Aspirin for Some, Headaches for Others


Corporate information technologists are scrambling to alter their electronic customer communications to avoid running afoul of a new federal law designed to curb unsolicited e-mail messages.

The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 — more commonly known as CAN-SPAM — is an effort to trim such unwanted e-mail. It passed the Senate on Nov. 25, the House of Representatives on Dec. 8 and was signed into law by President Bush on Dec. 16.

Some action to regulate spam was needed, attorneys noted — such messages now make up more than half of today's Internet traffic, according to estimates by law firm Cole, Raywid & Braverman.

But critics questioned whether the law actually would cut spam, predicting that the actual target of the legislation — bulk senders of e-mail — would shift their efforts to servers located outside the United States.


By 2007, some researchers have estimated, the flow of spam could still reach 4,000 messages per person, per year.

Meanwhile, legitimate companies must act to comply with the rules in the new law. The legislation demands that electronic communicators offer recipients an opportunity to "opt out" of future mailings. The opt-out alternative must be "clear and concise" and contained in the original message.

It also requires that the mailers provide a valid physical address for identification within the message.

Companies that receive an opt-out request will have 10 business days to act on it. The request is good for 30 days.

Firms that use automatic harvesting software to obtain e-mail addresses from Web sites, dictionary programs to compile probable e-mail addresses or "protected" computers to hide a sender's identity could be subject to claims of actual or statutory damages.

The new law is "somewhat burdensome" for legitimate companies, because the effective date was Jan. 1, 2004, said Jonathan Band, a partner with the law firm of Morrison & Foerster, during a recent Web seminar on the new law.


Companies will have to track the opt-outs and maintain a database noting the 30-day expiration dates, Band said. But it could have been worse, the attorneys said.

For instance, Congress could have followed California's lead. That state approved an "opt-in" law earlier this year that would have prevented communications with any consumer who did not affirmatively request e-mail. That law also allowed for a private cause of action by consumers.

"That would have been a thermonuclear device for the plaintiff's bar," said Charlie Kennedy, also a Morrison & Foerster partner. Instead, the new act gives state attorneys general and Internet-service providers the authority to sue.

State spam laws, including the California measure, have been pre-empted by the federal measure.

The law provides remedies for companies victimized by bulk e-mailers, such as cable companies, but both civil and criminal actions will be difficult to pursue, according to a letter to clients from Cole, Raywid. The spammers must be identified and jurisdiction then determined.

Spammers currently hide their identities by sending messages through multiple servers. Legal experts predict they'll now utilize even more elaborate methods to hide themselves.

About half of the present-day spammers are believed to be located offshore. The new law will likely prompt more of them to go abroad.


But CAN-SPAM has left many questions unanswered, attorneys said.

Some clients — wrestling with the definition of the "sender" who must be identified in commercial e-mails — have already sent inquiries to their attorneys.

Many companies might be involved in the design and delivery of an e-mail, from the advertiser's marketing department, to a marketing partner to the company that actually pushes the button and activates delivery of the electronic message. Also unclear is whether Congress intended the identifying physical address to be a local or national office, attorneys said.

Co-marketing creates special problems under the law. As an example, attorneys described a scenario in which a hotel chain that is offering a 25% discount receives an opt-out from a customer. That company might find itself in trouble if a travel agency partner, on its own, decides to highlight the same offer within the 30-day window, using contact information it obtained from the hotel chain.

Companies that conduct joint marketing should seek indemnification from their partners as protection against CAN-SPAM violations, Kennedy recommended. Compliance mechanisms should be put in place even for so-called viral marketing programs, in which a current customer receives consideration for referring a friend to the company.

The new law regulates e-mail with the "primary purpose" of advertising, but that phrase is not specifically defined.

The attorneys had no guidance as to how much of the content in a communiqué — such as an electronic newsletter sent by advertisers, possibly including cable companies — must be informational to allow it to escape the new law's notification strictures. "Transactional" and "relationship" messages do not fit the definition of commercial spam, but those labels are also subject to interpretation.

The Federal Trade Commission is charged with tackling some of these questions. Over the next two years, it will conduct a rule-making to define "primary purpose" and "transactional messages"; determine if the 10-day opt-out window needs to be modified; and decide whether or not ADV needs to appear in subject lines of all commercial e-mail messages.


In the meantime, attorneys advise their clients to comply with the law. Even in instances in which companies are approved to contact a customer, messages should include the opt-out policy and some physical address.

The e-mail need not be branded as an advertisement if contact consent has been given, but attorneys advise companies to get e-mail-specific consent. It is unwise to place the opt-out information within a company's policy page on its own Web site and require a customer to seek it out via a hyperlink, they added.

Companies that violate the new spam policy could be subject to fines as high as $3 million, and damages can be trebled if a court determines violations to be egregious.