Keeping Up With CAN-SPAM Act

By Cameron Sturdevant  |  Posted 2004-02-02


The CAN-SPAM act was designed to curb offensive, misleading and costly bulk e-mail. However, the legislation will likely create big problems for well-meaning companies whose business model includes wide distribution of e-mail.

Staying on the right side of the CAN-SPAM Act requires the implementation of data management techniques that collect and maintain opt-out lists. The act will also require IT staffs to be vigilant in their compliance efforts and alert to further CAN-SPAM developments.

CAN-SPAM, formally known as the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, took effect Jan. 1. The CAN-SPAM Act permits damages of up to $2 million against companies that violate the provisions of the law. A federal district court can triple damages, to $6 million, if it determines that a violation is willful or meets other conditions.

eWEEK Labs researched the law to determine its implications for IT departments. We interviewed anti-spam experts, technology lawyers and service providers—including the newly formed CAN-SPAM Compliance Co. LLC—to develop recommendations for what IT managers should do to make sure that their e-mail meets the law's requirements.

Bear in mind, however, that we are technology analysts, not lawyers; our interpretations of the law are not offered as legal advice.



According to CAN-SPAM legislation, e-mail must meet five basic requirements to avoid being labeled "unsolicited commercial" e-mail:

  • The e-mail message must have correct header information.

  • The message must have an accurate subject line.

  • The message must contain a functioning return e-mail address.

  • Senders must not send e-mail more than 10 business days after receiving a request to be removed from a mailing list.

  • Commercial e-mail must contain a clear identification that the message is an advertisement, must contain a conspicuous notice of opportunity to decline further e-mail and must display the physical postal address of the sender.

The law appears to allow companies to send one unsolicited e-mail, but that e-mail must meet all the other criteria stated above. However, once an e-mail recipient tells the sender not to send further unsolicited e-mail, senders are obliged to comply.

This means IT departments must work to ensure that database systems storing customer information are maintained in such a way that unsubscribe requests are processed quickly.

This is where companies such as CAN-SPAM Compliance and Responsys Inc. can help. CAN-SPAM Compliance was established to help marketers comply with the new act. Responsys is a full-service provider of outsourced e-mail marketing services. Setting up and maintaining a master opt-out list can be accomplished without using these types of services, but we believe it's well worth considering an outsourced solution when multiple lines of business and multiple e-mail service providers are involved in e-mail campaigns.

"Making e-mail comply with the requirements of CAN-SPAM is really quite easy," said Mike O'Brien, chief technology officer of CAN-SPAM Compliance, which was formed at the end of last year. "The hard part is maintaining the opt-out list, especially if a company is using multiple advertising agencies."

CAN-SPAM Compliance and Responsys take different approaches to the issue. CAN-SPAM Compliance focuses on ensuring that client e-mail lists are not misused, whereas Responsys provides comprehensive marketing services that include guaranteed delivery of legitimate e-mail. Responsys' new Deliverability service integrates with CRM (customer relationship management) systems, including those from Inc. and Siebel Systems Inc.

CAN-SPAM Compliance uses what it calls "secure seed" addresses, which it monitors to ensure that third-party e-mail senders aren't misusing lists. Seeding works by inserting dummy e-mail addresses into unsubscribe lists and monitoring their use (and abuse): a seed address that never asked for mail should never receive any, so a message arriving at a seed shows that the opt-out list has been mailed to rather than suppressed.

Costs for services vary greatly, based in large part on list sizes, campaign frequency and other marketing services purchased along with the CAN-SPAM conformity check.

CAN-SPAM Compliance's suppression list management service starts at $250 per month. Responsys' Deliverability service—which includes a wide range of options, including opt-out list generation, creative assistance and multiple touches with recipients—averages $5,000 per month. These services provided on a one-time basis average $10,000 to $15,000.



However, IT managers—not outsourced companies—should ultimately maintain the master opt-out list to avoid the possibility of sending commercial e-mail to an opt-out address.

The opt-out list must be compared against every e-mail-based marketing list, whether it is generated from internal or external sources, and any address on the opt-out list must be suppressed before the campaign is sent. This way, IT managers can help marketing efforts stay in compliance with the law.
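The two data-management pieces described above, the master opt-out (suppression) check against a campaign list and the monitoring of seed addresses planted in that opt-out list, as an added example that is not code from the article or from either company it names. Function names and all addresses and dates are constructed sample data; the business-day count ignores holidays.

```python
"""Suppression-list check with seed monitoring (added example, constructed data)."""
from datetime import date, timedelta

def normalize(addr: str) -> str:
    """Canonical form for comparison: trim whitespace, lowercase both parts.
    Lowercasing the local part is an assumption (most providers treat it
    case-insensitively); the domain is case-insensitive by definition."""
    local, _, domain = addr.strip().partition("@")
    return f"{local.lower()}@{domain.lower()}"

def business_days_after(start: date, n: int) -> date:
    """Date n business days (Mon-Fri, holidays ignored) after start."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d

def overdue_optouts(pending: dict, today: date) -> list:
    """Pending opt-out requests whose 10-business-day deadline has passed."""
    return sorted(normalize(a) for a, requested in pending.items()
                  if today > business_days_after(requested, 10))

def filter_campaign(campaign: list, optouts: set, seeds: set) -> tuple:
    """Split a campaign list into (deliverable, suppressed, seed_hits).
    Seeds live on the opt-out list, so a seed appearing in an outbound
    campaign means the opt-out list itself was used as a mailing list."""
    suppressed_set = {normalize(a) for a in optouts}
    seed_set = {normalize(a) for a in seeds}
    deliverable, suppressed, seed_hits, seen = [], [], [], set()
    for raw in campaign:
        a = normalize(raw)
        if a in seen:          # drop duplicates so nobody is mailed twice
            continue
        seen.add(a)
        if a in seed_set:
            seed_hits.append(a)
        if a in suppressed_set:
            suppressed.append(a)
        else:
            deliverable.append(a)
    return deliverable, suppressed, seed_hits

# Constructed sample data (not real addresses).
SEEDS = {"seed-7f3a@example.net"}
OPTOUTS = {"Alice@Example.com", "bob@example.org"} | SEEDS
PENDING = {"Alice@Example.com": date(2004, 1, 5), "bob@example.org": date(2004, 1, 26)}
CAMPAIGN = ["alice@example.com", "carol@example.com", "  BOB@example.org",
            "carol@example.com", "seed-7f3a@example.net", "dave@example.com"]
```

Any non-empty `seed_hits` result is the signal the article's seeding scheme relies on, and `overdue_optouts` flags requests that have already crossed the act's 10-business-day removal window.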

Aside from requiring specific information in the body of an e-mail message, CAN-SPAM covers how e-mail addresses may be collected and who may be held responsible for sending commercial e-mail to a user who has requested to be removed from a list.

CAN-SPAM holds that the company that initiated the commercial e-mail is primarily responsible for any mail sent on its behalf. This means that e-mail service providers can offer protection from CAN-SPAM fines, but they are not required to do so.

In fact, it is important to note that nearly all the provisions of the law apply to the company that ultimately provides the service or product being advertised, as well as to actions taken by an e-mail sending service hired by that company.

IT managers should work with the marketing staff to carefully track when commercial e-mail is sent and to which names, as well as the precautions taken to ensure that opt-out requests are honored. If legal action is mounted against a company, it's the company IT manager's job to ensure that records exist showing the company took the correct precautions to comply with CAN-SPAM.

The Federal Trade Commission can make rules under CAN-SPAM, and IT managers should watch for the FTC report mandated by the CAN-SPAM Act regarding the creation of a national do-not-e-mail registry. The initial plan must be given to the U.S. Senate and House of Representatives by July, although many experts we interviewed think the creation of the do-not-e-mail list faces serious legal hurdles.

CAN-SPAM requirements

Here’s what a company must do to meet the message transmission requirements of the CAN-SPAM Act:

  • Header information must be correct and accurate. The originating e-mail address, domain name and IP address must be legitimate.
  • The subject line must be accurate.
  • The return e-mail address must be functional so recipients can opt out of the mailing. The return address must function for no less than 30 days after the transmission of the original message.
  • Recipients who opt out must be off the list within 10 business days.
  • Advertisement or solicitation e-mail must contain a conspicuous identifier.
  • The postal address of the sender must be included in commercial e-mail.
IT managers won't need to make technical changes to databases or CRM systems even by the July deadline because the report will only outline the do-not-e-mail registry requirements. However, if the law survives the expected legal challenges, these requirements will pose technical difficulties for IT managers no matter what recommendations are put forward.

For example, the do-not-e-mail registry will be nationwide, and IT managers will need to ensure compatibility of CRM and other database systems with the national registry. In addition, the national do-not-e-mail registry will require special handling to ensure that children with e-mail accounts do not receive spam.

IT managers should work with marketing executives to track other rules that will be made by the FTC.

At some point during the year, the commission will develop a mark or notice that must be attached to any commercial e-mail that contains sexually oriented material. Pornography is a slippery regulation subject in any media, so IT managers should keep track of the requirements for this material if there is even a possibility that products being described in e-mail could be considered sexually oriented.

IT managers should also keep an eye on case law that is sure to develop around e-mail distribution.

Senior Analyst Cameron Sturdevant can be reached at