Overview of Current Anti-Spam Regulations

The proliferation of unsolicited commercial e-mail, more commonly known as "spam," has prompted legislatures to consider, and in many cases enact, legislation banning or at least regulating spam. As a recent and extreme example of this, in September 2003, California passed S.B. 186, which prohibits unsolicited commercial e-mail messages from being sent to California e-mail addresses or from being initiated from California. And California is not alone in passing anti-spam legislation – most other states have some form of anti-spam laws, although legislation in other states so far has been in the form of spam regulation, such as requiring certain labels on the subject heading line and banning fraudulent activities, rather than banning all unsolicited commercial e-mail.

While S.B. 186 does not go into effect until January 2004, its future is uncertain at this point. Constitutional challenges to the law by marketing and industry groups are almost certain to occur, and federal legislation may preempt S.B. 186. In fact, the U.S. Senate recently passed the "CANSPAM" bill which would regulate unsolicited commercial e-mail messages but would not ban such activity other than fraudulent or deceptive messages or practices.

On the international stage, however, other countries and jurisdictions seem to favor opt-in requirements and a ban on commercial e-mail that is not sent with consent or not based on an existing relationship.

This Client Alert focuses on California’s recently passed anti-spam legislation, and also addresses legislation in other jurisdictions and in some foreign jurisdictions, along with suggestions for complying with these laws.

S.B. 186, enacted at Cal. Bus. & Prof. Code § 17529 ("California Anti-Spam Law"), was passed by the California legislature in September 2003 with an effective date of January 2004. It prohibits not only the sending of "unsolicited commercial e-mail advertisements" from California or to a "California e-mail address" but also advertising in any such unsolicited e-mail. Thus, it covers the sender of the e-mail (such as a professional spammer) as well as the entity’s whose product is the subject of the e-mail, if different from the sender.

The key definition in the California Anti-Spam Law is that of "unsolicited commercial e-mail advertisement," which means an e-mail sent for the purpose of advertising the sale of goods or services to a recipient who both (1) has not provided "direct consent" to receiving ads from the advertiser and (2) does not have a preexisting or current business relationship with the advertiser. So, if either direct consent or a pre-existing relationship can be established, then the e-mail would not constitute illegal spam under this California law.

Under the first prong of that definition, the recipient must expressly consent to receiving the e-mail from the advertiser. This consent can be obtained in response to a "clear and conspicuous" request for consent or at the recipient’s own initiative. With respect to the second prong of the definition, a relationship will be considered a "preexisting or current business relationship with the advertiser" if the recipient has made an inquiry and has provided his/her e-mail address or has made an application, purchase, or transaction regarding the advertiser’s products or services; there is no stated time period for this relationship under the California Anti-Spam Law. However, if this exception applies, the advertiser still must include in its e-mail the ability for the recipient to opt-out of receiving future commercial e-mail by calling a toll-free telephone number or by sending an "unsubscribe" e-mail to the advertiser.

"California e-mail address" means an e-mail address that is either (a) furnished by an e-mail service provider that sends bills for furnishing and maintaining that e-mail address to a mailing address in this state, (b) ordinarily accessed from a computer located in California, or (c) provided to a California resident. One issue that is not addressed by this definition is how an e-mail sender is to determine, under any parts of this definition, whether an e-mail address fits within this definition.

The recipient, the California Attorney General or an e-mail service provider may bring an action under the California Anti-Spam Law and, if successful, will be entitled to either or both of actual damages and liquidated damages in the amount of $1,000 for each unsolicited commercial e-mail advertisement transmitted in violation of the law, up to $1,000,000 per "incident," along with attorney’s fees and costs. An "incident" is defined as a single transmission or delivery to a single recipient or to multiple recipients of unsolicited commercial e-mails containing substantially similar content.

However, if the defendant who is accused of violation of this law shows that it established and implemented practices and procedures to effectively prevent illegal unsolicited commercial e-mail advertisements, the court must reduce the liquidated damages that a plaintiff can recover to a maximum of $100 for each e-mail or $100,000 per incident.

The law expressly provides that an electronic mail service provider that is only involved in automated transmission of spam over its network will not be liable for spam under this law.

Like many other anti-spam laws, the California Anti-Spam Law prohibits any person or entity from advertising using any commercial e-mail advertisement, whether unsolicited or not, from California or sent to a California e-mail address, if the e-mail (a) contains a third-party’s domain name without authorization; (b) uses false, misrepresented, obscured or forged header information; or (c) has a misleading subject line.

The California Anti-Spam Law also prohibits the collection or "harvesting" of e-mail addresses posted on the Internet, the use of an e-mail address obtained by using automated means based on a combination of names, letters or numbers, and the use of scripts or other automated means to register for multiple e-mail accounts, for the purpose of sending or advertising in illegal spam from California or sent to a California e-mail address.

The California Anti-Spam Law will almost certainly face some challenges. The California Anti- Spam Law has been criticized as being in violation of the Commerce Clause of the U.S. Constitution, which reserves to the federal government the right to control interstate commerce, since it bans unsolicited commercial e-mail advertisements initiated from outside California. Another potential challenge is that of the First Amendment.

It is also not clear, if suits are brought in California courts, whether or how the courts will assert personal jurisdiction over spammers in other states who otherwise have no connection to the state.

Approximately thirty-five other states, so far, have passed some form of anti-spam legislation. These laws range from those that require unsolicited commercial e-mail to be labeled as such, to those that prohibit and criminalize spam sent in bulk, with most legislation falling within the former category. Generally, unsolicited commercial e-mail messages, including sexually explicit e-mail, are the types of e-mail messages that are regulated under these laws.

