TransactionalIn Compliance

September 2023

CAN-SPAM Act Compliance

An overview of the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act), including its scope, enforcement, and penalties for non-compliance, as well as best practices for email marketing.

  • CAN-SPAM does not prohibit unsolicited commercial email
  • Commercial email's primary purpose is commercial advertisement or promotion
  • CAN-SPAM includes obligations for transactional messages
  • CAN-SPAM distinguishes between initiators and senders
  • CAN-SPAM requires an easy opt-out mechanism

Consumers’ widespread acceptance of online communication provides marketers with several benefits compared to traditional direct marketing campaigns, including:

  • Lower costs.
  • Almost instantaneous delivery.
  • A more interactive experience generally allowing consumers to immediately click through to the marketer’s website.

The ease and efficiency of email marketing also have drawbacks. The high volume of unsolicited commercial email messages (spam) received by consumers makes it difficult for individual marketers to stand out. Consumers also do not want their inboxes full of spam, which may sometimes be fraudulent or contain offensive content.

In 2003, Congress enacted the CAN-SPAM Act (15 U.S.C. §§ 7701 to 7713) to regulate unsolicited commercial email. The CAN-SPAM Act does not flatly prohibit all unsolicited commercial email. Instead, it sets out specific requirements for the content of these messages and ensures that consumers can opt out of receiving them.

This article discusses:

  • The scope of the CAN-SPAM Act.
  • The CAN-SPAM Act’s requirements, including certain Federal Trade Commission (FTC) and Federal Communications Commission (FCC) implementing regulations and rules.
  • Common marketing practices that may give rise to liability under the CAN-SPAM Act.
  • Enforcement of the CAN-SPAM Act, including penalties for violations.
  • The CAN-SPAM Act’s preemption of state laws.
  • Best practices for marketers’ compliance with the CAN-SPAM Act.

Companies using email to market and advertise their products and services must also pay careful attention to compliance with other applicable laws, including, for example, laws addressing:

Scope of the CAN-SPAM Act

The CAN-SPAM Act regulates the transmission of all commercial email messages, not just unsolicited messages. A commercial email message is defined as any email that has a “primary purpose of … commercial advertisement or promotion of a commercial product or service” (15 U.S.C. § 7702(2)(A)). This includes commercial emails sent to business email accounts as well as those sent to individual consumers.

The CAN-SPAM Act authorizes the FTC to issue regulations implementing the CAN-SPAM Act’s provisions (15 U.S.C. § 7711). The FTC issued final rules in 2008 (73 Fed. Reg. 29654 (May 21, 2008) (codified at 16 C.F.R. §§ 316.1 to 316.6)). The FCC has similar authority under the CAN-SPAM Act to issue rules addressing unsolicited commercial messages sent to consumers’ wireless devices (15 U.S.C. § 7712(b); see Emails Sent to a Wireless Device below).

Commercial Message

The first step in evaluating whether the CAN-SPAM Act applies to an email message is to determine whether the email is a commercial message. Not every email message from a business is deemed a commercial message under the CAN-SPAM Act. Rather, as defined above, a commercial email’s primary purpose must be the commercial advertisement or promotion of a product or service.

Messages sent to consumers that have a primary purpose relating to a particular transaction or the sender and consumer’s relationship are expressly excluded from the CAN-SPAM Act’s commercial email message definition (15 U.S.C. § 7702(2)(B)). To qualify as a transactional or relationship message, the email’s primary purpose must be to do at least one of the following:

  • Facilitate, complete, or confirm a commercial transaction previously agreed to by the email recipient.
  • Provide warranty, product recall, safety, or security information for a product purchased by the email recipient.
  • Provide certain information permitted under the CAN-SPAM Act regarding a subscription, membership, account, loan, or similar ongoing relationship concerning the email recipient’s ongoing purchase or use of the sender’s products or services (for example, notification of a change in terms or features of a membership or subscription or periodic account information).
  • Provide information regarding an employment relationship or related benefit plan in which the email recipient is currently involved, participating, or enrolled.
  • Deliver goods or services (for example, updates or upgrades) that the email recipient is entitled to receive as a result of a previously agreed on transaction. (15 U.S.C. § 7702(17)(A).)

