http://www.mofo.com/news/general.cfm?MCatID=&concentrationID=30&ID=1136&Type=5

Congress has passed a long-awaited bill that creates a federal regime for the regulation of spam email. The bill, known as the “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003” (or “CAN-SPAM Act”), preempts many provisions of existing state anti-spam laws, including the highly restrictive California law that was set to take effect in January 2004. Because the CAN-SPAM Act (the “Act”) is scheduled to take effect January 1, 2004, businesses that use email as a channel of advertising and communication must move quickly to comply with its requirements.
The CAN-SPAM Act does not prohibit the sending of commercial email. It does, however, prohibit certain fraudulent and misleading practices, and requires senders of commercial emails to label these messages accordingly and give recipients a means to “opt out” of future mailings from those senders. The Act also authorizes the Federal Trade Commission (“FTC”) and state authorities to bring enforcement proceedings against violators, and requires the FTC to consider the establishment of a national “do not spam” list similar to the “do not call” registry that now restricts telemarketing calls.
The new Act will have little impact on unethical businesses that already engage in fraud or deception by means of email. Those enterprises will locate their servers offshore or take other measures to avoid prosecution, and simply will continue to operate as usual. The greatest impact will be on legitimate businesses that use email as a marketing or customer service channel. Those businesses will want to study the new law thoroughly and ensure that adequate compliance measures are in place.
Unfortunately, the new Act is a complex set of prohibitions and definitions that leaves businesses with a number of ambiguities--and possible pitfalls--to confront. This bulletin attempts to set out the Act’s principal provisions and identify some, if not all, of the traps it poses for the unwary. Part One of this bulletin summarizes some highlights of the Act; Part Two analyzes the Act’s provisions in detail; and, Part Three discusses some sources of possible uncertainty for businesses that want to bring their email practices into compliance with the Act.
Some Highlights Of The CAN-SPAM Act
The New Act Permits Email Advertising
Unlike the highly restrictive California statute that was set to take effect in January 2004, the CAN SPAM Act allows companies to send email ads to potential customers, even where the recipients have not given prior consent to such mailings and even where the sender does not have a preexisting or current business relationship with the recipient.
The Act Prohibits Misleading Headers and Other Practices That Mask the Origin of Email Ads
The CAN SPAM Act casts a wide net over any and all attempts to conceal the origins of email ads or the identities of their senders. Specific prohibited practices include falsification of header information, false registrations for email accounts or IP addresses used in connection with email ads, and retransmissions of email ads for the purpose of concealing their origins.
Recipients Must Be Allowed to Opt Out of Future Mailings
As noted earlier, the new Act permits the mailing of email ads to persons who have not agreed to receive them and who have no preexisting or current business relationship with the sender. However, the sender of such emails must give recipients the means of asking not to receive future email ads from that sender. Specifically, the email must give the recipient the ability to send a reply message or other “Internet-based communication” that opts out of future emails from the sender. Also, the recipient’s ability to make such an opt out response must be good for at least 30 days after the original message is sent.
Email Ads May Not Be Sent to a Recipient That Has Asked Not to Receive Them
If a recipient of an email ad has exercised his or her right to refuse future mailings, the sender must honor that request. Specifically, the sender must cease transmission of email ads to that recipient after 10 business days from the date of receipt of the opt out request. The sender also is generally prohibited from selling or otherwise transferring email addresses of persons who have opted out of future mailings.
Email Ads Must Be Identified As Such
The new Act requires email advertisers to identify their messages as advertisements or solicitations, and to do so by means that are “clear and conspicuous.” The FTC may, if given congressional authorization, adopt a more specific requirement that commercial emails be identified as such in their subject lines.
State Anti Spam Laws Generally Are Preempted
Perhaps the most important provision of the new Act is its preemption language. Specifically, the CAN SPAM Act “supersedes any statute, regulation, or rule of a state or political subdivision of a state that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto.” By preempting state anti-spam restrictions not directly related to fraud or deception, the new Act protects legitimate businesses against more restrictive state legislation and simplifies the task of compliance with anti spam requirements.
