On January 1, 2004, commercial email became a federally regulated activity thanks to the CAN-SPAM Act. This legislation, which became significantly more potent in the course of its final revision in December 2003, provides for both civil and criminal liability for wrongdoers.
Although targeted at those whose activities were already questionable under existing laws, the CAN-SPAM Act may ensnare legitimate businesses as well, especially small businesses with no compliance experience. Every law has its first fall guy. It's only a matter of time before CNN broadcasts the first CAN-SPAM perp walk.
For this reason, companies large and small must establish compliance programs and train their employees, especially those in sales and marketing. The trick to compliance lies in interpreting the law as conservatively as possible, since no courts have yet opined on its scope. This article will help get you started.
Consent: Good to Have, but Not a Free Pass
Earlier versions of the CAN-SPAM Act applied primarily to unsolicited commercial email, but the final version of the law applies to all commercial email. Furthermore, the law only recognizes one form of consent—“affirmative consent” (it used to also recognize “implied consent”). Although obtaining affirmative consent enables you to bypass some of the law's requirements, no one knows how far such consent extends.
For example, suppose you publish a monthly email newsletter that uses a double-opt-in subscription process. Under the law, you likely have the affirmative consent of your subscribers to send them your newsletter every month. But what if you decide to increase the frequency to biweekly? Or what if you also periodically send standalone promotional messages to the same subscribers?
Until a court or the FTC addresses the scope of affirmative consent, take a conservative approach—treat all of your company's commercial email as unsolicited, and make sure it complies with all of the law's requirements.
Eight Not-So-Simple Rules for CAN-SPAM-Compliant Email
Complying with the CAN-SPAM Act with respect to your lists entails adhering to the eight rules discussed below. As you read through these rules, keep in mind that just one email message can trigger a CAN-SPAM violation. Therefore, you should apply these rules not only to your bulk distributions but also to individual solicitations sent by your salespeople.
1. Staying out of Prison
As bad as paying a civil fine of $250 per noncompliant email message may sound, going to prison is an order of magnitude worse. Therefore, it is absolutely essential to make sure that no one at your company engages in any of the five activities that the CAN-SPAM Act has criminalized:
- Intentionally sending commercial email from a foreign or domestic computer that you do not have authorization to use.
- Using a foreign or domestic computer to “relay or retransmit” commercial email “with the intent to deceive or mislead recipients or [an ISP]” as to their origin.
- Materially falsifying the header information of the commercial email you send.
- Setting up five or more email accounts or two or more domain names with materially false identities and then sending commercial mail from any of the accounts or domain names.
- Falsely claiming ownership of five or more IP addresses, and then intentionally sending commercial email from any such IP address.
Each of the crimes listed above kicks in at relatively low volumes—101 or more messages within 24 hours, 1,001 or more messages within 30 days, or 10,001 or more messages within one year. Just think—send out 100 such messages in a day and you may face civil liability; send one more, and you may find yourself behind bars.
Contrary to popular belief, the CAN-SPAM Act does not outlaw widely criticized techniques such as “address harvesting” or “dictionary attacks,” but those who use such techniques face stiffer penalties for criminal or civil violations. Because no one yet knows how courts will interpret the law, you should not use those techniques.
2. Materially Misleading Header Information
Falsifying header information is a crime. Misleading header information can result in a civil penalty. What's the difference? It's hard to say at this time, but you should undertake the following steps to ensure squeaky-clean headers:
- If you send commercial email from your own server, make sure the IP address listed in your email header has a valid “Reverse DNS Lookup” associated with your domain name. You can check the reverse lookup of your IP address for free at DNSstuff.com.
- If you send commercial email through an email distribution service, place your company name and email address in the “from” line. Most services offer this feature.
- Make sure that everyone in your company has their email accounts properly configured in their email client and their outgoing email messages list their full name and email address in the “from” line.
3. Using Descriptive Subject Headings
The CAN-SPAM Act prohibits subject lines likely to mislead recipients about a “material fact regarding the contents or subject matter of the message.” Even if you unknowingly mislead recipients, you may still be liable if under the circumstances a reasonable person would find the subject line materially misleading.
