The Difference Between Federal Anti-Spam Laws and State Spam Laws
Internet Law Attorneys Enrico Schaefer and Timothy Walton discuss:
- What is the difference between state and federal law regarding spam?
- How to comply with California and Washington State spam laws.
- What are the state law penalties in California for violating the spam law?
- Can I buy a list of email addresses without violating spam laws?
- If my business is located outside California, do I still have to comply with the California spam law?
- What is a false, misleading or deceptive header in an email under spam law?
- Do I have to provide an opt-out for email recipients in order to comply with spam laws?
- What are the risks of advertising using unsolicited emails?
Welcome to Internet Law Radio where we discuss the hottest topics in Internet law. If you are facing an Internet law issue, cyber law complaint, web site or e-commerce issue, we have an Internet lawyer ready to help.
Enrico Schaefer: Welcome to Internet Law Radio. My name is Internet Attorney Enrico Schaefer. Today, we are here with attorney extraordinaire Timothy Walton, who is a California attorney of counsel to Traverse Legal running a website at www.timothywalton.com, and he specializes in all things spam. How are you doing today, Timothy?
Timothy Walton: I’m good, thank you.
Enrico Schaefer: Good. Well, we’ve run some prior shows, Timothy, on the federal CAN-Spam law, and talking about some definitional aspects to what is spam. Today, I want to talk a little bit about state law, because I think what people need to realize is that it takes more than complying with the federal CAN-Spam Act if you want to be in full compliance with the various spam laws that are out there. What is going on at the state level?
Timothy Walton: Well, there’s a number of things and part of the reason that the federal CAN-Spam Act was passed was because of the variance in state laws. For example, one state law might have a labeling requirement in the subject line that contradicts another state law’s labeling requirement so that it’s impossible to comply with both at the same time. And because it’s extremely difficult to determine the exact location of the recipient, you’re not necessarily certain which state law you have to comply with. The two biggest state laws to comply with are California and Washington state simply because those have been the areas where either recipients or the government has been very active in enforcing the law. So, while Nevada state law might have some particular requirements in reality. Most people in Nevada are not going to sue for violation of the law because it’s damages of $10 per spam. But in Washington state, the damages are $500 per spam, and in California the damages can be as high as $1,000 per spam.
Enrico Schaefer: Now, let me ask you, Timothy, right there. Does that mean $1,000 per spam campaign or is that $1,000 per spam email
Timothy Walton: That’s “per spam email” up to $1 million per spam campaign.
Enrico Schaefer: That would hurt, wouldn’t it?
Timothy Walton: It would, and particularly because the spam campaign is somewhat undefined. They define it as an incident, which could mean that if you send a thousand spam emails one day and thousand the next, that could be a $1 million for the first day and $1 million for the next campaign, which is $2 million total. And since most people tend to send a lot more than a thousand at a time, they add up very, very quickly.
Enrico Schaefer: Yeah, I would think that that would be a very high-risk item. And just about everyone out there is running some sort of Constant Contact or some other email marketing campaign for their business where they’ve ended up with a whole list of email addresses, and typically the people that provide these email addresses aren’t always opting into an email list request. So, it just seems like this problem, this spam and spam compliance problem, must be really penetrating into just all forms of business.
Timothy Walton: It can if the sender is not very careful about how they acquire the email addresses. For example, you brought up Constant Contact. They have a requirement that the advertiser provide the email addresses. Constant Contact does not provide a list email addresses. So, if the advertiser wants send to a million or ten million email addresses, they have to come up with those on their own. And if they collect those email addresses from their website, that’s one thing because then they can show that there was a direct opt-in. But if they buy a list of a million email addresses from somebody else, then that is not direct opt-in, and that makes them unsolicited by definition under California law.
Enrico Schaefer: Right.
Timothy Walton: There is a Safe Harbor under California law where an advertiser can show that they have a mechanism, policies and procedures for avoiding sending email to people who don’t want it. But this is a very high standard which is typically not going to be met if you purchased the email addresses.
Enrico Schaefer: Now, under California spam law, I take it that applies to companies that may be located outside California who are sending spam email to consumers and citizens within California. Where is that line? How do I know, if I’m a New York business, I have to worry about California spam law?
