The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (the “CAN-Spam Act” or “Act”) takes effect January 1, 2004. This is the first federal law specifically regulating commercial e-mail. The Act, in most cases, will pre-empt the array of anti-spam legislation passed by more than 30 different states, including California’s strict anti-spam law which was also set to take effect on January 1, 21004. Provisions in state anti-spam laws that prohibit false and deceptive e-mail content and message transmission information, however, will remain in effect, as will state computer crime laws, consumer protection acts and other laws of general applicability.
The Act applies to any commercial e-mail “the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.” If an e-mail is covered by the Act (seeks to advertise or promote a product or service), the Act prohibits the "sender" from using: (1) false or misleading “header” information (the “From” line) and (2) deceptive “Subject” lines. The Act further requires that such e-mail include: (1) a “clear and conspicuous identification that the message is an advertisement or solicitation;” (2) a valid physical postal address for the “sender;” and an "opt-out" mechanism for recipients to express their desire to be "removed from the list." If a recipient requests not to receive future email from the sender, the sender must comply within 10 days.
Pursuant to the Act, the "Sender" is not only the entity that initiates or transmits the e-mail message (the “Transmitter”), but also the entity whose product, service, or website is being promoted by the message (the “Seller”). Therefore, if a Seller uses an outside e-mailing company or other Transmitter to send advertisements or promotional material via e-mail, the Seller should ensure that the contract with the Transmitter requires compliance with the Act and will indemnify the Seller for any violation.
The Act does not provide a provide right of action (an individual right to sue for damages). Instead the Act is enforced by the Federal Trade Commission (“FTC”) and by State Attorney Generals who may seek injunctions, prison terms, and/or fines of up to $250 per email for violations of the Act. Triple damages are available for willful violations or violations in which e-mail addresses were “harvested” from other websites or generated by “dictionary” attack programs.
The FTC is charged with issuing additional guidance related to the Act, such as specifying the warning necessary for adult-content e-mail. The FTC is also expected to issue a report on the possibility of creating a national Do-Not-Email registry similar to the existing Do-Not-Call registry.