The Act Does Not Give Recipients a Right to Sue Spammers
Unlike the pending California statute and some other state anti-spam laws, the new Act does not permit recipients of commercial emails to sue the senders for violations of the Act. Enforcement will be primarily by means of actions brought by the FTC or state law enforcement authorities. Internet service providers, however, have a right to bring civil lawsuits against violators that adversely affect those providers.
The FTC May Clarify The Act’s Requirements
The Act delegates a substantial set of studies, reports, and rulemaking activities to the FTC, including the task of defining some of the Act’s key terms. For example, the FTC will define the circumstances under which an email’s primary purpose will be found to be the promotion or advertisement of a commercial product or service – an important requirement for classification of a message as a “commercial electronic mail message” covered by the Act.
Detailed Analysis Of CAN-SPAM Act
The Act Applies Primarily to “Commercial Electronic Mail Messages”
The new statute applies primarily to any “commercial electronic mail message,” which is defined as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose).”[fn1] (In this bulletin, we sometimes refer to commercial electronic mail messages as “CEMMs”.)
As we discuss in Part Three, below, this definition covers the most common forms of today’s spam email, which have no purpose but to solicit the purchase of commercial products and services. The use of the undefined terms “advertisement” and “promotion,” however, and above all the undefined expression “primary purpose,” could have two (presumably unintended) consequences. First, illicit spammers might mix their solicitations with noncommercial material and argue, on that basis, that their emails’ primary purpose is not to advertise or promote a product or service. Second, the use of the expansive term “promotion” might cast doubt on legitimate business to business and other email messages that advance a business’s interests but do not expressly advertise a product or service. Lobbying of the FTC, to obtain clarifications of the Act’s terms that avoid these results, will be intense in the coming year.
Transactional and Relationship Messages
One of the Act’s surprising features is its failure to create a broad exemption for emails sent to recipients with whom the sender has a preexisting or current business relationship. Such an exemption, which is common in state anti-spam laws, permits businesses to contact their past and present customers without observing all of the restrictions that apply to emails sent to strangers.
Instead of creating a preexisting or current business relationship exemption, the new Act recognizes only a narrow category of “transactional or relationship messages,” which include:
an electronic mail message the primary purpose of which is –
The Act authorizes the FTC to modify this definition of “transactional or relationship message” as needed to accommodate changes in technology and email practices and to accomplish the purpose of the Act.[fn2] Business interests should press, in the FTC proceedings that will result from this Act, for a wider definition that includes all emails to recipients with whom the sender has a current or preexisting business relationship. [fn3]
Opt-Out Requirements
All recipients of commercial electronic mail messages must be given an effective opportunity to refuse the receipt of future CEMMs from the senders of those emails. In order to ensure this “opt out” right, the Act makes it unlawful to “initiate the transmission to a protected computer of any [CEMM] that does not contain a functioning return electronic mail address or other Internet based mechanism, clearly and conspicuously displayed,” that a recipient may use to request “not to receive future [CEMMs] from that sender at the electronic mail address where the message was received . . .”[fn4] The opt out opportunity must be effective, as to each CEMM transmitted, for at least 30 days after transmission of the original message. [fn5]
An alert reader will have noticed that these opt out requirements involve three players: the recipient, who must be given the right to opt-out; the person who “initiates” the CEMM, who must provide the opt out mechanism that the recipient will use; and the “sender,” from whom the recipient requests not to receive further CEMMs. An understanding of the opt out provisions (and many other elements of the Act) requires familiarity with these terms.
