Posted On: June 19, 2009 by David Johnson

Six Years After CAN-SPAM: Effective Spam Control Can Require Both Technical and Litigation Solutions

CAN-SPAM (15 U.S.C. § 7701-7713) was enacted in 2003 in response to a national hue and cry over spam. At the time, unsolicited commercial email was estimated to account for half of all electronic mail traffic. According to the Congressional "findings" in the preamble to the Act, the sheer quantity of spam was doing real damage to the internet, creating costs for storage, accessing, reviewing and discarding unwanted emails, and reducing the reliability and usefulness of electronic mail to the recipient. The findings further stated that "The growth in unsolicited commercial mail imposes significant monetary costs on providers of Internet access services, businesses and educational and nonprofit institutions that carry and receive such mail, as there is a finite volume of mail that such providers, businesses, and institutions can handle without further investment in infrastructure." 15 U.S.C. § 7701(a).

Given these findings, one would think that CAN-SPAM would impose onerous penalties on spammers. Au contraire, mon frere! Instead of "canning" spam, the act became known as the "Yes, You CAN SPAM Act." In fact, the Act does nothing to outlaw the sending of unsolicited emails per se.

Rather, the sending of unsolicited emails is permitted as long as a few basic rules are followed. In general: (i) the "from" and "subject matter" lines in the header must be accurate, relevant to the subject matter of the email and not misleading; a commercial advertiser must also provide its physical address, and a label must be present if the email contains adult content; (ii) the email must contain an "opt-out" mechanism, which must be honored within 10 days; and (iii) the email must not be sent to an email address obtained through "address harvesting" or a "dictionary attack" and must not be sent via automatically created email accounts or a computer network to which the sender has gained access without authorization.

Another important element of CAN-SPAM is that it provides that "any statute, regulation, or rule of a State . . . that expressly regulates the use of electronic mail to send commercial messages" is "superseded" -- i.e., preempted. This means that states cannot enact laws that are expressly directed at preventing the sending of unsolicited email messages or at reducing the quantity of email messages that can be sent by a single person. In other words, CAN-SPAM means that the federal government has refused to prevent spamming per se and has declared that the states can't do it either (unless the spam is accompanied by "falsity or deception"). The effect is that much of the job of preventing spam per se is in private hands.

Preventing spam has proven to be very expensive. Many IT departments have equipment and personnel dedicated full-time to the job of eliminating spam and malware -- often at the cost of tens or hundreds of thousands of dollars per year. Increasingly, the job is being outsourced to malware protection firms, which can often provide malware and spam protection service more effectively and for far less money than individual IT departments. (It's an economy of scale thing.) A number of ISPs include spam protection as part of their service packages, as well.

Despite this progress, IT professionals and industry statistics indicate that the quantity of spam has actually increased in the past 6 years. And while a high percentage of spam is being caught and eliminated, a substantial portion leaks through even the most sophisticated defenses.

However, because spammers know that sending a high volume of emails from a particular address will cause the emails to be blocked, they have been "forced" to engage in activities that are prohibited by CAN-SPAM and state laws. For example, spammers sometimes attempt to fool spam-prevention devices by inserting the email address of a user at a company they wish to target in the "from" line, assuming that the company will not attempt to block emails sent from its own email addresses. However, this tactic is a direct violation of CAN-SPAM, which prohibits the sending of email that contains materially false or misleading "header information" -- a term that includes "the originating domain name and originating electronic mail address." 15 U.S.C. §§ 7702(8), 7704(a)(1).

While an IT department may be able to create a "fix" for this type of security breach, it knows that the spammer will simply look for -- and undoubtedly find -- another way to get its email through the system.

What this means is that if the problem is significant enough, it may make sense to bring a suit to inflict significant pain on the spammer, and perhaps put him out of business entirely. In many cases, a private suit can be brought under CAN-SPAM against the spammer. In other cases, it may be possible to bring suit under state statutes. A private CAN-SPAM suit can be a very effective club, since it permits the plaintiff to recover the greater of its actual damages or statutory damages of up to $100 per violation, plus treble damages and attorneys' fees.

When dealing with a significant spam problem, your first resort may be to a technical fix. But for problematic spammers, it also makes sense to talk to a digital media lawyer and consider whether legal options should be used as well.

If you have questions regarding the applicability of CAN-SPAM or other statutes regarding emails, please feel free to contact me.

David D. Johnson is a business lawyer whose practice focuses on litigation and other issues relating to digital media and consumer electronics companies. David can be contacted at (310) 785-5371 or DJohnson@jmbm.com.