This requirement should not significantly impact legitimate businesses because it still allows for writing teasers and still allows for focusing on the content most likely to maximize the open rate.
For example, every Tuesday, MarketingProfs.com distributes a newsletter that summarizes and links to the latest articles. Because of technical size limitations, MarketingProfs.com could not possibly describe each article in the subject line. Fortunately, the law does not require a comprehensive description.
Instead, using “Is Your Company CAN-SPAM Compliant?—and Other Helpful Articles” for the subject of the newsletter in which this article appears would not likely raise so much as an eyebrow at the FTC (or even in Eliot Spitzer's office), yet it's a classic teaser.
Notwithstanding this freedom, you should appoint someone to review and approve subject lines for at least your bulk distributions. In addition, testing subject lines will become more important than ever.
4. Allowing Your Reply Address to Function as an Unsubscribe Mechanism
Unsolicited commercial email messages must feature either a “return address” through which someone can unsubscribe or another “Internet-based mechanism, clearly and conspicuously displayed.” If used as an unsubscribe mechanism, a return address must remain functional for 30 days after a message is sent.
Until the courts or the FTC clarify what kind of unsubscribe links qualify as “clearly and conspicuously displayed,” you should send email from an address that someone at your company checks periodically (see below for specifics on frequency) for unsubscribe requests.
This way, if the tiny unsubscribe link at the bottom of your message is someday deemed noncompliant, your messages as a whole will still be compliant thanks to the reply address. For additional insurance, list the reply address somewhere in the message as well.
5. Handling All Unsubscribe Requests on at Least a Weekly Basis
The CAN-SPAM Act mandates that companies refrain from sending unsolicited commercial email to someone more than 10 days after that person submits an unsubscribe request.
This requirement does not necessarily mean that you must act on unsubscribe requests within 10 days. If, for example, you use your house list every four weeks, you have 28 days to act on unsubscribe requests. Nonetheless, you should consider handling such requests on at least a weekly basis for foolproof protection from violations.
If possible, you should also keep a record of each unsubscribe request and the action taken. Many email distribution solutions can keep track of those who unsubscribe and the date they did so.
6. Centralizing Your Lead/Contact Database
Because the CAN-SPAM Act attributes email messages sent by an individual to the entity promoted in the message (your company or one of its divisions), the time has come for companies to rethink the way they manage the email addresses of prospects and customers.
If your company has several different lists, or if your salespeople have their own personal lists, you should centralize these disparate lists into one multiuser database.
The easiest way to accomplish this is by using an email distribution service (e.g., ActionMessage, Cheetah). If your contact/lead management needs exceed the capabilities of such services, you should implement a customer relationship management system, whether software (e.g., GoldMine, Siebel) or an online service (e.g., Salesforce.com, SalesNet.com).
The bottom line is that when someone unsubscribes, you need to make sure that no one else in your division/company (depending on the circumstances) emails that person again.
7. Creating a Standardized Identifier for Email Solicitations
Unsolicited commercial email must provide “clear and conspicuous identification that the message is an advertisement or solicitation.” The CAN-SPAM Act does not provide any specifics (except in the case of pornographic material) on how to comply with this requirement.
Although many companies will use the “ADV” abbreviation in the subject line (which arose to prominence thanks to various now-defunct state laws), the CAN-SPAM Act does not require this approach. Because many spam filters look for “ADV,” you should not use it.
A better solution is to create a standardized identifier for your company. For example, you might begin each subject line with your company's name or an abbreviation. Since there is no requirement that this identifier reside in the subject line, you could instead place something at the top of your messages.
The FTC will publish guidelines on this requirement within the next 18 months. Until then, some experimentation and testing with a company- or division-wide standard will lead you to a compliant solution with minimal or no impact on effectiveness.
Incidentally, if you have affirmative consent, you need not provide an identifier in your commercial email messages. However, until the courts address the scope of affirmative consent, your best bet is to comply with this requirement.