First, to “initiate” a CEMM is to “originate or transmit such message or to procure the origination or transmission of such message, but [it does] not include actions that constitute routine conveyance of such message.”[fn6] To “procure” initiation of a CEMM, in turn, is “intentionally to pay or provide other consideration to, or induce, another person to initiate such a message on one’s behalf.” [fn7] Under this definition, when a company with a product or service to promote hires a vendor to run an email marketing campaign, both that company and its vendor are initiators. [fn8]
A “sender,” on the other hand, is a specific kind of initiator. A sender is “a person who initiates [a CEMM] and whose product, service, or Internet web site is advertised or promoted by the message.” [fn9] Accordingly, although both an email advertising vendor and the company whose product is advertised initiate a CEMM, only the company whose product is advertised is a sender of that CEMM. [fn10]
Finally, the Act defines the “recipient” of a CEMM as “an authorized user of the electronic mail address to which the message was sent or delivered.”[fn11]
Putting all of these players together, the opt out scheme of the Act appears to make both email advertising vendors and their clients responsible for ensuring that an effective opt out mechanism is implemented. The opt-out mechanism mandated by the Act, however, must permit recipients to refuse future CEMMs from the sender – i.e., the person whose product or service is advertised – rather than from any non sender initiator.
The opt-out requirements of the Act include a number of additional refinements. For example, the Act allows the recipient to be provided with a list or menu that allows the recipient to choose which types of CEMMs it does not wish to receive from the sender, as long as this menu also includes an option to opt-out from receiving all CEMMs from the sender.[fn12] If the recipient only opts out from receiving certain types of CEMMs, the sender is only prohibited from sending that recipient CEMMs that fall within the scope of the opt-out request.[fn13]
A sender’s receipt of an opt out request also starts the clock running on a 10 business day window within which CEMMs may continue to be sent to that recipient. After 10 business days, however, the sender may not initiate the transmission to the recipient of any CEMM that falls within the scope of the opt out request. [fn14]
The duty to honor opt out requests also extends to persons that may act on behalf of the sender. Specifically, no one acting on behalf of a sender may initiate the transmission of a CEMM to an opted out recipient, more than 10 days after the receipt of the opt out request, if the person acting on behalf of the sender has actual or constructive knowledge that the message falls within the scope of the opt out request.[fn15] It also is unlawful for anyone acting on behalf of the sender to provide or select an email address to which a CEMM will be sent, if the person providing or selecting the address has actual or constructive knowledge that a resulting message would violate the opt out provisions of the Act. [fn16]
Finally, the Act prohibits any sender, or any other person who is aware of an opt out request, from selling, leasing, exchanging or otherwise transferring the email address of the recipient.[fn17] The only exceptions to this restriction are cases in which the recipient has given express consent to such a transfer of his or her email address, and cases in which the transfer is made for purposes of legal compliance. [fn18]
Opt out requests also may be withdrawn by “affirmative consent” of the recipient, given subsequent to the opt out request. [fn19]
Labeling Requirements
The Act also requires senders of CEMMs to label those messages, by providing in each message a “clear and conspicuous identification that the message is an advertisement or solicitation.”[fn20] Initiators of CEMMs also must provide clear and conspicuous notice of the recipient’s opportunity to opt out of further CEMMs from the sender, and must include a “valid physical postal address of the sender.” [fn21]
If the recipient has given “prior affirmative consent” to the receipt of a message, then the message need not bear the “clear and conspicuous identification that the message is an advertisement or solicitation.” Even where affirmative consent was given, however, the message still must include notice of the opt out opportunity and a valid postal address of the sender.[fn22]
Finally, the Act requires a special subject heading, to be specified by the FTC, for any CEMM that includes sexually oriented material.[fn23]
Aggravated Violations
Certain kinds of conduct, in relation to the initiation of CEMMs, are defined as aggravated violations that will incur heightened penalties. Specifically, penalties may be increased for violations of the Act that are accompanied by any of the following:
Initiating or assisting in the initiation of a CEMM with actual or constructive knowledge that the recipient’s email address was obtained by an automated process from an online site with a posted policy of not giving out addresses for purposes of third party emailings. [fn24]
Initiating or assisting in the initiation of a CEMM with actual or constructive knowledge that the recipient’s email address was obtained by the use of a program for random generation of email addresses. [fn25]
Use of scripts or other automated means to register for multiple email accounts or online user accounts from which to transmit an unlawful CEMM.[fn26]
Relaying or retransmitting an unlawful CEMM from a protected computer or computer network that was accessed without authorization.[fn27]
Fraudulent or Misleading Practices
A number of provisions of the Act are intended to control the use of email to mislead recipients. Some of these anti-fraud and anti deception provisions apply only to transmissions of multiple commercial electronic mail messages; other provisions apply even to the transmission of a single CEMM; and still other provisions apply even to transactional or relationship messages. Some of these anti-fraud provisions are defined by amendment to the U.S. Criminal Code and carry criminal penalties.
