Federal Trade Commission Issues New CAN-SPAM Act Regulations - IT and Internet

After a delay of exactly three years, the FTC has provided new guidance and additional rule changes implementing the CAN-SPAM Act of 2003. The FTC's Statement is especially important for companies that engage in joint e-mail marketing campaigns, provide "forward-to-a-friend" mechanisms, or transmit any of a wide range of "transactional or relationship" messages. The following summary describes and analyzes some key provisions of the rule changes and the FTC's accompanying explanatory statement.

The CAN-SPAM Act of 2003 ("CAN-SPAM Act" or "Act") is the principal federal statute affecting the use of e-mail as an advertising and promotion channel.¹ The CAN-SPAM Act does not prohibit e-mail advertising, but it prohibits certain fraudulent and misleading practices in connection with e-mail advertising. The Act also requires e-mail advertisers to label those messages as commercial, give recipients a means to opt out of receiving future messages from those senders, and furnish a valid physical postal address.² The Federal Trade Commission ("FTC" or "Commission") and state authorities are empowered to bring enforcement actions against violators.

On May 12, 2008, the FTC issued new rule provisions implementing the CAN-SPAM Act.³ The new provisions complete a process that began exactly three years previously, when the Commission requested comments on several questions that the language of the Act had not fully addressed.⁴

In its Statement adopting the new provisions of the rule, the FTC announces the following actions:

Defines the term "person," which is used throughout the Act but not defined, as "an individual, group, unincorporated association, limited or general partnership, corporation, or other business entity."
Adopts a method for identifying a single "sender" of messages that promote the goods or services of more than one entity.
Clarifies the scope of the "transactional or relationship message" exception.
Amends the rule to provide that a "valid physical postal address" may include an accurately registered Post Office box or private mailbox.
Clarifies the status of "forward-to-a-friend" campaigns.
Declines to reduce the grace period for processing recipients' opt-out requests.
Declines to impose a time limit on the effectiveness of recipients' opt-out requests.
Prohibits the imposition of any fee or requirement to provide personal information or any other obligation as a condition for processing a recipient's opt-out request.

The following discusses each of these actions in turn.

I. Definition Of A "Person"

Following up a proposal it made in 2005, the Commission will define the term "person," which is used several times in the Act, as "an individual, group, unincorporated association, limited or general partnership, corporation, or other business entity."⁵ The definition is taken from the FTC's Telemarketing Sales Rule.⁶ The Commission declined to exclude unincorporated nonprofit associations from the definition, as requested by the Society for Human Resources Management.⁷

II. Multi-Sender Scenarios

Some of the most difficult issues under the CAN-SPAM Act arise when a single e-mail message promotes, or can be said to promote, the goods or services of more than one entity (for example,when an advertisement for a travel agency includes ads for hotels, airlines, and rental car companies). In these cases, it can be difficult to identify one entity as the sender, which is defined in the Act as "a person who initiates [a commercial electronic mail] message and whose product, service, or Internet web site is advertised or promoted by the message."⁸

Identifying the sender of a message is crucial because that entity is responsible for providing a mechanism for recipients' opt-out requests, honoring those requests, and furnishing a valid physical postal address. If a message has multiple senders, several entities might be required to provide postal addresses and collect and honor opt-out requests. It also might be necessary for the list of recipients' e-mail addresses to be "scrubbed" against the addresses of all persons who have previously opted out of receiving commercial e-mails from any of the senders. Exchanging these opt-out address lists not only is cumbersome, but also increases the risk that lists will fall into unauthorized hands and compromise the privacy of the e-mail account holders.

In its notice of May 12, 2005, the Commission proposed a complex standard for deciding which of a group of multiple advertisers acquires the obligations of a sender. Specifically, the Commission proposed to define "sender" in the following terms:

The definition of the term "sender" is the same as the definition of that term in the CAN-SPAM Act . . . provided that, when more than one person's products or services are advertised or promoted in a single commercial electronic mail message, each such person who is within the Act's definition will be deemed to be a sender, except that, if only one such person is within the Act's definition and meets one or more of the criteria set forth below, only that person will be deemed to be the "sender" of that message:

the person controls the content of such message;
the person determines the electronic mail addresses to which such message is sent; or
the person is identified in the "from" line as the sender of the message.⁹

A number of commenters on the proposed rule criticized this definition. Notably, commenters pointed out that in many joint marketing campaigns, multiple entities contribute to the content of the e-mail message and/or the list of e-mail addresses to which the message is sent. Which of these multiple entities "controls" the content and "determines" the address list? The proposed definition was too vague to provide useful guidance on these points.

