The Controlling the Assault of Non

The Controlling the Assault of Non-Solicited Pornography and Marketing
or “CAN-SPAM” Act
The Controlling the Assault of Non-Solicited Pornography and Marketing Act, (the
“CAN-SPAM” Act1), establishes requirements for commercial e-mails, including
prohibitions against false or misleading transmission information and deceptive
subject lines and requirements that these e-mails provide opt-out information for
recipients and the physical postal address of senders.
Both the Federal Trade Commission (FTC) and the Department of Justice (DOJ)
enforce provisions of CAN-SPAM. Other federal and state agencies can enforce
the law against organizations under their jurisdiction, and companies that provide
Internet access may sue violators as well. While CAN-SPAM includes provisions
generally preempting state law in this area, there are state laws governing some
aspects of email marketing. Publishers should consult with counsel to ensure
that marketing campaigns comply with federal and state law.
Types of E-mail Covered by CAN-SPAM
CAN-SPAM governs “commercial” e-mail messages, and—to a lesser extent—
so-called “transactional or relationship messages.” Commercial e-mail must
comply with all of the provisions described below, while transactional or
relationship e-mail must comply only with the law’s provisions prohibiting false or
misleading transmission or “header” information.
A “commercial electronic mail message” is defined as:
“[A]ny electronic mail message the primary purpose of which is the commercial
advertisement or promotion of a commercial product or service (including content
on an Internet website operated for a commercial purpose).”
A “transactional or relationship message” is defined as an electronic mail
message, the primary purpose of which is:
1. “to facilitate, complete, or confirm a commercial transaction that the
recipient has previously agreed to enter into with the sender;”
2. to provide warranty information, product recall information, or safety or
security information with respect to a commercial product or service used
or purchased by the recipient;
3. to provide notification of changes in terms or features, a change in the
recipient’s standing or status, or regular, periodic account balance
information or statements for ongoing commercial relationships (including
15 U.S.C. § § 7701-7713
4. to provide information related directly to an employment relationship or
related benefit plan in which the recipient is currently involved,
participating, or enrolled; or
5. to deliver goods or services—including product upgrades and updates—
that the recipient is entitled to receive under the terms of a previous
agreement between the sender and the recipient.
Determining the Type of E-mail: The Primary Purpose Rule
As noted above, CAN-SPAM’s definitions of commercial e-mail messages and
transactional/relationship messages both focus on the “primary purpose” of the email. In December 2004, the FTC issued a final rule, known commonly as the
“Primary Purpose Rule,” to clarify the distinction between these two types of
messages—especially when a message contains both commercial and noncommercial information. This clarification can assist publishers in determining
whether a message must comply with the substantive requirements of CANSPAM (in the case of messages with a commercial primary purpose) or only the
prohibition against deceptive transmission information (in the case of messages
with a transactional/relationship primary purpose).
The Primary Purpose Rule places e-mail messages into one of four categories:
● E-mail consisting exclusively of the commercial advertisement or promotion of
a commercial product or service,
● E-mail containing both the commercial advertisement or promotion of a
commercial product or service as well as transactional or relationship content,
● E-mail containing both the commercial advertisement or promotion of a
commercial product or service as well as content that is not transactional or
relationship content as defined by the law, and
● E-mail containing exclusively transactional or relationship content.
The first and last categories are straightforward. If an e-mail contains exclusively
commercial content, its primary purpose is deemed to be commercial, and if it
contains exclusively transactional or relationship content, its primary purpose is
deemed to be transactional or relationship in nature.
For determining the primary purpose of the other two categories, the rule adopts
a reasonable person standard, basing the determination, in part, on what a
reasonable recipient would consider the message to be.
For the second category—e-mail containing both commercial and
transactional/relationship content—the primary purpose is commercial if a
reasonable recipient interpreting the message’s subject line would likely conclude
the message was commercial or if the message’s transactional/relationship
content does not appear substantially at the beginning of the e-mail.
For the third category—e-mail containing both commercial content and content
that is not transactional or relationship in nature—the primary purpose is
commercial if a reasonable recipient interpreting the subject line or body of the
message would likely conclude the message was commercial. Relevant factors
in this analysis include the placement of the commercial content substantially at
the beginning of the message, the proportion of commercial content in the
message, and the use of color, graphics, and font size to highlight the
commercial content.
The Types of E-Mailers Who Must Comply with CAN-SPAM
CAN-SPAM applies to both “senders” and “initiators” of e-mail. An initiator is a
person who transmits an e-mail message or who induces or procures the
transmission of an e-mail message, while the law defines a “sender” as the
person who initiates the e-mail and whose product, service, or Internet website is
advertised or promoted by the e-mail. Senders must provide for and process
opt-out requests, maintain and check recipient addresses against "scrub lists,"
and include a physical address in each message. Initiators must ensure that the
e-mail message conforms to provisions of the law, including the requirements
that the e-mail include all requisite disclosures and that it does not contain false
or misleading transmission information or deceptive subject headings.
Under CAN-SPAM, more than one person can be considered to have initiated an
e-mail, and—where the manufacturer of a product has paid, provided other
consideration, or has otherwise induced a third party to initiate an e-mail on its
behalf—that manufacturer can be treated as if it initiated the e-mail itself.
