Federal Anti-Spam Act Imposes Uniform Requirements On Commercial E-Mails

As of January 1, 2004, federal anti-spam legislation, referred to as the CAN-SPAM Act ("the Act"), has preempted state laws seeking to regulate unsolicited, "commercial e-mails" (as defined in the Act). The CAN-SPAM Act, short for "Controlling the Assault of Non-Solicited Pornography and Marketing Act," seeks to balance the free speech and commercial interests of the senders of unsolicited e-mails or "spammers," on the one hand, with the rights of the citizenry and internet service providers to be free of what has become an "assault" on e-mail accounts, on the other hand. Many users are familiar with unsolicited e-mail messages ranging from pleas of deposed dictators to offers of medications, adult-themed products and services, and mortgages. It is not surprising that one of the "findings" of the Act reads as follows: "The convenience and efficiency of electronic mail are threatened by the extremely rapid growth in the volume of unsolicited commercial electronic mail."

Although how effective the Act will be at addressing these perceived threats remains to be seen, corporate counsel may wish to consider the many different provisions of the Act regulating the sending of unsolicited "commercial electronic mail," the various associated prohibitions, and how they may apply to corporate sales and marketing activities.

1. Key Provisions Of The Act

The Act is intended to supersede state or local anti-spam laws, with certain exceptions for state laws related to deceptive trade practices or "computer crime." For individuals and companies sending unsolicited commercial electronic mail throughout the United States, such preemption gives uniform regulation to such interstate activities. State laws which contained tougher regulations, tougher penalties, or different enforcement mechanisms are unlikely to be enforceable in view of the new federal Act.

The key provisions of the Act can be summarized as follows:

Labeling: unsolicited commercial e-mails must be clearly identified as solicitations or advertisements for products and services.

Opt-out: senders must provide easily accessible, legitimate means for recipients to "opt-out" of receiving future messages.

Sender's address: unsolicited commercial e-mails must contain legitimate return e-mail addresses, as well as the sender's postal address.

Honest subject lines: use of misleading or bogus subject lines to trick readers into opening messages is forbidden.

Accurate headers: Disguising header information, such as may occur by using foreign proxies, is prohibited.

Do not e-mail registry: within six months, FTC is to propose a plan to Congress for a "Do Not E-mail" list.

2. What Is An "Unsolicited Commercial Electronic Mail Message"?

The provisions of the Act generally apply to the sending of "commercial electronic mail message[s]," which are defined as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet Website operated for a commercial purpose)." (Emphasis added).

In view of this definition, for corporations who market products and services to customers and potential customers over the Internet, a threshold question would be to decide whether the particular e-mail communication at issue constitutes a "commercial electronic mail message" as defined. Was its "primary purpose" the commercial advertisement or promotion of a commercial product or service? Would a newsletter, press release, or other "news item" from a corporation or individual have as its "primary purpose" the commercial advertisement or promotion of such individual's or company's products or services? Is the sending of press releases and information protected commercial speech not properly reached by the Act?

Once there is a history of enforcement and associated regulations, the scope and definition of what constitutes a primarily commercial purpose will be more readily discernible. In fact, the Act states that the FTC shall issue regulations to define the "relevant criteria" to facilitate the determination of the primary purpose of an electronic mail message.

For the time being, there are two qualifications to the definition of a commercial electronic mail message. First, the term "commercial electronic mail message" does not include a "transactional or relationship message." A transactional or relationship message, in turn, is defined as any of the sorts of e-mail communications which would "facilitate, complete, or confirm a commercial transaction that the recipient has previously agreed to enter into with the sender." The second piece of explicit guidance under the Act is that, in an e-mail, merely referencing the sender's company or website or other commercial entity or link does not, by itself, cause the associated message to be treated as a commercial electronic mail message.

In view of the foregoing, corporate counsel may wish to consider reviewing not only the commercial or non-commercial nature of company sales and marketing communications, but also assessing whether they are to "facilitate" or follow on to a transaction previously agreed upon by the consumer.

