The Controlling the Assault of Non-Solicited Pornography and Marketing or “CAN-SPAM” Act The Controlling the Assault of Non-Solicited Pornography and Marketing Act, (the “CAN-SPAM” Act1), establishes requirements for commercial e-mails, including prohibitions against false or misleading transmission information and deceptive subject lines and requirements that these e-mails provide opt-out information for recipients and the physical postal address of senders. Both the Federal Trade Commission (FTC) and the Department of Justice (DOJ) enforce provisions of CAN-SPAM. Other federal and state agencies can enforce the law against organizations under their jurisdiction, and companies that provide Internet access may sue violators as well. While CAN-SPAM includes provisions generally preempting state law in this area, there are state laws governing some aspects of email marketing. Publishers should consult with counsel to ensure that marketing campaigns comply with federal and state law. Types of E-mail Covered by CAN-SPAM CAN-SPAM governs “commercial” e-mail messages, and—to a lesser extent— so-called “transactional or relationship messages.” Commercial e-mail must comply with all of the provisions described below, while transactional or relationship e-mail must comply only with the law’s provisions prohibiting false or misleading transmission or “header” information. A “commercial electronic mail message” is defined as: “[A]ny electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose).” A “transactional or relationship message” is defined as an electronic mail message, the primary purpose of which is: 1. “to facilitate, complete, or confirm a commercial transaction that the recipient has previously agreed to enter into with the sender;” 2. to provide warranty information, product recall information, or safety or security information with respect to a commercial product or service used or purchased by the recipient; 3. to provide notification of changes in terms or features, a change in the recipient’s standing or status, or regular, periodic account balance information or statements for ongoing commercial relationships (including subscriptions); 1 15 U.S.C. § § 7701-7713 4. to provide information related directly to an employment relationship or related benefit plan in which the recipient is currently involved, participating, or enrolled; or 5. to deliver goods or services—including product upgrades and updates— that the recipient is entitled to receive under the terms of a previous agreement between the sender and the recipient. Determining the Type of E-mail: The Primary Purpose Rule As noted above, CAN-SPAM’s definitions of commercial e-mail messages and transactional/relationship messages both focus on the “primary purpose” of the email. In December 2004, the FTC issued a final rule, known commonly as the “Primary Purpose Rule,” to clarify the distinction between these two types of messages—especially when a message contains both commercial and noncommercial information. This clarification can assist publishers in determining whether a message must comply with the substantive requirements of CANSPAM (in the case of messages with a commercial primary purpose) or only the prohibition against deceptive transmission information (in the case of messages with a transactional/relationship primary purpose). The Primary Purpose Rule places e-mail messages into one of four categories: ● E-mail consisting exclusively of the commercial advertisement or promotion of a commercial product or service, ● E-mail containing both the commercial advertisement or promotion of a commercial product or service as well as transactional or relationship content, ● E-mail containing both the commercial advertisement or promotion of a commercial product or service as well as content that is not transactional or relationship content as defined by the law, and ● E-mail containing exclusively transactional or relationship content. The first and last categories are straightforward. If an e-mail contains exclusively commercial content, its primary purpose is deemed to be commercial, and if it contains exclusively transactional or relationship content, its primary purpose is deemed to be transactional or relationship in nature. For determining the primary purpose of the other two categories, the rule adopts a reasonable person standard, basing the determination, in part, on what a reasonable recipient would consider the message to be. For the second category—e-mail containing both commercial and transactional/relationship content—the primary purpose is commercial if a reasonable recipient interpreting the message’s subject line would likely conclude the message was commercial or if the message’s transactional/relationship content does not appear substantially at the beginning of the e-mail. For the third category—e-mail containing both commercial content and content that is not transactional or relationship in nature—the primary purpose is commercial if a reasonable recipient interpreting the subject line or body of the message would likely conclude the message was commercial. Relevant factors in this analysis include the placement of the commercial content substantially at the beginning of the message, the proportion of commercial content in the message, and the use of color, graphics, and font size to highlight the commercial content. The Types of E-Mailers Who Must Comply with CAN-SPAM CAN-SPAM applies to both “senders” and “initiators” of e-mail. An initiator is a person who transmits an e-mail message or who induces or procures the transmission of an e-mail message, while the law defines a “sender” as the person who initiates the e-mail and whose product, service, or Internet website is advertised or promoted by the e-mail. Senders must provide for and process opt-out requests, maintain and check recipient addresses against "scrub lists," and include a physical address in each message. Initiators must ensure that the e-mail message conforms to provisions of the law, including the requirements that the e-mail include all requisite disclosures and that it does not contain false or misleading transmission information or deceptive subject headings. Under CAN-SPAM, more than one person can be considered to have initiated an e-mail, and—where the manufacturer of a product has paid, provided other consideration, or has otherwise induced a third party to initiate an e-mail on its behalf—that manufacturer can be treated as if it initiated the e-mail itself. There can also be multiple senders of a commercial e-mail. In 2005, the FTC issued a notice of proposed rulemaking to clarify the definition of a “sender” where multiple advertisers are involved. The draft definition, which has not been made final, specifies that when more than one person’s products or services are advertised or promoted in a single electronic mail message, each such person who is within the Act’s definition will be deemed to be a sender—except that—if only one such person both is within the Act’s definition and meets one or more of the criteria set forth below, only that person will be deemed to be the “sender” of that message. The criteria are: (i) The person controls the content of such message; (ii) The person determines the electronic mail addresses to which such message is sent; or (iii) The person is identified in the “from” line as the sender of the message. If no one person who meets the Act’s definition of “sender” satisfies the criteria to be the sole sender , then all persons who satisfy the definition will be considered senders for purposes of CAN-SPAM compliance obligations and will be required, notably, to provide an Internet-based opt-out mechanism and a valid physical postal address, and to honor any opt-out requests. CAN-SPAM Requirements For e-mail with a commercial primary purpose, CAN-SPAM prohibits false or misleading transmission information and deceptive subject lines and requires that these e-mails provide opt-out information for recipients and the physical postal address of senders. E-mail with a transactional/relationship primary purpose is required only to comply with the prohibition against false or misleading transmission information. False or Misleading Transmission Information (Header): The transmission information or “header” includes the source, destination, and routing information attached to an e-mail. Neither commercial nor transactional/relationship e-mail may contain header information that is materially false or materially misleading, i.e., ● Header information that is technically accurate but includes an originating electronic mail address, domain name, or Internet Protocol address obtained by means of false or fraudulent pretenses or representations. ● Header information that fails to identify accurately the computer used to initiate the message because the person initiating the message knowingly uses another computer to relay or retransmit the message for purposes of disguising its origin. As noted in the previous section, in some instances, there can be more than one sender. In the header, depending on the circumstances, the sender in the “from” field can be the marketer, the company whose product is being offered, or both. Additional requirements for commercial e-mails: The Subject Line: The subject line cannot be deceptive, nor can it mislead the recipient about the contents or subject matter of the message. Opt-Out: E-mail marketers must provide a return e-mail address or another Internet-based response mechanism that allows a recipient to opt-out of future email messages to that e-mail address. E-mail senders must honor such requests. Senders may create a "menu" of choices to allow a recipient to opt out of certain types of messages, but the marketer must include the option to end any commercial messages from the sender. In situations where a business has different subsidiaries, affiliates, or lines, how the message is presented will dictate whether the business or the subsidiary is the sender responsible for ensuring opt-outs are honored. The law provides, “If an entity operates through separate lines of business or divisions and holds itself out to the recipient throughout the message as that particular line of business or division, rather than as the entity of which such line of business or division is a part, then the line of business or the division shall be treated as the sender of such message.” Any opt-out mechanism a sender offers must be active for at least 30 days after the sending of the commercial e-mail. Upon receipt of an opt-out request, marketers have 10 business days to stop sending e-mail to the requestor's e-mail address (in the 2005 Notice of Proposed Rulemaking, the FTC proposed shortening this period from 10 business days to three business days but has not finalized the change). The sender cannot help another entity send e-mail to that address or have another entity send e-mail on its behalf to that address. Finally, it's illegal for the sender to sell or transfer the e-mail addresses of recipients who choose not to receive the sender’s e-mail, even in the form of a mailing list, unless the sender transfers the addresses so another entity can comply with the law. Physical Address: address. Commercial e-mail must include a valid, physical postal Identification as Advertisement: Unless a consumer has given affirmative consent to receive commercial e-mail, commercial e-mail messages must contain clear and conspicuous notice that the messages are advertisements or solicitations and that the recipient can opt out of receiving more commercial email from the sender. Affirmative Consent: To qualify as “affirmative consent”, a consumer must agree to receive commercial e-mail in response to a clear and conspicuous request for such consent. While the law does not mandate what records must be kept as proof of this affirmative consent, marketers are encouraged to keep records of how the consent was obtained, including the date, time, and method, e.g., website, of consent. Sexually Explicit E-mail: Commercial e-mail that contains sexually explicit material must: contain a mark or notice in the message’s subject line that alerts the recipient to the message’s content; exclude from the initially viewable area of the message any sexually oriented material; and include in the initially viewable area of the message only the required mark or notice, the sender’s valid physical address, and opt-out mechanism, and instructions on how to access the sexually oriented material These provisions do not apply if the recipient has given the sender prior affirmative consent for the receipt of such a message. Penalties: CAN-SPAM has both civil and criminal penalties. Each violation of CAN-SPAM is subject to fines of up to $11,000. Deceptive commercial e-mail also is subject to laws banning false or misleading advertising. Additional fines are provided for commercial e-mailers who not only violate the rules described above, but who also commit the following “aggravated violations”: "harvest" e-mail addresses from websites or web services that have published a notice prohibiting the transfer of e-mail addresses for the purpose of sending e-mail; generate e-mail addresses using a "dictionary attack," i.e., combining names, letters, or numbers into multiple permutations; use scripts or other automated ways to register for multiple e-mail or user accounts to send commercial e-mail; relay e-mail through a computer or network without permission—for example, by taking advantage of open relays or open proxies without authorization. The law allows DOJ to seek criminal penalties, including imprisonment, for commercial e-mailers who actually commit or conspire to commit any of the following: use another computer without authorization and send commercial e-mail from or through it; use a computer to relay or retransmit multiple commercial e-mail messages to deceive or mislead recipients or an Internet access service about the origin of the message; falsify header information in multiple e-mail messages and initiate the transmission of such messages ; register for multiple e-mail accounts or domain names using information that falsifies the identity of the actual registrant; represent themselves falsely as owners of multiple Internet Protocol addresses that are used to send commercial e-mail messages.