A message sent only for one or more of the primary purposes described above is not a commercial message under the CAN-SPAM Act. If a message contains both transactional or relationship content and commercial content, the CAN-SPAM Act’s commercial email requirements apply when the message’s primary purpose is commercial (see Primary Purpose below).

The CAN-SPAM Act also contains compliance obligations and prohibitions for transactional or relationship messages (see Prohibition on False or Misleading Transmission Information below), but these are less rigorous than the requirements specific to commercial messages (see Commercial Message Requirements below).

Primary Purpose

Even if the email includes some commercial content, the CAN-SPAM Act’s commercial email requirements apply only if the message’s primary purpose is commercial. The FTC has identified criteria to determine the primary purpose for messages containing:

  • Only advertising content. These messages have a commercial primary purpose.
  • Both advertising and transactional or relationship content. These messages have a commercial primary purpose if:
    • the recipient would interpret the subject line to mean that the message contains commercial advertising; or
    • a substantial part of the transactional or relationship content does not appear at the beginning of the message.
  • Both advertising content and other non-transactional or non-relationship content. These messages have a commercial primary purpose if the recipient would:
    • interpret the subject line to mean that the message contains commercial advertising; or
    • determine from the body of the message that the message’s primary purpose is commercial advertising.
  • Only transactional or relationship content. These messages do not have a commercial primary purpose (see Commercial Message above). (16 C.F.R. § 316.3.)

In determining whether a message has a commercial primary purpose, the recipient may consider:

  • The placement of the commercial advertising at the beginning of the message.
  • The proportion of the message dedicated to commercial advertising.
  • How prominent the commercial advertising is (for example, highlighted through the use of graphics or type size or style).

Regulated Entities

The CAN-SPAM Act generally applies to initiators and senders of commercial email messages. Specific issues can arise in determining whether a person is an initiator or a sender under the statute (see Forward-to-a-Friend Emails, Multiple Senders, and Affiliate Marketing below).

Initiators of Commercial Email Messages

Any person, including business entities and nonprofit associations, that initiates commercial email messages must comply with the CAN-SPAM Act requirements (see CAN-SPAM Act Requirements below). As defined by the CAN-SPAM Act, a person is an “initiator” of a commercial email message if it either:

  • Originates or transmits the email.
  • Procures the transmission of the email, meaning that the business either intentionally pays or provides other consideration to, or induces, another person to transmit the email on its behalf. (15 U.S.C. § 7702(9).)

However, the CAN-SPAM Act contains an exception for when the person initiating the commercial email is involved solely in routine conveyance. The exception applies when the person’s actions only relate to the transmission, routing, or storage of the message through an automatic technical process and the person is not involved in identifying or providing the recipients’ addresses for the message. (15 U.S.C. § 7702(15).)

Senders of Commercial Email Messages

Certain requirements apply specifically to “senders” (see Opt-Out Requirements and Identification and Location Requirements below). A sender is an initiator whose own product, service, or internet website is advertised or promoted in the commercial message. A commercial email can have more than one initiator or sender. For example, when a business engages a third-party service provider to send a commercial email advertising the business’s products, both parties are initiators under the CAN-SPAM Act. The business is also a sender under the CAN-SPAM Act.

CAN-SPAM Act Requirements

The CAN-SPAM Act restricts the substance and form of commercial messages, including prohibitions on false or misleading information, specific opt-out requirements, and limitations on sexually oriented material.

Prohibition on False or Misleading Transmission Information

It is a violation of the CAN-SPAM Act to initiate the transmission of a commercial message or a transactional or relationship message that contains false or misleading transmission information, which is an email’s “From,” “To,” “Reply to,” and routing information (also known as the header information). This information must be correct and identify the person initiating the message (15 U.S.C. § 7704(a)(1)).

Commercial Message Requirements

The CAN-SPAM Act prohibits commercial messages from having deceptive subject headings, and each message must comply with opt-out requirements and additional restrictions.

