A CAN-SPAM Checklist

E-mail spam relayed by country in Q2/2007, source: http://www.sophos.com/pressoffice/news/articles/2007/07/dirtydozjul07.html (Photo credit: Wikipedia)

Today we’re going to create a checklist of things required for CAN-SPAM compliance.

So, you want to make sure that you actually comply with the CAN-SPAM Act of 2003 and not just say that you do. This post isn’t for you. You might learn something here and if you do, that’s great. But, instead, this post is really for the Delivery Professional. You know who you are. You are the one who wants a little checklist to slap your clients around with when they cry that their email isn’t getting delivered like they think it should and that it, of course, complies with CAN-SPAM.

This is your guide to CAN-SPAM.

• What email is covered.
• Understand labeling requirements
• Don’t lie
• Make it easy to leave
• Edge cases

• What email is covered. Some email is not covered by what most people think of when they think of CAN-SPAM. Email that is not covered by CAN-SPAM includes:
  • Political email
  • Relationship email
  • Transactional email
  • Personal email

  Relationship and Transactional email are special cases. They are defined by the statute. You can see my post on that here. In short, the relationship/transactional email has to be directly related to something that has happened in the past and the primary purpose of the client’s piece has to directly touch that event. If your client thinks that if they try really hard that they can shoehorn their email into that exception, slap them around. The pain that causes is never worth it.

  Also, one section of CAN-SPAM still applies to even relationship and transactional email. Section 5(a)(1), codified at 15 USC 7704(a)(1), provides: “It is unlawful for any person to initiate the transmission, to a protected computer, of a commercial electronic mail message, or a transactional or relationship message, that contains, or is accompanied by, header information that is materially false or materially misleading” (emphasis added).

  If your client is wanting to create false headers, well…. First of all, that’s what spammers do. Second of all, it’s illegal. Tell them: “Don’t. Just don’t.”

  Politicians have always exempted themselves from laws such as this one (for a variety of reasons, not all of which are self-serving), but even so, CAN-SPAM may provide them with some best practice guidelines, even though it’s not binding. And, of course, your email to your best friend from high school doesn’t have to comply with CAN-SPAM either.

  All other email must comply with CAN-SPAM.

• Labeling requirements. Email that has to comply with CAN-SPAM has to be properly labeled. So, what is “properly labeled?”Properly labeled email is email that contains a:
  • clear and conspicuous identification that the message is an advertisement or solicitation,
  • clear and conspicuous identification of a way to opt-out, and
  • proper postal address for the sender.

  We’ll talk about senders here in a bit under “edge cases” as there are some arcane rules over who is a sender and in what circumstances. But, remember that properly labeled, CAN-SPAM complaint email has a “clear and conspicuous identification” that the email is an advertisement, a “clear and conspicuous” means of opting out of further communication, and a proper postal address. Putting that information in 2pt type colored light grey on a white background separated from the body by 20 blank lines isn’t going to cut it.

• Don’t lie. Now, you might think that this one is a no-brainer, but it’s not. We quoted the relevant bits above, but we’ll do so again so you don’t have to scroll around the page:Section 5(a)(1), codified at 15 USC 7704(a)(1), provides: “It is unlawful for any person to initiate the transmission, to a protected computer, of a commercial electronic mail message, or a transactional or relationship message, that contains, or is accompanied by, header information that is materially false or materially misleading” (emphasis added).First of all, this provision (as we already mentioned) applies not only to commercial email, but also to transactional and relationship messages as well.Second, I have to admit ignorance as to the legal difference between “contains” and “is accompanied by” as it touches on email messages.Finally, since the sender of the message is going to be found in the headers, who is the sender? We’ll cover that in “edge cases” below.Now that we’ve gotten that bit out of the way, the rest of it is, in fact, a no-brainer. Clients can’t falsify what they put in their email. With apologies to Ray Gilbert and James Baskett, what you find in the email must fit into “It’s the truth, it’s actual” for everything to be “satisfactual”.Legal cases touching on this requirement include FTC v. Sili Neutraceuticals, Inc., et al., United States of America v. Ralsky, et al., and Comcast’s countersuit in e360Insight, LLC v. Comcast Corporation. None of them are quite definitive on what actually constitutes a materially misleading header as Sili Neutraceuticals was a default judgment and the other two are still being litigated.
• Make it easy to leave. With its 2008 FTC rule revision, CAN-SPAM now requires simple opt-out procedures. Requiring someone to edit settings or pay money to be removed from a list is now out. The DMA had argued to the FTC that “tracking by account information also makes it easier to honor opt-out requests for customers regardless of what they change their email address to.” The Commission did not find this argument persuasive, because, as the Commission stated in the Notice of Proposed Rulemaking (NPRM): “according to CAN-SPAM, opt-out requests are specific to a recipient’s email address, not his or her name,” and, in this case, certainly not to his or her account information. The rule is simply stated, in full legalese:
  

