The second law in our series is the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, thankfully abbreviated as "CAN-SPAM."
Statute | Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 ("CAN-SPAM") |
Reference | 15 U.S.C. Chapter 103 |
Year Passed | 2003 |
Covered Entity | Senders of commercial e-mails |
Regulated Activity | Sending e-mails which have a primary purpose that is commercial or transactional in nature |
Private Right of Action | None |
Enforcement Agency | Federal Trade Commission and other federal agencies; States' attorneys general in some cases |
Preemption | Yes |
Remedies | $16,000 per violation |
A. Background. The CAN-SPAM Act is a U.S. federal law intended to stem the tide of unwanted or sexually explicit e-mail communications. The law has been criticized on many fronts as it fails to prohibit many types of e-mail spam and even preempts some state laws that provide better protections. One criticism of the Act is that it does not require e-mailers to get permission before they send marketing messages. It also prohibits individual recipients of non-compliant messages from suing spammers except under laws not specific to e-mail.
B. Who is covered? CAN-SPAM regulates senders of "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service." So, covered entities include any business or individual who sends e-mail for the purposes of developing a business interest with the recipient. Liability can apply not only to the sender, but also for the owner of any product or service being promoted in the message sent.
C. What personally identifiable information is covered? CAN-SPAM's purpose is more to protect against nuisance and dissemination of potentially offensive content, as well as deter the possibility of fraud and other crimes being committed through the use of bulk e-mail. PII under the Act is not explicitly defined, so one is left to deduce the usual direct and indirect identifiers are involved, such as name, e-mail address, and other data elements that can identify one recipient of a commercial message.
D. What you can and can't do.
1. Be honest and transparent. Don't be false or misleading. Use an accurate and verifiable e-mail address and include your physical mailing address in the text of your message. Do not use deceptive subject lines, including telling the recipient in the subject line that the message is an advertisement or has a commercial purpose. If your content is sexually explicit in nature, you must provide notice of such content in the subject line.
2. Provide and honor opt-out requests. Make sure to include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. This is extremely important when communicating with recipients with whom you do not already have a business relationship. Make sure your message is easy to read and the opt-out options are easy to identify. Whether you use a service, or do it yourself, make sure you keep up and administer your recipients' opt-out requests in a timely manner. You should make the option available for at least 30 days after receipt of any message and process opt-out requests within 10 days.
3. Monitor your Third Parties. Like so many data governance practices, you must keep up with what any contracted third parties are doing for you. So, just like you need to pass along privacy and security obligations to any subcontractors handling information on your behalf, you also need to monitor third party opt-out management and review for CAN-SPAM compliance.
E. What happens if you don't comply. The FTC can fine your company as much as $16,000 per e-mail violation. And, if applicable, the violation can be attributed to both the owner of the product being marketed and the sender of the non-compliant email promoting said product. The CAN-SPAM Act also provides for criminal penalties, including prison, for sending spam without permission from a computer, using false information to register multiple email accounts or domains, or otherwise using computer networks or systems without authorization for the purposes of facilitating fraud or violations of the Act.
F. Risks and Recommendations
1. Are you a regulated entity? So you might be thinking, "Well, if I want to avoid compliance I will just not mark my e-mails as advertisements or commercial messages." I wouldn't recommend that (see D.1. above). Furthermore, whether you mark messages appropriately is not the only factor for determining compliance or whether "primary purpose" of your message is commercial or transactional and therefore subject to the law. Per the FTC's guidance, a regulator is going to look at the commercial content in your message, the transactional or relationship content of your message, and any other content in your message to determine if your message was sent for a commercial purpose and therefore is subject to CAN-SPAM.
2. Honor the Opt Out. In my opinion, the most important thing you can do for compliance is provide recipients an opt-out mechanism that is easy to identify and use. Once they make a choice, honor that choice. Period. Nothing is more frustrating and likely to bring negative attention to your business than not allowing people a way out of getting your messages, or making it overly complicated or deceptive. People complain when they do not feel valued or heard. A sure-fire way to generate a complaint, possibly to a regulator, is to get tricky with opt-out language or flat out not respect recipient or customer choices.
3. Should you send it? As I often state with data governance, and I have written before about e-mail marketing, your only consideration should not be IF you can do it under the law, but SHOULD you do it? Good business practice demands that you consider both the legal and the best practices within your industry.