§ 9.05 CAN-SPAM Act
| Jurisdiction | United States |
| Publication year | 2020 |
§ 9.05 CAN-SPAM Act
[1] Introduction
In response to the deluge of unsolicited commercial e-mail messages (spam51 or UCE), in 2003 Congress passed the Controlling the Assault of Non-Solicited Pornography Act (CAN-SPAM Act).52 In general, the Act prohibits the transmission of UCE that contain false or misleading header information53 and deceptive subject lines, and requires the messages to allow the recipients to be permitted to "opt-out," to identify the spam as an advertisement, and to include the sender's physical postal address.54 The Federal Trade Commission (the FTC) is authorized to enforce the civil provisions while the Department of Justice is authorized to enforce the criminal provisions of the Act.55 State officials and Internet Service Providers (ISPs) may also bring actions for violations of the statute.56 Finally, with a limited exception the CAN-Spam Act preempts state laws regulating the transmission of commercial e-mail messages.57
[2] Offenses Under the CAN-SPAM Act
Section 7704 of the CAN-SPAM Act first makes it illegal "for any person to initiate58 the transmission, to a protected computer,59 of commercial60 electronic mail message,61 or a transactional or relationship message, that contains, or is accompanied by header information62 that is materially false or materially misleading."63
This subsectionalso prohibits sending messages with accurate header information, access to which was obtained through false or fraudulent pretenses.64
Second, the Act also makes it illegal to transmit UCE where the originator "has actual knowledge, or knowledge fairly implied on the basis of objective circumstances, that a subject heading of the message would be likely to mislead a recipient, acting reasonably under the circumstances, about a material fact regarding the contents or subject matter of the message (consistent with the criteria used in enforcement of section 5 of the Federal Trade Commission Act (15 U.S.C. § 45)."65
Third, in what can be considered a subset of the above provisions, the Act also requires that all "sexually oriented"66 material carry in its subject line a mark or notice to be prescribed by the FTC,67 unless the material is not displayed automatically upon opening the message, absent some affirmative act by the recipient.68
Fourth, the Act also makes it illegal to transmit UCE "that does not contain a functioning return electronic mail address or other Internet-based mechanism, clearly and conspicuously displayed that (i) does not permit the recipient from requesting not to receive future commercial electronic mail messages from the sender at the electronic mail address where the message was received; and (ii) remain capable of receiving such messages or communications for no less than 30 days after the transmission of the original message."69
Fifth, the Act makes it unlawful to transmit UCE more than ten business days after the sender has received notice pursuant to the above subsection that the recipient does not want to receive anymore e-mail messages.70
Finally, the Act requires that all UCE include: "(i) clear and conspicuous identification that the message is an advertisement or solicitation; (ii) clear and conspicuous notice of the opportunity . . . to decline to receive further commercial electronic mail messages from the sender; and (iii) a valid physical postal address of the sender."71
In addition to imposing direct liability for the acts described above, the CAN-SPAM Act also creates vicarious liability for businesses promoted in an e-mail with false or misleading information.72 Liability attaches if the person "knows or should have known," that the person's business was promoted in an illegal e-mail and if that person "received or expected to receive an economic benefit from such promotion" and "took no reasonable action: (A) to prevent the transmission; or (B) to detect the transmission and report it to the Commission."73 The Act also extends liability to third parties that provide goods, products property or services to such business if that third party: "(A) owns, or has a greater than 50 percent ownership or economic interest in, the trade or business of the person . . . or (B)(i) has actual knowledge that goods, products, property, or services are promoted in a commercial electronic mail message the transmission of which is a violation of [§ 7704(a)]; and (ii) receives, or expects to receive, an economic benefit from such promotion."74
[3] Enforcement
Generally, the Act treats offenses as if they were unfair or deceptive acts or practices proscribed by the Federal Trade Commission Act and grants general enforcement powers to the FTC.75 It also gives enforcement powers to ten other agencies and officers where an offense involves an entity or a channel of commerce already within their jurisdictions.76 Internet Service Providers (ISPs) and states may bring suits77 to enjoin conduct prohibited by Sections 7704(a)(1) and 7704(b) or enjoin a "pattern or practice" that violates Sections 7704(a)(2) to (5) and may seek either actual or statutory damages, whichever is greater.78