Anti-Fraud Provisions Applicable to Multiple CEMMs
The anti-fraud provisions affecting multiple emails, which carry significant penalties, address methods by which large-scale spammers obscure the origin of their messages. These “multiple CEMM” anti-fraud provisions consist of amendments to the chapter of the U.S. Criminal Code that prohibits various forms of criminal fraud.[fn28]
Two of the prohibited methods involve the routing or originating of spam messages through computers, other than the originating computer, by hacking or other means. Specifically, it is unlawful knowingly to access a protected computer without authorization and intentionally initiate the transmission of multiple CEMMs from or through that computer, or knowingly to access a protected computer to relay or transmit multiple CEMMs with the intent to deceive recipients or any Internet access service as to the origin of such message.[fn29]
Another prohibited method is the material falsification of header information in multiple CEMMs and the intentional initiation of the transmission of such messages.[fn30]
Finally, these multiple CEMM anti-fraud provisions of the Act prohibit the use of email accounts and domain names that have been obtained through the use of falsified registration information. Specifically, it is unlawful to register under a false identity for 5 or more email accounts or online user accounts or 2 or more domain names, and intentionally initiate multiple CEMMs from any combination of such accounts or domain names; or to falsely claim to be the registrant or legitimate successor in interest to the registrant of 5 or more Internet protocol addresses, and intentionally initiate the transfer of multiple CEMMs from such addresses.[fn31]
The Act also contains specific penalty provisions for violation of the multiple-CEMM anti-fraud prohibitions. A fine and imprisonment for up to 5 years, or both, may be imposed if the offense is committed in furtherance of a state or federal felony, or if the defendant has previously been convicted of one of the multiple-CEMM fraud offenses, the federal Computer Fraud and Abuse Act or the law of any state for similar conduct. A fine and imprisonment of up to 3 years, or both, are prescribed if: the offense involves access to a protected computer without authorization; the offense involves 20 or more falsified email or online user account registrations, or 10 or more falsified domain name registrations; the volume of messages involved exceeded 2,500 during any 24-hour period, 25,000 during any 30-day period, or 250,000 during any 1-year period; the offense caused loss to 1 or more persons aggregating $5,000 or more in value during any 1-year period; the offense resulted in the person committing the offense obtaining anything of value aggregating $5,000 or more during any 1-year period; or the offense was undertaken by the defendant in concert with 3 or more other persons with respect to whom the defendant occupied a position of organizer or leader.[fn32] In all other cases, a fine or imprisonment of not more than 1 year, or both, may be imposed.[fn33]
Violations of the multiple-CEMM anti-fraud provisions may result in forfeiture of property used in committing, or acquired from the proceeds of, the offense.[fn34]
Anti-Fraud Provisions Applicable to All CEMMs
As noted earlier, some anti-fraud provisions of the Act apply even to a single transmission of a commercial electronic mail message. Notably, it is unlawful for any person to initiate the transmission, to a protected computer, of a CEMM if the initiator has actual or constructive knowledge that a subject heading of the message likely would mislead a reasonable recipient as to the contents or subject matter of the message.[fn35]
Anti-Fraud Provisions Applicable to CEMMs and Transactional or Relationship Messages
Some anti-fraud provisions apply, not only to all CEMMs, but also to transactional and relationship messages. Specifically, such a message may not be sent to a protected computer if the message contains, or is accompanied by, “header information that is materially false or materially misleading.”[fn36] The Act defines the expression “materially false or materially misleading” to include header information that is “technically accurate” but includes an originating email address, domain name or Internet protocol address that was obtained by false or fraudulent pretenses.[fn37] The expression also includes messages that fail to identify a protected computer used to initiate the message because the initiator knowingly used another protected computer to relay or retransmit the message for purposes of disguising its origin. [fn38]
How the Act Will Be Enforced
The new Act’s prohibitions will be enforced by a combination of FTC proceedings, criminal prosecutions, state attorney general actions and private suits brought by Internet service providers.