There can also be multiple senders of a commercial e-mail. In 2005, the FTC
issued a notice of proposed rulemaking to clarify the definition of a “sender”
where multiple advertisers are involved. The draft definition, which has not been
made final, specifies that when more than one person’s products or services are
advertised or promoted in a single electronic mail message, each such person
who is within the Act’s definition will be deemed to be a sender—except that—if
only one such person both is within the Act’s definition and meets one or more of
the criteria set forth below, only that person will be deemed to be the “sender” of
that message. The criteria are:
(i) The person controls the content of such message;
(ii) The person determines the electronic mail addresses to which such
message is sent; or
(iii) The person is identified in the “from” line as the sender of the
If no one person who meets the Act’s definition of “sender” satisfies the criteria to
be the sole sender , then all persons who satisfy the definition will be considered
senders for purposes of CAN-SPAM compliance obligations and will be required,
notably, to provide an Internet-based opt-out mechanism and a valid physical
postal address, and to honor any opt-out requests.
CAN-SPAM Requirements
For e-mail with a commercial primary purpose, CAN-SPAM prohibits false or
misleading transmission information and deceptive subject lines and requires that
these e-mails provide opt-out information for recipients and the physical postal
address of senders. E-mail with a transactional/relationship primary purpose is
required only to comply with the prohibition against false or misleading
transmission information.
False or Misleading Transmission Information (Header): The transmission
information or “header” includes the source, destination, and routing information
attached to an e-mail. Neither commercial nor transactional/relationship e-mail
may contain header information that is materially false or materially misleading,
● Header information that is technically accurate but includes an
originating electronic mail address, domain name, or Internet Protocol
address obtained by means of false or fraudulent pretenses or
● Header information that fails to identify accurately the computer used to
initiate the message because the person initiating the message knowingly
uses another computer to relay or retransmit the message for purposes of
disguising its origin.
As noted in the previous section, in some instances, there can be more than one
sender. In the header, depending on the circumstances, the sender in the “from”
field can be the marketer, the company whose product is being offered, or both.
Additional requirements for commercial e-mails:
The Subject Line: The subject line cannot be deceptive, nor can it mislead the
recipient about the contents or subject matter of the message.
Opt-Out: E-mail marketers must provide a return e-mail address or another
Internet-based response mechanism that allows a recipient to opt-out of future email messages to that e-mail address. E-mail senders must honor such
requests. Senders may create a "menu" of choices to allow a recipient to opt out
of certain types of messages, but the marketer must include the option to end
any commercial messages from the sender.
In situations where a business has different subsidiaries, affiliates, or lines, how
the message is presented will dictate whether the business or the subsidiary is
the sender responsible for ensuring opt-outs are honored. The law provides, “If
an entity operates through separate lines of business or divisions and holds itself
out to the recipient throughout the message as that particular line of business or
division, rather than as the entity of which such line of business or division is a
part, then the line of business or the division shall be treated as the sender of
such message.”
Any opt-out mechanism a sender offers must be active for at least 30 days after
the sending of the commercial e-mail. Upon receipt of an opt-out request,
marketers have 10 business days to stop sending e-mail to the requestor's e-mail
address (in the 2005 Notice of Proposed Rulemaking, the FTC proposed
shortening this period from 10 business days to three business days but has not
finalized the change). The sender cannot help another entity send e-mail to that
address or have another entity send e-mail on its behalf to that address. Finally,
it's illegal for the sender to sell or transfer the e-mail addresses of recipients who
choose not to receive the sender’s e-mail, even in the form of a mailing list,
unless the sender transfers the addresses so another entity can comply with the
Physical Address:
Commercial e-mail must include a valid, physical postal
Identification as Advertisement: Unless a consumer has given affirmative
consent to receive commercial e-mail, commercial e-mail messages must contain
clear and conspicuous notice that the messages are advertisements or
solicitations and that the recipient can opt out of receiving more commercial email from the sender.
Affirmative Consent: To qualify as “affirmative consent”, a consumer must
agree to receive commercial e-mail in response to a clear and conspicuous
request for such consent. While the law does not mandate what records must be
kept as proof of this affirmative consent, marketers are encouraged to keep
records of how the consent was obtained, including the date, time, and method,
e.g., website, of consent.
Sexually Explicit E-mail: Commercial e-mail that contains sexually explicit
material must:
 contain a mark or notice in the message’s subject line that alerts the
recipient to the message’s content;
exclude from the initially viewable area of the message any sexually
oriented material; and
include in the initially viewable area of the message only the required mark
or notice, the sender’s valid physical address, and opt-out mechanism,
and instructions on how to access the sexually oriented material
These provisions do not apply if the recipient has given the sender prior
affirmative consent for the receipt of such a message.
Penalties: CAN-SPAM has both civil and criminal penalties. Each violation of
CAN-SPAM is subject to fines of up to $11,000. Deceptive commercial e-mail
also is subject to laws banning false or misleading advertising.
Additional fines are provided for commercial e-mailers who not only violate the
rules described above, but who also commit the following “aggravated violations”:
 "harvest" e-mail addresses from websites or web services that have
published a notice prohibiting the transfer of e-mail addresses for the
purpose of sending e-mail;
 generate e-mail addresses using a "dictionary attack," i.e., combining
names, letters, or numbers into multiple permutations;
 use scripts or other automated ways to register for multiple e-mail or user
accounts to send commercial e-mail;
 relay e-mail through a computer or network without permission—for
example, by taking advantage of open relays or open proxies without
The law allows DOJ to seek criminal penalties, including imprisonment, for
commercial e-mailers who actually commit or conspire to commit any of the
 use another computer without authorization and send commercial e-mail
from or through it;
 use a computer to relay or retransmit multiple commercial e-mail
messages to deceive or mislead recipients or an Internet access service
about the origin of the message;
 falsify header information in multiple e-mail messages and initiate the
transmission of such messages ;
 register for multiple e-mail accounts or domain names using information
that falsifies the identity of the actual registrant;
 represent themselves falsely as owners of multiple Internet Protocol
addresses that are used to send commercial e-mail messages.