  Neither a sender nor any person acting on behalf of a sender may require that any recipient pay any fee, provide any information other than the recipient’s electronic mail address and opt-out preferences, or take any other steps except sending a reply electronic mail message or visiting a single Internet Web page, in order to:

  (a) Use a return electronic mail address or other Internet-based mechanism, required by 15 U.S.C. 7704(a)(3), to submit a request not to receive future commercial electronic mail messages from a sender; or

  (b) Have such a request honored as required by 15 U.S.C. 7704(a)(3)(B) and (a)(4).
  (emphasis added)

  As a best practice, clients should not link to a subscription center for the purpose of collecting unsubscriptions. That said, I have seen at least one non-profit who provides a four-step process for opting out of communications via a subscription center as the “best way” and also provides a link to a page which fulfills the “single Internet Web page” requirement. I can’t say that what they are doing is a violation, but I also cannot say that it’s a best practice.

• Edge cases
  The only real edge cases come from having to define who a sender is. In most cases it is obvious who the sender is, which is why we didn’t discuss senders in the previous sections. There are two edge cases, though. Both of those edge cases were clarified in last year’s FTC rule updates.
  • Multiple marketers advertising in a single message CAN-SPAM now provides that multiple “senders” of a commercial email (such as newsletters with multiple content and advertising providers), under certain conditions, may identify one among them as the “sender” who will be deemed the sole “sender” of the message. This designated sender
    1. must include its non-deceptive name, trade name, product, or service in the “from” line of the email,
    2. is the only one that is charged with honoring opt-out requests made by recipients, and
    3. is the only one who must include their contact information.

    By requiring the designated sender to comply with these provisions of law, the other marketers using a single email message must ensure that the entity that is the designated “sender” complies with the Act and the Commission’s rules. Otherwise, the other marketers using the email risk losing the protections provided by the proviso and each will be a “sender” of the message.

  • Forward to a Friend In order to avoid liability for “Forward to a friend” or “Send to a friend,” there cannot be a linkage between sending the mail and any sort of enticement or offer for having done so. If the linkage does not exist, then the “sender” will be the person filling out the form. If the linkage does exist, then the “sender” will be the company. The rule here is a “bright line” rule. The FTC says that any form of enticement at all will be enough to change the “sender” from the person filling out the form to the company:
    

    CAN-SPAM defines “procure” to mean “intentionally to pay or provide other consideration to, or induce another person to initiate [a commercial email] on one’s behalf.” As explained in the NPRM, if a seller offers to “pay or provide other consideration” to a visitor to its website in exchange for forwarding a commercial message, the seller will have “procured” any such messages forwarded by the visitor. As noted in the NPRM, the term “consideration” is not defined in the Act, but is generally understood to mean ‘something of value (such as an act, a forbearance, or a return promise) received by a promisor from a promisee.’ This includes things of minimal value. Accordingly, a message has been ‘procured’ if the seller offers money, coupons, discounts, awards, additional entries in a sweepstakes, or the like in exchange for forwarding a message. Even the offer to provide de minimis consideration takes the seller beyond the mere ‘routine conveyance’ of the forwarded message and into the ‘procurement’ of the forwarded message….Likewise, if the seller ‘induces’ the forwarding of the message — such as by offering payment in exchange for generating traffic to a website — it will be an ‘initiator,’ and thus also the ‘sender,’ of the forwarded message.

    So, who should the sender be? To be safest, clients should assume that they are the sender and send accordingly. Sending with the client’s name, with perhaps “on behalf of” the friend tacked on for recognition, is probably the best way to go here.

So, that’s our CAN-SPAM checklist. Any questions?