Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act), 15 U.S.C. §§ 7701–7713
The CAN-SPAM Rule (Title 16: Commercial Practices, Part 316) implements the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM), Public Law 108-187, Dec. 16, 2003; 15 U.S.C. 7701-7713, regulating any entity initiating or sending email containing a Commercial Message to any email address.
Primary civil enforcement falls to the Federal Trade Commission (FTC), with penalties up to $16,000 per violation and no aggregate maximum. In February 2019 the FTC reaffirmed the Rule.
Key Definitions and Standards
Messages in this context are email messages.
Recipient is the authorized user of the email address to which the message was sent. Each email address is considered a separate recipient.
Initiators originate or transmit messages. More than one person or entity may be considered to have initiated a message.
Commercial Messages are those reasonably inferred as advertising or promoting a product or service. They must comply with the following:
- Contain no misleading or spoofed header fields (e.g., date, from, to, and origination attributes)
- Subject lines clearly reflect message content
- Conspicuous opt-out mechanism and instructions
- Contains initiator’s valid physical postal address
- Message easily identified as an advertisement or solicitation
Transactional or Relationship Messages must comply with at least one of the following reasons as reasonably inferred by the recipient:
- Facilitate, complete, or confirm a transaction
- Warranty, product recall, safety, or security information
- Terms or feature changes
- Account, balance, or statements
- Membership, standing, status, subscription
- Employment relationship or benefit plan
- Goods or services delivery
Valid Physical Postal Address is either a street address, a Post Office box registered with the United States Postal Service, or a private mailbox registered with an agency established under United States Postal Service regulations.
Mixed Commercial / Transactional or Relationship Message primary purpose standards:
Mixed messages are considered Commercial unless the following standards are met:
- Recipient reasonably interprets subject line as non-Commercial purpose
- Message transactional or relationship content appears, in whole or in substantial part, at message beginning
- Recipient reasonably interprets message intent as primarily non-Commercial including message proportions dedicated, color, graphics, type size, and style used.
Opt-Out Mechanisms allow Recipients to terminate future messages. Commercial messages must use one of the following conspicuous methods and act within 10 business days:
- A functional return email address
- Message preferences menu with one pick allowing total termination of all commercial messages.
The opt-out mechanism must function for 30+ days after the sent date; however, legitimate and unintentional technical issues beyond sender control do not violate CAN-SPAM if diligently corrected within a reasonable time period.
While the CAN-SPAM Act is enforced primarily by the FTC, other federal and state agencies and Internet service providers (ISPs) are also granted enforcement authority. There is no private right of action for consumers.
Violation penalties vary based on the enforcement entity, and aggravated violations may enhance penalties. The Department of Justice (DOJ) may seek criminal penalties in certain circumstances.
The FTC enforces CAN-SPAM violations as unfair and deceptive trade practices, under authority granted by the act creating the agency. Civil penalties are up to $16,000 per CAN-SPAM-violating email, with no maximum aggregate penalty, along with injunctive relief.
Other Federal Agencies
When violations fall outside the FTC’s regulatory and jurisdictional mandate, other federal agencies, such as the Securities and Exchange Commission (SEC) and the Federal Communications Commission (FCC), step in to enforce CAN-SPAM. Penalties for non-compliance vary depending on the agency and the statutes/regulations at issue.
State attorneys general and other agencies can bring CAN-SPAM violation claims affecting state residents. Such agencies can seek to recover:
- Injunctive relief
- Actual damages or statutory damages up to $250 per email, whichever is greater, up to a maximum award of $2 million
- Three times the amount of statutory damages for willful, knowing, or aggravated violations like:
  - Address harvesting
  - Dictionary attacks
  - Programmatic creation of email addresses