Let's talk CAN SPAM

Earlier this week I posted about the increased amount of B2B spam I’m receiving. One message is not a huge deal and I just delete and move on. But many folks are using marketing automation to send a series of emails. These emails often violate CAN SPAM in one way or another.
This has been the law for 13 years now; I find it difficult to believe marketers are still unaware of what it says. But, for the sake of argument, let’s talk about CAN SPAM.

What is CAN SPAM?

CAN SPAM is the US law regulating commercial email. It was passed and signed into law in 2003. It took effect Jan 1, 2004.
CAN SPAM is primarily enforced by the FTC, with the FCC having responsibility for email to certain domains. In 2005 the FTC published clarifying rules to help businesses comply with the law.

What does it regulate?

CAN SPAM regulates commercial email. The act defines commercial email as:
The term “commercial electronic mail message” means any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose).
Commercial electronic mail messages do not include “transactional” or “relationship” messages. These messages are defined as messages related to a specific transaction (such as receipts and warranty information) or related to a membership (such as a statement or renewal notice).

What are the requirements?

CAN SPAM is pretty simple in what it regulates.

  • Commercial mail cannot have any forgeries.
  • Every email must have a physical address for the sender.
  • Every email must provide a way for the recipient to unsubscribe. There are a number of requirements around the unsubscribe process.
    • Users must be able to unsubscribe over the internet, either by replying to the mail or clicking on a link.
    • The reply address or link must be active and functional for at least 30 days after the email is sent.
    • Senders must not require payment for unsubscribes.
    • Recipients only have to provide their email address. They cannot be forced to supply any additional information.
    • Recipients cannot be required to send more than one email or visit more than one webpage to unsubscribe.
  • Unsubscribes must be effective within 10 days of receiving a request.
  • Unsolicited email is prohibited to wireless domains as defined by the FCC.
  • Advertising email must be clearly marked as advertising.
  • Sexually explicit email must be labeled with SEXUALLY EXPLICIT in the subject line.

These are pretty simple requirements. Note that most of these apply to any commercial email, not just bulk or unsolicited email.

What are the penalties?

The law provides for fines and jail time. Fines can reach $16,000 per violation. Enhanced penalties, including treble damages and jail time, take effect if certain conditions are met. Some of these conditions include harvesting addresses, using false whois information, or making up email addresses.

Who enforces CAN SPAM?

CAN SPAM doesn’t have a private right of action. Enforcement is by federal or state agencies or commercial email providers. Some of the webmail providers have sued spammers for CAN SPAM violations. Mailbox owners, such as businesses, may have standing to sue for CAN SPAM. A series of cases brought by individuals has really killed the ability of individuals to sue under the act.

Is there more?

There is, and you can read the FTC summary if you’re interested. The FTC talks about primary purpose and what’s transactional and what happens when there is more than one sender for a message.

How can you comply?

Compliance is pretty simple. I recommend clients just follow the rules for every email they send out. The rules are so basic that there is no harm in applying them to emails that might not be covered. I tell clients to do the following for all their commercial email:

  • Include your physical address in every email.
  • Provide a simple unsubscribe link in every email, even transactional ones.
  • Use a valid address in whois, and avoid privacy protection services for email domains.

That’s really CAN SPAM compliance in a nutshell.
For many of my B2B spammers these days, compliance seems overly difficult and complicated. Most of them don’t have unsubscribes. Almost none of them have a physical address in the mail. For the senders who harvested my address off LinkedIn, enhanced penalties apply. As a business owner I could probably successfully file suit against some of these spammers. But that seems time consuming and ineffective.
I’ve been trying to work out new ways to deal with this. I’m considering supplying links to some blog posts here. I may also include a proposal for them to hire me so I can help them send mail that complies with CAN SPAM.
 
