The CAN-SPAM Act of 2003
(Public Law No. 108-187, formerly S.877 of the 108th Congress), signed
into law by President Bush on December 16, 2003, establishes the
United States' first national standards for the sending of
commercial e-mail and requires the Federal Trade Commission (FTC) to
enforce its provisions. The bill's full name is an acronym: Controlling
the Assault of Non-Solicited Pornography
and Marketing Act of 2003. Critics of the law's
perceived weaknesses sometimes refer to it as "You CAN SPAM."
The Act also requires the FTC to
promulgate rules to shield consumers from unwanted mobile service
commercial messages.

CAN-SPAM defines spam as "any
electronic mail message the primary purpose of which is the
commercial advertisement or promotion of a commercial product or
service (including content on an Internet website operated for a
commercial purpose)." It exempts "transactional or
relationship messages." The FTC has yet to clarify what
"primary purpose" means; it has already delayed
rule-making for this terminology. Previous state laws had used bulk
(a number threshold), content (commercial), or unsolicited to define
spam.

The bill permits e-mail marketers to
send unsolicited commercial e-mail as long as it contains all of the
following:
- an opt-out mechanism;
- a valid subject line and header
(routing) information;
- the legitimate physical address of
the mailer; and
- a label if the content is adult.

If a user opts out, a sender has ten
days to remove the address. The legislation also prohibits the sale
or other transfer of an e-mail address after an opt-out request. Use
of automated means to register for multiple e-mail accounts from
which to send spam compounds other violations. The Act prohibits sending
sexually-oriented spam without the label, later determined by the FTC
to be SEXUALLY-EXPLICIT. This label replaced the similar state labeling
requirements of ADV:ADLT or ADLT. Labeling regulations for general
spam will be commented on by the FTC this summer.

CAN-SPAM pre-empts existing state
anti-spam laws that do not deal with fraud. It makes it a
misdemeanor to send spam with falsified header information. A host
of other common spamming practices can make a CAN-SPAM violation an
"aggravated offense," including harvesting, dictionary
attacks, Internet protocol spoofing, hijacking computers through
Trojan horses or worms, or using open mail relays for the purpose of
sending spam.

CAN-SPAM allows the FTC to implement
a national do-not-email list similar to the FTC's popular do-not-call
registry, or to report back to Congress why the creation of such
a list is not currently feasible. The FTC soundly rejected this
proposal, and such a list will not be implemented. The FTC concluded
that the lack of authentication of email would undermine the list,
and it could raise security concerns.

The legislation does not allow e-mail
recipients to sue spammers or bring class-action lawsuits, but allows
enforcement by the FTC, State Attorneys General, Internet service
providers, and other federal agencies for special categories of
spammers (such as banks). An individual could still sue as an ISP if
(s)he ran a mail server, but this would likely be cost-prohibitive.
Individuals can also sue using state laws about fraud, such as
Virginia's, which gives standing based on actual damages, in effect
limiting enforcement to ISPs.