Internet Law Attorneys Enrico Schaefer and Timothy Walton discuss the following issues:
- Is all spam illegal?
- What do I need to do to comply with spam laws?
- What are the requirements of the Federal CAN-Spam Act?
- What Kind of domain name may qualify as deceptive under the CAN-Spam Law?
- CAN-Spam header and subject line requirements.
- Penalties for violating the CAN-Spam Act.
Welcome to Internet Law Radio where we discuss the hottest topics in Internet law. If you are facing an Internet law issue, cyber law complaint, web site or e-commerce issue, we have an Internet lawyer ready to help.
Enrico Schaefer: Welcome to Internet Law Radio. My name is Attorney Enrico Schaefer and we have a great show for you today. Today, we’re going to be talking to Attorney Timothy Walton. And Timothy is an attorney in California. He specializes in spam cases, both on advising clients and litigation; spam litigation cases. Timothy, how are you doing today?
Enrico Schaefer: Good. Good. Timothy Walton is an attorney who has a website, TimothyWalton.com, and today we want to talk a little bit about some spam basics, Timothy, so that consumers, companies and big and small businesses can understand how spam law works and what they need to be concerned about. So, let’s just start with…give me your definition of spam. When someone calls you on the phone and wants to know what is spam law, what is spam, what do you tell them?
Timothy Walton: I tell them that there are a number of different definitions of spam, but the one that is most prevalent in the law is unsolicited commercial email.
Enrico Schaefer: Unsolicited commercial email.
Timothy Walton: So this has three different aspects to it. The first is that it’s unsolicited, meaning that nobody has requested the email. If somebody makes a request to receive email, then it’s not unsolicited; that’s a solicited email. If somebody has consented to receive the email, it’s not unsolicited.
The next aspect is that it be commercial in nature. So, if somebody is sending an email that is political or religious, that is not commercial in nature and that does not run afoul of the law in most cases because of the First Amendment. So, commercial speech is regulated at a different level than other types of speech. So, if somebody sends a political ad, for example, in favor of some candidate for office, then that is not typically regulated by federal or state laws. But if it is for the purpose of generating some money income, then it’s commercial. And then the third aspect, of course, is that it be email as opposed to a text message to your iPhone or some other communication.
Enrico Schaefer: Interesting. And so that may or may not have legal issues involved but it’s technically at least not spam.
Timothy Walton: Right. And other people use different definitions for spam than I do. For example, some people might say that all bulk email is spam, but I like to adhere to what the Congress and various state legislatures have defined as spam and that is unsolicited commercial email.
Enrico Schaefer: When you hear the word spam, it’s got, of course, a very negative connotation to it. Is all spam illegal?
Timothy Walton: That depends on the law, of course. Federal law says that some spam may be lawful. Congress, in passing the CAN-Spam Act, said that it is lawful to send spam if it does not run afoul of the specifics of the law, which generally means that it’s not deceptive, false or misleading.
Enrico Schaefer: Yeah. And so, we use the word spam a lot to refer to this unsolicited email. I think in the common vernacular most consumers think of spam that way. Everyone receives spam in their email inbox most weeks, and many of us, most days. And it’s email that we didn’t ask for but somehow we ended up on a list. We end up getting the email, and then, of course, we, hopefully, maybe have some options of opting out, etc. But I think you would agree, it’s generally true, we tend to receive a lot spam each week, each day.
Timothy Walton: That’s true. And while some states like California, for example, have said that any spam, as we have just defined it, would be unlawful. Congress, for the federal level, has said that some spam may be lawful.
Enrico Schaefer: Right. Now, let’s talk a little bit, then, about the federal law; The United States CAN-Spam Act. I assume that you get a lot of calls from businesses and clients who want to send bulk unsolicited email or unsolicited email and, yet, they want to make sure that they’re complying with the CAN-Spam Act. How do you help those folks?
Timothy Walton: To comply with the Federal CAN-Spam Act, in general, you have to use accurate header information. That means that your “from”, “to”, “reply to”, “routing information”, and related information must be accurate. Those are all accurate indications of whom the spam is from and how to reply to the spam.
Enrico Schaefer: And so, one example, of course, in my email inbox, is always getting spam email from Bank of America or PayPal telling me that my account has been compromised and I need to log into the system, right? And, of course, I know that’s bogus email and the way I can always confirm it is by looking at the email from address and see that, in fact, it’s not bankofamerica.com.
Timothy Walton: If it’s not bankofamerica.com that is sending it claiming to be Bank of America, then, yes, it would be spam and that’s probably also a phishing, but that’s a whole separate thing.
Enrico Schaefer: Yes, exactly. In terms of this false and misleading header information, what kinds of things do you see in your practice that are false and misleading in the header information? What’s going on there?