The FTC will take the leading role. The Act specifically provides that violations of the Act may be enforced as unfair or deceptive acts or practices under the Federal Trade Commission Act.[fn39] Pursuant to its enforcement authority, the FTC may investigate violations, enter into consent decrees, impose monetary penalties and refer violations to the Department of Justice for criminal prosecution.
The states may bring actions against entities believed to have violated the provisions of the Act regarding false or misleading transmission information or deceptive subject headings, or that have engaged in a pattern or practice that violates the opt out provisions of the Act.[fn40] A state may bring its action in a U.S. district court and may demand injunctive relief, an award of damages equal to the actual monetary loss suffered, or statutory damages as set out in the Act. (Statutory damages may be increased by a factor of three if the court finds that the violation was committed willfully and knowingly, or involved one or more of the aggravating violations.)
Also, before bringing an action to enforce the Act, a state must serve prior written notice on the FTC or other appropriate federal agency.[fn41] The FTC or other federal agency may intervene in the case, remove the action to the appropriate United States district court and file petitions for appeal. Also, states may not bring enforcement actions under the Act while a federal civil or administrative enforcement action is pending.[fn42]
Finally, a provider of Internet access service may bring a private action if it has been adversely affected by a use of false or misleading transmission information, by one of the defined aggravating violations or by failure to comply with the requirements concerning sexually oriented material.[fn43] An Internet access provider also may bring an action when it has been adversely affected by a pattern or practice that violates the opt out provisions of the Act. If an Internet access provider is successful, the plaintiff may recover the greater of its actual monetary loss or statutory damages. The plaintiff may recover up to three times the amount otherwise available if the defendant’s conduct was willful or knowing or involved aggregated conduct; and reasonable costs and attorneys’ fees may be awarded.
