Many businesses use emails as a means of marketing and promotion. The instantaneous and direct nature of a targeted message to your in-box can be a powerful form of advertising. Not to mention it’s an extremely cost-effective and efficient method of advertising. In response to the explosion in the use of email mass marketing, Congress adopted the CAN-SPAM Act in 2003. The law does not restrict sending unsolicited commercial emails outright. It does, however, provide a set of regulations and rules covering commercial email communications. The Act is enforced by the Federal Trade Commission (FTC). There are also a number of state anti-spam laws that you need to become familiar with. However, the CAN-SPAM Act preempts most of those laws.
What does the Act Cover? (Commercial Emails)
The CAN-SPAM Act covers all commercial messages, which is defined as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.” This includes email that promotes content on commercial websites. Essentially, all unsolicited commercial emails not in compliance with the CAN-SPAM Act are considered to be “spam” or junk mail and are illegal. I refer to all commercial emails not in compliance with the Act as spam throughout the remainder of this discussion. Communications with existing customers and clients are considered “transactional or relationship messages” are exempt from most provisions of the Act.
If the “primary purpose” of any email sent by your business is commercial, then it must comply with the requirements of CAM-SPAM. But, if the primary purpose is transactional or relationship in nature, then it is exempt from most provisions of the CAN-SPAM Act (you still can’t use a false or misleading heading).
According directly to the FTC’s website, “the primary purpose of an email is transactional or relationship if it consists only of content that:
- facilitates or confirms a commercial transaction that the recipient already has agreed to;
- gives warranty, recall, safety, or security information about a product or service;
- gives information about a change in terms or features or account balance information regarding a membership, subscription, account, loan or other ongoing commercial relationship;
- provides information about an employment relationship or employee benefits; or
- delivers goods or services as part of a transaction that the recipient already has agreed to.”
What about emails containing commercial and transactional/relationship content?
These messages have a commercial primary purpose if either: i) The recipient would interpret the subject line to mean that the message contains commercial advertising; or ii) a substantial part of the transactional or relationship content does not appear at the beginning of the email.
Emails containing commercial and all other content
These messages have a commercial primary purpose if either the recipient would interpret the subject line to mean that the email contains advertising or from the body of the email that it’s primary purpose is advertising. In making this determination, factors for the recipient to consider include:
- the placement of the commercial advertising at the beginning of the message;
- the proportion of the message dedicated to commercial advertising; and
- how prominent the commercial advertising is (for example, highlighted through use of graphics type size and style).
Who Must Comply With The ACT?
Any person, including business entities and nonprofit associations, that initiates commercial e-mails must comply with the Act requirements. Under the Act, a person is an “initiator” of a commercial e-mail message if it either: i) it originates or transmits the e-mail; or ii) procures the transmission of the e-mail, meaning that the business either intentionally pays or provides other consideration to, or induces, another person to transmit the e-mail on its behalf.
Other requirements apply specifically to “senders.” A sender is an initiator whose own product or service, or internet website, is advertised or promoted in the commercial message. A commercial e-mail can have more than one initiator or sender. For example, where a company engages a third-party service provider to send an email advertisement, both parties are initiators under the Act and the company is also a sender.
Exception: The Act contains an exception when the person initiating the commercial e-mail is involved solely in routine conveyance. This is when the person’s actions only relate to the transmission, routing or storage of the message through an automatic technical process and the person is not involved in identifying or providing the recipients’ addresses for the email.
Enforcement, Penalties & Fines
Violating the Act is considered to be an unfair or deceptive act or practice under the FTC Act. The FTC can prevent any person from violating the Act in the same manner, means and with the same powers and duties as though the FTC Act. The same FTC Act penalties apply to violations of the CAN-SPAM Act. Violators may be subject to cease and desist orders, injunctions and maybe even civil penalties up to $16,000 per each separate email that is in violation of the Act.
But, the state attorney generals’ are also authorized under the Act to enforce violations on behalf of the state. This means violators of the act can be subject to actual damages, statutory damages or fines of $250 per violation, with each unlawful email to each recipient being a separate violation. Statutory damages can go as high as $2 million. The state can also seek injunctions against your business preventing the activity. Also,three times the amount of statutory damages for willful, knowing or aggravated violations can be imposed.
Certain other agencies have authority under the CAN-SPAM Act to enforce it. These agencies generally regulate certain types of entities or activities outside the scope of the FTC’s jurisdiction. Penalties for non-compliance are determined by the regulatory regime enforced by the specific agency. Internet service providers (ISPs) are also authorized to bring claims under the CAN-SPAM Act for certain violations and may seek Injunctions, any actual damages or statutory damages up to either $25 or $100 per violation, depending on the violation, costs of bringing the action and reasonable attorneys’ fees as well.
