DECEMBER 2003 Congress Passes New Anti-Spam Legislation On December 16, 2003, President Bush signed into law the Controlling the Assault of Non-Solicited Pornography and Marketing Act (the CAN-SPAM Act of 2003 or Act ). A key effect of the Act is the establishment of criminal and civil penalties for senders of spam, or unsolicited commercial email messages, using deceptive or misleading tactics. The Act will become effective on January 1, 2004. Additionally, over a two-year period following enactment, the Federal Trade Commission ( FTC ) is required to issue various regulations and recommendations to implement and interpret the Act. The Act also authorizes the Federal Communications Commission ( FCC ) to adopt rules to protect subscribers to wireless services such as cellular and Blackberry from receiving unwanted commercial emails. 1 A summary of the Act follows: I. Scope of the Act The Act primarily regulates the transmission of unsolicited commercial electronic mail messages, defined as email having the primary purpose of advertisement or promotion of a commercial product or service. 2 Because the Act does not define the terms primary purpose, advertisement, and promotion, its scope will remain highly ambiguous until the FTC adopts its implementing regulations. For example, it is unclear whether the use of an automated signature that includes a corporate trademark or slogan that is inherently promotional at the bottom of an email (e.g., we make the best widgets ) would trigger the Act regardless of the email s content. The Act s definition of commercial electronic mail messages excludes transactional or relationship messages, which (1) facilitate, complete or confirm a prior commercial transaction entered into by the recipient; (2) provide warranty, recall or safety or security information for a product or service used or purchased by the recipient; (3) provide account information or other notifications regarding an ongoing commercial relationship with the recipient; (4) provide current employment or related benefit plan information; or (5) deliver goods or services, including product updates or upgrades, under a prior purchase agreement with the sender. 3 II. Summary of the Act s Prohibitions and Requirements The Act provides both civil and criminal penalties (up to $2 million, which can be trebled under some circumstances, or up to five years imprisonment) for a number of common tactics employed by spammers, including the use of deceptive subject header information and sender identification information, other false or misleading header information, and falsely registered email accounts and Internet Protocol ( IP ) addresses. A. Prohibited Commercial Email Practices The federal measure permits businesses to send commercial emails to customers who have not provided an opt-in consent or otherwise do not have a pre-existing commercial relationship with the sender. Rather, the basic regulatory approach of the Act is to broadly prohibit certain fraudulent and misleading email practices, and to impose upon senders of commercial email certain labeling, opt-out and related notification requirements. Note that this approach is different than California s anti-spam law, some provisions of which may be preempted by the Act. Kirkpatrick & Lockhart LLP
1. False or Misleading Header Information The Act prohibits any person from initiating the transmission to a computer 4 of either a commercial email message or a transactional or relationship message that includes materially false or misleading header information. 5 Header information is materially misleading if it fails to accurately identify the computer from which the message originated, because another computer is used to disguise a message s origin. Even where such header information is technically accurate, but the sender s originating email address, domain name or IP address was obtained falsely, such header will fall within the Act s criteria for materially misleading header information. However, if a message s from line accurately identifies any person initiating the message, such header information shall not be deemed materially false or misleading. 6 2. Deceptive Subject Headings The Act prohibits any person from initiating the transmission of a commercial email message to a computer if that person has actual or fairly implied knowledge that the subject heading of the message would likely mislead a recipient about a material fact regarding the contents or subject matter of the message. 7 3. Return Address Required Under the Act, any commercial email message must clearly and conspicuously display a return email address or other Internet-based mechanism by which a recipient may opt-out from receiving future commercial email from that sender for up to thirty (30) days following transmission of the original message. 8 4. Email Transmissions Following Objection The Act requires that a sender of any commercial email message (or its representative) comply with an opt-out request within ten (10) business days of receiving it, on a permanent basis. 9 The Act also prohibits the sale, lease, exchange, transfer or release of any user s email address for which an opt-out request is received. 10 The foregoing restrictions can be superseded by the recipient s subsequently providing an affirmative consent. 11 5. Opt-Out and Other Content Requirements The Act requires that any commercial emails clearly and conspicuously display the following: (i) identification indicating that the message is an advertisement or solicitation (except where the recipient has granted prior affirmative consent to the receipt of the message); (ii) an opt-out notice governing future messages; and (iii) a valid physical postal address of the sender. 