State Anti-Spam Laws Are Partially Preempted
A driving force behind the passage of the Act was concern about more restrictive state anti-spam laws, particularly the stringent anti-spam legislation that would have taken effect in California on January 1, 2004. Thus, an integral provision of the Act is its preemption of any state law that “expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto.”[fn44] However, the Act does not preempt state laws that are not specific to electronic mail, including common law causes of action and laws that “relate to acts of fraud or computer crime.” [fn45]
Upcoming FTC Proceedings
The Act confers substantial authority, as well as responsibility, on the FTC in enforcing and interpreting the Act. Over a two-year period after enactment, the FTC is required to promulgate regulations and recommendations on the Act, under the following schedule:
Within 120 days of enactment, the FTC is required to prescribe warning labels for CEMMs containing sexually oriented material.[fn46]
Within 6 months of enactment, the FTC is required to issue a plan and timetable for establishing a nationwide “Do Not E-Mail” registry.[fn47]
Within 9 months of enactment, the FTC is required to issue a report proposing a system for rewarding those who provide information about violations of the Act, including procedures for granting a reward of 20% of the total civil penalty collected for a violation of the Act to the first person who reports the violation.[fn48]
Within 12 months of enactment, the FTC is required to issue regulations defining the criteria used to determine the “primary purpose” of a CEMM.[fn49]
Within 18 months of enactment, the FTC is required to create a plan for requiring CEMMs to be identifiable from their subject line, such as by use of identifiers like “ADV.”[fn50]
Within 24 months of enactment, the FTC is required to submit a report to Congress analyzing the effectiveness and enforcement of the Act and identifying any recommended legislative modifications.[fn51]
Beyond these mandatory steps, the Act gives the FTC the discretion to modify or expand the Act’s requirements by issuing regulations on the following issues:
The FTC may expand or contract the Act’s definition of a “transactional or relationship message.”[fn52]
The FTC may modify the period of ten business days for complying with an opt-out request.[fn53]
The FTC may classify additional activities or practices as “aggravated violations” of the Act, if the FTC determines that they are contributing to the proliferation of unlawful CEMMs.[fn54]
The FTC may establish and implement the “Do Not E-Mail registry,” but not earlier than nine months after the enactment of the Act.[fn55]
Traps For The Unwary
In view of the Act’s complexity and ambiguities, activities that we may not intuitively regard as “spamming,” and actions that may seem merely ancillary to the CEMM process, may fall within the prohibitions of the Act. Individuals and businesses using CEMMs must take care to avoid falling into the traps that the Act poses for the unwary, such as the following:
Overestimating the Scope of State Preemption
The Act’s preemption of specific state anti-spam laws is very useful, but companies should not be overly sanguine about its effects on state laws that may apply less specifically to CEMMs. State consumer protection laws, such as Section 17200 of the California Business and Professions Code, generally would not be preempted by the Act. The Act also would not preempt actions based on state computer fraud and abuse laws, or claims based on trespass to chattels and other common-law theories. Consequently, while the Act largely preempts spam specific state laws, it does not entirely foreclose the possibility of state-law claims based on CEMMs.
The Hidden Risks of the Single CEMM
While the term “spam” is generally associated with CEMMs sent to a vast multitude of recipients, certain requirements of the Act apply to even a single CEMM. Some of these requirements are not necessarily intuitive. For instance, the requirement of including an opt-out mechanism in a CEMM applies even to an individual CEMM sent to a single recipient. This means that compliance with the Act must extend to individual CEMMs sent by salespeople and other employees. Companies will want to educate their sales employees, marketing staff, and other employees who may send CEMMs about the Act’s requirements. In the alternative, companies may elect to comply with CEMM requirements for all emails sent to customers and prospective customers.
Centralizing Opt-Out Information
As companies have only ten business days to comply with opt-out requests, it will be important to centralize marketing distribution lists so that opt-outs are handled promptly. This centralization of opt-out information also should include opt-outs from any individual CEMMs sent by employees, as explained above. For instance, companies may want to develop a standardized opt-out mechanism that individual employees may insert in their CEMMs, so that all opt-out messages are sent to a centralized source rather than returned to the individual employee.
The Ambiguous “Primary Purpose” Test for CEMM Status
As noted earlier, the definition of the crucial term “commercial electronic mail message” is somewhat confused. Part of the confusion stems from the use of two terms – “advertisement or promotion” – rather than a single term to describe the covered activities. Neither of these terms is defined, but unless they are redundant (a conclusion courts will be reluctant to reach), there must be messages that fit one category but not the other. Nothing in the Act suggests how the two activities are to be differentiated. The Act gives no guidance to businesses that want to know, for example, whether a message that does not directly advertise a product or service is nonetheless a “promotion” of a product or service under the Act.
As we also have discussed, a message is not a commercial electronic mail message unless advertisement or promotion is the message’s primary purpose. Apparently, even an email with obvious advertising or promotional content may escape the definition by including some undefined type and quantity of other content. But the Act does not suggest the quantity or quality of other content that will relegate advertising or promotion to a mere “secondary” purpose of a message.