Timothy Walton: Well, New York businesses have to worry about California spam law because under the United States Supreme Court Guidelines, if you are advertising to somebody in California, then you are subject to jurisdiction in California and subject to their laws.
Enrico Schaefer: So, if I am sending spam, even to a single person in California, I may have taken on a risk.
Timothy Walton: Yes.
Enrico Schaefer: Interesting. So, tell me what it is, as a business owner, I need to be worried about in terms of compliance with California spam law.
Timothy Walton: There are a number of different aspects here. Typically, California spam law refers to the headers of the email so that you cannot use false, misleading, or deceptive headers, including “from”, “to”, “reply to”, or “subject lines.” But, California also has other laws which apply to the body of the email so that if you are sending an email that says “you opted in” on such-and-such a date, using such-and-such an IP address, if that is false, that would run afoul of the Consumers Legal Remedies Act.
Enrico Schaefer: Wow, so you have to worry about not only California’s spam statute, but also all the unfair competition and related statutes out there that might apply to broadly deceptive advertising.
Timothy Walton: That’s right. And the fact that you believe your statements to be true, is not, generally, a defense. So, for example, one of the problems that advertisers run into is that somebody might sign up on their website using an email address that doesn’t belong to them. And so if this random person provides an email address to the advertiser, and then the advertiser sends an ad to that email address, the person who actually owns that email address will not have opted in and it will be, by definition, unsolicited commercial email.
Enrico Schaefer: I got it. Now, what are the key differences between the federal CAN-Spam law and California spam law?
Timothy Walton: There are several. The most major one is that the CAN-Spam Act requires that there be an opt-out mechanism and that the advertiser comply with opt-out requests at least within ten business days. Under California law, there is no requirement that there be an opt-out mechanism, nor is there any requirement that the recipient actually opt-out.
Enrico Schaefer: so how does that work?
Timothy Walton: That means that if somebody receives an email advertisement that they didn’t sign up for, and therefore it is unsolicited, they don’t have to opt-out. They can wait and collect lots of emails and then sue for $1,000 per email. And even if the advertiser can prove that they mechanisms in place and policies and procedures to prevent the sending of unsolicited commercial email, it is still $100 per email.
Enrico Schaefer: Wow! That is pretty serious business. I think that people generally think.
Timothy Walton: It adds up quick.
Enrico Schaefer: It adds up quick and I think people generally think that as long as I have an opt-out I’m safe. In California, that’s not true. And really, to some extent, even under the federal CAN-Spam Act, if it’s deceptive, they still have a problem.
Timothy Walton: That’s right.
Enrico Schaefer: Interesting. Anything else about California or state law spam issues that you are seeing in your practice on a regular basis.
Timothy Walton: One thing that I see often is that the senders of email will claim that the recipients of email have done something wrong. And while this may appear to be a valid defense of unclean hands, in almost every case, the court has found that the mere receipt of email is not enough to show unclean hands, and the burden is on the sender of the email to show that everything they did was correct. And they have to show not only compliance with California law, but also federal law as well.
Enrico Schaefer: Interesting. So that’s really tricky. The interesting thing I see here is that brick and mortar businesses and companies that are trying to do online advertising and marketing really need to be careful about designing their program from the ground up to be in compliance with state law, including California, Washington state and perhaps even Nevada, as well as federal law in designing these programs. Because if your first notice of a CAN-Spam or state spam law violation is getting a letter from plaintiff’s counsel, well, you can’t unring that bell; you already have a big problem, correct?
Timothy Walton: That’s right. And that’s why it’s so important that if somebody wants to advertise using unsolicited email, they need to have competent counsel that can help them not just with California law and federal law, but with other laws such as Washington and Nevada and Connecticut and New York.
Enrico Schaefer: Interesting. This has been a great show for today with Timothy Walton, attorney extraordinaire, specializing in Internet Law and especially spam law. Thanks for coming on the show today, Timothy.
Timothy Walton: Thank you.
You’ve been listening to Internet Law Radio. Whether you are facing a domain name, intellectual property or a complex litigation issue, we have an Internet law attorney ready to answer your questions.