Finally, judgments for violations under the CAN-SPAM Act cannot be discharged in bankruptcy. This means any judgment will stay with you or your business until it is satisfied, similar to a tax lien and other non-dischargeable debt. Many of my clients mistakenly believe they can simply declare bankruptcy and discharge all of their liabilities if they are ever faced with the prospect of paying a significant judgment. In light of this erroneous belief, I want to make you especially aware of this fact before you engage in any type of email marketing campaigns.
The 6 Basic Things CAN-SPAM Does:
FIRST, the law regulates and makes criminal the following activities:
- Accessing a protected computer (basically any computer used in interstate commerce or communication) without authorization, and intentionally initiating the transmission of multiple commercial emails from or through such computer (the term “Multiple emails”means more than 100 emails during a 24-hour period, more than 1,000 emails during a 30-day period, or more than 10,000 electronic mail messages during a 1-year period);
- a protected computer to relay or retransmit multiple commercial electronic mail messages, with the intent to deceive or mislead recipients or any ISP as to the origin of the emails;
- Materially falsifying header information in multiple commercial electronic mail messages and intentionally initiating the transmission of such messages;
- Registers, using information that materially falsifies the identity of the actual registrant, for five or more electronic mail accounts or online user accounts or two or more domain names, and intentionally initiates the transmission of multiple commercial electronic mail messages from any combination of such accounts or domain names; or
- Falsely represents oneself to be the registrant or the legitimate successor in interest to the registrant of 5 or more Internet Protocol addresses, and intentionally initiates the transmission of multiple commercial electronic mail messages from such addresses,or conspires to do so.
Header information or registration information is materially falsified if it is altered or concealed in a manner “that would impair the ability of a recipient of the message, an Internet access service processing the message on behalf of a recipient, a person alleging a violation of this section, or a law enforcement agency to identify, locate, or respond to a person who initiated the electronic mail message or to investigate the alleged violation.”
Criminal penalties can range from monetary fines specified for violations of the Act and you can sentenced to jail for anywhere from up to 3 to 5 years, depending upon the specific violation above. In addition, the court can order that anyone convicted of a violation of the above restrictions to forfeit to the United States any property, real or personal, constituting or traceable to gross proceeds obtained from such offense and any equipment, software, or other technology used or intended to be used to commit or to facilitate the commission of such offense.
SECOND, the statute also prohibits sending commercial emails containing false or materially misleading headers, sender information, subject headings or inaccurate return addresses.
- Restriction against False or Misleading Transmission Information. It is unlawful for any person to send a commercial email or a transactional or relationship message that contains, or is accompanied by, header information that is materially false or materially misleading.Header information that is technically accurate but includes an originating email address, domain name, or Internet Protocol (IP) address that was accessed by means of false or fraudulent pretenses or representations for purposes of sending emails shall be considered materially misleading.The ‘from’ line (the line identifying the sender) must accurately identify any person who initiated the message or it shall be considered materially false or materially misleading. Finally, header information shall be considered materially misleading if it fails to identify accurately a protected computer used to initiate the email because the person initiating the message knowingly uses another protected computer to relay or retransmit the message to disguise its origin.
- Restriction Against Deceptive Subject Headings– It is unlawful for any person to send to a protected computer any commercial email message if you have actual or implied knowledge that a subject heading of the message would be likely to mislead the recipient, acting reasonably under the circumstances, about a material fact regarding the contents or subject matter of the message (consistent with FTC deception principles you will learn about in the next chapter).
- Including a Return Address (or comparable mechanism). It is unlawful for any person to send a commercial email that does not contain a functioning return email address or other Internet-based mechanism ((for example, a link to a separate web page containing the opt-out mechanism), that is clearly and conspicuously displayed and that: (i) a recipient may use to submit a reply e-mail or other communication requesting not to receive future emails from that sender (“opt-out”) at the address where the message was received; and(ii) remains capable of receiving replies for no less than 30 days after the original email is sent.
THIRD: The Act sets forth other opt out requirements stating that if a recipient notifies a sender that the recipient no longer wants to receive any commercial email from that sender, it is unlawful for the sender to send further emails to that party. A recipient can affirmatively consent to continue to receive such emails, including withdrawing any opt outs.