The FTC's new rule provisions respond to these criticisms with a substantially revised definition of "sender." The new definition says:

The definition of the term "sender" is the same as the definition of that term in the CAN-SPAM Act, . . . provided that, when one or more person's products, services, or Internet website are advertised or promoted in a single electronic mail message, each such person who is within the Act's definition will be deemed to be a "sender," except that, only one person will be deemed to be the "sender" of that message if such person: (A) is within the Act's definition of "sender"; (B) is identified in the "from" line as the sole sender of the message; and (C) is in compliance with 15 U.S.C. 7704(a)(1), 15 U.S.C. 7704(a)(2), 15 U.S.C. 7704(a)(3)(A)(i), and 16 CFR 316.4.¹⁰

The principal advantage of this definition is that it permits the various advertisers in a joint marketing campaign to select a sender, simply by putting one entity's name on the message's "from" line and ensuring that that entity complies with all of the obligations that the Act imposes on initiators of commercial e-mail messages.¹¹ The confusing elements of the FTC's earlier, proposed definition, including the need to decide which entity controls the content and which entity determines the list of recipients' e-mail addresses, are eliminated. As long as only one entity whose product or service is advertised or promoted in the e-mail appears in the from line, and as long as that entity complies with the CAN-SPAM Act formalities, the FTC now will recognize that entity as the message's sole sender.

However, as the FTC Statement points out, the new definition places a heavy burden on all participants in a joint marketing e-mail campaign to supervise the designated sender's CAN-SPAM Act compliance. The non-sender advertisers still are "initiators" of the message and as such are responsible for avoidance of false or misleading header transmission information, for proper labeling, and for other compliance actions. If "the designated sender is not in compliance with the initiator provisions, then all marketers in the message will be liable as senders" for the designated sender's failure to comply.¹²

In addition to its adoption of a "sender" definition, the FTC in its Statement addresses three other issues concerning sender obligations: duties of third-party list providers, liability for CAN-SPAM Act violations of affiliates, and application of the Act to messages sent to members of online groups.

As to the first issue, the Commission decided that third-party providers of electronic mailing lists are not required to honor opt-out requests unless they also are senders of messages that is, unless they both initiate the messages and advertise or promote their own products or services by means of those messages. Even where list owners qualify as senders, they may avoid the obligation to honor opt-out requests by designating another initiator as a sender under the revised "sender" definition.¹³

The second question involves arrangements under which a marketer agrees to pay an affiliate for referrals to the marketer's website. The affiliate typically sends e-mail messages promoting the marketer's site, with a hypertext link that takes the recipient directly to the marketer's site or to a site maintained by the affiliate. In its 2005 notice, the Commission had asked whether the marketer in such an arrangement should have "safe harbor" protection from liability for CAN-SPAM Act violations of its affiliate, dependent upon the marketer's taking certain measures to encourage the affiliate's compliance. In its May 12, 2008 Statement, the Commission declined to adopt such a safe harbor. Marketers using affiliate arrangements will continue to be classified as both initiators and senders of the affiliates' e-mails; affiliates will be classified as initiators and also will be treated as senders when they advertise or promote their own products or services along with those of the marketers. Under the new "sender" definition, marketers and affiliates that both qualify as senders may designate one of the two entities to be identified in the from line and assume the obligations of a sender. The Commission stated that it will revisit its decision on the safe harbor question if necessary.¹⁴

Finally, the Commission declined to endorse a CAN-SPAM Act exception for e-mail messages sent to members of online groups. Where such messages have a primarily commercial purpose, they must continue to provide and comply with an opt-out mechanism. As with the affiliate issue, the FTC will revisit the online groups question as circumstances warrant.¹⁵

