Is harvesting illegal under CAN SPAM

This issue comes up repeatedly, as many people have read the CAN SPAM act and believe that CAN SPAM specifically prohibits sending mail to harvested address. This is not how I read the law.
The FTC publishes a CAN SPAM Compliance Guide for Businesses that only mentions harvesting in the context of criminal penalties for violations. They list the following 7 main requirements of CAN SPAM.

  1. Don’t use false or misleading header information.
  2. Don’t use deceptive subject lines.
  3. Identify the message as an ad.
  4. Tell recipients where you’re located.
  5. Tell recipients how to opt out of receiving future email from you.
  6. Honor opt-out requests promptly.
  7. Monitor what others are doing on your behalf.

No mention of “don’t send to harvested addresses there.”
The clause people always point to, when they’re arguing that address harvesting is illegal is subsection (b) Aggravated violations relating to commercial electronic mail

(1) Address harvesting and dictionary attacks
(A) In general
It is unlawful for any person to initiate the transmission, to a protected computer, of a commercial electronic mail message that is unlawful under subsection (a), or to assist in the origination of such message through the provision or selection of addresses to which the message will be transmitted, if such person had actual knowledge, or knowledge fairly implied on the basis of objective circumstances, that—
(i) the electronic mail address of the recipient was obtained using an automated means from an Internet website or proprietary online service operated by another person, and such website or online service included, at the time the address was obtained, a notice stating that the operator of such website or online service will not give, sell, or otherwise transfer addresses maintained by such website or online service to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages; or
(ii) the electronic mail address of the recipient was obtained using an automated means that generates possible electronic mail addresses by combining names, letters, or numbers into numerous permutations.

To me, it’s very clear this says that it is unlawful to transmit a message to a harvested address if that message is unlawful under subsection (a). If mailing to a harvested message itself were unlawful, then I would expect the section to say it is unlawful to transmit a message to a harvested address.
I’m not a lawyer, this is not legal advice, talk to your own advisor before believing anything anyone writes on the internet. I have talked to lawyers about this, though, and they’re the ones that convinced me that the act does not prohibit harvested addresses.

Related Posts

Does CAN SPAM require multiple opt-outs on emails?

Today’s Wednesday question comes from M. B.

My company sometimes sends mail to our list on behalf of 3rd parties. A recent 3rd party told us that CAN SPAM requires the email contain their opt-out link as well as ours. Is this correct?”

Read More

Does CAN SPAM apply to individual prospecting emails

Two different people on two different mailing lists asked very similar questions recently. Are people who send individual prospecting emails required to comply with CAN SPAM.
My opinion (not a lawyer, don’t play one on TV, didn’t stay at a Holiday Inn last night) is that CAN SPAM does not mention anything about volume, and any individual unsolicited email that has a “primary purpose” of advertising is required to include a physical postal address and a way to unsubscribe.
My other take on it is for individual prospecting emails failing to comply with CAN SPAM is like speeding. It’s illegal, and you can get in legal trouble by doing it, but everyone does it and few people get caught.

Read More

Logging in to unsubscribe

I have been talking with a company about their unsubscribe process and their placement of all email preferences behind an account login. In the process, I found a number of extremely useful links about the requirements.
The short version is: under the 2008 FTC rulemaking senders cannot require any information other than an email address and an email preference to opt-out of mail. That means senders can’t charge a fee, they can’t ask for personal information and they can’t require a password or a login to unsubscribe.
I’ve talked about requiring a login to unsubscribe in the past here on the Word to the Wise blog.
Let them go
Questions about CAN SPAM
One click, two click, red click, blue click
How not to handle unsubscribes
I’m not the only person, though, that’s written about this.
The FTC has written about it in the FTC CAN SPAM Compliance Guide for business

Read More