12 Unlike ADV and similar content labeling requirements in some state anti-spam laws, the Act does not specify a method for identifying that an email message is a solicitation. This omission is significant because spam filters easily can be configured to block any message with a particular combination of characters, such as ADV in the subject heading. 6. Aggravated Violations In addition to ordinary violations set forth by its terms, the Act prohibits, and provides treble damages for, certain aggravated violations in transmitting commercial emails, including (i) the use of automated technology to generate a recipient s email address either from an unauthorized third party website or service or from combining letters and numbers into permutations (respectively referred to as address harvesting and dictionary attacks ); (ii) the use of scripts or other automated means to register multiple email or user accounts; and (iii) the relay or retransmission of a commercial email from a computer or computer network to which the sender has unauthorized access. 13 7. Warning Label Requirements for Sexually Oriented Materials The Act requires any person initiating commercial emails that include sexually oriented material to identify in the subject heading of such messages specific marks or notices to be prescribed by the FTC not later than 120 days following the Act s passage, or to provide that the material initially viewable to the recipient when the message is opened include only: (i) a mark or notice designating the message as sexually oriented; (ii) any required sender identification, opt-out notice and postal address; and (iii) instructions for accessing the sexually oriented material. 14 Such requirements do not apply where a Kirkpatrick & Lockhart LLP 2
recipient has granted the sender a prior affirmative consent to the receipt of such message. 15 B. Private Rights of Action and Enforcement of the Act The Act authorizes civil enforcement by the FTC (and in certain cases, by other appropriate federal agencies) 16 and state attorneys general and agencies. It also provides a private right of action for Internet service providers. However, individual recipients of commercial emails are barred from bringing civil lawsuits alleging violations under the Act. Because the Act does not allow private rights of action for individual recipients, such rights contained in the noted anti-spam California statute and other state anti-spam laws are likely preempted. Available equitable and statutory damages for civil violations include injunctive relief and damages of up to $250 per violation (or treble damages for willful violations), with a maximum aggregate award of $2 million. 17 C. Criminal Penalties for Email Fraud and Related Activity The Act also criminalizes certain predatory and abusive spam practices, including knowingly doing, or conspiring to do, the following: (i) obtaining unauthorized access to a computer (e.g., hacking a computer) to transmit multiple commercial emails; (ii) using a computer to transmit multiple commercial emails with the intent to deceive recipients as to the origin of such messages; (iii) materially falsifying header information in multiple commercial emails; 18 (iv) registering five or more false email accounts or domain names and transmitting multiple commercial emails from such accounts or domain names; and (v) falsely representing oneself to have registration rights to five or more IP addresses, and transmitting multiple commercial emails from such addresses. 19 Although an ordinary violation of the Act s criminal prohibitions constitutes a misdemeanor, violations involving hacking, increased volumes of commercial emails or falsified registrations, total damages or profits of $5,000 or more per year, and organized criminal spam activity are punishable under a threeyear felony penalty. A maximum five-year felony conviction is available in the event of violations committed in furtherance of another felony or by a defendant previously convicted of a hacking or criminal spam offense under federal or state law. 20 D. Businesses Knowingly Promoted by False or Misleading Email Header Information The Act makes it unlawful for any person, business, or third party representative to knowingly promote any goods, products, property or services in a commercial email, which contains false or misleading header information in violation of the Act. 21 Any third party providing goods or services to another person that violates this prohibition does not violate the Act, unless the third party (i) has a greater than 50% ownership or economic interest in the business of the person violating this prohibition; or (ii) has actual knowledge that the goods or services are promoted in violation of the Act and receives, or expects to receive, an economic benefit from such promotion. 22 III. Federal Preemptive Authority The Act preempts most pre-existing state laws that expressly regulate commercial email, except to the extent that they prohibit falsity or deception in commercial email (such as the Virginia anti-spam law), as well as state statutes and common law relating to fraud or computer crime activity. 