III. Transactional Or Relationship Messages

Most CAN-SPAM Act obligations apply only to initiators and senders of commercial electronic mail messages (often referred to informally as "CEMMs") that have as their primary purpose the advertisement or promotion of commercial goods or services. The Act recognizes a category of transactional or relationship messages ("TORMs") that are not CEMMs, but defines that category narrowly to include only messages of which the primary purpose is: (1) to facilitate, complete, or confirm a commercial transaction that the recipient has previously agreed to enter into with the sender; (2) to provide warranty information, product recall information, or safety or security information with respect to a commercial product or service used or purchased by the recipient; (3) to provide certain notifications concerning a subscription, membership, account, loan, or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of products or services offered by the sender; (4) to provide information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, participating, or enrolled; or (5) to deliver goods or services, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender.¹⁶

The Act permits the FTC to expand the definition of transactional or relationship messages, but only as needed to accommodate changes in e-mail technology or practices and where necessary to accomplish the purposes of the Act.¹⁷ With its discretion thus limited, the Commission has so far refused to expand the statutory categories of transactional or relationship messages.

In the May 12, 2008 Statement the Commission considered and rejected 12 specific requests to extend the TORM category. The Commission's discussion of these requests, however, includes some useful observations concerning the types of communications at issue. The following briefly summarizes the Commission's comments on each of the 12 requests.

Legally Mandated Notices

The Commission agreed with commenters who stated that legally mandated notices, such as Truth-in-Lending Act messages and communications required by the Gramm-Leach-Bliley Act, will generally be classified as transactional or relationship messages. However, the Commission found no reason to conclude that a change in the transactional or relationship message definition, to accommodate this conclusion, was required by changes in e-mail technology or practice and was necessary to carry out the purposes of the Act. Accordingly, no rule change will be made.¹⁸

Debt Collection Emails

As with legally mandated notices, the FTC agreed that debt collection notices, whether sent by creditors or by third parties on behalf of creditors, generally fit within recognized TORM categories.¹⁹

Copyright Infringement Notices And Market Research

Two organizations had asked the Commission to find that messages "containing copyright infringement notices or marketing and opinion research surveys are neither commercial nor transactional or relationship in nature and thus are exempt from the Act."²⁰ In the May 12, 2008 Statement, the Commission did not disagree with this conclusion as a general matter but noted that messages in either category could contain commercial content. For example, a copyright infringement notice might include instructions on obtaining licensed content, and a market research message might advertise or promote a brand, company, or product to the recipient. The FTC declined, therefore, to expand the TORM definition so as to exclude all copyright infringement notices and market research communications from the CEMM category.²¹

Transactions That Do Not Involve An Exchange Of Consideration

The May 12, 2005 notice had invited comment on whether a message pursuant to a relationship in which no "consideration" passes, such as a message from a free Internet service, could qualify as a transactional or relationship message. The apparent concern was that providing free goods or services would not qualify as a "commercial transaction" or "transaction" for the purpose of two TORM categories that otherwise would apply.²² In the recent Statement, the Commission concludes that such communications can, in fact, be classified as TORMs. Beyond this observation, the FTC found no changes in e-mail technologies or practices that would permit it to change the TORM definition to take "no consideration" transactions into account.²³

Affiliated Third Parties Acting On Behalf Of Entities With Whom A Relationship Exists

The Commission also had asked for comment on the "transactional or relationship" status of messages sent by "affiliated third parties on behalf of an entity with whom a consumer has transacted business." As with other TORM issues, the FTC found no basis in technological changes or changes in e-mail practices for amending the statutory definition. The Commission did note, however, that although messages sent on behalf of third parties with whom a recipient has conducted business ordinarily will qualify as transactional or relationship messages, a message from an affiliate that facilitates or completes a transaction on behalf of another vendor will forfeit TORM status if the message also promotes or advertises a commercial product or service of the affiliate.²⁴

Messages Sent To Effectuate Or Complete A Negotiation

The Commission had requested comment on the circumstances under which an e-mail sent to effectuate or complete a negotiation qualifies as a TORM: specifically, whether such a message would qualify as intended to facilitate, complete, or confirm a commercial transaction that the recipient previously had agreed to enter into. The Commission's Statement concludes that such e-mails ordinarily would qualify as TORMs, but would not so qualify if they were sent on an unsolicited basis for the purpose of opening a negotiation, or if they were sent to restart a negotiation that had terminated.²⁵