Prohibition on Deceptive Subject Headings

The CAN-SPAM Act prohibits a person from initiating a commercial email with a deceptive subject heading. This means that the initiator of the message cannot have actual knowledge (or knowledge fairly implied under the circumstances) that the subject heading would be likely to mislead the recipient about a material fact regarding the message’s contents or subject matter (15 U.S.C. § 7704(a)(2)).

Opt-Out Requirements

The CAN-SPAM Act requires initiators of a commercial email to include the following elements in each commercial email:

  • Clear notice of the recipient’s right to not receive (opt out of) future messages from the sender of the email.
  • One of the following mechanisms for opting out:
    • a functional return email address, allowing the recipient to simply “reply” to the email to opt out; or
    • another internet-based opt-out mechanism (for example, a link to a separate web page containing the opt-out mechanism). (15 U.S.C. § 7704(a)(3).)

The opt-out mechanism must be functional for at least 30 days after the message is sent. However, if the return email address or other mechanism is unexpectedly and temporarily unable to receive messages or process opt-out requests resulting from a technical problem beyond the sender’s control, it is not a violation of the CAN-SPAM Act’s opt-out requirements if the problem is corrected within a reasonable time (15 U.S.C. § 7704(a)(3)(C)).

A sender of a commercial email cannot require the recipient to do any of the following to submit (or have the sender honor) an opt-out request when using any of the opt-out methods required by the CAN-SPAM Act:

  • Pay a fee.
  • Provide any information other than the recipient’s email address and opt-out preferences.
  • Take any steps other than sending a reply message or visiting a single website. (16 C.F.R. § 316.5.)

If the message recipient submits a request to opt out of receiving future messages from a sender, all of the following apply:

  • The opt-out must become effective within ten business days. After this time, the sender (or anyone on its behalf) may not send further commercial email messages falling within the scope of the opt-out request to that recipient, unless the recipient subsequently requests to receive (opts in) these messages.
  • The opt-out never expires.
  • The sender (and any other person who knows the recipient has opted out of further commercial messages) cannot sell, exchange, or otherwise transfer the recipient’s email address except as required by law unless that recipient has explicitly opted in to permitting the sale, exchange, or transfer. (15 U.S.C. § 7704(a)(4)(A).)

Identification and Location Requirements

Initiators of a commercial email must include the following elements in each commercial email:

  • Clear identification that the message is an advertisement or a solicitation.
  • The sender’s valid physical postal address. This is usually the sender’s street address, but it can be a post office box that the business has accurately registered with the US Postal Service or a private mailbox that the business has accurately registered with a commercial mail receiving agency established pursuant to US Postal Service regulations. (15 U.S.C. § 7704(a)(5)(A).)

Sexually Oriented Material

The CAN-SPAM Act and the FTC’s related rules set out additional restrictions on initiators of commercial emails containing sexually oriented material. These restrictions relate to the email’s:

  • Subject line.
  • Content.

These restrictions do not apply, however, if the email recipient has given prior affirmative consent to receive these messages from the sender.

The CAN-SPAM Act defines sexually oriented material as any material that “depicts sexually explicit conduct … unless the depiction constitutes a small and insignificant part of the whole” when the remaining content is not primarily devoted to sexual matters (15 U.S.C. § 7704(d)(4)).

Message Subject Line

The FTC’s Adult Labeling Rule requires that:

  • The subject line of a commercial email not contain any sexually oriented material.
  • The phrase “SEXUALLY-EXPLICIT:” appears in capital letters as the first 19 characters in the subject line of any commercial email message that contains sexually oriented material. (16 C.F.R. § 316.4(a)(1).)

