Once upon a time, the word "spam" conjured up notions of processed meat in a can. Of course, with the advent of the Internet, spam has taken on a completely different meaning - namely, unsolicited commercial email. Whereas improper email messages that inundate recipients are annoying, there obviously is a place for businesses to use the Internet for commercial, and yes, marketing purposes, especially as the world moves more and more online. Still, it is critical that business get it right when it comes to commercial email. If they do not, they risk civil, and even criminal, legal repercussions. Below, a high-level view of federal, state and European law relating to commercial email is provided.
The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act), which became effective on January 1, 2004, regulates and criminalizes a variety of practices relating to unsolicited commercial electronic email messages while at the same time permitting bulk commercial email subject to opt-out and other specified requirements. It is important to note that while the Act does regulate bulk email, it does not prohibit its transmission. Moreover, non-commercial email is not subject to the Act, and transactional or relationship messages generally are not subject to the Act (apart from the prohibition against materially false or materially misleading header information).
A transactional or relationship message is defined as having the primary purpose of: a) facilitating, completing, or confirming a commercial transaction that the recipient has previously agreed to enter into with the sender; b) providing warranty information, product recall information, or safety or security information regarding a commercial product or service used or purchased by the recipient; c) providing notification concerning a change in terms of features, notification of a change in the recipient's standing or status, or at regular periodic intervals account balance information or other type of account statement relating to a subscription, membership, account, loan or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of products or services offered by the sender; d) providing information directly relating to an employment relationship or related benefit plan in which the recipient currently is involved; or e) the delivery of goods or services, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender.
Commercial electronic email messages that are subject to the CAN-SPAM Act must comply with the prohibition against false or misleading subject header information, must be identified as advertisements, must include a valid physical postal address for the sender, and must provide a conspicuous notice of a recipient's opportunity to decline to receive further commercial messages from the sender, which must include a means to allow recipients to do so that must remain valid for at least 30 days after a message is sent. Furthermore, opt-out requests must be honored within 10 business days. However, affirmative consent may be obtained to resume the sending of emails to recipients who previously opted out.
On top of all of this, the CAN-SPAM Act, as far as commercial electronic email messages, prohibits address harvesting and dictionary attacks, the automated creation of multiple email accounts, and relay and transmission without authorized access, which constitute aggravated violations of the statute.
The majority of CAN-SPAM Act prohibitions apply to persons who initiate commercial electronic email messages, but this is broadly defined to include advertisers and third-party companies retained to send commercial email on behalf of their clients.
Violations of some of the provisions of the CAN-SPAM Act can lead to fines and imprisonment of up to 5 years. The Act generally is enforced by way of Federal Trade Commission (FTC) regulatory actions and litigation in federal court by the FTC, state attorneys general or other government officials.
The CAN-SPAM Act preempts any state statute, regulation or rule that expressly regulates the use of email to transmit commercial messages, except to the extent a state law seeks to prohibit falsity or deception in any portion of such a message. Accordingly, the Act does not preempt state laws addressing fraud, computer crime, or even tort, trespass and contract issues. It also does not preempt other federal statutes such as the Computer Fraud and Abuse Act, the Lanham Act or other federal laws that may create private causes of action.
As mentioned, notwithstanding CAN-SPAM Act preemption, state laws are still viable to the extent they regulate false and deceptive commercial email, and even non-commercial and commercial email when dealing with computer crime, fraud, tort, trespass or contract issues. Indeed, various states, including California, have adopted general computer crime statutes, and others have enacted specific computer trespass laws.
These laws differ to some extent, one from the other, but generally have targeted practices such as false header or subject line information, the use of a person's domain name to transmit messages without consent, and other such fraudulent practices. Some state laws authorize private causes of action and the possible recovery of statutory damages and attorney's fees. The laws of some states, including California, afford the potential for criminal prosecution in defined circumstances.
Practically speaking, a business that sends unsolicited commercial email to recipients in the United States really must try to comply with all state laws that are not preempted by the CAN-SPAM Act because it is possible that recipients reside in any of the states. It is beyond the current scope of this piece to summarize the laws of all states that have enacted potentially applicable laws.
In July 2002, the European Union (EU) Directive relating to the processing of personal data and the protection of privacy in electronic communications was adopted. The EU Directive provides a more restrictive approach when compared to the regulation of unsolicited commercial email communications in the United States. While the CAN-SPAM requires that recipients be given the right to opt-out of receiving unsolicited commercial email, the EU generally mandates that recipients must opt-in in advance of being sent unsolicited marketing email communications.
Indeed, the Directive specifically provides that the use of "automated calling systems without human intervention (automated calling machines), facsimile machines (fax) or electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent."
There is an exception, however, for existing customers, who may be sent unsolicited direct marketing communications so long as they are provided the right to opt-out. Thus, electronic contact details previously provided by customers may be used for marketing of similar products or services as long as the customers are distinctly and clearly afforded the ability to object in an easy and free manner to this use of electronic contact details when collected and each time a message is sent.
In addition to the foregoing, the Directive requires member European States to ensure via their own national legislation that unsolicited direct marketing communications are not permitted to be sent without recipient consent or to subscribers who do not wish to receive them. Member States also are directed to ensure that the legitimate interests of subscribers other than natural persons are protected. Thus, the laws of the different European States need to be consulted under certain circumstances. It also is beyond the scope of this piece to summarize the laws of the European States.
Not surprisingly, the EU Directive also prohibits, with respect to direct marketing email, the disguising or concealment of the identity of the sender as well as the failure to provide a valid address to which the recipient may send a request that communications stop.
Finally, it is worth noting that similar to the European Union, various countries across the globe have enacted opt-in requirements relating to unsolicited commercial email.
There are many legal landmines when it comes to commercial email. Businesses would be smart to consult with skilled counsel in this area before embarking on commercial email campaigns.
Eric Sinrod is a partner in the San Francisco office of Duane Morris. His focus includes information technology and intellectual property disputes. To receive his weekly columns, send an e-mail to with the word "Subscribe" in the subject line.
Disclaimer: This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.
Reprinted with permission of Findlaw.com