Messages Concerning Employee Discounts Or Similar Matters

The FTC Statement concludes that e-mail messages from employers to employees offering employee discounts, where those messages are sent to e-mail accounts furnished by the employer, qualify as messages that provide "information directly related to an employment relationship . . ."²⁶

Messages For Employer From Third Party

In 2005, the Commission had asked about an employer's use of third parties to send e-mails to employees about the employment relationship or about a related benefit plan in which the recipient was currently involved. In its recent Statement, the Commission concludes that if the message would be a TORM when sent directly from the employer, there is no reason for a different classification when an authorized third party sends the message.²⁷

Post-Employment Offer Messages

The FTC Statement concludes that a message from an employer to a prospective employee, sent after an offer of employment has been made but before the offer is accepted or rejected, is not subject to CAN-SPAM Act requirements unless the message contains commercial matter such as a solicitation to purchase the employer's products or services.²⁸

Electronic Newsletter Subscriptions And Similar Content

The May 12, 2008 Statement addresses but does not formally resolve the status of newsletters sent to recipients by means of e-mail. Some commenters had urged the FTC to find that where a recipient has entered into a transaction with the sender that entitles the recipient to receive a newsletter or other electronically delivered content, subsequent e-mails that deliver that information are not CEMMS because their primary purpose is not commercial, or are TORMs because they "deliver goods or services . . . that the recipient is entitled to receive" under the terms of a transaction previously agreed to.

The Commission declined to announce a rule amendment on the question of newsletters, but indicated that electronic transmission of a newsletter to which the recipient has subscribed, so long as the newsletter consists exclusively of informational content or combines information and commercial content, is a TORM. Not surprisingly, the FTC also stated that unsolicited newlsletters sent by e-mail are not likely to be classified as TORMs.²⁹

"Business Relationship" Messages

For many business people, one of the CAN-SPAM Act's startling features is its failure to distinguish between ordinary business communications and mass-market electronic mail marketing campaigns. Under the Act, an individual e-mail from a company's marketing employee to a contact at another company could be classified as a CEMM, requiring the employee initiating the e-mail to provide an opt-out mechanism, maintain a suppression list of addresses of contacts who had asked not to receive further messages from him or his employer, and comply with other CAN-SPAM Act formalities for which the employee might have neither training nor procedures in place.

The Commission was asked to create a new TORM category of "business relationship" messages to address this problem, but concluded in its May 12, 2008 Statement that it lacked any basis to do so. The FTC pointed out, however, that "to the extent an employee at one company provides affirmative consent to receive emails from an employee of another company, or from that company in general, such consent overrides any prior opt-out request." More generally, the FTC described the entire issue as possibly "overblown."³⁰

Messages From Associations To Members

The FTC Statement reiterates the Commission's tentative conclusion, in 2005, that e-mail messages from associations or membership organizations to their members typically will be classified as TORMs. The Statement expresses skepticism, however, that a message to a lapsed member, urging the sale of a new or renewed membership, would qualify as a TORM. In any case, as with all of the other requests to amend the TORM definition, the Commission found insufficient reason to support such a change under the statutory standard.³¹

IV. Valid Physical Postal Address

Under the newest rule changes, Post Office boxes and private mailboxes established pursuant to United States Postal Service regulations are recognized by the FTC as satisfying the CAN-SPAM Act's requirements for a "valid physical postal address," so long as the sender has accurately registered the mailbox.

V. Send-To-A-Friend Scenarios

Some of the most complex CAN-SPAM Act puzzles arise when a company gives individuals the means to forward promotional materials to others by e-mail. The methods vary: in the simplest scenario, a website simply provides a "forward this page" or "forward this link" mechanism, without adding any words of encouragement or tangible inducements, that a visitor to the site can use at his or her discretion. More controversially, the website might exhort the visitor to forward promotional information to others, and might even offer a reward or other inducement to visitors who use the forwarding mechanism. Other send-to-a-friend campaigns do not use websites as the main vehicle, but send e-mails directly to recipients who then may be urged, or offered inducements, to forward those messages.

