce unsolicited commercial electronic mail, but these statutes impose different standards and requirements and, as a result, do not appear to have been successful in addressing the problems with unsolicited commercial electronic mail.⁴
• The problems associated with the rapid growth and abuse of unsolicited commercial electronic mail cannot be solved by Federal legislation alone. Rather, technological approaches⁵ and the pursuit of cooperative efforts with other countries will also be necessary.

Section 2 of the Act also sets forth the determination of Congress that there is a substantial government interest in regulation of commercial electronic mail on a national basis; senders of such e-mail should not mislead recipients as to the e-mail’s source or content; and recipients of such e-mail must have the right to decline receipt of additional commercial electronic mail from the same source.

The Act divides commercial electronic mail into three categories, the first two of which are significantly affected by the Act:

1. Commercial Electronic Mail Message

2. Commercial Electronic Mail Message that Includes Sexually Oriented Material

3. Transactional or Relationship Message

To define "commercial electronic mail message" or "CEMM," one must first look to the definition of "electronic mail message" which is contained in Section 3 of the Act. An "electronic mail message" means "a message sent to a unique electronic mail address." The definition of "electronic mail address" is "a destination, commonly expressed as a string of characters, consisting of a unique user name or mailbox . . . and a reference to an Internet domain . . . ."⁶ A "commercial electronic mail message" is any "electronic mail message the primary purpose of which is commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose)." Section 3(2)(A) (emphasis added). The Act requires that, by December 16, 2004, the Federal Trade Commission ("FTC") issue regulations defining the relevant criteria to facilitate the determination of the "primary purpose" of an electronic mail message.

A commercial electronic message that includes sexually oriented material is a "commercial electronic mail message" (as defined above) which contains material that "depicts sexually explicit conduct (as that term is defined in section 2256 of title 18, United States Code), unless the depiction constitutes a small and insignificant part of the whole, the remainder of which is not primarily devoted to sexual matters." Section 5(d)(4). It seems inevitable that this definition is likely to result in differing conclusions as to whether a particular CEMM does in fact include sexually oriented material.

Basically, a "transactional or relationship message" is an "electronic mail message," the primary purpose of which is (1) to facilitate, complete, or confirm a commercial transaction that the recipient has previously agreed to enter into with the sender; (2) to provide warranty, product recall, safety or security information with respect to a product or service used or purchased by the recipient; (3) to provide notification concerning a subscription, membership, account, loan, or comparable ongoing commercial relationship between the sender and the recipient; (4) to provide information directly related to an employment relationship or related benefit plan involving the recipient; or (5) to deliver goods or services, including product updates, that the recipient is entitled to receive under a previously agreed to transaction with the sender. Section 3(17)(A). "Transactional or relationship messages" are expressly excluded from the definition of CEMM and are therefore minimally affected by the Act.

The Act does not prohibit the sending of spam itself; however, it does prohibit a laundry list of favorite tactics used by those who send spam. For example, it prohibits:

• Accessing a "protected computer"⁷ without authorization, and intentionally initiating the transmission of "multiple"⁸ commercial e-mail messages from or through such computer;
• Using a protected computer to relay or retransmit multiple CEMMs, with the intent to deceive or mislead recipients or any Internet access service (Internet service provider) as to the origin of such messages;
• Materially falsifying header information in multiple CEMMs and intentionally initiating the transmission of such messages; or
• registering, using information that materially falsifies the identity of the actual registrant, 5 or more e-mail accounts or 2 or more domain names, and intentionally initiating the transmission of multiple CEMMs from any combination of such accounts or domain names. Section 4(a).

The penalties for violating any of the above range from imprisonment for not more than 1 year to not more than 5 years, and/or a fine under the Act (see discussion of damages under Enforcement below), depending upon where the offense falls within the outline of penalties prescribed by the Act. In addition, the court is required to order that the convicted defendant forfeit to the United States any property constituting proceeds obtained from such offense and any equipment or technology used or intended to be used to commit or facilitate the commission of the offense.

Section 5(a)(1) of the Act prohibits the use of materially false or materially misleading header information in a CEMM, or in a transactional or relationship message. Section 6 of the Act provides that it is unlawful not only for senders to violate Section 5(a)(1), but it is also unlawful for businesses to allow themselves to be promoted by third parties that they know or should have known are using materially false or misleading header information.

With regard to CEMMs only⁹:

• Section 5(a)(2) prohibits the use of deceptive or misleading subject headings, if the person has actual knowledge, or knowledge fairly implied, that the subject heading would be likely to mislead the recipient about a material fact regarding the contents or subject matter of the message.

• Section 5(a)(3)(A) requires the use of a functional return e-mail address or other Internet-based mechanism that clearly and conspicuously allows the recipient to submit a request not to receive future CEMMs from that sender and remains capable of receiving such requests for at least 30 days after transmitting the original message.

• Section 5(a)(3)(B) allows the person initiating the CEMM to comply with subparagraph (A) by providing a list from which the recipient may choose the specific types of messages the recipient wants to receive (opt-in) or does not want to receive (opt-out), as long as the list also includes an option whereby the recipient may choose to opt-out of receiving any CEMMs from the sender.

• Once the recipient sends a request indicating that the recipient does not want to receive some or any CEMMs, then the sender (and anyone acting on behalf of the sender) must, within 10 business days¹⁰ after receipt of such request, abstain from sending the recipient any CEMMs that fall within the scope of the request. Section 5(a)(4)(A).

• Section 5(a)(5)(A) requires the use of clear and conspicuous identification that the message is an advertisement or solicitation¹¹; clear and conspicuous notice of the opportunity to decline receiving further CEMMs; and a valid physical postal address of the sender.