Message Content

To prevent recipients from being exposed unintentionally to sexually oriented material in a commercial message, the FTC’s Adult Labeling Rule also limits the content that can be initially visible to a recipient using the electronic equivalent of a “brown paper wrapper.” The content of these messages must only contain:

  • The phrase “SEXUALLY-EXPLICIT:.”
  • The same required information as other commercial emails, including:
    • clear and conspicuous identification that the message is an advertisement or a solicitation;
    • clear notice of the recipient’s ability to opt out of receiving future messages and a valid opt-out mechanism (either a functioning return email address or other internet-based mechanism) that remains operational for no less than 30 days after the email is sent; and
    • the sender’s clearly and conspicuously displayed, valid physical postal address.
  • Any necessary instructions identifying how the recipient may access the sexually oriented material. If the email includes these instructions, the instructions must come after a clear and conspicuous statement that to avoid viewing the sexually oriented material, the recipient should delete the message without following the instructions. (16 C.F.R. § 316.4(a)(2).)

Common Marketing Practices

Companies may face liability when engaging in certain marketing techniques, including “forward-to-a-friend” emails, emails containing messages from multiple senders, the use of third-party affiliate marketers, and sending messages to wireless devices.

Forward-to-a-Friend Emails

Marketers often enable recipients of a commercial email to forward the message (or a similar one) to one or more friends. These forward-to-a-friend emails are typically sent using either:

  • A web-based mechanism provided by the business that originally sent or provided the content (either in an email or on a website).
  • The recipient’s own email program.

Businesses using forward-to-a-friend emails as a marketing tool must determine whether they are an initiator or a sender of these messages under the CAN-SPAM Act (see Regulated Entities above). If the web-based mechanism merely provides a method for a recipient to forward the message to a friend, or if the recipient forwards the message using a personal email program, absent more, the originator is not likely the initiator of the forwarded message and is not subject to the CAN-SPAM Act. In this case, the business’s role would probably be considered solely routine conveyance. If the recipient forwards the message using a personal email program, without consideration or inducement, the business likely is not involved at all.

The FTC has clarified that a business’s use of language merely encouraging a consumer to forward a message to a friend does not, without more, subject the business to the CAN-SPAM Act’s requirements for commercial email senders (73 Fed. Reg. 29671).

If the business “procures” the forwarding of the message, however, the business is considered to be the initiator or sender, and the commercial message must comply with the CAN-SPAM Act. A business can procure the forwarding of a message through several actions, including by either:

  • Offering the recipient money, coupons, discounts, awards, additional entries in a sweepstakes, or similar consideration for forwarding the message.
  • Intentionally inducing the recipient to forward the message, for example, by paying a marketing affiliate (see Affiliate Marketing below) that in turn uses sub-affiliates to send commercial messages to drive traffic to the business’s website. Although no direct relationship between the business and the sub-affiliate exists, if the business intentionally induces the forwarding of the commercial messages through the affiliate, it is considered to be the sender.

Multiple Senders

The FTC rules clarify the CAN-SPAM Act requirements when a single email contains commercial messages from multiple senders (73 Fed. Reg. 29655).

When multiple businesses’ products, services, or internet websites are advertised or promoted in a single message, each business is a sender for purposes of CAN-SPAM Act compliance, unless the businesses have designated a single sender of the commercial message by complying with all of the following requirements. The single business must:

  • Meet the CAN-SPAM Act’s definition of “sender.” This is the person who initiates the message and whose products, services, or internet websites are advertised or promoted in the message.
  • Be identified in the “From” line as the sole sender of the message.
  • Comply with the prohibition on:
    • false or misleading transmission information; and
    • deceptive subject headings.
  • Comply with the requirement to include:
    • a functioning opt-out mechanism;
    • clear and conspicuous identification that the message is an advertisement or a solicitation, a clear and conspicuous notice of the opportunity to opt out, and a valid physical postal address of the sender; and
    • warning labels on commercial email that contains sexually oriented material. (16 C.F.R. § 316.2(m); see Commercial Message Requirements and Sexually Oriented Material above.)

When a business complies with the designated single sender requirements, only that designated sender must comply with the CAN-SPAM Act’s sender requirements, including the obligation to scrub against any opt-out lists maintained by the sender and honor opt-out requests. Only the designated sender’s valid physical postal address must appear in the message. If the designated single sender requirements are not complied with, each business must individually comply with the CAN-SPAM Act’s requirements for senders, including the obligation to scrub against all of the senders’ opt-out lists.