3. Which "Commercial Electronic Messages" Are Subject To The Act?

The Act's requirement to label a commercial e-mail as an advertisement or solicitation, the requirement to have an easily accessible "opt-out" for the recipient, and the requirement to include both an e-mail and postal address, apply to the sending of all e-mails with a primarily commercial purpose, as mentioned above; however, the foregoing requirements do not apply if the recipient of the e-mail has given so-called "affirmative consent."

According to the Act, "affirmative consent" means that the recipient expressly consented to receive the message, either in response to a clear and conspicuous request for such consent, or at the recipient's own initiative. If it is important for a corporation to avoid the labeling, opt-out, and postal address provisions of the Act, then it may be prudent to assure that "affirmative consent" has been obtained from the recipient(s) sufficient to satisfy the definition of such consent within the Act.

So, for example, in connection with a discreet commercial transaction, a company may obtain the customer's consent by asking the customer to "subscribe" to receiving subsequent promotions and other solicitations from the company of a general nature. If such consent satisfies requirements of the Act related to affirmative consent, it may not be necessary to label such subsequent offers as solicitations or advertisements. On the other hand, it may be administratively difficult to assess the sufficiency of an "affirmative consent" to subsequent unrelated commercial solicitations, in which case corporate counsel may wish to consider providing all commercial solicitations with labeling, opt-out, and other provisions compliant with the Act, even if not necessarily required.

4. Advising Clients On Compliance With The Labeling Requirement Of The Act

If a decision is made to identify a sender's commercial electronic mail messages as a solicitation or advertisement for products and services, the Act provides scant guidance on what constitutes sufficient identification under the Act, and, to date, there are no regulations on this matter. Many state laws expressly required the actual "Subject" lines of the electronic mail messages to include an indicator, such as "ADV" for "advertisement," corresponding to the message's unsolicited commercial nature. Significantly, the federal Act contains no such requirement (although the Act empowers the FTC to study such labeling). In fact, the FTC is prohibited from enacting regulations to require the identification to include any specific words, characters, marks, or labels in the associated commercial electronic mail message, nor can the FTC require or regulate what part of the mail message to include the required notice in, such as the subject line or body of the message. The Act states the required identification must be "clear and conspicuous."

5. Risks In Subcontracting The Sending Of Unsolicitated Commercial E-mail

A company whose products or services are marketed by third parties whose commercial e-mails violate the Act may be held accountable for such violations, if the company knew or consciously avoided knowing that the third-party mailer intended to violate the Act. In view of this, it may be important for companies to protect against possible violations by those it engages to send unsolicited commercial e-mail. For example, in contracts with such third-party e-mailers, corporate counsel may wish to consider including not only the general contract language for the third party to comply with any and all applicable regulations in conducting its activities, but also may wish to expressly require representations and warranties of compliance with the CAN-SPAM Act.

6. Enforcement And Penalties.

Enforcement of the Act is vested primarily in the FTC and States' Attorneys General. Although there is a private right of action, it is limited to internet service providers. Violators of the Act are subject to actual damages, statutory damages, or fines of $250 per violation, with each unlawful message to each recipient constituting a separate violation. Statutory damages can go as high as $2 million. Certain fraudulent activities and repeat offenses include the possibility of imprisonment for three to five years.

7. Closing Considerations.

Corporate counsel may wish to alert those company organizations responsible for, or likely to engage in, the sending of commercial electronic mail messages to customers and potential customers. In reviewing company practices, a threshold inquiry may be to determine whether the company is regularly sending primarily commercial messages to customers or potential customers. In the case of customers, they may have provided prior affirmative consent and thus subsequent e-mails may fall outside the Act. In the case of e-mails to potential customers, certain aspects of such mailings may be regulated by the Act, and require further review for compliance with the Act.

If company employees regularly send commercial electronic mail messages which are unsolicited, the company may wish to consider a policy for such communications. In the event the company wishes to rely on potential customers' affirmative consent, a company may wish to consider and devise appropriate procedures, databases, and the like, to maintain records of such consent.

Published February 1, 2004.