Correction: “Congress Has Come to Control Spam, Not Bury It” misstates the private right of action conferred by the federal CAN-SPAM Act. The law states that Internet service providers may bring suits against spammers, not that people who receive spam may sue ISPs. (See the related Letter to the Editor, “Description of Anti-Spam Law Starts Wrong, Never Recovers,” in the March 8 issue.)

The CAN-SPAM Act — Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 — took effect Jan. 1, 2004, and has important implications for anyone sending unsolicited e-mails, commonly known as spam. Contrary to public opinion, the act does not make spam unlawful; it attempts to regulate it.

The CAN-SPAM Act has three provisions to which spammers must adhere. The first is labeling. Unsolicited e-mails must be clearly identified as solicitations or advertisements for products and services. The second is offering an opt-out option. Senders must provide easily accessible, legitimate means for recipients to opt out of receiving future messages. The third is the revelation of the sender’s addresses. Unsolicited e-mails must contain legitimate return e-mail addresses, as well as the sender’s postal address. (It should be noted that the CAN-SPAM Act offers some exclusion from these three requirements.)

For recipients who have previously consented to receipt of unsolicited commercial e-mail, the act has two additional requirements. First, spammers must use honest subject lines. Use of misleading or bogus subject lines to trick readers into opening messages is forbidden. Second, spammers must comply with the “Do Not E-Mail Registry.” The CAN-SPAM Act indicates that within six months, a proposed plan will be submitted by the Federal Trade Commission to Congress for a “Do Not E-Mail” list.

More than 30 states have anti-spam laws. The CAN-SPAM Act is intended to supersede state or local anti-spam laws, with certain exceptions for state laws related to deceptive trade practices or computer crime. In addition, some of the current state anti-spam laws that the act intends to pre-empt go further than the act, either in terms of regulation or in giving causes of action to individuals. The scope of the act’s pre-emption is thus not clearly defined at this time. States have enacted both civil and criminal anti-spam laws. Most states’ criminal anti-spam laws will not be pre-empted.

The enforcement of the act is vested primarily in the FTC and in state attorneys general. There is a private right of action, but it’s limited to Internet service providers. Thus, people who receive spam may sue Internet service providers.

The penalties associated with the CAN-SPAM Act are significant. Certain fraudulent acts and repeat offenses include the possibility of three to five years’ imprisonment. Otherwise, violators are subject to actual damages, statutory damages, or fines of $250 per violation, with each unlawful message to a recipient being a separate violation. Statutory damages can go as high as $2 million.

Spammers who comply with the act may lawfully send “legitimate” spam, which will have more-candid headers and subject lines. Under the act, spam must be identified, although no uniform label, like the ADV that some state laws demand, is required. (An ADV label identifies an e-mail as advertising in the e-mail header, which would allow users to employ filtering software to block the message.) And bulk e-mail must have a truthful header (address) and subject line. Yet losing the ADV label will make it more difficult for anti-spam software to filter spam. Nevertheless, the FTC in due course will require specific e-mail labeling, most likely starting with sexually explicit e-mail.

Most significantly, the CAN-SPAM law will affect the implementation of California’s new anti-spam law, which went into effect Jan. 1, 2004. The California law is an example of a state anti-spam law that is more restrictive than the new federal law. It bans even truthful spam, as long as it was unsolicited (unless it was from a business with which the customer had an existing relationship). The California law makes spammers, and advertisers who employ them, liable.

The Internet is not regulated or controlled by a central authority, thus spammers cannot completely control who gets their mail, nor can they completely control the receipt of opt-out requests. Thus, the FTC and the courts will have to determine what constitutes acceptable compliance with respect to the CAN-SPAM Act, since complete compliance is not technically possible. It’s likely that a spammer who uses an honest address, plus a few other things, such as providing an opt-out feature and giving their physical address, will be found to be in substantial compliance despite engaging in activity that will inevitably result in numerous instances of individuals receiving spam involuntarily.