Even when a single sender is designated, the other businesses will be deemed initiators of the commercial email for CAN-SPAM purposes (73 Fed. Reg. 29660).

Affiliate Marketing

A commercial email can have more than one initiator or sender (see Regulated Entities above). Companies often engage third-party affiliate marketers to increase traffic to the company’s website. These affiliates are typically paid based on the number of individuals who, directed by the affiliates, ultimately visit the business’s website or make a purchase on the website.

The FTC has brought several claims against both the company whose product or service was advertised in the commercial email and the affiliate that sent the message. In these situations, the company is deemed the sender of the commercial email. The affiliate that originates or transmits the email message is an initiator. If the affiliate also advertises its own services or products, it is a sender under the CAN-SPAM Act, and the rules concerning multiple senders apply (see Multiple Senders above).

A company also may be liable for violations of the CAN-SPAM Act’s prohibition on false or misleading transmission information (see Prohibition on False or Misleading Transmission Information above) by a marketing affiliate or other third party promoting the company’s business or its products or services if the company:

  • Knows (or should have known) of the violations.
  • Profits from the prohibited practice.
  • Fails to stop or report the violations. (15 U.S.C. § 7705(a).)

Emails Sent to a Wireless Device

The CAN-SPAM Act authorizes the FCC to regulate communication to wireless devices, and the FCC has enacted rules addressing certain commercial messages sent to wireless devices (47 C.F.R. § 64.3100).

In contrast to the general opt-out requirements set out in the CAN-SPAM Act and FTC rules, the FCC has prohibited sending commercial messages to email addresses that wireless carriers specifically provide for mobile messaging services, for example, “customer@wirelesscompany.com” (referred to as mobile service commercial messages), unless the subscriber gives express written or oral prior authorization (opts in).

Specifically, the FCC maintains a list of domain names for wireless messaging services. Wireless carriers are required to update this list periodically. Unless a recipient has given express prior authorization, the FCC rules prohibit initiating commercial emails to any address with a domain name that has been on the list for at least 30 days before the message is sent or otherwise knowingly initiating a mobile service commercial message (47 C.F.R. § 64.3100(a)).

When requesting express prior authorization, an initiator of a mobile service commercial message must, among other things:

  • Clearly state the identity of the entity that will be sending the messages.
  • Notify the subscriber that they may be charged by the wireless carrier for receipt of these messages.
  • Disclose that the subscriber can revoke their authorization at any time. (47 C.F.R. § 64.3100(d)(5).)

Once a recipient expressly authorizes these messages, similar to the FTC’s rules for commercial messages, any person initiating a mobile service commercial message must include:

  • Clear notice of the recipient’s right to opt out of receiving future messages from the sender of the email.
  • A clearly and conspicuously displayed functional return email address or internet-based method for the subscriber to opt out.

A sender must stop sending further messages within ten days after receiving an opt-out request. As under the FTC’s rules, the opt-out methods must be functional for at least 30 days after the message was sent.

Additionally, the FCC rule requires that recipients who have electronically provided express prior authorization (for example, by dialing a short code) must be able to opt out of future emails by the same electronic method. The initiator of the message must also ensure that at least one opt-out option is provided that does not result in additional charges to the mobile service subscriber. (47 C.F.R. § 64.3100(b).)

Enforcement and Penalties for Non-Compliance

The FTC is the primary enforcer of the CAN-SPAM Act. However, the CAN-SPAM Act also allows various federal, state, and private parties to bring claims for violations (15 U.S.C. § 7706(b), (f), (g)). Penalties for non-compliance vary based on:

  • The party bringing the claim, such as:
    • the FTC;
    • the FCC and other federal agencies;
    • state attorneys general; and
    • internet service providers (ISPs) bringing private actions.
  • Whether the violation was willful, knowing, or aggravated.

