From PLI’s Online Program
CAN-SPAM Final Rule Issued: Are You Compliant?
#19517
5
INTELLECTUAL PROPERTY ASPECTS
OF DOING BUSINESS IN CHINA
Elizabeth Chien-Hale
Institute for Intellectual Property in Asia
© Copyright 2007
Attachment I: Copyright © 2006 Peter K. Yu.
Reprinted with permission of the author
Attachment II: Copyright © 2005 Peter K. Yu.
Reprinted with permission of the author.
Data Privacy & Security Law
JULY 2008
ALBANY
AMSTERDAM
ATLANTA
BOCA RATON
BOSTON
CHICAGO
DALLAS
DELAWARE
DENVER
FORT LAUDERDALE
HOUSTON
LAS VEGAS
LOS ANGELES
MIAMI
NEW JERSEY
NEW YORK
ORANGE COUNTY
ORLANDO
PHILADELPHIA
PHOENIX
SACRAMENTO
SHANGHAI
SILICON VALLEY
TALLAHASSEE
TAMPA
TOKYO
TYSONS CORNER
WASHINGTON, D.C.
WEST PALM BEACH
ZURICH
Strategic Alliances with
Independent Law Firms
BERLIN
BRUSSELS
LONDON
MILAN
ROME
TOKYO
CAN-SPAM Final Rules Enacted: Are You Complaint?
It’s been nearly five years since Congress passed The Controlling the Assault of Nonsolicited Pornography and Marketing Act, or CAN-SPAM. Delivered with some fanfare
in December 2003, CAN-SPAM was supposed to reduce the seeming endless flow of
spam. Unfortunately, it hardly appears to have made a dent. Estimates are that
spam accounted for 90 to 95 percent of all emails sent in 2007.
Nonetheless, among legitimate email marketers, compliance with CAN-SPAM and its
subsequent regulations is an important, daily consideration. On May 12, 2008, the
Federal Trade Commission (the “FTC” or the “Commission”) issued additional Final
Rules, which became effective July 8, 2008. These Rules and the related discussion
on a number of email marketing issues are critical for anyone seeking to remain in
compliance.
Reviewing the Basics
What does CAN-SPAM Cover? CAN-SPAM covers any email that has a “primary
purpose of … commercial advertisement or promotion of a commercial product or
service.” There are exemptions from this broad definition for “transactional or
relationship” messages, including messages that: (1) “facilitate, complete, or
confirm a commercial transaction;” (2) provide warranty, product recall, safety, or
security information for a product purchased by the email recipient; (3) provide
statutorily limited information regarding a continuing purchase; (4) provide
information regarding “an employment relationship or related benefit plan;” and (5)
deliver goods or service, such as updates or upgrades, that the email recipient is
entitled to receive.
“Primary purpose” is a seemingly broad definition, so the FTC has issued guidance
on the required analysis.
• If the message contains only advertising, it has a commercial primary purpose;
• If the message has advertising and transactional/relationship content, it has a
commercial primary purpose if:
ƒ The recipient would interpret the subject line as containing a commercial
advertisement, or the transactional/relationship content does not appear at
the beginning of the message;
• If the message has both advertising and content that is not
transaction/relationship, it has a commercial primary purpose if:
ƒ The recipient would interpret the subject line to mean that the message
contains commercial advertising; or
ƒ The recipient would determine that the primary purpose of the message is
commercial advertising, using such factors as placement of the commercial
content at the beginning of the message, the proportion of the message
dedicated to commercial advertising, and how that advertising is highlighted.
• Finally, messages that contain solely transactional/relationship content do not
have a commercial primary purpose.
GREENBERG TRAURIG, LLP ƒ ATTORNEYS AT LAW ƒ WWW.GTLAW.COM
- 1
Data Privacy & Security Law
JULY 2008
What does CAN-SPAM require? So, if a message has a commercial primary purpose, what does CAN-SPAM
mandate? CAN-SPAM bars (1) false or misleading transmission information, especially referencing header
information and the “from” line, and (2) deceptive subject heading. Further, the message must contain a clear
notice of the recipient’s ability to opt-out of receiving future messages, and the opt-out mechanism must work
for at least 30 days after the message was sent. If the recipient decides to opt out, that opt-out must be
effective within 10 days. Thereafter, the sender may never send the recipient another message, unless it
receives a subsequent request from the recipient. Finally, the message must contain a clear identification that
the message is advertising, and a valid physical postal address for the sender.
Sexually Oriented Material. There are special restrictions for messages that contain sexually explicit material.
The FTC issues an “Adult Labeling Rule” under its CAN-SPAM authorization. That regulation requires that the
phrase “SEXUALLY-EXPLICIT” must appear within the first 19 characters in the subject line of any message
containing such material. Moreover, the message must be designed to prevent a recipient from viewing the
material accidentally. So, when the message is opened, it must only contain: (1) the “sexually-explicit” warning;
(2) a clear and conspicuous identifier stating that the message is a solicitation; (3) a valid opt-out; (4) the
sender’s valid physical address; and (5) instructions describing how the recipient can access the sexually
oriented material.
