Meanwhile, much has been made of the fact that CAN-SPAM includes no right of action by private persons against spammers. This means that only the government can pursue cases. In many of the state laws, private individuals and organizations can sue spammers in court under the law. You might remember that Microsoft filed suit against several big-time spammers this past June under the Washington state law. CAN-SPAM would specifically preempt all the state laws, but it leaves in some exceptions:Microsoft also filed some cases in United Kingdom courts, so presumably the suits could continue there. There is another set of exceptions for the state law preemption related to non-spam issues. In other words, CAN-SPAM does not have an effect on state laws related to trespass, contract or torts, fraud, or general computer crimes. However, Im ambivalent about the private rights of action because there are too many lawsuits in this country. Still, in spite of the initial hostile reaction, CAN-SPAM does strike a good balanceonly time and court cases will tell in this regard. But for the most part, the law expects state attorneys general to be bringing cases in federal district court on behalf of aggrieved residents using this bill. No doubt, many of them will base their future gubernatorial bids in part on their anti-spam stance. (Maybe the legislation would be better called the Eliot Spitzer for Governor of New York Act or ES-GNY instead of CAN-SPAM.) In addition, its interesting to note that the bill bans several uses of e-mail which are provided for, explicitly or implicitly, in the SMTP specification. Perhaps this will be further incentive to change the specification itself. CAN-SPAM is not a bad thing as far as I can see, but its not going to make a big dent in the spam problem. Far too much spam comes from overseas from entities unreachable, for practical if not legal reasons, by laws in the United States. Even within the U.S. its not hard to see how spammers, who we already know to be unscrupulous, will evade effective prosecution. But at least the law will pick off some low-hanging fruit, the really-stupid amateur spammers, as well as deter some others. As Scott Petry, founder and vice president of products and engineering at Postini put it to me: Its just one more arrow in the quiver. Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer
"Section 8(b)(1)IN GENERAL. This Act supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto."
So, the states still have some leeway to pursue claims of their own related to falsity and deception, and perhaps private rights of action can still proceed in these cases. In fact, falsity and deception were at the heart of the Microsoft cases, so I wouldnt be surprised if they are important tests of how much life is left in the state laws.