Ask Laura: Confused about CAN SPAM



Dear Laura, 
I read your blog post about CAN SPAM earlier this week, and there’s one thing that confuses me. You never mention that harvesting addresses is a violation. I’ve seen many other people, including lawyers, assert that harvesting addresses is a violation of CAN SPAM. Why did you leave that out?
Signed,
Hopeful maker of musubi


Dear Hopeful,
The idea that harvesting is, in and of itself, a violation of CAN SPAM is one of those misconceptions that has become “common knowledge” and that “everyone knows.” But careful reading of the statute and the FTC rulemaking from 2008 makes it clear that harvesting is not a violation.

15 U.S. Code § 7704 Aggravated violations relating to commercial electronic mail
(A) In general It is unlawful for any person to initiate the transmission, to a protected computer, of a commercial electronic mail message that is unlawful under subsection (a), or to assist in the origination of such message through the provision or selection of addresses to which the message will be transmitted, if such person had actual knowledge, or knowledge fairly implied on the basis of objective circumstances, that—
(i) the electronic mail address of the recipient was obtained using an automated means from an Internet website or proprietary online service operated by another person, and such website or online service included, at the time the address was obtained, a notice stating that the operator of such website or online service will not give, sell, or otherwise transfer addresses maintained by such website or online service to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages; or
(ii) the electronic mail address of the recipient was obtained using an automated means that generates possible electronic mail addresses by combining names, letters, or numbers into numerous permutations.
(emphasis added)

That’s pretty clear to me. Harvesting is only an issue if the message is in violation of CAN SPAM. If you harvest an address and send CAN SPAM compliant mail, then there is no problem.
This was further clarified in the FTC Rulemaking from 2008.

[S]ection 7704(b) specifies four “aggravated violations” — practices that compound the available statutory damages when alleged and proven in combination with certain other CAN-SPAM violations. [3]
[3] 15 U.S.C. 7704(b). The four such practices set forth in the statute are: address harvesting; dictionary attacks; automated creation of multiple email accounts; and relaying or retransmitting through unauthorized access to a protected computer or network. The Act’s provisions relating to enforcement by state attorneys general and providers of Internet access service create the possibility of increased statutory damages if a court finds a defendant has engaged in one of the practices specified in section 7704(b) while also violating section 7704(a). Specifically, sections 7706(f)(3)(C) and (g)(3)(C) permit a court to increase a statutory damages award up to three times the amount that would have been granted without the commission of an aggravated violation. Sections 7706(f)(3)(C) and (g)(3)(C) also provide for this heightened statutory damages calculation when a court finds that the defendant’s violations of section 7704(a) were committed “willfully and knowingly.”
(emphasis added)

Translating all of that out of legal government speak, we get to the idea that only the things listed in 7704(a) are violations, and there can be enhanced penalties. Also, these enhanced penalties are only available to state Attorneys General or ISPs.
It would be lovely if harvesting were a violation. It would cut out a lot of the “targeted” spam we see. I think my favorite was the time someone contacted us about advertising shovels on the domain samspade.org. Um… just because there is “spade” in the domain name doesn’t mean we’re a good target for your shovel advertising. But harvesting is only a problem if you violate CAN SPAM. That means spammers can send all the mail they want to harvested addresses as long as they include:

  • Functioning opt-out link
  • Physical address
  • Valid headers
  • Clear messaging that this is an advertisement.

Of course, most spammers don’t have functioning opt-out links and unsubscribing doesn’t actually stop spam. Harvesting would be a treble violation for much of the actual spam. But those folks who annoy the daylights out of me by scraping my address off LinkedIn and sending me their newsletter? Most of the time that’s not illegal.

Related Posts

Questions about CAN SPAM.

In the US, the law governing the sending of commercial email is CAN SPAM. I’ve seen a number of questions about CAN SPAM recently.
One came from Twitter, where someone was asking if just having an email address meant permission to send to it. Clearly, just being able to dig up an email address doesn’t imply permission to send marketing or commercial email to it. I can promise you April23@contact.wordtothewise.com did not sign up to receive information on increasing Facebook followers.
CAN SPAM doesn’t prohibit unsolicited email. All it says is that if you send unsolicited email you must do a few things.


Bad unsubscribe processes

We recently renewed our support contract with VMWare. It’s a weirdly complicated system, in that we can’t buy directly from VMWare, but have to buy through one of their resellers. In this case, we purchased the original hardware from Dell, so we renewed our contract through Dell.
Dell sends my email address over to VMWare as part of the transaction.
My only role in this is as CFO. I approve the purchase and pay the bill. I don’t do anything technical with the license.
The email failures start when VMWare decides that I need to receive mail about some user group meetings they’re holding all over the US. First off, I’m not the right person to be sending this mail to inside our company. I’m the billing contact, not the user contact. Then, they send me mail about meetings all over the US, when they know exactly where I’m located. Would it be so hard to do a semi-personalized version that highlighted the meetings in my local area then pointing out the other locations? Apparently, yes, it is so hard.
The biggest failures, though, are in the unsubscribe process.
The unsubscribe page is no big deal. I get to unsub from all VMWare communications, and submit that request without having to figure out what my VMWare password is or anything.
After I hit submit, I’m taken to this page.
Wait? What?
“Thank you for registering?” I didn’t register! I don’t want you to contact me. Plus, this is an HP co-branded page when I’m not a customer of HP. VMWare knows this, they know they got my address from Dell.
The biggest problem is that I’m not sure that my address was actually unsubscribed. I suspect that someone copied a form from elsewhere on the site to use as an unsubscribe form. This person forgot to change the link after the “submit” button was clicked. But what else did they forget to change? Is the unsubscribe actually registered in the database?
I suppose only time will tell if VMWare actually processed my unsubscribe. If they didn’t, they’re technically in violation of CAN SPAM.
The lesson, though, is someone should check unsubscribe forms. Someone in marketing should own the unsubscribe process, and that includes confirming that unsubscribe pages work well enough.


Where did you get my address?

Both Steve and I are trying to get answers from Amazon, Target and Epsilon about how Target acquired our Amazon specific email addresses. Target phone reps told us the mail we got was a phish, Epsilon is refusing to acknowledge Target is a customer and Amazon has promised us “they’re looking into it.”
Meanwhile, an address of mine was transferred from one customer of an ESP to another customer of the same ESP. At first I was told I must have signed up for the mail; as proof I was provided with the data I supposedly signed up. When I explained no that wasn’t true, the abuse desk told me they had discovered there was a mistake and that “These two clients use the same 3rd party ESP and they had mixed the files.” I’m not actually sure who “they” refers to, but as long as they’ve untangled the files I am not going to argue. The sad part is that it took an escalation to Return Path (the IP sending the mail is certified) to get anyone to actually respond to my report of an address given to Company A being mailed by Company B.
On the flip side, mail showed up today that actually had a link for “how was I added?”
When you click on the link it shows exactly where the address came from and when it was added to the list.
It would be great if more companies provided this information to their recipients. I think it would probably decrease spam reports and make consumers feel more comfortable about how companies are collecting and using information.