The puzzle arises when we ask who, if anyone, has CAN-SPAM Act obligations in these scenarios. Assuming that the forwarded message is commercial and therefore a CEMM within the meaning of the Act, is the person who forwards the message an "initiator" with responsibility for labeling, ensuring that an opt-out mechanism is in place, and otherwise complying with the Act? Can the visitor avoid initiator status on the ground that he or she comes within the Act's exception for "routine conveyance" of the message? And what about the company that created the content and enabled its forwarding to another? Is that company the sender of the forwarded message, and must the company therefore find a way to collect and honor opt-out requests from the ultimate recipients of those messages?

In its 2005 notice, the Commission focused on the Act's definition of "initiate" as to "originate or to transmit such message or to procure the origination or transmission of such message . . ."³² The Act defines "procure," in turn, as "intentionally to pay or provide other consideration to, or induce, another person to initiate such a message on one's behalf."³³ In the FTC's tentative view, the word "procure" should be given a broad meaning, and should include any effort to encourage the forwarding of a commercial message. On this interpretation, a company that did anything more than provide a neutrally labeled forwarding mechanism likely would have compliance responsibilities under the CAN-SPAM Act.

In its May 12, 2008 Statement, the Commission distinguished "forward-to-a-friend" transmissions that use a web-based forwarding mechanism from those transmissions that use the forwarding individual's own e-mail program.

Where a web-based mechanism is used, the Commission now retreats somewhat from its suggestion in the 2005 notice than any language exhorting a visitor to forward a communication "induces," and therefore "procures," the act of forwarding and therefore makes the advertiser an initiator. Now, the Commission says that "a seller's use of language exhorting customers to forward a message does not, absent more, subject the seller to 'sender' liability under the Act."³⁴ The Statement makes it clear; however, that any consideration paid to another in exchange for generating traffic to a website or for any form of referrals will constitute inducement and give rise to CAN-SPAM Act obligations.³⁵

Where a seller sends an e-mail to a recipient that subsequently forwards the message to a third party, the same analysis will apply. Any form of consideration offered in exchange for the act of forwarding, including coupons, discounts, or fees offered in exchange for traffic generation or referrals, will create CAN-SPAM Act liability for the original sender. Presumably, this also means that words of encouragement, not bolstered by additional consideration, do not count.³⁶

Finally, the Commission's Statement makes it clear that ordinary consumers who forward commercial messages are not intended enforcement targets under the CAN-SPAM Act and should not be liable as initiators.³⁷

VI. Reduction Of Grace Period

The Commission had asked for comment on reduction of the grace period for honoring opt-out requests from ten business days to three business days. After reviewing a large number of negative comments on this proposal, the Commission decided to leave the present deadline in place.³⁸

VII. Time Limit On Effectiveness Of Opt-Out Requests

Some commenters had urged the FTC to put a time limit on the effectiveness of recipients' opt-out requests, partly on the ground that suppression lists become unwieldy unless they can be purged at some regular interval. Finding the factual support for these claims inadequate, and noting that Congress had not provided for any such time limit and had not authorized the FTC to do so, the Commission refused these requests.³⁹

VIII. No Fee Or Other Conditions For Opt-Outs

Not surprisingly, the Commission confirmed that it is unlawful to impose a condition of any kind on the acceptance of a recipient's opt-out request. The Statement adopts Final Rule 316.4, which states that "[n]either a sender nor any person acting on behalf of a sender may require that any recipient pay any fee, provide any information other than the recipient's electronic mail address and opt-out preferences, or take any other steps except sending a reply electronic mail message or visiting a single Internet Web page," in order to submit an opt-out request or have such a request honored.⁴⁰

Conclusion

The FTC's rule changes and accompanying Statement contain some of the Commission's most important guidance on compliance with the CAN-SPAM Act. Companies that conduct advertising and promotional campaigns by means of e-mail should review their compliance programs between now and the compliance date for the new rule provisions, which is set for 45 days after publication of the new provisions in the Federal Register.

