New Federal Anti-Spam Law Update
Enacted to curb the growing nuisance of unsolicited commercial e-mail, or “spam,” the “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003,” better known as the “CAN-SPAM Act,” is barely three months old. In its short life, however, the statute has already triggered a number of legal and regulatory proceedings which will ultimately define the scope of the Act, and its long-term consequences.
The most publicized of these developments have been a series of law suits filed by Internet Service Providers against leading spammers. In the first of these cases, filed February 27, California ISP Hypertouch alleged that the owner of BobVila.com violated the CAN-SPAM Act by sending Hypertouch and its customers Bob Vila’s “Home Again Newsletter.” Within a week, subsequent actions were filed by America Online, Microsoft, Earthlink and Yahoo! against sundry groups of suspected spammers who had sent unsolicited e-mails for, among other products and services, prescription drugs, cable descramblers, mortgages, diplomas and office products. In addition to named defendants, the ISPs sued over 200 other “John Doe” defendants who they contend are sending spam but whom they cannot yet identify.
In each case, the ISPs alleged that the defendants sent spam advertisements with false and misleading headers; used domain names registered to non-existent corporations; failed to provide physical addresses or mechanisms enabling recipients to “opt out” of receiving future messages; refused to honor “opt out” requests; sold or leased e-mail addresses for improper purposes; and sent e-mail to randomly generated and harvested addresses, even to addresses that had been submitted to the “opt-out” link of other spam. Violation of other federal and state statutes, including RICO laws and computer fraud and abuse statues, are alleged as well. In each case, the ISPs seek both monetary damages (including punitive damages) and injunctive relief against the spammers, as well as attorneys’ fees.
Since the enactment of the CAN-SPAM Act, the Federal Trade Commission has issued two Notices of Proposed Rulemaking and a Request for Information inviting public comment on proposed rules designed to implement and, in some cases, clarify or modify certain provisions of the Act where Congress has given the Commission authority to do so.
In a Notice of Proposed Rulemaking initiated on January 28, the FTC seeks comment on a proposal to establish a mark or notice that will be required for inclusion in spam that contains sexually oriented material. Specifically, the FTC proposes to adopt a rule prescribing the phrase “SEXUALLY-EXPLICIT CONTENT:” as the mark or notice mandated by the CAN-SPAM Act. The proposed rule also seeks to protect consumers from unwitting exposure to pornographic images in spam by requiring this mark to be included both in the subject line of any e-mail message that contains sexually oriented material, and in the electronic equivalent of a “brown paper wrapper” in the body of the message. This brown paper wrapper would be what a recipient would initially see when opening a message containing sexually oriented material. It would include the prescribed mark or notice, certain other specified information and no other information or images. The purpose of the mark or notice would be to inform the recipient that a spam message contains sexually oriented material and to facilitate filtering of such spam messages.
The CAN-SPAM Act requires the Commission to prescribe the mark or notice within 120 days after passage of the Act. Because of the statutory deadline, the comment period ended on February 17.
Do Not E-Mail Registry Pursuant to Section 9 of the CAN-SPAM Act, Congress has directed the FTC to transmit to Congress no later than June 30, a plan and timetable for establishing a nationwide marketing Do Not E-Mail Registry. In a Request for Information issued February 24, the Commission sought technical information that could assist in addressing these requirements. The RFI describes the required technical features for any registry model that involves the registration of either e-mail addresses or domains – as in a domain-wide registry. The request also outlines the technical features for any registry model that involves e-mail marketers, domain owners, including ISPs, or third party e-mail forwarding services, obtaining access to data appearing on a registry of e-mail addresses. The request addresses requirements for providing those who register for any Do Not E-Mail Registry a mechanism for filing complaints that can be used in enforcement proceedings. In addition, it describes the required technical features for any registry model that involves a registry of authenticated e-mail marketers and the Internet Protocol addresses and domains from which they send e-mail. The FTC invites potential vendors with ideas for a registry to respond to the RFI.
“Primary Purpose”/Do Not E-Mail Registry and Other Issues
In a Notice of Proposed Rulemaking (NPRM) released March 11, the FTC seeks public comment on a number of proposed rules which Congress has authorized the Commission to clarify. The issues covered in these proposals are divided into two categories – those which the CAN-SPAM Act requires the Commission to address and those which are discretionary.
- Mandatory Rulemaking The CAN-SPAM Act requires the FTC to issue regulations “defining the relevant criteria to facilitate the determination of the primary purpose of an electronic mail message.” This mandate is integral to the Act’s definition of “commercial electronic mail message” since the Act generally applies only to messages that fall within this definition. In the NPRM, the Commission invites comment on the criteria for determining whether the “primary purpose” of an electronic mail message is commercial. For example, is an e-mail’s commercial advertisement or promotion more important than any other single purpose of the e-mail, or than all the other purposes combined? Does the commercial aspect of the e-mail financially support the other aspects of the e-mail? Is the identity of the sender critical? If, for example, a professional sports league sends e-mail promoting its involvement with a charitable organization, should that e-mail be considered to have a commercial “primary purpose” under the Act based on the league’s “for profit” status?