With regard to CEMMs that contain sexually oriented material only, Section 5(d) requires that the sender:

• Include in the subject heading the marks or notices prescribed by the FTC (the FTC shall prescribe such notices within 120 days after December 16, 2003).

• Provide that the matter in the message that is initially viewable without any further actions by the recipient include only such marks or notices, the opt-out and other information required by Section 5(a)(5), and instructions on how to access the sexually oriented material.

The above Section 5(a)(5)(A) and 5(d) restrictions do not apply if the recipient has given prior affirmative consent to receipt of the message. "Affirmative consent" is generally defined in Section 3(1) of the Act as meaning the recipient’s express consent to receive a particular e-mail message, either in response to a clear and conspicuous request for such consent, or at the recipient’s own initiative.

The Act provides that it shall be enforced by the FTC as if the violation of the Act were an unfair or deceptive act or practice under the Federal Trade Commission Act. Section 7(a). In addition, the Act states that certain other agencies shall enforce compliance with this Act, including, as applicable, the Comptroller of the Currency, the Federal Reserve Board, National Credit Union Administration, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the Securities and Exchange Commission, State insurance authorities, the Secretary of Transportation, Secretary of Agriculture, the Farm Credit Administration, and the Federal Communications Commission ("FCC"). Section 7(b).

The attorney general of a State may bring a civil action on behalf of the residents of the State in an appropriate United States district court to enjoin further violation of Section 5 of the Act or to obtain damages in an amount equal to the greater of: (a) actual monetary loss suffered by such residents; or (b) the amount of statutory damages calculated pursuant to Section 7(f)(3). In general, statutory damages will equal the number of violations multiplied by up to $250, with each separately addressed unlawful message treated as a separate violation. The court may treble the damages award if the defendant committed the violation willfully and knowingly, or the unlawful activity included one or more of the "aggravated violations" set forth in Section 5(b). The "aggravated violations" include "harvesting," which involves automatically collecting e-mail addresses from websites and other online services that included a notice stating e-mail addresses would not be given, sold or otherwise transferred for the purpose of allowing others to send e-mail messages, and "dictionary attacks," where a computer program automatically generates potential e-mail addresses by combining names, letters and/or numbers into numerous permutations. A court, in its discretion, may also award the costs of the action and reasonable attorney[s’] fees to the State. The Act requires the establishment of scienter in order to recover monetary damages (but not injunctive relief) for certain civil actions brought by a State attorney general under the Act.

An Internet service provider may also bring a civil action; however the amount of statutory damages are more limited than those available to a State attorney general. Unlike the anti-spam laws adopted by many states,¹² an individual consumer does not have the right to sue under the Act.

The FTC is required to submit a report, within 9 months after December 16, 2003, which sets forth a system for rewarding those who supply information about violations of the Act, including procedures to award not less than 20% of the total civil penalty collected to the first person that identifies the person who violated the Act, and supplies information that leads to the successful collection of a civil penalty by the FTC. Such system shall include electronic submission of complaints concerning violations of the Act to the FTC. Section 11.

Pursuant to Section 14(b) of the Act, the FCC, in consultation with the FTC, must promulgate rules to protect consumers from receiving unwelcome mobile service commercial messages (i.e., CEMMs that are transmitted to a wireless device used by a subscriber of commercial mobile service). The FCC must announce such rules within 270 days of December 16, 2003.

The Act requires that no later than 6 months after December 16, 2003, the Federal Trade Commission submit a report that sets forth a plan for establishing a nationwide marketing Do-Not-E-Mail registry, including within the scope of the report any concerns the FTC has with the creation of such a registry. Many have expressed concern that it might be difficult to keep a national registry secure and, in the wrong hands, it would constitute the ultimate e-mail address list for spammers. The FTC may, but is not required to, implement the plan. In any event the plan may not be implemented before the expiration of 9 months after December 16, 2003. Section 9.

Those who use e-mail in personal or business communications should not expect to soon be receiving far fewer spam messages by virtue of the Act. Commentators have noted that although the potential for liability under the Act to governmental entities and Internet service providers may be a powerful compliance incentive, it will likely take a long time for the FTC and other enforcement entities to consistently and vigorously enforce the Act. In addition, the Act cannot realistically prevent the increasing amount of spam that originates from outside of the United States, and those who currently originate spam from inside the United States may very well move the origination of their spam locations to outside the United States in an effort to avoid prosecution under the Act.¹³ Technological solutions therefore remain a key component to controlling incoming spam.¹⁴

For those lawyers, law firms and clients with web sites that include e-mail addresses, the anti-"harvesting" provisions of Section 5(b) of the Act provide a reason to modify existing web sites by adding a prominent notice to the effect that the operator of the web site does not give, sell, or otherwise transfer or authorize the use of posted e-mail addresses to any party for the purpose of allowing the sending of unsolicited commercial e-mail messages.¹⁵

It is important to ascertain whether you or your clients are subject to the provisions of the Act by virtue of sending commercial electronic mail messages, as defined by the Act. If a substantial portion of your client’s advertisements and other promotional activities are being conducted via electronic mail, there is a good chance that such electronic mail falls within the purview of the Act. Consequently, such clients should become familiar with, comply with, and retain evidence of compliance with, the Act’s restrictions. Counsel will likely want to create written guidelines for such clients, tailored to the client’s business and communication needs. Clients and their counsel will also want to stay apprised of the FTC’s and FCC’s pronouncements as they may affect the client’s rights and obligations with respect to the CAN-SPAM Act.