Most state anti-spam laws give the state’s attorney general the right to go after spammers, although many also give the e-mail recipients as well as the e-mail service providers the right to sue senders of illegal unsolicited commercial e-mail. In addition, it should be noted that e-mail service providers themselves may have a no-spam policy in their "Terms of Use" or "Acceptable Use Policy" on their web site.

A few states have made sending unsolicited commercial e-mail messages a crime subject to imprisonment and/or fines, and the list of these states is growing.

While there currently is no federal law in place that specifically addresses spam, Congress has under consideration a number of anti-spam bills. In fact, on October 22, 2003, the U.S. Senate unanimously passed S.877 (entitled "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003" or "CAN-SPAM"), a bill that, among the various anti-spam bills before the Senate, was favored by most industry groups. CAN-SPAM does not prohibit unsolicited commercial e-mail altogether but does regulate it as well as commercial e-mail generally. Under CAN-SPAM, all commercial e-mail, whether unsolicited or not, must not have false or misleading header information or otherwise be deceptive as to its origin or content. For some fraudulent activities, criminal sanctions including fines, imprisonment and forfeiture of proceeds and equipment used in committing the offense may apply. CAN-SPAM would preempt most aspects of the California Anti- Spam Law.

The U.S. House of Representatives has not passed CAN-SPAM or an equivalent anti-spam bill, although it has had a number of similar bills under consideration for some time. As of the date of this Client Alert, it is unclear whether the House will pass its version of CAN-SPAM before the end of the year.

A number of other countries have been active in the drive to reduce or eliminate spam. In many of these countries, legislation that has been introduced or adopted would ban unsolicited commercial email. For example, the European Union has adopted the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) ("Directive") which was required to be implemented by member states by October 31, 2003. The Directive adopts an opt-in approach to unsolicited commercial e-mail, allowing direct marketing through electronic mail only to recipients who have given their prior (explicit) consent. However, a company that has obtained e-mail addresses within the context of existing customer relationships may use that information to offer its own similar products or services, provided that consumers must have the right to object, free of charge and in an easy manner, to receiving such materials. These provisions only apply to the e-mail addresses of individuals. However, the member states are encouraged to enact similar measures to apply to addresses of businesses. Lawmakers worldwide have recognized the fact that spam is not just a national issue, but rather a global matter, and to be successful, regulations against spam need to be based on international cooperation. Thus, various international organizations are beginning to cooperate on how to address the global issue of spam.

For companies initiating e-mail marketing campaigns in California or sending e-mail messages to California residents or e-mail addresses, the New California Anti-Spam Law requires that the recipient expressly consent to receive your e-mail messages or that you have a pre-existing or current relationship with the recipient. Thus, you must either obtain the consent of your e-mail recipients before sending them your e-mail messages or limit your e-mail marketing list to those with whom you have a business relationship. For those not meeting this requirement, traditional forms of marketing, such as telephone calls or letters, or even other forms of Internet advertising, could be used instead for your marketing campaign, or at least to obtain consent to e-mail messages, subject, of course, to compliance with applicable regulations on these forms of marketing. If you have not already done so, you should also include, on portions of your website where users register and provide e-mail addresses, a notice permitting e-mail marketing by your company (and your affiliated and partner companies, if you choose).

In addition, the following suggestions apply to your e-mail marketing campaigns generally:¹

1. Obtain affirmative consent to receiving e-mail messages from your recipient whenever you can. This is especially true if you have international marketing campaigns, since even though it appears that the opt-out regime has some chance of prevailing here in the United States (at least at this point based on the U.S. Senate’s passage of CAN-SPAM), on the international level, the trend clearly is to require opt-in. Moreover, even at the federal level, there seems to be some appetite for controlling unsolicited commercial e-mail in the form of a "Do-Not- Spam" registry.

2. Your e-mail message should clearly identify your company as the sender of the message. Use your company e-mail address as the return address, make sure it is working and that someone is responsible for monitoring it. Do not use any misleading (or false) message header information or other identifiers of the origin of the e-mail.

3. Be clear about the nature of your message - use accurate subject headings and use the "ADV" (or for sexually explicit content "ADV:ADLT") label on the subject line of the message.

4. Include an easy and obvious opt-out mechanism for the e-mail recipient. This mechanism can be simply by replying to the e-mail, by clicking on a link included in the message or some other electronic means, as well as by toll-free telephone call.

5. Comply with opt-out requests. Establish and follow procedures for removing e-mail addresses from your mailing list once the request is received. Notify anyone else to whom you have provided your e-mail address lists on a prompt and regular basis of opt-out requests received.

6. Do not provide your e-mail address list to third parties (including an affiliated entity if its line of business is not similar to yours) without at least giving notice to (and preferably getting the consent of) the e-mail address holders and the opportunity to opt-out.

7. Include in the e-mail message your company’s physical address.

8. Include in the e-mail message a link to your company’s privacy policy.

9. If you obtained e-mail addresses by renting a list from someone else, find out how the e-mail addresses were obtained. Require that they be obtained through affirmative consent and certainly not through automated means, such as harvesting or dictionary attacks, or otherwise surreptitiously or deceptively, and generally in compliance with these guidelines. Also require that the provider have appropriate procedures in place for dealing with opt-out requests and has complied with all such requests.

10. If you have another entity perform e-mail marketing campaigns for you, require their compliance with these guidelines. Conduct diligence regarding their procedures before signing them up and if you do engage them, audit their procedures from time to time. Include appropriate indemnification terms in your agreement with these marketers and the ability to terminate and other remedies for violations.

11. For unsolicited e-mail (especially bulk e-mail), it is advisable to review the policies of Internet service providers whose users you will be sending unsolicited e-mail to.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.