FTC Enforcement

The FTC has authority to enforce the CAN-SPAM Act as if a violation were an unfair or deceptive act or practice prohibited under the Federal Trade Commission Act. The FTC can seek civil penalties for CAN-SPAM Act violations as if they were violations of trade regulation rules. This includes:

  • Civil penalties up to $50,120 for each separate email that violates the CAN-SPAM Act (if based on actual knowledge or knowledge fairly implied), as last adjusted for inflation in 2023.
  • Injunctive relief (even without a showing of knowledge). (15 U.S.C. § 7706(a), (d), (e) and 16 C.F.R. § 1.98.)

Enforcement by the FCC and Other Agencies

Certain agencies with authority to enforce the CAN-SPAM Act generally regulate entities or activities outside the scope of the FTC’s jurisdiction. Penalties for non-compliance are determined by the specific agency’s regulatory regime. The sector-specific agencies include:

  • The FCC, under the Communications Act of 1934.
  • The Office of the Comptroller of the Currency, the Federal Reserve Board, the Board of Directors of the Federal Deposit Insurance Corporation, and the Director of the Office of Thrift Supervision, under the Federal Deposit Insurance Act.
  • The Board of the National Credit Union Administration, under the Federal Credit Union Act (12 U.S.C. §§ 1752 to 1795k), and the Farm Credit Administration, under the Farm Credit Act of 1971 (12 U.S.C. §§ 2001 to 2279cc).
  • The Securities and Exchange Commission, under the Securities Exchange Act of 1934, the Investment Company Act of 1940, and the Investment Advisers Act of 1940.
  • State insurance authorities, under state insurance laws.
  • The Secretary of Transportation, under the US Code’s air commerce and safety provisions (49 U.S.C. §§ 40101 to 46507).
  • The Secretary of Agriculture, under the Packers and Stockyards Act, 1921 (7 U.S.C. §§ 181 to 229c). (15 U.S.C. § 7706(b).)

The CAN-SPAM Act authorizes the FCC to bring claims for violations of its rules regarding the sending of commercial email to wireless devices (see Emails Sent to a Wireless Device above). If the action is brought against a telecommunications provider (a common carrier), the FCC can seek up to $237,268 per violation with a maximum of $2,372,677 per incident, as last adjusted for inflation in 2023 (47 C.F.R. § 1.80(b)(2), (11)(ii)). If the action is brought against a marketer that is generally not a common carrier and therefore not subject to FCC jurisdiction, the FCC may first issue a citation. If additional claims are brought against a marketer that previously received a citation, the FCC can seek fines up to $23,727 per violation with a maximum of $177,951 per incident, as last adjusted for inflation in 2023 (47 C.F.R. § 1.80(b)(9), (11)(ii)).

The FCC can also bring claims for other violations of the CAN-SPAM Act (not just for commercial emails sent to wireless devices) against entities subject to its jurisdiction, such as telecommunications providers or marketers advertising telecommunications products.

State Enforcement

The CAN-SPAM Act authorizes state attorneys general, officials, and other agencies to bring claims for CAN-SPAM Act violations against residents of that state. These state agencies can seek:

  • Injunctive relief.
  • Damages for actual loss or statutory damages up to $250 per violation, whichever is greater, with a maximum statutory damages award of $2 million. Each separately addressed unlawful message is treated as a separate violation. Notably, claims for false or misleading transmission information are not limited by this cap (see Prohibition on False or Misleading Transmission Information above).
  • Three times the amount of statutory damages for willful, knowing, or aggravated violations (see Aggravated Violations below).
  • The costs of bringing the action and reasonable attorneys’ fees. (15 U.S.C. § 7706(f).)

Claims by ISPs

ISPs are authorized to bring claims under the CAN-SPAM Act for certain violations (for example, violations of the prohibition on false or misleading transmission information or the requirement to place warning labels for sexually oriented material) and may seek:

  • Injunctive relief.
  • Actual damages or statutory damages up to $100 per violation, whichever is greater, for false or misleading transmission information, with no limitation on the maximum award.
  • Actual damages or statutory damages up to $25 per violation, whichever is greater, for all other violations, with a maximum statutory damages award of $1 million.
  • Three times the amount of statutory damages for willful, knowing, or aggravated violations (see Aggravated Violations below).
  • The costs of bringing the action and reasonable attorneys’ fees.