The questions left unanswered by this definition will not be academic. Suppose, for example, that next December a salesperson wants to send a holiday message to potential customers that he has met at conventions and meetings during the past year. He decides to send an email greeting card, along with a news item about a charity his company has decided to support. At the bottom of the message will be the tagline, “Alpha Company, making the world’s best widgets since 1954.” Will those messages have a purpose to promote or advertise a commercial product or service? And, assuming that the messages have such a purpose, will advertisement or promotion be their primary purpose?
On the question of advertisement or promotion, unless the FTC has clarified
matters significantly by then, our salesperson must go to the dictionary.
He will find that “advertise” is commonly defined as “to tell people about
or praise, as through newspapers, radio, etc., usually so as to get them to
buy”; [fn56]
or “to call public attention to esp. by emphasizing desirable qualities
so as to arouse a desire to buy or patronize.”[fn57]
He will find that some definitions of “promote” are no different in
substance from the definitions of “advertise,” [fn58]
but that other definitions of “promote” are more general. Notably,
some definitions include any activity intended to “further the growth or
establishment of (something)” [fn59]
or to “contribute to the growth or prosperity” of something.[fn59]
Based upon these broader definitions, any communication that furthers the
salesperson’s business, whether or not it directly encourages a purchase,
might be said to promote the company’s product or service.
These definitions give our salesperson a number of alternatives, none of
which should bring him complete peace of mind. He might decide to eliminate
the tagline at the bottom of the message, with its specific reference to
his company’s product, so that his message will look less like an
advertisement – i.e., a message that praises his company’s widgets in order
to get people to buy them. On the other hand, simply by sending a Holiday
card and referring to a charitable activity that puts his company in a
favorable light, he might be said to be promoting his company’s product,
however indirectly. So, eliminating the tagline may not take his message
out of the “commercial electronic mail message” category.
On yet another hand (and at least three hands are needed here), why not
keep all of the proposed text, including the tagline, and be prepared to
claim that Holiday good will, not advertising or promotion, was the
message’s primary purpose?
Fortunately, the Act requires the FTC to supply a definition of “primary
purpose” within 12 months of enactment. The rulemaking proceeding
addressed to that issue will be a crucial opportunity to foreclose
interpretations that hamper normal--and harmless--business communications.
Plenty of Risk to Go Around
Some of the Act’s most complex provisions are those that allocate
responsibility--and liability--among various participants in the CEMM
process. We already have discussed, for example, the interplay among
obligations of initiators, senders and persons acting on their behalf for
management of the opt-out process. Other allocations of liability also are
made in the Act with varying degrees of clarity.
For example, initiators are liable for aggravated violations when they
know, or should have known, that a CEMM was transmitted to addresses
obtained by “scraping” from websites or online services in violation of the
policies of those sites and services, or by using automatic
address-generation software.[fn61]
Similarly, it is unlawful for any person to “promote, or allow the
promotion of, that person’s trade or business, or goods, products,
property, or services sold, [in a CEMM], the transmission of which is in
violation of [the Act’s prohibition of false or misleading transmission
information]” if that person knew or should have known that its products
were being promoted in the CEMM, that person received or expected to
receive an economic benefit from such promotion, and that person took no
reasonable action to prevent, detect and report to the FTC, that
transmission. [fn62]
These examples, which are merely illustrative, should demonstrate that all
participants in activities made unlawful by the new Act may, depending upon
their knowledge of and involvement in the offending activities, have
potential liability under the Act. Accordingly, businesses that use, or
facilitate the use of, email as a marketing channel should carefully
scrutinize the compliance practices of their vendors and marketing
partners.
Conclusion
The CAN-SPAM Act is a significant advance in the standardization of
anti-spam laws in the United States, but it poses many complexities and
hazards for the unwary business. All businesses that use CEMMs should take
prompt action to comply with the Act before it takes effect on January 1,
2004.