The updated rules clarify that you cannot charge a fee for the right to opt out of receiving emails, you can’t require someone to provide personally identifiable information as part of the unsubscribe process, or force your customers to take multiple steps to opt-out beyond a single reply message and visiting a single web page. In addition many businesses overlook the fact the recipient of your email has a right to opt-out from receiving future emails from the sender or anyone acting on sender’s behalf. The opt-out isn’t just for the particular list that sent the mail. The opt-out applies to your affiliates, marketers, outside sales reps, resellers, distributors, etc.
If you send an email to an address from your main company database and the recipient decides to opt-out, you must remove that email address from every single promotional email that you send (or is sent on your behalf). You need to consider all the possible lists or databases the address could be contained on affiliated with your business once you receive the opt-out. The address needs to be removed and this is why you should have strict policies in place in your affiliate agreements covering this. But, ultimately it’s up to your business to notify or attempt to cross-reference an opted-out email address with another promotional list.
Even though the chances of the average spammer getting caught are very slim, you are still breaking the law. Not to mention, it’s an unethical practice.
FOURTH: The Act requires that a commercial email must contain the following elements:
-clear and conspicuous identification that the email is an advertisement or solicitation;
- -clear and conspicuous notice of the opportunity to decline to receive further emails from the sender; and
- -a valid physical postal address of the sender (The FTC clarified in an update to their rules that an accurately registered P.O. Box, or private mail box, may be listed as the valid physical address).
FIFTH: The Act sets forth the following as aggravated violations that may give rise to additional fines:
-Address harvesting. It is illegal for any person to send spam using an automated means from a third party website or proprietary online service (i.e. when computer robots to crawl webpages and make a record of any e-mail addresses that appear on those pages) which includes a notice stating that the operator of the website/online service will not give, sell, or otherwise transfer email addressed maintained on the website/service to any other party.
- -Dictionary attacks. It is illegal for any person to send spam using an automated means that generates possible email addresses by combining names, letters, or numbers into numerous permutations (i.e. “dictionary attacks”).
- -Automated Creation of Multiple E-mail Accounts. It is illegal to use scripts or other automated means to register for multiple email accounts or online user accounts to send any spam. A fake emailscript allows you to send emails to anyone, which will originate from your mail server, but it will appear to them to have appeared from the email address you make up.
- -Relay or Retransmission through Unauthorized Access-It is illegal for any person to relay or retransmit spam from a protected computer or computer network that you have accessed without authorization. This is basically done to send spam through another computer or network to mislead others about the origin of the email. In many cases, spammers gain access to individual systems by taking advantage of open relays or open proxies, which are basically security vulnerabilities in a mail server. For instance, re-routing spam through third party computers and sending unsolicited email through their mail server.
Most mail servers will not accept messages for relaying now because of this problem. But, servers that do still accept such messages are known as “open relays.” In an open relay (also known as a third-party or insecure relay), the mail server will process any e-mail message, regardless of whether it’s to or from an authorized user. A spammer who acquires the IP address of an insecure mail server can simply tell the server to send junk to any user on any mail server at any domain.
Proxy software allows computers within a network to share a connection and be recognized with the same IP address. However, open proxies will accept and process requests from users outside the network they serve. This is another way spammers hide their IP addresses. These practices are prohibited under the Act.
If your business is running its own mail server, you could be at risk of having an open relay. Check your mail server software to be sure that your server is properly and securely configured. Better yet, talk to your IT guy!
FINALLY: Separate Rules Apply to ‘Sexually Explicit’ Emails
The FTC has issued a rule under the Act that regulates sexually explicit messages. Messages with “sexually oriented material” (i.e. “actual or simulated sexual intercourse, including genital-genital, oral-genital, anal-genital, or oral-anal, whether between persons of the same or opposite sex; bestiality; masturbation; sadistic or masochistic abuse; or lascivious exhibition of the genitals or pubic area of any person.”) must include the warning “SEXUALLY-EXPLICIT” at the beginning of the subject line. In addition, the rule requires the electronic equivalent of a “brown paper wrapper” in the body of the message. According to the FTC’s guidelines on spam, once a message is opened, the only things that may be viewable on the recipient’s screen are the following items:
- -the words “SEXUALLY-EXPLICIT”; and
- -the same information required in any other commercial email: a disclosure that the message is an ad, the sender’s physical postal address, and the procedure for how recipients can opt out of receiving messages from this sender in the future.
According to the FTC’s website, no graphics are allowed on the “brown paper wrapper.” Recipients should not be able to view sexually explicit content without an affirmative act on their part. An affirmative action would include actions such as scrolling down or clicking on a link. However, this requirement does not apply if the person receiving the message has already given affirmative consent to receive the sender’s sexually oriented messages.
Whoever knowingly sends an email with sexually oriented material in violation of the Act shall be fined or imprisoned not more than 5 years, or both!