FIRST, the law regulates and makes criminal the following activities:
- Accessing a protected computer (basically any computer used in interstate commerce or communication) without authorization, and intentionally initiating the transmission of multiple commercial emails from or through such computer (the term “multiple emails” means more than 100 emails during a 24-hour period, more than 1,000 emails during a 30-day period, or more than 10,000 electronic mail messages during a 1-year period);
- Using a protected computer to relay or retransmit multiple commercial electronic mail messages, with the intent to deceive or mislead recipients or any ISP as to the origin of the emails;
- Materially falsifying header information in multiple commercial electronic mail messages and intentionally initiating the transmission of such messages;
- Registering, using information that materially falsifies the identity of the actual registrant, for five or more electronic mail accounts or online user accounts or two or more domain names, and intentionally initiating the transmission of multiple commercial electronic mail messages from any combination of such accounts or domain names; or
- Falsely representing oneself to be the registrant or the legitimate successor in interest to the registrant of 5 or more Internet Protocol addresses, and intentionally initiating the transmission of multiple commercial electronic mail messages from such addresses, or conspiring to do so.
Header information or registration information is materially falsified if it is altered or concealed in a manner “that would impair the ability of a recipient of the message, an Internet access service processing the message on behalf of a recipient, a person alleging a violation of this section, or a law enforcement agency to identify, locate, or respond to a person who initiated the electronic mail message or to investigate the alleged violation.”
Criminal penalties range from monetary fines specified for violations of the Act to a jail sentence of anywhere from up to 3 to 5 years, depending upon the specific violation above. In addition, the court can order anyone convicted of a violation of the above restrictions to forfeit to the United States any property, real or personal, constituting or traceable to gross proceeds obtained from such offense and any equipment, software, or other technology used or intended to be used to commit or to facilitate the commission of such offense.
SECOND, the statute also prohibits sending commercial emails containing false or materially misleading headers, sender information, subject headings or inaccurate return addresses.
- Restriction Against False or Misleading Transmission Information. It is unlawful for any person to send a commercial email or a transactional or relationship message that contains, or is accompanied by, header information that is materially false or materially misleading. Header information that is technically accurate but includes an originating email address, domain name, or Internet Protocol (IP) address that was accessed by means of false or fraudulent pretenses or representations for purposes of sending emails shall be considered materially misleading. The ‘from’ line (the line identifying the sender) must accurately identify any person who initiated the message or it shall be considered materially false or materially misleading. Finally, header information shall be considered materially misleading if it fails to identify accurately a protected computer used to initiate the email because the person initiating the message knowingly uses another protected computer to relay or retransmit the message to disguise its origin.
- Restriction Against Deceptive Subject Headings. It is unlawful for any person to send to a protected computer any commercial email message if you have actual or implied knowledge that a subject heading of the message would be likely to mislead the recipient, acting reasonably under the circumstances, about a material fact regarding the contents or subject matter of the message (consistent with FTC deception principles you will learn about in the next chapter).
- Including a Return Address (or comparable mechanism). It is unlawful for any person to send a commercial email that does not contain a functioning return email address or other Internet-based mechanism (for example, a link to a separate web page containing the opt-out mechanism) that is clearly and conspicuously displayed and that: (i) a recipient may use to submit a reply e-mail or other communication requesting not to receive future emails from that sender (“opt-out”) at the address where the message was received; and (ii) remains capable of receiving replies for no less than 30 days after the original email is sent.
THIRD: The Act sets forth other opt out requirements stating that if a recipient notifies a sender that the recipient no longer wants to receive any commercial email from that sender, it is unlawful for the sender to send further emails to that party. A recipient can affirmatively consent to continue to receive such emails, including withdrawing any opt outs.
The updated rules clarify that you cannot charge a fee for the right to opt out of receiving emails, require someone to provide personally identifiable information as part of the unsubscribe process, or force your customers to take multiple steps to opt out beyond a single reply message and visiting a single web page. In addition, many businesses overlook the fact that the recipient of your email has a right to opt out from receiving future emails from the sender or anyone acting on the sender’s behalf. The opt-out isn’t just for the particular list that sent the mail. The opt-out applies to your affiliates, marketers, outside sales reps, resellers, distributors, etc.
If you send an email to an address from your main company database and the recipient decides to opt-out, you must remove that email address from every single promotional email that you send (or is sent on your behalf). You need to consider all the possible lists or databases the address could be contained on affiliated with your business once you receive the opt-out. The address needs to be removed and this is why you should have strict policies in place in your affiliate agreements covering this. But, ultimately it’s up to your business to notify or attempt to cross-reference an opted-out email address with another promotional list.
Even though the chances of the average spammer getting caught are very slim, you are still breaking the law. Not to mention, it’s an unethical practice.
FOURTH: The Act requires that a commercial email must contain the following elements:
- clear and conspicuous identification that the email is an advertisement or solicitation;
- clear and conspicuous notice of the opportunity to decline to receive further emails from the sender; and
- a valid physical postal address of the sender (The FTC clarified in an update to their rules that an accurately registered P.O. Box, or private mail box, may be listed as the valid physical address).
FIFTH: The Act sets forth the following as aggravated violations that may give rise to additional fines:
- Address harvesting. It is illegal for any person to send spam to addresses obtained using an automated means from a third party website or proprietary online service (i.e. when computer robots crawl webpages and make a record of any e-mail addresses that appear on those pages) which includes a notice stating that the operator of the website/online service will not give, sell, or otherwise transfer email addresses maintained on the website/service to any other party.
- Dictionary attacks. It is illegal for any person to send spam using an automated means that generates possible email addresses by combining names, letters, or numbers into numerous permutations (i.e. “dictionary attacks”).
- Automated Creation of Multiple E-mail Accounts. It is illegal to use scripts or other automated means to register for multiple email accounts or online user accounts to send any spam. A fake email script allows you to send emails to anyone, which will originate from your mail server, but will appear to the recipient to have come from the email address you make up.
- Relay or Retransmission through Unauthorized Access. It is illegal for any person to relay or retransmit spam from a protected computer or computer network that you have accessed without authorization. This is basically done to send spam through another computer or network to mislead others about the origin of the email. In many cases, spammers gain access to individual systems by taking advantage of open relays or open proxies, which are basically security vulnerabilities in a mail server. Examples include re-routing spam through third party computers and sending unsolicited email through their mail server.
Most mail servers will not accept messages for relaying now because of this problem. But, servers that do still accept such messages are known as “open relays.” In an open relay (also known as a third-party or insecure relay), the mail server will process any e-mail message, regardless of whether it’s to or from an authorized user. A spammer who acquires the IP address of an insecure mail server can simply tell the server to send junk to any user on any mail server at any domain.
Proxy software allows computers within a network to share a connection and be recognized with the same IP address. However, open proxies will accept and process requests from users outside the network they serve. This is another way spammers hide their IP addresses. These practices are prohibited under the Act.
If your business is running its own mail server, you could be at risk of having an open relay. Check your mail server software to be sure that your server is properly and securely configured. Better yet, talk to your IT guy!
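One way to run that configuration check, as an added example that is not part of the original article: a small Python audit of relay settings. It assumes a Postfix mail server and its `main.cf` parameters (the article names no product); both sample configurations are constructed, and the "broader than a /8" test is a heuristic chosen for this example.

```python
import ipaddress

# Constructed samples. Postfix main.cf syntax is an assumption of this example.
WEAK = """\
mynetworks = 127.0.0.0/8, 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks, permit, reject_unauth_destination
"""
HARDENED = """\
mynetworks = 127.0.0.0/8, 192.168.10.0/24
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
"""
# Restrictions that stop relaying for senders not already permitted.
REJECTS = {"reject_unauth_destination", "defer_unauth_destination", "reject", "defer"}

def parse_main_cf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
        elif "=" in line:
            last, value = (p.strip() for p in line.split("=", 1))
            params[last] = value
    return params

def audit_relay(text):
    """Return findings that would let hosts outside the organisation relay mail."""
    params, findings = parse_main_cf(text), []
    for net in params.get("mynetworks", "").replace(",", " ").split():
        try:
            parsed = ipaddress.ip_network(net, strict=False)
        except ValueError:
            continue  # file or lookup-table entries are out of scope here
        if parsed.prefixlen < 8:  # heuristic: far too wide to be "our" network
            findings.append(f"mynetworks trusts {net}, which is broader than a /8")
    rules = params.get("smtpd_relay_restrictions", "").replace(",", " ").split()
    for rule in rules:  # restrictions are evaluated in order, first match wins
        if rule in REJECTS:
            break
        if rule == "permit":
            findings.append("bare 'permit' is reached before any relay rejection")
            break
    else:
        if rules:
            findings.append("smtpd_relay_restrictions never rejects unauthorised relaying")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_relay(cfg) or "no open-relay findings")
```

A clean result covers only these two parameters; it does not replace reviewing the full server configuration.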
FINALLY: Separate Rules Apply to ‘Sexually Explicit’ Emails
The FTC has issued a rule under the Act that regulates sexually explicit messages. Messages with “sexually oriented material” (i.e. “actual or simulated sexual intercourse, including genital-genital, oral-genital, anal-genital, or oral-anal, whether between persons of the same or opposite sex; bestiality; masturbation; sadistic or masochistic abuse; or lascivious exhibition of the genitals or pubic area of any person.”) must include the warning “SEXUALLY-EXPLICIT” at the beginning of the subject line. In addition, the rule requires the electronic equivalent of a “brown paper wrapper” in the body of the message. According to the FTC’s guidelines on spam, once a message is opened, the only things that may be viewable on the recipient’s screen are the following items:
- the words “SEXUALLY-EXPLICIT”; and
- the same information required in any other commercial email: a disclosure that the message is an ad, the sender’s physical postal address, and the procedure for how recipients can opt out of receiving messages from this sender in the future.
According to the FTC’s website, no graphics are allowed on the “brown paper wrapper.” Recipients should not be able to view sexually explicit content without an affirmative act on their part. An affirmative action would include actions such as scrolling down or clicking on a link. However, this requirement does not apply if the person receiving the message has already given affirmative consent to receive the sender’s sexually oriented messages.
Whoever knowingly sends an email with sexually oriented material in violation of the Act shall be fined or imprisoned not more than 5 years, or both!