23 State laws that are more stringent than the Act may be largely preempted by its terms, including California s opt-in law that otherwise would have become effective on January 1, 2004. In total, approximately 37 states had taken steps to prohibit spam emails prior to the passage of the Act. By preempting state anti-spam laws not directly related to fraud or deception, the Act seeks to create a set of national standards governing antispam requirements. The scope of the Act s preemptive effect of state anti-spam laws will remain uncertain until the Act is interpreted by the courts. It is likely that California s comprehensive anti-spam law will be the subject of one of the first court challenges of the Act s preemptive effect. IV. Do-Not-E-Mail Registry The Act requires the FTC by July 1, 2004, to set forth a plan and timetable in a report to Congress for a nationwide Do-Not-E-Mail registry, similar to the FTC s Do-Not-Call registry applicable to telemarketing practices. 24 The Do-Not-E-Mail registry plan would explain any practical, technical, security, privacy, enforceability or other concerns held by the FTC regarding such a registry, including the application of the registry to children with email Kirkpatrick & Lockhart LLP 3
accounts. 25 Although the Act empowers the FTC with the authority to establish and implement such plan beginning on October 1, 2004, the measure does not mandate the establishment of a Do-Not-E-Mail registry. 26 V. Email Sent to Wireless Devices The Act requires the FCC, in consultation with the FTC, to adopt rules to protect consumers from unwanted mobile service commercial messages. 27 The Act defines mobile service commercial messages as commercial email services, such as cellular and other handheld data services (e.g., Blackberry) ( Wireless Device ). 28 The Act requires the FCC to consider the ability of the sender to reasonably determine whether the recipient is a subscriber to a Wireless Device. 29 Generally, an email sender cannot determine whether the recipient of an email is using a Wireless Device. Therefore, the FCC could reasonably interpret this provision to mean that unless the recipient s email address indicates that the recipient is a Wireless Device subscriber (e.g., John_Doe@MobileService.com), the sender is exempt from the FCC regulations. The Act does not require the FCC to adopt rules applicable to emails transmitted wirelessly to fixed locations, as in the case of wireless local area networks. VI. Important Business Considerations Unfortunately, the Act is unlikely to have any meaningful effect on the greatest source of spam: illegitimate businesses, particularly those operating from abroad. Legitimate businesses will benefit from having a largely unified federal regulatory regime governing commercial email practices, instead of being subject to multiple and varying state laws. In the near term, however, businesses will find compliance difficult until the FTC clarifies several ambiguous provisions of the Act and other provisions are tested and interpreted by the courts. For example, the boundaries between which state laws are preempted and which are not are not completely clear and will undoubtedly be the subject of litigation. Businesses can anticipate early tests of the scope of the Act and its definitions, when a message header is misleading as to the contents of the message and what the tolerances are in the operation of the opt-out mechanism. 1 The Act does not address instant-messaging spam, commonly referred to as spim. 2 CAN-SPAM Act 3(2)(A). 3 at 3(17)(A). 4 In its use of the term computer, the Act uses the term protected computer, which includes any computer used for or by a financial institution, the United States Government or in any interstate or foreign commerce or communication. 18 U.S.C. 1030(e)(2)(B). Because any computer that is used for email or Internet access is almost assured of engaging in interstate commerce or communication, this definition essentially encompasses any computer. 5 CAN-SPAM Act 5(a)(1). 6 7 at 5(a)(2). 8 at 5(a)(3)(A). 9 at 5(a)(4)(A). 10 11 at 5(a)(4)(B). 12 at 5(a)(5). 13 at 5(b). 14 at 5(d)(1). 15 at 5(d)(2). 16 Specific federal and state agencies and officials granted enforcement authority under the Act include the Securities Exchange Commission, the Secretary of Transportation, the Secretary of Agriculture, the Federal Communications Commission, and state insurance authorities. at 7(b). 17 See generally 7 of the Act. 18 Under the Act, header or registration information is materially falsified, if it is altered or concealed in a manner that would impair the ability of a recipient of the message, or other interested party, to identify, locate, or respond to a person who initiated the electronic mail message or to investigate the alleged violation. at 4(a)(1). 19 20 21 at 6(a). 22 at 6(b). 23 at 8(b). 24 at 9(a). 25 26 at 9(b). 27 at 14(b). 28 at 14(d). 29 at 14(b). Kirkpatrick & Lockhart LLP 4
For more information regarding the CAN-SPAM Act, please contact one of the attorneys listed below: Henry L. Judy 202.778.9032 hjudy@kl.com Melanie H. Brody 202.778.9203 mbrody@kl.com Marc S. Martin 202.778.9859 mmartin@kl.com Angela Y. Ball 202.778.9022 aball@kl.com Jonathan D. Jaffe 415.249.1023 jjaffe@kl.com Franklin B. Molin 412.355.6251 fmolin@kl.com Jeffrey M. Gitchel 412.355.8618 jgitchel@kl.com Ira S. Nathenson 412.355.8921 inathenson@kl.com Benjamin S. Hayes 202.778.9884 bhayes@kl.com Kirkpatrick & Lockhart LLP Challenge us. www.kl.com BOSTON... DALLAS HARRISBURG LOS ANGELES MIAMI NEWARK NEW YORK PITTSBURGH SAN FRANCISCO WASHINGTON This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. 2003 KIRKPATRICK & LOCKHART LLP. ALL RIGHTS RESERVED.