The act will likely be used in conjunction with existing state computer and computer data protection laws. Currently, Internet service providers use their terms of use agreements and service agreements to stop spammers. The CAN-SPAM Act will likely be used in combination with those agreements to make it easier for Internet service providers to block spam. The act has a provision for ISPs to sue spammers.

The act penalizes companies whose products or services are knowingly promoted by spam. This provision will likely first be used against providers of penis enlargement and miracle weight loss products.

WHAT TO DO

A company that intends to send unsolicited e-mails should consider these actions:

First, establish a company policy against employees sending unapproved, unsolicited commercial e-mail to others. This policy should be part of the employee manual.

Second, review all e-mail marketing campaigns. In particular, such campaigns should employ only e-mail lists of recipients who have consented to receive such mailings.

Third, consider reviewing client consent forms. Such reviews should ensure that consent requires an “affirmative action.” The use of prefilled forms may not be acceptable. Also, such reviews should confirm that it is clear to customers of the client’s business what they are going to receive if they consent to receipt of such e-mails. Without such action, an e-mail recipient might argue that the firm failed to give full disclosure.

Fourth, the company must keep records of customers’ consent or of pre-existing business relationships with customers. Such relationships allow sending spam to customers.

IMPLEMENTATION DIFFICULTIES

The CAN-SPAM legislation may be ineffective for several reasons.

First, to a large extent, the spam received in the United States comes from outside the country. Bringing international spammers to justice requires cooperation from authorities outside of the United States, which requires additional effort not envisioned by the law. International measures may be necessary to truly eradicate fraudulent spam. Thus, the United States may have to negotiate and execute a substantial number of anti-spam bilateral treaties to require international spammers to adopt the CAN-SPAM standards.

Second, the CAN-SPAM Act may inspire some U.S.-based spammers to move their operations offshore. It should be noted that U.S.-based spammers must move more than merely their operation centers and servers to avoid the jurisdiction of the United States. The courts need look no further than their treatment of offshore Internet gambling to find a basis for jurisdiction of U.S. entities that send spam into the United States from outside the United States.

Third, the FTC, which is charged with enforcing the act against spammers within the United States, will not have the resources to enforce the law against all spammers. It is one thing to sue a large spammer or make an example of an individual spammer, but it is quite another matter to sue all those who do not comply with the law. In short, the FTC is not likely to be inclined to sue all individuals or small businesses who engage in spamming.

Fourth, the Constitution may limit the implementation of the law. In particular, the Do Not E-Mail Registry may be found to violate the First Amendment. There’s no First Amendment problem with fraudulent commercial speech; the courts have not supported unlimited restrictions concerning commercial speech. The telephone Do Not Call Registry has been subject to a similar legal challenge. Currently, its status is still unresolved. Thus, the destiny of an analogous spam registry is similarly an open question.

DUAL APPROACH

In light of the aforementioned potential difficulties, both technological and legal methods must be considered. Among the technological solutions to be considered in conjunction with the act are those that filter out spam and help authorities implement the law.

One way is to change the setting on a company’s e-mail server. In particular, a company should implement a setting that checks whether the origin of incoming e-mail has been faked. Should such “spoofing” be discovered, the server should not deliver the e-mail, but, instead, record it for use by authorities implementing CAN-SPAM.

Additionally, companies should implement a “challenge/response” system. These systems allow users to send direct messages only to people who have the sender’s e-mail address in their address books. In the event a “challenge/response” system encounters an unexpected address, the system sends back a puzzle/question to which only a human — not an automated spam program — can respond with a solution. Give the correct response, and the e-mail goes through. Such systems should record “fails” for use by authorities.

Jonathan Bick is of counsel to WolfBlock Brach Eichler of Roseland, N.J., and an adjunct professor of Internet law at Pace Law School and Rutgers Law School. He is also author of 101 Things You Need To Know About Internet Law (Random House, 2000). This article first appeared in the American Lawyer Media newspaper New Jersey Law Journal, which is published in Newark.