Footnotes
1:
CAN-SPAM Act § 3(2)(A)(emphasis added).
4:
Id. § 5(a)(3). “Protected computer,” a term borrowed
from the federal Computer Fraud and Abuse Act, is defined in that statute
so as to include any computer connected to the public Internet.
6:
Id. § 3(9). The “routine conveyance” language is an
exemption for email providers, Internet service providers and other entities
that process the automatic transmission and routing of CEMMs to addresses
provided by an initiator or other party. See Id. § 3(19).
8:
As we discuss further below, anyone seeking to comply with this Act must be
aware that all participants in the process that results in the sending of a
CEMM – including the companies that advertise in those messages, the
providers of email address lists, the vendors of email advertising
services, and suppliers of goods or services to any of those entities – may
be responsible for compliance with some part of the CAN-SPAM Act in some
circumstances.
10: Companies that advertise on behalf of “separate lines of business or divisions” must keep track of which line of business sent a particular CEMM. Under the Act, if a company “operates through separate lines of business or divisions and holds itself out to the recipient throughout the message as that particular line of business or division rather than as the entity of which such line of business or division is a part, then the line of business or the division shall be treated as the sender of such message for purposes of this Act.” Id. § 3(16)(B). Among other things, this provision appears to mean that a recipient’s opt-out applies only to future messages from the line of business or division that sent the original CEMM. However, this provision also appears to mean that a recipient’s prior affirmative consent to receive CEMMs from a sender, which permits the sender to send subsequent CEMMs without labeling them as advertisements or solicitations, may apply only to messages from the line of business or division that held itself out to the recipient as the sender of the original CEMM.
13:
Id. § 5(a)(4). Note that compliance with this requirement falls
primarily upon the sender.
25:
Id. The term “constructive knowledge” is used here, and
elsewhere in this bulletin, as shorthand for the statutory phrase
“knowledge fairly implied on the basis of objective circumstances.”
Id.
28:
Id. § 4. These provisions are codified as a new section 1037 of
Chapter 47 of Title 18, U.S. Code.
29:
To be codified at 18 U.S.C. sec. 1037 (a)(1)-(2).
34:
Id. § 1037(c). The Act also directs the U.S. Sentencing Commission
to review its guidelines and consider sentencing enhancements for persons
convicted of multiple-CEMM anti-fraud violations who obtained email
addresses from websites or other online locations without consent of the
persons holding those addresses, or who randomly generated email addresses.
Sentencing enhancements also are to be considered for persons who commit
multiple-CEMM anti-fraud violations in connection with fraud, identity
theft, obscenity, child pornography, sexual exploitation of children and
other offenses. The Act also urges the Department of Justice to “use all
existing law enforcement tools to investigate and prosecute those who send
bulk commercial e-mail to facilitate the commission of Federal crimes
. . .” CAN-SPAM Act § 4.
39:
Id. § 7(a). Other, industry specific agencies also may bring
actions under the Act. Those agencies include the Office of the Comptroller
of the Currency, the Securities and Exchange Commission and the insurance
regulators of the various states. Id. § 7(b).
47:
Id. § 9(a). FTC Chairman Muris has expressed skepticism, however,
about the utility of such a registry.
56:
Webster’s New World Dictionary.
57:
Webster’s New Collegiate Dictionary.
58:
One definition offered by Webster’s New Collegiate Dictionary is
“to present (merchandise) for public acceptance through advertising and
publicity.”
59:
Webster’s New World Dictionary.
60:
Webster’s New Collegiate Dictionary.
61:
CAN-SPAM Act § 5(b)(1)(A).
62: Id. § 6(a). Persons who only
provide goods, products, or services to violators, however, are liable only
if they are majority owners of the violator, have actual knowledge of the
violation and receive, or expect to receive, an economic benefit from the
unlawful promotion. Id. § 6(b).