Footnotes:

1. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, Pub. L. No. 108-187, 117 Stat. 2699 (2003), codified at 15 U.S.C. §§ 7701-13, 18 U.S.C. §§ 1001, 1037, 28 U.S.C. § 994, and 47 U.S.C. § 227.

2. For a more complete discussion of the Act's provisions, see Morrison & Foerster Legal Update, "Understanding the CAN-SPAM Act of 2003," available at http://www.mofo.com(December, 2003).

3. The new rule and the FTC's statement of the basis and purpose for the rule are set out in a Federal Register notice available at the Commission's website but not yet officially published in the Federal Register. See 16 CFR Part 316: Project No. R411008: "Definitions and Implementation under the Controlling the Abuse of Non-Solicited Pornography and Marketing Act of 2003 (the CAN-SPAM Act): Final Rule and Statement of Basis and Purpose," available from a link at http://ftc.gov/opa/2008/05/canspam.shtm (visited May 12, 2008). The new rule provisions become effective 45 days after publication in the Federal Register. The FTC's Statement of Basis and Purpose will be referred to herein as the "FTC Statement" or "Statement."

4. See Morrison & Foerster Legal Update, "FTC Opens New CAN-SPAM Act Proceeding," available at http://www.mofo.com (May, 2005).

5. FTC Statement at 7, 16 CFR Part 316, § 316.2(h).

6. 16 CFR § 310.2.

7. FTC Statement at 8.

8. 15 U.S.C. § 7702(16)(A).

9. See 70 FR 25426, 25428 (May 12, 2005).

10. FTC Statement at 14.

11. Any person that initiates (that is, originates, transmits, or procures the origination or transmission of) a commercial e-mail must avoid using false or misleading transmission information (15 U.S.C. § 7704(a)(1)), avoid deceptive subject headings (id. § 7704(a)(2)), furnish an opt-out mechanism (id. § 7704(a)(3)(A)(i)), label the message appropriately, ensure that the e-mail includes a valid physical postal address of the sender (id. § 7704(a)(5)(A)), and avoid charging a fee or imposing other requirements on recipients' opt-out requests (16 CFR 316.4). Senders are a specific class of initiators: they not only originate, transmit, or procure the origination or transmission of messages, but also are entities whose products or services are advertised or promoted by those e-mails. Senders have all of the obligations of other initiators, and also have the additional obligations to collect opt-out requests, honor those requests, and provide a valid sender's postal address.

12. FTC Statement at 16. The Statement also points out that in a multi-marketer e-mail, "if the designated sender receives a list of proposed email addresses from a non-designated sender, the designated sender must scrub that list against its own opt-out list before sending the message to the addresses on that list." Id. at 25.

13. FTC Statement at 28-29.

14. FTC Statement at 34.

15. FTC Statement at 36-37.

16. 15 U.S.C. § 7702(17)(A).

17. Id. § 7702(17)(B).

18. FTC Statement at 38-40.

19. FTC Statement at 41-42.

20. FTC Statement at 42.

21. FTC Statement at 43.

22. The categories are messages of which the primary purpose is to "facilitate, complete, or confirm a commercial transaction that the recipient has previously agreed to enter into with the sender" (15 U.S.C. § 7702(17)(a)(i)), and messages of which the primary purpose is to "deliver goods or services, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender" (15 U.S.C. § 7702(17)(A)(v)).

23. FTC Statement at 46.

24. FTC Statement at 48.

25. FTC Statement at 49.

26. FTC Statement at 49-51.

27. FTC Statement at 51-52.

28. FTC Statement at 52-54.

29. FTC Statement at 54-55.

30. FTC Statement at 57.

31. FTC Statement at 58-60.

32. 15 U.S.C. § 7702(9).

33. 15 U.S.C. § 7702(12).

34. FTC Statement at 76.

35. FTC Statement at 75.

36. FTC Statement at 76-77.

37. FTC Statement at 78.

38. FTC Statement at 79-87.

39. FTC Statement at 87-89.

40. FTC Statement at 91-92.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

United States: Federal Trade Commission Issues New CAN-SPAM Act Regulations

Login to Mondaq.com

Why Register with Mondaq

Your Organisation