Ask Laura: Confused about CAN SPAM

AskLaura_Heading3

Dear Laura, 
I read your blog post about CAN SPAM earlier this week, and there’s one thing that confuses me. You never mention that harvesting addresses is a violation. I’ve seen many other people, including lawyers, assert that harvesting addresses is a violation of CAN SPAM. Why did you leave that out?
Signed,
Hopeful maker of musubi

Dear Hopeful,
The idea that harvesting is, in and of itself, a violation of CAN SPAM is one of those mis-conceptions that has become “common knowledge” and that “everyone knows.” But careful reading of the statute and the FTC rulemaking from 2008 makes it clear that harvesting is not a violation.

15 U.S. Code § 7704 Aggravated violations relating to commercial electronic mail
(A) In general It is unlawful for any person to initiate the transmission, to a protected computer, of a commercial electronic mail message that is unlawful under subsection (a), or to assist in the origination of such message through the provision or selection of addresses to which the message will be transmitted, if such person had actual knowledge, or knowledge fairly implied on the basis of objective circumstances, that—
(i) the electronic mail address of the recipient was obtained using an automated means from an Internet website or proprietary online service operated by another person, and such website or online service included, at the time the address was obtained, a notice stating that the operator of such website or online service will not give, sell, or otherwise transfer addresses maintained by such website or online service to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages; or
(ii) the electronic mail address of the recipient was obtained using an automated means that generates possible electronic mail addresses by combining names, letters, or numbers into numerous permutations.
(emphasis added)

That’s pretty clear to me. Harvesting is only an issue if the message is in violation of CAN SPAM. If you harvest an address and send CAN SPAM compliant mail, then there is no problem.
This was further clarified in the FTC Rulemaking from 2008.

[S]ection 7704(b) specifies four “aggravated violations” — practices that compound the available statutory damages when alleged and proven in combination with certain other CAN-SPAM violations. [3]
[3] 15 U.S.C. 7704(b). The four such practices set forth in the statute are: address harvesting; dictionary attacks; automated creation of multiple email accounts; and relaying or retransmitting through unauthorized access to a protected computer or network. The Act’s provisions relating to enforcement by state attorneys general and providers of Internet access service create the possibility of increased statutory damages if a court finds a defendant has engaged in one of the practices specified in section 7704(b) while also violating section 7704(a). Specifically, sections 7706(f)(3)(C) and (g)(3)(C) permit a court to increase a statutory damages award up to three times the amount that would have been granted without the commission of an aggravated violation. Sections 7706(f)(3)(C) and (g)(3)(C) also provide for this heightened statutory damages calculation when a court finds that the defendant’s violations of section 7704(a) were committed “willfully and knowingly.
(emphasis added)

Translating all of that out of legal government speak we get to the idea that only the things listed in 7704(a) are violations and there can be enhanced penalties. Also, these enhanced penalties are only available to state Attorneys General or ISPs.
It would be lovely if harvesting were a violation. It would cut out a lot of the “targeted” spam we see. I think my favorite was the time someone contacted us about advertising shovels on the domain samspade.org. Um… just because there is “spade” in the domain name doesn’t mean we’re a good target for your shovel advertising. But harvesting is only a problem if you violate CAN SPAM. That means spammers can send all the mail the want to harvested addresses as long as they include:

  • Functioning opt-out link
  • Physical address
  • Valid headers
  • Clear messaging that this is an advertisement.

Of course, most spammers don’t have functioning opt-out links and unsubscribing doesn’t actually stop spam. Harvesting would be a treble violation for much of the actual spam. But those folks who annoy the daylights out of me by scraping my address off LinkedIn and sending me their newsletter? Most of the time that’s not illegal.

Related Posts

TWSD: Don't honor opt-outs

One of the big arguments various mailers make is that they make it easy for users to opt-out of mail, so it’s not a big deal. Users who don’t want to receive the mail, can make it stop. This was one of the guiding principles of CAN SPAM. The sender can make the decision to send mail to any recipient but they have to offer an opt-out.
The problem is there are a lot of major companies out there that don’t honor opt-outs. Since earlier this year I’ve been tracking when I opt-out of mail. Why? Because I kept getting the feeling that I’d opted out of mail before, but kept getting it.
The good(?) news is that it wasn’t my imagination, some of these companies aren’t honoring their opt-outs. The bad news is that major companies are not honoring opt-outs.

Read More

Is harvesting illegal under CAN SPAM

This issue comes up repeatedly, as many people have read the CAN SPAM act and believe that CAN SPAM specifically prohibits sending mail to harvested address. This is not how I read the law.
The FTC publishes a CAN SPAM Compliance Guide for Businesses that only mentions harvesting in the context of criminal penalties for violations. They list the following 7 main requirements of CAN SPAM.

Read More

Logging in to unsubscribe

I have been talking with a company about their unsubscribe process and their placement of all email preferences behind an account login. In the process, I found a number of extremely useful links about the requirements.
The short version is: under the 2008 FTC rulemaking senders cannot require any information other than an email address and an email preference to opt-out of mail. That means senders can’t charge a fee, they can’t ask for personal information and they can’t require a password or a login to unsubscribe.
I’ve talked about requiring a login to unsubscribe in the past here on the Word to the Wise blog.
Let them go
Questions about CAN SPAM
One click, two click, red click, blue click
How not to handle unsubscribes
I’m not the only person, though, that’s written about this.
The FTC has written about it in the FTC CAN SPAM Compliance Guide for business

Read More