Each separately addressed unlawful message is treated as a separate violation. When an ISP is bringing a claim, the term “procure” for purposes of initiating a commercial email message (see Regulated Entities above) requires that the person providing consideration or inducing another person to initiate the email transmission has actual knowledge or consciously avoids knowing that the person transmitting the email is engaging, or will engage, in a pattern or practice of violating the CAN-SPAM Act. (15 U.S.C. § 7706(g).)

Knowing and Willful Violations: Sexually Oriented Material and Fraud

Knowing violations of the CAN-SPAM Act’s restrictions on commercial emails containing sexually oriented material (see Sexually Oriented Material above) are punishable by fines and imprisonment up to five years (15 U.S.C. § 7704(d)(5)).

The CAN-SPAM Act also carries criminal penalties for fraud and related activities. Enforced by the Department of Justice and state attorneys general, violations subject to criminal penalties include:

  • Accessing a computer without authorization and using it to intentionally initiate multiple commercial email messages.
  • Relaying or transmitting multiple commercial email messages intending to deceive or mislead recipients or an ISP about the messages’ origin.
  • Materially falsifying header information in multiple commercial emails and intentionally initiating the transmission of these messages.
  • Using materially false identifying information to register for five or more email accounts or two or more domain names, and intentionally initiating multiple commercial email messages from any combination of these accounts or domain names.
  • Falsely representing oneself as the registrant of five or more Internet Protocol addresses and intentionally initiating the transmission of multiple commercial email messages from those addresses.

Criminal penalties may include:

  • Fines.
  • Forfeiture of assets.
  • Imprisonment up to five years. (18 U.S.C. § 1037.)

Aggravated Violations

The following four specific practices are aggravated violations under the CAN-SPAM Act:

  • Address harvesting. This refers to the automated capturing of email addresses posted to websites, including social networking sites, blogs, newsgroups, message boards, and chat rooms.
  • Dictionary attacks. This refers to the automated process of creating possible name combinations that may be valid email addresses.
  • Spoofing. This refers to the relay or retransmission of email messages through another computer that is accessed without authorization.
  • Automated creation of multiple email accounts. This refers to the automated creation of a large number of email accounts so that those accounts may be used to send commercial email. (15 U.S.C. § 7704(b).)

While these are not considered separate violations, a party may be liable for up to triple statutory damages if it commits an aggravated violation along with a violation of the requirements for commercial messages or sexually oriented material (15 U.S.C. § 7706(f)(3)(C)(ii), (g)(3)(C)(ii); see Commercial Message Requirements and Sexually Oriented Material above).

Preemption and Remaining Causes of Action

The CAN-SPAM Act preempts any state laws expressly regulating commercial email messages, except to the extent that those laws may prohibit false information or deception contained in the message itself or related attachments (15 U.S.C. § 7707(b)(1)). However, the CAN-SPAM Act does not preempt state laws that are:

  • Not specific to email, including trespass, contract, or tort law.
  • Related to fraudulent or deceptive acts or computer crimes. (15 U.S.C. § 7707(b)(2).)

Although some state laws are preempted by the CAN-SPAM Act, Congress has attempted to create a balance by permitting state attorneys general to bring claims under the CAN-SPAM Act for violations affecting residents in their states (see Enforcement and Penalties for Non-Compliance above).

Businesses engaged in email marketing should also be aware of Canada’s comprehensive law regulating commercial messages, the Canadian Anti-Spam Legislation (CASL). Considered one of the most stringent anti-spam regimes in the world given its scope and penalties, CASL has a significant impact on the electronic communication practices of US businesses that conduct business or have customers, contacts, or donors in Canada. (For more information, see Canada’s Anti-Spam Legislation: Overview on Practical Law.)

Best Practices for Commercial Email Marketing

Businesses should adhere to the following best practices to ensure compliance with the CAN-SPAM Act.

