Ask Laura: Confused about CAN SPAM
I read your blog post about CAN SPAM earlier this week, and there’s one thing that confuses me. You never mention that harvesting addresses is a violation. I’ve seen many other people, including lawyers, assert that harvesting addresses is a violation of CAN SPAM. Why did you leave that out?
Hopeful maker of musubi
The idea that harvesting is, in and of itself, a violation of CAN SPAM is one of those mis-conceptions that has become “common knowledge” and that “everyone knows.” But careful reading of the statute and the FTC rulemaking from 2008 makes it clear that harvesting is not a violation.
15 U.S. Code § 7704 Aggravated violations relating to commercial electronic mail
(A) In general It is unlawful for any person to initiate the transmission, to a protected computer, of a commercial electronic mail message that is unlawful under subsection (a), or to assist in the origination of such message through the provision or selection of addresses to which the message will be transmitted, if such person had actual knowledge, or knowledge fairly implied on the basis of objective circumstances, that—
(i) the electronic mail address of the recipient was obtained using an automated means from an Internet website or proprietary online service operated by another person, and such website or online service included, at the time the address was obtained, a notice stating that the operator of such website or online service will not give, sell, or otherwise transfer addresses maintained by such website or online service to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages; or
(ii) the electronic mail address of the recipient was obtained using an automated means that generates possible electronic mail addresses by combining names, letters, or numbers into numerous permutations.
That’s pretty clear to me. Harvesting is only an issue if the message is in violation of CAN SPAM. If you harvest an address and send CAN SPAM compliant mail, then there is no problem.
This was further clarified in the FTC Rulemaking from 2008.
[S]ection 7704(b) specifies four “aggravated violations” — practices that compound the available statutory damages when alleged and proven in combination with certain other CAN-SPAM violations. 
 15 U.S.C. 7704(b). The four such practices set forth in the statute are: address harvesting; dictionary attacks; automated creation of multiple email accounts; and relaying or retransmitting through unauthorized access to a protected computer or network. The Act’s provisions relating to enforcement by state attorneys general and providers of Internet access service create the possibility of increased statutory damages if a court finds a defendant has engaged in one of the practices specified in section 7704(b) while also violating section 7704(a). Specifically, sections 7706(f)(3)(C) and (g)(3)(C) permit a court to increase a statutory damages award up to three times the amount that would have been granted without the commission of an aggravated violation. Sections 7706(f)(3)(C) and (g)(3)(C) also provide for this heightened statutory damages calculation when a court finds that the defendant’s violations of section 7704(a) were committed “willfully and knowingly.
Translating all of that out of legal government speak we get to the idea that only the things listed in 7704(a) are violations and there can be enhanced penalties. Also, these enhanced penalties are only available to state Attorneys General or ISPs.
It would be lovely if harvesting were a violation. It would cut out a lot of the “targeted” spam we see. I think my favorite was the time someone contacted us about advertising shovels on the domain samspade.org. Um… just because there is “spade” in the domain name doesn’t mean we’re a good target for your shovel advertising. But harvesting is only a problem if you violate CAN SPAM. That means spammers can send all the mail the want to harvested addresses as long as they include:
- Functioning opt-out link
- Physical address
- Valid headers
- Clear messaging that this is an advertisement.
Of course, most spammers don’t have functioning opt-out links and unsubscribing doesn’t actually stop spam. Harvesting would be a treble violation for much of the actual spam. But those folks who annoy the daylights out of me by scraping my address off LinkedIn and sending me their newsletter? Most of the time that’s not illegal.