A standing analysis under the CAN-SPAM Act consists of two parts: (1) whether the plaintiff is a bona fide Internet access service, and (2) whether the plaintiff is adversely affected by UCE.79 In order to be a bona fide Internet access service, the service must "provide actual Internet access service to customers."80 Courts have extended the definition of Internet access services to "include[ ] traditional [ISPs], any email provider, and even most website owners."81 The harm suffered by an Internet access service to meet the "adversely affected" prong "need not be significant in the sense that it is grave or serious, [but] the harm must be of significance to a bona fide IAS provider—something beyond the mere annoyance of spam. . . ."82 In most cases, evidence of some combination of operational or technical impairments and related financial costs attributable to unwanted commercial e-mail suffice.83 Such impairments "include, but are not limited to, network crashes, higher bandwidth utilization, and increased costs for hardware and software upgrades, network expansion and additional personnel."84 The CAN-SPAM Act does not require that a plaintiff prove that the e-mails at issue adversely affected the plaintiff, but rather, that "[t]he e-mails at issue in a particular case . . . contribute to a larger, collective spam problem."85
However, because Section 7704 is limited to regulating only "commercial electronic mail messages," an ISP's private right of enforcement exists only if the defendant's messages fall within this statutory definition. The Act, however, does not provide for actions by individuals.
[4] Civil Remedies
Civil remedies include injunctive relief, actual damages and statutory damages.86 Both the states and the FTC, may obtain injunctive relief and cease and desist orders without establishing knowledge on the part of the defendant in a number of instances.87 States can recover actual monetary losses suffered by their residents,88 and statutory damages of $250 per offending e-mail up to a total of $2 million.89 ISPs are entitled to recover their own actual damages but not those suffered by their customers,90 as well as statutory damages of $100 per offending e-mail that includes a false or misleading header91 or $25 per other offending e-mail,92 up to a total of $1 million.93
A court may award treble damages to the states or ISPs if the court determines that the defendant committed the violation "willfully and knowingly" or the "defendant's unlawful violations include one or more of the aggravated factors set forth in [subsection 7704(b)]."94 That Subsection makes it an "aggravated violation" to do any of the acts prohibited under the CAN-SPAM Act, if the e-mail address of the recipient was either obtained through "harvesting" which involves scanning the text of web pages, chat rooms, message boards, and other electronic media for e-mail addresses posted by users95 or "dictionary attacks" which entail systematically generating character strings in the hope that some will turn out to be valid e-mail addresses.96
States and ISPs may recover attorney fees, in the court's discretion,97 but the Act only permits a defendant to recover attorney fees from ISPs.98 The defendant may mitigate damages if the defendant "has established and implemented, with due care, commercially reasonable practices and procedures designed to effectively prevent violations of the Act or "the violations occurred despite [those] efforts."99
[5] Criminal Penalties
The CAN-SPAM Act makes criminal the following:
(1) accessing a protected computer with authorization, and intentionally initiating the transmission of multiple commercial electronic mail messages from or through such computer;
(2) using a protected computer to relay or retransmit multiple commercial electronic mail messages, with the intent to deceive or mislead recipients, or any Internet access service, as to the origin of such messages,
(3) materially falsifying header information in multiple commercial electronic mail messages and intentionally initiating the transmission of such messages,
(4) registering, using information that materially falsifies the identity of the actual registrant, for five or more electronic mail accounts or online user accounts or two or more domain names, and intentionally initiating the transmission of multiple commercial electronic mail messages from any combination of such accounts or domain names, or
(5) falsely representing oneself to be the registrant or the legitimate successor in interest to the registrant of 5 or more Internet Protocol addresses, and intentionally initiating the transmission of multiple commercial electronic mail messages from such addresses, or conspiring to do so.100
In United States v. Kilbride,101 the court rejected defendants' claim that Section 103 was unconstitutionally vague as applied to...
To continue reading
Request your trial