Enterprise Email: Managing Risks and Liabilities Avoiding Common Pitfalls under the Federal CAN-SPAM Act




These materials do not constitute specific legal advice and may not address all aspects of a legal development relevant to the reader's circumstances. The reader should consult legal counsel to determine how laws apply to specific situations. Further, these materials are not intended to create, and receipt of them does not constitute, a lawyer-client relationship. If you would like an Ice Miller attorney to review any materials for you, please contact one of our attorneys prior to forwarding any information.

Overview
The CAN-SPAM Act of 2003 passed with a nearly unanimous vote in both the House and the Senate and was signed into law by President Bush in December of 2003. The Act, effective as of January 1, 2004, is a huge win for enterprises due to the fact that it targets the most egregious spammers and their fraudulent and deceptive practices, rather than hindering the sending practices of legitimate businesses. However, in addition to these advantages of the Act come some potential pitfalls for the unwary enterprise. Businesses that fail to implement and manage best practices to minimize the inherent risks of email in their own organizations could face fines, a costly lawsuit, or worse yet, prison.

Although the requirements of the CAN-SPAM Act seem fairly basic, the question of how to implement changes may be a challenge for many enterprises, especially those who do not realize that their organization may be at risk. Essentially, any organization sending outbound email, whether in the form of promotions, updates, educational pieces, etc., may be at risk, and should therefore protect itself by becoming familiar with the regulations surrounding the law.

Businesses must also understand that the scrutiny of email marketing takes the form of not only legislation and litigation, but the email processing industry's own procedures. The broad majority of Internet Service Providers (ISPs) and anti-spam filtering technology, with added encouragement from anti-spam action groups, set the bar much higher than the laws promulgated in various states and now at the federal level. The primary goal is to reduce the amount of spam received, meaning that organizations generating high rates of undeliverable email or numerous spam complaints will experience some level of email filtering at the hands of ISPs. To avoid action by ISPs, the key is to not look like a spammer. Failure to follow the unwritten ethics of the email receiving and filtering community can have an extremely negative effect on an enterprise sending any sort of outbound email.

This paper explores both the practical and legal aspects of the email processing industry and provides advice as to how an organization can best manage the risks inherent in this medium. Email is arguably the strongest vehicle for marketing, communication, and customer retention ever developed, and organizations that take the proper steps to overcome challenges and risks will certainly reap its rewards.

Section I: CAN-SPAM Act Overview
This section summarizes the major provisions of the CAN-SPAM Act of 2003 (the "Act" or the "CAN-SPAM Act"), including an outline of the prohibitions and required content of commercial email under the Act, criminal and civil penalties including imprisonment, fines, and forfeiture, and who can sue to enforce the Act.

The Act generally prohibits predatory and abusive commercial email practices. The Act restricts transmission of certain emails that do not include proper disclosures regarding their nature or origin. The Act specifically prohibits transmissions by initiators of commercial emails when a recipient has "opted-out" of receiving such transmissions from the sender.

The CAN-SPAM Act supersedes at least parts of the laws enacted by 37 states that currently regulate email. One example of such a law, at least a portion of which will be superseded by the Act, is California's stringent SB 186, which required an email recipient's direct consent or a prior business relationship before a commercial email could be sent. The CAN-SPAM Act, on the other hand, is essentially an opt-out law and does not require the opt-in or business relationship required in California's legislation. However, it does not preempt other state laws or the portions of them that prohibit falsity or deception or that are not spam-specific.

The federal law's most beneficial aspect to legitimate marketers is that it preempts major portions of differing state laws, allowing marketers to be more secure in their reliance on abiding by a single law. Further, the Act should reduce the number of nuisance suits that laws providing individuals with causes of action, such as the California law, would have been likely to encourage. The CAN-SPAM Act, comparatively more business-friendly for a number of reasons, does not permit suits to be brought by individuals. Only certain federal agencies, state attorneys general, or ISPs can enforce the provisions of the Act.

Further, the Act does not regulate a wide range of transactional or relationship messages of which the primary purpose is not commercial. These include customer service interactions (even if relating to a commercial transaction), health or safety updates, recall notices, or employment communications. Additionally, the Act does not prohibit initiation of certain emails when the recipient has affirmatively consented to receiving such a message.
The Senate commerce committee outlined the purpose of the CAN-SPAM Act as follows: The purposes of this legislation are to:
(i) prohibit senders of electronic mail (email) for primarily commercial advertisement or promotional purposes from deceiving intended recipients or Internet service providers as to the source or subject matter of their email messages;
(ii) require such email senders to give recipients an opportunity to decline to receive future commercial email from them and to honor such requests;
(iii) require senders of unsolicited commercial email (UCE) to also include a valid physical address in the email message and a clear notice that the message is an advertisement or solicitation; and
(iv) prohibit businesses from knowingly promoting, or permitting the promotion of, their trade or business through email transmitted with false or misleading sender or routing information.

What is Criminal Under the Act?
The Act specifically prohibits and criminalizes certain "predatory and abusive commercial electronic mail." Section 4 generally addresses the manipulation of subject, header, and origination information to evade detection by ISPs and filters. Section 4 provides very specific penalties to initiators of (and conspirators to initiate) multiple emails, including imprisonment, fines, and forfeiture of property used or gained in commission of the offense. The following is prohibited under Section 4 of the Act:

Hiding Email Origin Using Other Computers (Hacking and Relaying)
Accessing, without authorization, a computer to initiate the transmission of multiple emails is prohibited. Similarly, using a computer to relay or retransmit multiple messages with the intent to hide the origin of the message is prohibited. Spammers sometimes use different computers, with or without permission, to hide the true origin of an email, thus evading filters and other blocking techniques used by ISPs.

False or Misleading Email Header Information
This is another tactic used by spammers to disguise their sending identity. The information is falsified in the header of their email, which is typically the only portion of the email that is seen by the receiving mail server. Spammers constantly change and falsify this information to evade detection, confuse spam filters, and continue sending spam. The Act prohibits initiation of multiple emails with materially falsified header information.

Deception in Registration of Email and Domain Names, and Ownership of IP Addresses
The Act prohibits initiating multiple emails from an account where the initiator has registered five or more email accounts or two or more domain names using information that materially falsifies the registrant's true identity. The Act further prohibits initiating multiple emails from an IP address when the initiator has falsely represented he is the registrant of the address.

Under the Act, violations of the provisions above can result in fines and imprisonment of between 1 and 5 years depending on the egregiousness of the violation and other factors. Section 4 of the Act provides for forfeiture of property used in connection with the commission of the offense, or gained in or traceable to the commission of the offense. The U.S. Sentencing Commission is directed under the Act to amend sentencing guidelines in accordance with the Act to provide specific, appropriate criminal penalties.

Civil Actions
Section 5 of the Act provides other protections in the form of civil actions. The Act does not provide a civil cause of action for individuals against spammers. However, the Act empowers attorneys general of each state to pursue violators of certain parts of Section 5 on behalf of the residents of its state. A state attorney general can pursue money damages, injunctive relief to stop further violations of the Act, or statutory damages which can total to $2,000,000 or more for inclusion of false or misleading transmission information, or if circumstances support a finding of aggravated damages. Statutory damages can reach up to $250 per address to which an email is sent. A court may treble damages if it finds aggravating circumstances, and may in its discretion award attorney fees for successful actions.

Others who have a civil cause of action under the Act include ISPs and certain federal agencies. ISPs are provided a civil cause of action against violators of certain sections of the Act. Finally, the Act generally can be enforced by a variety of federal agencies noted in the Act when the actions or actors fall within the agency's purview.

What is Required in Commercial Emails Under the Act?
Section 5 of the Act requires the following:

All Commercial Email Must Contain a Valid Opt-out Mechanism
Essentially, the Act is an opt-out law. The Act allows the sending of unsolicited email as long as the recipient is given an opportunity to opt-out of future communications. Notice of the opportunity to opt-out must be provided clearly and conspicuously. Companies can provide a generic opt-out from all communications or a more specific menu of options to permit the recipient to opt-out of certain types of commercial email, as long as the recipient is also provided the option to opt-out of all communications.

Opt-out Requests Must Be Honored Within 10 Business Days
Though the FTC will review the number of days and recommend another number that it may determine is more appropriate, this requirement will be the first time many companies have had to develop a process that ensures full name removal.

Sender Must Include a Valid Physical Postal Address
Senders should include their physical postal address. It is not certain whether a post-office or similar postal address will satisfy the requirements of the Act. As the FTC promulgates rules on the Act or actions brought under the Act provide guidance to the meaning of "valid physical postal address," more clarity on what organizations should include will be available.

Email Must Provide a Clear Notice that it is an Advertisement
This may be the vaguest portion of the law in that no recommendation is made for the specific language that is to be used or how it is to be positioned in the email. However, when the FTC sets rules for the Act, they will specify what, if any, labeling is needed for commercial mail. Interestingly, Congress expressly prohibited the FTC from requiring the inclusion of specific indicators in the subject line; however, the FTC is free to suggest such inclusion in a report it is to issue regarding its recommendations.

Email Must Provide an Operative Return Address
To permit a recipient to opt-out, a valid return address or comparable other Internet-based communications technology must be provided for at least 30 days from the transmission of the message. The Act provides leniency for temporary outages.

Senders Must Avoid False, Deceptive, or Misleading Email Transmission Info or Subject Lines
Again, this requirement focuses on the deceptive practices often used by spammers to avoid filters and encourage recipients to open a message and respond to an offer or scam. Emails that contain an accurate identification of the message's initiator are not false or misleading.

Senders Must Label Sexually-Oriented Messages
120 days after the law takes effect, the FTC's labeling recommendation must be implemented for emails containing adult or sexual content. In the subject field, initiators of such emails will be required to include those marks or notices required by the Commission. Additional requirements and specific penalties are provided under the Act relating to violations involving sexually oriented material.

CAN-SPAM Potential Pitfalls: How Businesses Can Avoid Them
At first glance, the CAN-SPAM Act establishes fairly basic rules for an organization to follow. However, given that the FTC will create rules to implement this new law and will provide reports to Congress as directed in the Act, new details and interpretation flowing from court proceedings will surely follow.
Following the steps below is the first necessary action a company must take in order to avoid liability under the Act.

1) Develop and Enforce an Enterprise-wide Unsubscribe or Opt-Out Process
The Act's requirement seems fairly simple: "require such email senders to give recipients an opportunity to decline to receive future commercial email from them and to honor such requests." However, for a company to ensure that it is in perfect compliance with this requirement, it needs to ask itself these important questions:
- Is the company technically prepared to manage and maintain not just one, but potentially several suppression lists of email recipients who don't want to receive commercial email?
- Is there a way to control this across all departments within an enterprise?
- Does it have the technological capability and capacity to log and maintain a master list and several more specific suppression lists?
- Does it have the decision-making procedures and communications procedures in place to determine when a subscriber has opted-out of all versus only some future communications, and to inform a database administrator of which list or lists to add the subscriber?
- Can the company make those changes in ten (10) business days as required by the law?
- Is the company prepared to act faster than 10 days (given the FTC's upcoming review of this time frame)?
- Can database updates be communicated to all locations of the company's enterprise that use this data quickly enough to prevent another area of the company from contacting an unsubscribed user after 10 days have passed?

The "how" may become a challenge for many companies, especially those with several disparate data sources, decentralized marketing programs, several locations, or multiple divisions or processes. Now the stakes are higher, as failure to act upon a removal request may violate federal law.

To solve this problem, organizations need to make a concerted effort to not only implement the proper technology, but also to ensure that the philosophy of honoring the opt-out is adopted at all customer touch points from the CEO to the sales representative. A training program in which appropriate employees are educated on the potential risks associated with email should be considered if an organization's systems are not suited to centralized management of unsubscribe lists.

One option for managing email unsubscribes in a central location would be outsourcing email communications to a single provider. An Email Service Provider (ESP), such as ExactTarget, has the ability to manage data in a centralized and secure location, thus providing many advantages over managing the data across multiple divisions in your own organization. In addition to the fact that an ESP has experience in managing email and the complexities of email list removal, the centralization of the data provides your organization with an easy way to manage communications and the cleansing of consumer data. It also provides enterprise-level security of your email assets in a secure, log-in encrypted environment.

2) Enforce CAN-SPAM Compliance with Every Employee: It Takes Just One Bad Email
Individual employee emails present a substantial risk to companies without a central control point over their email communications. As the Act provides, organizations and their agents (employees, contractors) must honor the recipient's request to stop further mailings, and legal ramifications have the potential to result from one employee's decision to send an email.

Example: Widget Co. sends a commercial email and a recipient asks to be removed from future communications. Widget Co. honors the list removal request 10 business days later, and marks the recipient as unsubscribed for all future communications by adding them to their master suppression list. At this point Widget Co. has complied with the law. However, on day 12, a single sales employee at Widget sends an email to this specific customer asking if they would like to buy the latest widget 2004. One email exposes Widget Co. to liability under the Act. It just takes one.

Education and enforcement are critical to strict compliance with a company's email policies and the CAN-SPAM Act. All employees must be familiar with best practices and the legal ramifications so that the consequences are understood, and unsubscribe requests are honored throughout the company and at all customer touch points.

3) Clearly and Conspicuously Label Email as an Advertisement
Although no specific labeling is required under the law, all commercial email must be clearly identified as an advertisement or solicitation (the exception is for those marketers who use only opt-in lists; see step 4 for details).

While the Act leaves this requirement rather vague, the FTC recommends companies follow its DotCom Disclosures as the litmus test for determining appropriate email labeling. The FTC's DotCom Disclosures were initially developed to support consumer protection relating to online advertisements, while also loosely describing other related technologies. See http://www.ftc.gov/bcp/conline/pubs/buspubs/dotcom/index.html.

Essentially, the FTC's DotCom Disclosures recommends that advertisers consider whether a reasonable person would find the overall net impression of the email to be commercial. When developing an email promotion, marketers should think about the placement of the call to action or inducement to purchase, as well as prominence and repetition. The spirit of the Act is to hold companies that are using email in a deceptive manner accountable. With proper commercial branding, positioning, messaging, and prominence, the Act may well serve to legitimize the marketing of companies complying with the Act's provisions.

4) Develop a Strategy for Capturing Affirmative Consent
Though CAN-SPAM is essentially an opt-out law, it does provide advantages to organizations that send only to recipients who have opted-in to receiving email messages. Affirmative consent (also referred to as permission marketing, explicit opt-in, or direct consent in other circles) exists if a recipient has, per the Act, "expressly consented to receive the message, either in response to a clear and conspicuous request for such consent or at the recipient's own initiative." When affirmative consent is obtained, the commercial labeling requirement no longer applies.

Example: Company XYZ promotes their product through a promotion to consumers that have willingly provided their email addresses to receive such promotions. Per the Act, XYZ does not need to provide any advertisement labeling on their emails, which will provide a significant advantage promotionally unless the FTC recommends email labeling such as "ADV" that was mandated in many state laws. Such labeling would no doubt be an easy target for spam filters, preventing many of these messages from ever reaching the subscriber.

The new law might cause an organization to ask the following question regarding email address collection: When a consumer visits a website and provides her email as part of a request for information, does the Act require an email sent in response to the inquiry to include an opt-out, valid physical address and reply address?

The answer is that the Act defines a Commercial Electronic Mail Message as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service." If the email is a first communication and is truly in response to the consumer's inquiry, arguably the primary purpose is not to advertise or promote but rather to respond to an inquiry from the consumer. However, further email communications or emails that promote products or services beyond the scope of the inquiry might not be excluded from the definition.

Creating a method to capture affirmative consent, such as an opt-in check box on a web form, provides clarity on whether future emails to each subscriber are warranted. Though a physical postal address and unsubscribe mechanism would still be required, a company could avoid the commercial labeling requirement if affirmative consent is obtained. For more information on affirmative consent and permission based email marketing, see tip #2 from Section II, below.

5) If Email Relates to a Particular Business Segment
The Act provides, "if an entity operates through separate lines of business or divisions and holds itself out to the recipient throughout the message as that particular line of business or division rather than as the entity of which such line of business or division is a part, then the line of business or the division shall be treated as the sender of such message for purposes of this Act." Thus, if a particular business division sends an email that is consistent in its indication that it is an advertisement from that division, the parent organization will not run afoul of the Act if the recipient opts out based on that email transmission.

Organizations should implement procedures and educate their divisions, business units, and other affiliates to clearly indicate who is the sender. It will also be important for organizations to specifically identify the division from which the subscriber is opting out. If the possibility exists that a commercial email transmission might be mistakenly understood as being sent by the parent organization, care should be taken to clearly identify the particular line of business or the division as the sender. The most conservative approach would be to eliminate the recipient from all of the lists of the related companies, a strategy that may be acceptable to some organizations.

6) Avoid Misleading Email Subject Lines
Years ago, it was possible to achieve a significant increase in response rate by using promotional language and teasers in a subject line that tricked the user into opening the email.

Example: An anti-virus software company might send an email with the subject line: "Your computer may be infected." Believe it or not, such a subject line was at one time considered a brilliant marketing tactic. Now, however, subject lines such as this will most likely be targeted by email filters and may run afoul of the Act.

A company needs to educate its employees and develop an internal communication process to ensure that its marketers are aware of these restrictions to their creative license. Companies should develop a review process to ensure that subject line restrictions are followed. Marketers should adopt the standpoint of the reasonable recipient to determine if a subject line is misleading or could be misinterpreted.

7) Refrain from Harvesting Email Addresses & Dictionary Attacks
Email harvesting typically refers to the automated harvesting of addresses from web sites. This tactic is often used by spammers who employ software developed specifically for this purpose. Dictionary attacks refer to a spammer's tactics of guessing at email addresses by using an algorithm or dictionary type feature to search for addresses. A dictionary attack might produce an email string similar to (ajohnson@hotmail.com, bjohnson@hotmail.com, cjohnson@hotmail.com, etc.).

The law generally provides for damages of $250 per violation up to $2 million dollars (or more for violations involving false or misleading transmission information), but these damages could be trebled for willful violations or violations where email harvesting or dictionary attack processes were used. For causes of action initiated by ISPs, these damage caps are somewhat reduced.

8) Move Wireless Communications to Opt-in The federal law mandates that the Federal Communications Commission (FCC) develop requirements for promotions to wireless devices and cell phones. The Act also encourages the FCC to adopt opt-in or affirmative consent as the standard for wireless communications, and the FCC has hinted that they may follow this encouragement. Due to the amount of consumer backlash already directed toward the small amount of wireless marketing that exists today, pursuing an opt-in system appears to be a sound, forward-looking strategy. 9) Consider Preparation for a "Do Not Email Registry" Although the FTC is not required to implement such a list, it is directed to provide a report on the implementation of such a list. The commission is already authorized under the Act to implement whatever plan it submits to the Congressional Committees, but it cannot implement the plan before nine (9) months from the enactment of the Act. Given the trends toward restriction of advertising communications, positioning your organization to be prepared to act if such a registry is implemented may prove a prudent step. Section II: Setting the Bar Higher - Permission and Deliverability One of the major concerns that opponents of the CAN-SPAM Act have is that they do not believe that the Act will reduce spam. They argue that by allowing the sending of unsolicited commercial email as long as an opt-out and physical addresses are present, the government is legalizing spam. However, the anti-spam community and ISP s have long been against anything but email marketing where affirmative consent exists. Yahoo, for example, reportedly filters over three billion spam messages every day (source: ISP CON), and the statistics are very similar at other ISP s. Spam prevention is not a game, but rather an economic challenge for ISP s and a worthy cause for millions of subscribers whose inboxes are now flooded with fraudulent emails, bogus health claims, and pornography. 
CAN-SPAM is somewhat sympathetic to the plight of ISPs. The Act provides that it shall have "no effect on policies of Internet access service." Thus, the Act leaves unaffected those more stringent requirements of ISPs (unlike the more stringent laws of certain states) by indicating that such policies are not to be preempted. The best way for an organization to understand the potential risks is for it to first understand the email-receiving environment today and its three major players: ISPs, email filtering companies, and anti-spam blacklist organizations. Following are recommended actions to take to improve email deliverability through compliance with the standards set by ISPs and the rest of the email-receiving world.

1) Play by the Rules of ISPs and Filtering Companies

The job of ISPs has changed from merely putting connections in place for customers to fighting the daily deluge of unwanted email. Inboxes are more crowded than ever, and ISPs are blocking nearly 90% of mail because they believe it to be spam. Much of this email comes from companies who are unaware of how ISPs' spam filtering logic works, and as a result, they encounter filtering of their legitimate business email. Such a problem is known as a filtering false positive.

Most ISPs have implemented a number of different methods to weed out spam. Many combine content filtering mechanisms, which scan email subject lines and body content to determine which emails are spam, with other types of filters that check the number of complaints received for each specific marketer or look at the number of undeliverable emails generated by a specific mailing. Basically, ISPs and others filtering email take note of all actions of spammers (sending high quantities of promotions, sending to dirty lists, generating complaints from their users, etc.), then develop mechanisms to detect emails that look like spam and block them. Though ISP filters are built on averages and are therefore imperfect, this is the reality of sending commercial email in today's environment. False positives sometimes occur with emails from legitimate marketers due to the commercial content of such emails. However, false positives are most prevalent with email that is "unwanted" in the first place. Organizations should not underestimate the power that ISPs, and other organizations using spam filtering, have over the delivery of their email messages and their resulting economic success.

2) Reduce Spam Blocking with Permission-based Email Marketing

Developing a sound plan to move towards permission-based email marketing is extremely important to the success of any company's email marketing efforts, as it provides significant deliverability and economic benefits. What is permission email marketing? It is also known as opt-in email marketing and entails sending email to only those recipients who have agreed to hear from a specific company. Organizations should strive to use standards set forth by emarketing pioneer Seth Godin, author of Permission Marketing, who says that all marketing messages must be anticipated, personal and relevant.
By opting in to a company's email communications, a subscriber has given permission to receive this type of message, and it is up to a company to deliver on that promise. Developing a permission-based email list is not difficult, but it takes time. However, an organization focused on it can quickly grow its list by capturing a customer's permission at each touch point. An email address and permission to send mail can be captured at the point-of-sale on a sign-up form, keyed into a kiosk, or captured on a website or over the phone. The most important ingredient for an opt-in is that it be the subscriber's choice to opt in and receive email.

Again, permission is important due to the ISPs and other receiving systems that look at a company's mail before delivering it. When permission is in place, subscribers are much less likely to complain that a message is spam, and the message is therefore less likely to be filtered to the junk folder or discarded. Email addresses gathered without the subscriber's knowledge or specific approval, however, will never qualify as permission names and will generate higher levels of complaints that could jeopardize the deliverability of future emails.

Enterprises must also be wary of the ways in which their employees gather email addresses. In addition to harvesting email addresses and dictionary attacks, there are low-tech ways in which a single employee might unwittingly gather email addresses in an unsolicited fashion.

Example: Joe, an employee of XYZ Company, attends a networking function. During the function, he collects business cards from several prospective clients. Although Joe has not asked each of these prospects for permission to send them email communications, he returns to work the following day and adds them to his company's subscriber list.
The best practice in this situation would be for Joe to either follow up with a friendly phone call to gain each user's consent and add his/her name to XYZ's mailing list, or capture written consent at the networking function. Likewise, Joe could send an email to each prospective client to express his pleasure in meeting the prospect and to request permission to send information in a future communication. Not following best practices and failing to obtain permission could lead to ISPs or blocklists taking measures to block future emails from XYZ Company.

3) Move to Double Opt-in to Reduce Threat of Public Blocklists

When public blocklists block email, it can have a substantial impact on email deliverability by blocking 5-10% or more of an organization's email. It is important to note that an email blocked from one employee's email address may put the entire enterprise at risk of blocking. ISPs subscribing to block lists typically screen out all mail from IP addresses listed on the list. Organizations that find the IP address of their own mail server on a list will often find that the block list requires the organization to prove it uses permission-marketing practices before it will be approved for removal from the block list.

Permission may be qualified into three categories: single, confirmed, and double opt-in. Single opt-in is simply capturing approval from a subscriber to send them email. Confirmed opt-in merely confirms the opt-in by sending an automated follow-up email to the subscriber to confirm their subscription. Double opt-in, however, carries this follow-up email a bit further. A double opt-in occurs when the subscriber is required to respond to the confirmation email, or click on a link, to confirm their subscription before they are actually added to a list.

The benefits to an organization of using double opt-in in its name capture practices are threefold. First, by avoiding adding the address to a list initially, the organization prevents adding misspelled or fraudulent email addresses to its list. Mailing to bogus addresses raises the number of undeliverable emails and increases the likelihood of filtering, and it also can result in mailing to spamtrap addresses that are put in place by ISPs and email filtering companies to trap unwary companies. Second, double opt-in email addresses provide assurance, as well as an electronic record, that affirmative consent is in place should proof be necessary either to validate sending practices to an ISP or to defend against potential litigation. And finally, double opt-in subscribers are much less likely to complain or misidentify an email as spam. Maintaining a low complaint rate is the key to preventing ISP blocking and filtering.

4) Maximize Delivery with Reminders of Opt-in

Since subscriber complaints are a large component of the logic used by many filtering mechanisms, subscriber recognition of an organization and a recollection of their opt-in determine the likelihood that a recipient will complain about an email. Subscribers receiving mail that is expected, branded, and easy to recognize are unlikely to mistake a message for spam, which in turn reduces the potential for filtering.

Organizations can ensure their subscribers recognize them in a number of ways, perhaps the most important of which occurs at the time an email address is captured. Best practice to improve recognition at the time of web site name capture, for example, would be for an organization to list the type of email to be sent, the name of the publication, how often it will come and who it will be from. This better sets the expectation with subscribers as to exactly what they will be receiving, again reducing the chance of complaints and filtering.

Another step many organizations are taking to improve recognition and add credibility to their mailings is adding a short text reminder at the top of each email. An ideal message would be something such as:

You are receiving this mailing because you opted-in to receiving emails from xyzco.com. For best viewing of future emails, please add abc@xyzco.com as a "Safe Sender" or to your address book.

Providing text that asks each subscriber to add the sender to his or her address book will help organizations continue to deliver to the inbox, rather than having their messages routed to the bulk or junk folders. Major ISPs such as AOL, Yahoo! and MSN/Hotmail, in addition to Microsoft Outlook 2003 software, now include junk folders, but allow email sent from those in a subscriber's address book to pass through their spam filters. Making the appeal to the user to be added to their address book further establishes recognition and reduces the chance of future filtering.

5) Maintain a Consistent From Address and Subject Line Recognition

It is important for organizations to maintain a consistent "from" name in their emails for a number of reasons. First, it is an important element of recognition, and studies prove that a majority of email users first look at the "from" name when determining whether or not they open a message. Organizations that use a consistent "from" name also benefit from a relationship standpoint, because their subscribers grow accustomed to receiving emails from a particular address and begin to anticipate these messages. Second, maintaining a consistent "from" name will allow an organization to leverage the benefits of being in a subscriber's address book (as discussed in step 4 above).

A final step organizations can take to ensure their subscribers recognize their emails is to include the name of their organization in the email subject line. The CAN-SPAM Act already requires that the subject line of a commercial email not be misleading or fraudulent. Adding the company name to the subject line not only adds credibility, but also increases recognition and reduces the potential for subscriber complaints and subsequent filtering.

Summary

With the passage of the Federal CAN-SPAM Act, marketers need to be aware of both the practical and legal aspects of sending commercial email. The requirements of the Act will have significant impact on unwary organizations or those that fail to adjust internal procedures appropriately. However, organizations that take the proper steps to overcome challenges and risks will certainly reap the rewards that email has to provide.
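The double opt-in flow from step 3, as an added example (not part of the original whitepaper or any vendor's product): an address stays in a pending store until the subscriber returns an HMAC-signed, expiring token from the confirmation email, and only then is a consent record written. The key, the 48-hour expiry, the in-memory stores and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: loaded from a secrets store in practice
TOKEN_TTL = 48 * 3600             # assumption: confirmation links expire after 48 hours

pending = {}      # address -> capture details; never mailed to except the confirmation
subscribers = {}  # address -> consent record; the only list campaigns may use


def _sign(email, issued_at):
    # Bind the token to one address and one issue time.
    msg = f"{email}|{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def request_subscription(email, source, now=None):
    """Step 1: capture the address; return the token to embed in the confirmation link."""
    email = email.strip().lower()
    issued_at = int(now if now is not None else time.time())
    pending[email] = {"source": source, "requested_at": issued_at}
    return f"{issued_at}.{_sign(email, issued_at)}"


def confirm_subscription(email, token, client_ip, now=None):
    """Step 2: the subscriber clicked the link; verify the token, then record consent."""
    email = email.strip().lower()
    now = int(now if now is not None else time.time())
    try:
        issued_str, sig = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False  # malformed token
    if email not in pending or now - issued_at > TOKEN_TTL:
        return False  # never requested, already confirmed, or link expired
    if not hmac.compare_digest(sig.encode(), _sign(email, issued_at).encode()):
        return False  # forged or altered token
    record = pending.pop(email)  # single use: a replayed link finds nothing pending
    record.update(confirmed_at=now, confirmed_ip=client_ip)
    subscribers[email] = record  # electronic record of affirmative consent
    return True
```

Because mistyped or third-party-supplied addresses never leave `pending`, they generate at most one confirmation message and never reach a campaign list.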

About ExactTarget

ExactTarget provides powerful web-based software that enables organizations of all sizes to create, deliver, and track permission-based emails without technical assistance. ExactTarget's patent-pending solutions include point-and-click tools for quickly designing graphically rich HTML emails, customizing content to match the audience, and segmenting mailing lists to reach highly targeted groups of recipients. The privately held company is based in Indianapolis and has more than 1,500 customers around the world.

Note: ExactTarget holds monthly webinars on topics of email compliance, optimization and deliverability. Sessions are free of charge. Contact info@exacttarget.com, call 317-423-3928 or visit www.exacttarget.com for registration information.

About Ice Miller

Ice Miller is the largest law firm in Indianapolis with a nationally recognized reputation in many of its practice areas. With additional offices in Chicago and Washington D.C., the Firm has over 225 lawyers, 40 paraprofessionals and 250 support staff members. Ice Miller offers a broad array of capabilities in virtually all areas of the legal practice, including business, intellectual property, employment and labor law, litigation, public finance and real estate. We are dedicated to providing responsive personal service to our clients and to providing them with quality legal and business advice that effectively and creatively addresses their needs.