FTC Proposes Tightening CAN-SPAM Act

Suggested changes to the anti-spam act include shortened opt-out compliance time and clearer assignment of responsibility to companies sending marketing mail.

The Federal Trade Commission is proposing five changes to the CAN-SPAM Act and is seeking comment on these proposals by June 27. The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial e-mail, spells out penalties for spammers and companies whose products are advertised with spam if they violate the law, and gives consumers the right to ask e-mailers to stop spamming them.

The law, which became effective Jan. 1, 2004, covers e-mail whose primary purpose is advertising or promoting a commercial product or service, including content on a Web site.

Rule changes proposed by the FTC could affect how the CAN-SPAM Act is enforced. The proposals include:

  • Shortening the time an e-mail sender has to comply with an opt-out request from 10 to three days.
  • Clarifying that it is illegal to require e-mail recipients wishing to opt out from marketing e-mails to pay a fee, provide information other than e-mail address and opt-out preferences, or take any action besides replying to an e-mail or visiting a Web site.
  • Clarifying that P.O. boxes and private mailboxes meet the requirement for a "valid physical address" under the CAN-SPAM Act.
  • Defining the term "sender" as used in CAN-SPAM to clarify which party associated with a marketing e-mail is responsible for compliance.
  • Defining the term "person," which is used repeatedly in the language of the CAN-SPAM Act but not clearly defined.

A "transactional or relationship message"—e-mail that facilitates an agreed-upon transaction or updates a customer in an existing business relationship—may not contain false or misleading routing information, but otherwise is exempt from most provisions of the CAN-SPAM Act.

"This act was never meant to be a silver bullet," said Trevor Hughes, director of the E-Mail Service Provider Coalition. "This gave us some good tools. CAN-SPAM gave legitimate businesses a platform and a way to comply."

The Federal Trade Commission, the nations consumer protection agency, is authorized to enforce the CAN-SPAM Act. CAN-SPAM also gives the Department of Justice the authority to enforce its criminal sanctions. Other federal and state agencies can enforce the law against organizations under their jurisdiction, and companies that provide Internet access may sue violators, as well.

These proposed changes are meant to further clarify areas of the act that have caused confusion and issues since it was enacted.

"I think its great that the FTC is getting public feedback," said David Daniels, senior analyst with Jupiter Research of Jupitermedia Corp. "Companies have done a lot already to be in compliance."

The biggest issue being tackled is how to define "sender." Is the sender the person who actually pushes the button to send the e-mail, or is it all of the parties that are in the e-mail?

/zimages/6/28571.gifClick here to read about compliance problems with the CAN-SPAM act.

"I think one thing people need to realize is that even as they define sender now, theres a part of the CAN-SPAM, called the McCain Amendment, that says that whoever benefits from the spam being sent is on the hook," said Anne Mitchell, CEO and president of the Institute for Spam and Internet Public Policy.

"Even if youre offshore and sending e-mail to this country, you have to have some link to the United States because thats how youll get paid for your product. So, although defining sender is important in some aspects to both the receivers and the senders, ultimately people should know that the advertiser who benefits from sending the e-mail is always on the hook for compliance."

/zimages/6/28571.gifRead details here about Microsofts anti-spam lawsuit.

Hughes said this will give companies some guidance on how to ensure that theres one sender being held responsible. "If there are three senders listed in an e-mail, then all three must comply and offer separate opt-out links and they must each provide an address in the e-mail. That gets confusing."

Next Page: Timely compliance could be hard to manage.