- Discretionary Rulemaking In addition to this “mandatory” rulemaking, the Commission’s NPRM seeks comment on four other “discretionary” issues:
- “Transactional or Relationship Messages” The CAN-SPAM Act designates five categories of messages as “transactional or relationship messages,” which are exempt from the provisions of the Act. For example, messages sent “to facilitate, complete, or confirm a transaction the recipient has agreed to enter into with the sender” are deemed to be “transactional or relationship messages,” and are therefore exempt from the Act’s requirements that apply only to commercial e-mail. The Act gives the FTC authority to issue rule provisions that modify the definitions of these categories of “transactional or relationship” messages if it finds such modification is necessary to accommodate technological changes or to accomplish the purposes of the Act. The Commission seeks comment whether it should exercise this authority, and if so, how.
- Ten Business Day Rule The Act requires that e-mailers allow recipients to opt out of receiving further commercial e-mail and provides senders 10 business days to process opt out requests. The Act gives the Commission the authority to modify the 10 day period for effectuating opt-out requests. The FTC is seeking comment on the reasonableness of the 10-business-day time period and whether a different time period would be more reasonable, taking into account the interest in allowing consumers to opt out, the interests of recipients of spam, and the burdens imposed on senders of lawful commercial e-mail.
- Harvesting The Act defines certain practices, such as e-mail address “harvesting” and “dictionary attacks” as aggravated violations. The Act significantly increases the amount of damages a violator may be liable to pay if he or she engages in an aggravating violation while violating another provision of the Act. The Act authorizes the Commission to designate other practices as aggravated violations. The FTC seeks comment on what additional activities and practices, if any, should be added to the list of aggravated violations.
- Miscellaneous The Act provides that the Commission may issue regulations to implement the provisions of the Act, and the FTC is seeking comment on whether additional regulations would be helpful. The notice asks for comment on the following specific issues:
- Would it assist companies and individuals seeking to comply if the Commission were to adopt rule provisions clarifying the legal obligations of initiators and recipients who forward messages in “forward-to-a-friend” scenarios?
- Would it be helpful if the Commission were to adopt rule provisions clarifying the obligations of multiple senders of a single e-mail under the Act?
- The Commission observes that questions have arisen about whether post office boxes or commercial mail drops satisfy the Act’s requirement that commercial e-mail messages include a “valid physical postal address of the sender.” Would it would be useful for the Commission to adopt rule provisions clarifying what constitutes a “valid physical postal address?”
- The Act prohibits false or misleading transmission information, but states that a “from” line that accurately identifies any person who initiated the message will not be considered false or misleading. The notice asks whether the Act’s treatment of from line information is sufficiently clear, and whether the Act requires the from line to identify a sender by name.
The Notice also seeks comment on four reports to Congress required by the CAN-SPAM Act:
- A report on establishing a nationwide Do Not E-Mail Registry, due June 16, 2004
- A report on establishing a system for rewarding those who supply information about CAN-SPAM violations, due September 16, 2004
- A report setting forth a plan for requiring commercial e-mail to be identifiable from its subject line, due June 16, 2005
- A report on the effectiveness of CAN-SPAM, due December 16, 2005
Comments addressing the “National Do Not E-Mail” Registry must be submitted on or before March 31, 2004. Comments addressing any other aspect of the CAN-SPAM Act must be submitted on or before April 12, 2004.
On March 11, the Federal Communications Commission issued a Notice of Proposed Rulemaking and Further Notice of Proposed Rulemaking relating to protecting consumers from SPAM and unauthorized telemarketing calls on their mobile phones.
On the issue of spam, the FCC seeks comments on how to best protect consumers and businesses from the costs, inefficiencies and inconveniences of receiving unwanted electronic mail messages on wireless devices such as mobile phones. Section 14 of the Act requires the FCC to promulgate rules to protect consumers from unwanted mobile service commercial messages which it defines as a “commercial electronic mail message that is transmitted directly to a wireless device that is utilized by a subscriber of commercial mobile service” in connection with such service.
Specifically, the Commission asked for comments on, among other things:
- The ability of senders to determine whether a message is a mobile commercial electronic mail message and methods to enable the sender to make this determination; for instance, whether there should be a list of, or standard naming convention for domain names, or an individual registry of e-mail addresses. Another area for comment is that of automatic challenge-response mechanisms that alert senders they are sending their message to such a subscriber.
- How to provide subscribers with the ability to avoid receiving mobile service commercial messages sent without the subscribers’ prior consent, and how to indicate electronically a desire not to receive future mobile service commercial messages from specific senders.
- Whether commercial cellular providers should be exempted from having to obtain express prior authorization before sending a commercial message to their customers.
- How senders can comply with the Act in general, given the unique technical limitations, particularly message length limitations and the information required to be included in messages by the Act.
What the Future Holds
How effectively the CAN-SPAM Act will address the concerns of Congress only time can tell. What is clear, however, is that the statutory provisions of the CAN-SPAM Act, as detailed as they are, provide only a general outline of the rights and obligations of commercial e-mail users, and that many of the critical particulars of the new law will evolve in regulatory forums and the courts. Business should monitor these developments carefully and, where prudent, participate in the regulatory process to air their views.