8. Listing Your Company's Street Address
The CAN-SPAM Act requires the inclusion of “a valid physical postal address of the sender” in every unsolicited commercial message but does not indicate whether a P.O. box will suffice.
Until a definitive answer exists, you should use a street address. If your company does not have a street address or you do not want to list it because you work out of your home, you can rent a virtual street address for approximately $100-$200/month from companies such as HQ Global Workplaces and Regus.
Since the law applies to even a lone commercial email message, you should require all employees (or at least your salespeople) to place a company-approved signature containing your street address at the end of every email message they send. Too few companies take advantage of the marketing potential of standardized signature lines. Therefore, this requirement may boost rather than reduce sales.
Third-Party Email Lists: the Controversy and an Alternative Interpretation
The CAN-SPAM Act has implications for a common activity—third-party list rentals.
A number of marketing professionals have interpreted the CAN-SPAM Act as requiring multi-company list cleansing even when affirmative consent exists. In other words, they claim that if you run a full-message email ad (or “blast” as some refer to it) on a third-party list, and a recipient requests removal, both you and the third party must remove that person from your respective lists.
This Draconian interpretation would set an impossible bar for many legitimate businesses, at least until they upgrade their email marketing technologies or some neutral body establishes a centralized clearinghouse. It also likely violates countless privacy policies and fails to address many common scenarios.
For example, what if the recipient subscribes to your list in the process of responding to your ad, and then unsubscribes from the third-party list? To make matters worse, what if the recipient does not click the unsubscribe link in the ad until several months after distribution?
Fortunately, a more plausible—but not yet validated (so rely on it at your own risk)—interpretation exists thanks to four key provisions:
- First, the unsubscribe provision of the CAN-SPAM Act applies only to “senders” and those who act on their behalf (i.e., the third-party list owner).
- Second, the law uses the term “initiate” to describe the act of sending commercial email oneself or through a third party.
- Third, the law defines “senders” as those who both “initiate” and “whose product, service, or Internet Web site is advertised or promoted by the message” (i.e., only you, not the third-party list owner).
- Fourth, the law circumscribes the extent to which commercial email from a “sender” can be attributed. For example, if a message makes it clear that it comes from a “division” of a larger entity, then unsubscribe requests apply only to that division, not to the entire entity.
Apply this logic to third-party lists, and if the list owner frames (wraps) your ad within its own branded template you can argue that any unsubscribe requests apply only to the list owner's lists and not your own. The list owner's branded template is key, because it essentially transforms the list owner into the “sender” or, alternatively, into a “division” of yours. Put differently, subscribers must feel that the list owner is sending them an ad as opposed to feeling that you're sending them an ad.
With this interpretation, you need not unsubscribe anyone from any of your own lists. An argument can also be made that the list owner does not have to remove those who unsubscribe from all of its future mailings, but rather only future mailings on your behalf. However, for the time being, list owners should adopt a more conservative approach and never email these people again unless they later rejoin the list.
As for you, the following guidelines will likely keep you out of trouble:
- Make sure that the list owner complies with the eight steps listed in the previous section. For good measure, make sure that you yourself comply with steps 3 (descriptive subject) and 8 (street address).
- Make sure that the list owner frames your ad within its own branded template that clearly indicates to recipients the origin of your ad and the extent to which unsubscribe requests will be attributed.
- If you run a subsequent ad on the same list more than 10 days after running the initial ad, verify that the list owner has removed previous recipients who requested removal.
A Final Word
Federal regulation is no picnic, but it need not stifle your email marketing plans. However, you should implement a compliance program and appoint a CAN-SPAM Czar to oversee your compliance program and stay abreast of new developments, such as court opinions and FTC regulations.
A compliance program will not provide you with an absolute defense to a CAN-SPAM violation, but it will significantly lessen the likelihood of such a violation in the first place; and should such a violation occur, it can significantly mitigate damages.
Disclosures: The author's employer is a customer of HQ Global Workplaces and Salesforce.com and may become a customer of ActionMessage.