The Mailing List

The mailing list should:

  • Include only persons who have affirmatively agreed (opted in) to receive commercial email from the business. While this is not a legal requirement under the CAN-SPAM Act, it is an industry best practice.
  • Exclude any recipient who has previously asked not to receive commercial email from the business (opted out).
  • Be scrubbed by initiators against the business’s “do not email” list at the last possible commercially reasonable moment before the email is sent.

The Email Message

The message must:

  • Include complete and accurate transmission and header information.
  • Identify the business as the sender in the “From” line. This does not have to include the business’s formal name. For example, it may contain the business’s name, trade name, or product or service name. The key requirement is that the “From” line provide the recipient with enough information to understand who is sending the message.
  • Accurately describe the message’s content in the “Subject” line.
  • Clearly include the business’s valid, current physical postal address. This address can be:
    • a street address;
    • a post office box that the business has accurately registered with the US Postal Service; or
    • a private mailbox that the business has accurately registered with a commercial mail receiving agency established under US Postal Service regulations.
  • Disclose that it is an advertisement or a solicitation, unless the email message is sent only to recipients who have affirmatively agreed (opted in) to receive these messages from the business.

The Opt-Out Mechanism

The message must:

  • Clearly explain that the recipient may opt out of receiving future commercial messages from the business. The explanation of how a recipient can opt out must be easy to read and understand.
  • Include either an email address or other online mechanism that the recipient may use to opt out. The mechanism must not require the recipient to:
    • do anything more than reply to the email or visit a single web page to opt out; and
    • make any payment or submit any personal information, including account information (other than an email address) to opt out.
  • Have an opt-out mechanism that works for at least 30 days after the email is sent.
  • Have one option that permits opting out of all commercial messages from the business. However, the business may include a menu of opt-out options that permit the recipient to select the types of commercial messages the recipient would like to continue receiving.
  • Honor all opt-out requests within ten business days.
  • Not let opt-out requests expire. An opt-out is overridden only by the recipient’s subsequent express (opt-in) request to receive commercial email.
  • Not sell, share, or use the business’s opt-out list for any reason other than to comply with the law.

Opt-Out Capabilities

The business should implement procedures to ensure that its opt-out capabilities actually work. An example of a basic process to test the opt-out procedure is as follows:

  • Establish email accounts with several major private email account providers (for example, Gmail, Yahoo, Hotmail, or AOL) and add these email addresses to the business’s mailing list.
  • For each email address created for monitoring purposes, use the business’s opt-out mechanism to remove the email address from the mailing list.
  • Repeat this procedure on a regular basis (for example, at least every two weeks).
  • Examine the email received by the monitoring email account to confirm that:
    • the opt-out mechanism works;
    • the opt-out request is honored within ten business days; and
    • the monitoring email account no longer receives commercial messages from the business.
  • If the monitoring and testing process reveals problems, the business should immediately fix the issues.

Third-Party Marketing Affiliates or Service Providers

When using third-party service providers, including affiliate marketers, the business should:

  • Ensure that the written contract with the service provider clearly sets out each party’s responsibilities for compliance with the CAN-SPAM Act and includes appropriate and adequate remedies for non-compliance.
  • Monitor the service providers’ compliance with the CAN-SPAM Act. Both the business whose product or service is advertised and the individual or entity sending the message are potentially liable for violations of the CAN-SPAM Act.

Additional Requirements for Messages Sent to Wireless Devices

When sending commercial messages to wireless devices, the business should ensure that it has the recipient’s prior, affirmative consent (opt in) to send the commercial message. The consent can be oral, written, or electronic. When seeking consent, the business must:

  • Ask for consent in a way that involves no cost to the recipient, for example, the business:
    • should not send the request to the wireless device; and
    • should allow the recipient to respond in a way that involves no cost (such as to sign up online, by email, or by postal mail).
  • Make it clear that the recipient:
    • is agreeing to receive commercial email on a wireless device;
    • may be charged to receive the email; and
    • can revoke consent at any time.