However, IT managersnot outsourced companiesshould ultimately maintain the master opt-out list to avoid the possibility of sending commercial e-mail to an opt-out address.
The opt-out list must be compared against any e-mail-based marketing list that is generated from either internal or external sources. This way, IT managers can help marketing efforts stay in compliance with the law.
Aside from requiring specific information in the body of an e-mail message, CAN-SPAM covers how e-mail addresses may be collected and who may be held responsible for sending commercial e-mail to a user who has requested to be removed from a list.
CAN-SPAM holds that the company that initiated the commercial e-mail is primarily responsible for any mail sent on its behalf. This means that e-mail service providers can offer protection from CAN-SPAM fines, but they are not required to do so.
In fact, it is important to note that nearly all the provisions of the law apply to the company that ultimately makes the service or product being advertised as well as actions taken by an e-mail sending service hired by that company.
IT managers should work with the marketing staff to carefully track when commercial e-mail is sent and to which names, as well as the precautions taken to ensure that opt-out requests are honored. If legal action is mounted against a company, its the company IT managers job to ensure that records exist that show the company took the correct precautions to comply with CAN-SPAM.
The Federal Trade Commission can make rules under CAN-SPAM, and IT managers should watch for the FTC report mandated by the CAN-SPAM Act regarding the creation of a national do-not-e-mail registry. The initial plan must be given to the U.S. Senate and House of Representatives by July, although many experts we interviewed think the creation of the do-not-e-mail list faces serious legal hurdles.
Heres what a company must do to meet the message transmission
requirements of the CAN-SPAM Act:
Header information must be correct and accurate. The originating
e-mail address, domain name and IP address must be legitimate.
The subject line must be accurate.
The return e-mail address must be functional so recipients
can opt out of the mailing. The return address must function for
no less than 30 days after the transmission of the original message.
Recipients who opt out must be off the list within 10 business
Advertisement or solicitation e-mail must contain a conspicuous
The postal address of the sender must be included in commercial
IT managers wont need to make technical changes to databases or CRM systems even by the July deadline because the report will only outline the do-not-e-mail registry requirements. However, if the law survives the expected legal challenges, these requirements will pose technical difficulties for IT managers no matter what recommendations are put forward.
For example, the do-not-e-mail registry will be nationwide, and IT managers will need to ensure compatibility of CRM and other database systems with the national registry. In addition, the national do-not-e-mail registry will require special handling to ensure that children with e-mail accounts do not receive spam.
IT managers should work with marketing executives to track other rules that will be made by the FTC.
At some point during the year, the commission will develop a mark or notice that must be attached to any commercial e-mail that contains sexually oriented material. Pornography is a slippery regulation subject in any media, so IT managers should keep track of the requirements for this material if there is even a possibility that products being described in e-mail could be considered sexually oriented.
IT managers should also keep an eye on case law that is sure to develop around e-mail distribution.
Senior Analyst Cameron Sturdevant can be reached at firstname.lastname@example.org.