Timothy Walton: Well, there’s two different aspects of it. One is general contact information, and then the second is the subject lines. So, the contact information is the from, to and reply to and the routing information that includes the date. So, often, if a spammer is wanting to avoid being identified, then they will put somebody else’s information in those headers. They might even include the recipient’s information in the “From” address to avoid getting the bounce-backs where a bad address is in there or where somebody just simply hit reply and requests to be removed. Deceptive subject lines are sort of a separate thing where somebody might say that the subject line is about some celebrity, but, in fact, the advertisement is for Viagra, Cialis, or something like that.
Enrico Schaefer: Right. Right. Now, so, If I own a domain name and I’m going to send email out and I own the domain name, and therefore, I’m controlling the email accounts on that domain name, is that typically enough to qualify as not false or not misleading header information in my from line.
Timothy Walton: If you are actually sending it from that domain name, then that should be sufficient. If you’re hiring some other person to send the spam, then there could be a problem there.
Enrico Schaefer: Okay. Because, obviously, domain names are kind of ubiquitous and they sometimes don’t tell you much about who the sender is either.
Timothy Walton: Well, and that gets into another issue about how you registered the domain name, because some people will register a domain name and use a privacy service so that they’re not actually stating the owner of the domain name. And under CAN-Spam, if you send email from more than two domain names that are privately registered, then that is deceptive.
Enrico Schaefer: Interesting. Because I would think that’s where a lot of people would get in trouble is, you know, they figure, well, this isn’t deceptive, I own this domain name but they fail to confirm with their web folks that, in fact, their Whois information is visible from the back-end.
Timothy Walton: That’s right. That’s right. And CAN-Spam also has other requirements beyond the header information and the subject lines. For example, you have to identify the message as an advertisement somewhere in the body or the subject. You also have to provide a valid postal address. And, you have to provide opt-out information in the body of the email. So, it’s not enough to simply provide true information in the headers and assume that the recipient will reply if they want to opt-out, you have to give them a mechanism for opting out.
Enrico Schaefer: Interesting. I would think that a lot of people would get in trouble on the physical address – the postal address – part because, in the digital age, that seems to be an item that’s kind of gone by the wayside in lots of ways, and people don’t tend to think about including their physical address in an email.
Timothy Walton: Yeah, I think that’s true. I think that if somebody wants to send unsolicited commercial email, and there are valid reasons for doing so, it does make sense to hire an attorney who is familiar with CAN-Spam to make sure that you are not running afoul of these requirements.
Enrico Schaefer: Yeah, I would think that there is some pretty good penalties here. Why don’t you tell us about those?
Timothy Walton: The penalties vary depending upon who is trying to enforce the law. So, the government certainly is entitled to enforce the law, and that might be the Federal Trade Commission or Attorney General of any given state. ISP’s are also allowed to enforce the law. An ISP is an internet service provider, which is fairly broadly defined to mean that if the ISP is providing email access to others, including employees, then it’s an ISP, so it’s not simply AOL or Microsoft, but also large companies can enforce the law because they’re providing email addresses for their employees. The penalties can be huge. If the FTC sues an emailer, it could be $16,000 per message at the far end.
Enrico Schaefer: Wow! That’s a big number considering they tend to send a lot of messages out when they do this kind of thing.
Timothy Walton: That’s right. Most people who send these find that if you send a million emails, it’s not that much different in costs from sending twenty million emails. And, even an ISP can sue for $100 per email under the Can Spam Act 2003, which at a million emails, it’s still a lot of money.
Enrico Schaefer: How much activity has there been from the ISP point of view in trying to limit the amount of spam that comes through their systems in violation of the Can Spam Act 2003.
Timothy Walton: After CAN-Spam was passed, there was a lot of activity in this regard from ISPs like Microsoft and AOL. That has somewhat dropped off. AOL was very active in suing spammers before CAN-Spam was passed and they are continuing their effort. Microsoft mostly found that they were getting a lot of default judgments against people who were not paying the judgments, so they have dropped off to a certain extent. And, what we’re finding now is that the vast majority of lawsuits are for very small ISPs.
Enrico Schaefer: Right. Interesting. Well, that’s fascinating stuff Timothy. This is going to conclude our show for today. Timothy, it was great having you on the show today. We look forward to having you back and talk some more about spam and the Can Spam Act 2003 and other compliance issues that people need to be thinking about and need to be working with their attorneys very closely on in order to avoid this kind of liability.
Timothy Walton: Thank you. It was good talking to you.
You’ve been listening to Internet Law Radio. Whether you are facing a domain name, intellectual property or a complex litigation issue, we have an Internet law attorney ready to answer your questions.