The Final Rule
The FTC’s new Final Rule covers a variety of areas that have been a longstanding concern among email senders.
Additionally, the comment issued along with the Final Rule provides the Commission’s analysis on a number of
additional critical issued. Below is a summary of the Rule and the commentary.
Person. In the NPRM, the FTC proposed adding a definition of “person,” which is a term used throughout the act
but undefined. It proposed to use the definition of person adopted in connection with the Telemarketing Sales
Rule – the term “person” would mean “an individual, group, unincorporated association, limited or general
partnership, corporation, or other business entity.” The FTC considered excluding non-profit associations from
that definition, but ultimately rejected that carve-out. The definition of person the Commission settled upon
advances the implementation of CAN-SPAM by clarifying that the term person is broadly construed and is not
limited to a natural person.
Multiple Senders of E-Mail Messages. CAN-SPAM defined “sender” as “a person who initiates [a commercial and
electronic mail] message and whose product, service, or Internet web site is advertised or promoted by the
message.” In the NPRM, the FTC proposed amending “sender” to adequately address the relatively common
scenario where multiple marketers use a single email message. A common example cited is an email from a
commercial airline that also contained advertisements or promotions for hotels or car rental companies.
The Final Rule defined that multiple “senders” of a commercial email, under certain conditions, may identify
one among them as the “sender” who will be deemed to be the sole “sender” of a message, or the “designated
sender.” Under the Final Rule, then, the designated sender, but not the other marketers using the same email
message, must honor opt-out requests made by recipients of the message. Further, the physical address of the
designated sender, but not the addresses of the other marketers using the same email message, must appear in
the message.
Before this Rule, under the Act, if multiple senders using a single email message met the definition of “sender,”
each would need to provide an opt-out mechanism, a valid physical postal address for each sender would have to
appear in the message, and each would be responsible for honoring an opt-out request by a recipient. This was a
needlessly complex arrangement that could often lead to unintentional violations of the Act.
GREENBERG TRAURIG, LLP ƒ ATTORNEYS AT LAW ƒ WWW.GTLAW.COM
- 2
Data Privacy & Security Law
JULY 2008
Instead, under the Final Rule, both telemarketers can designation a ‘sender’ for purposes of compliance with
CAN-SPAM, a person who: (a) meets the Act’s definition of “sender,” i.e., such a person initiates the commercial
electronic message in which it advertises or promotes its own goods, services, or internet website; (b) is
identified uniquely in the “from” line of the message; and (c) is in compliance with CAN-SPAM Sections
7704(a)(1), 7704(a)(2), 7704(a)(3)(A)(i), 7704(a)(5)(A), and 16c CFR and 316.4. These provisions apply to
initiators of commercial emails and require that the email message may not contain false and misleading
transmission information or a deceptive subject heading, but must contain a valid postal address, a working optout link, and proper identification of the message’s commercial or sexually explicit nature.
The NPRM cites one clarifying hypothetical example. If x, y and z are sellers who satisfy the CAN-SPAM’s
“sender” definition, and they designate x to be the single ‘sender’ under the Final Rule, among the three sellers,
only x may control the message’s content, control its recipient list, or appear in its “from” line. x need not
satisfy all three of these criteria, but no other seller may satisfy any of them. The sellers may use third parties
to be responsible for any criteria not satisfied by x. For example, if x appears in the from line, the sellers may
use third parties – but not y or z – to control the message’s content and recipient list. Thus, the Final Rule does
not eliminate the possibility that a message may have more than one “sender.” But marketers can use the
criteria set forth in the Rule to establish a single sender and CAN-SPAM’s compliance burdens.
The condition also noted that this rule change could lead illegitimate markers to escape liability under CANSPAM. But the FTC believed that the it had taken steps to reduce the likelihood of that abuse. First, marketers
in a single email message who are not designated senders are still “initiators” under CAN-SPAM and liable under
any other provisions that apply to initiators, such as prohibition against the use of deceptive headers and subject
lines and the requirement to include an opt-out link. Second, the Final Rule’s definition of “sender” requires
that the designated “sender” be incompliance with certain initiator provisions of the Act. If the designated
sender does not comply with these five “initiator” responsibilities, all the marketers will be liable as senders,
and not just initiators.
Safe Harbor for Email Messages Sent by Affiliates. The FTC considered, but ultimately rejected, a proposal to
adopt a “safe harbor” with respect to opt-out and other obligations for a sender whose product, service or
website is advertised by affiliates or third parties. In the FTC’s view, “affiliates” are induced to send commercial
email messages by sellers seeking to drive traffic toward websites and that sellers generally pay affiliates based
on the number of individuals who, directed by the affiliates, ultimately visit a seller’s website and/or purchase
the seller’s product or service.
The FTC noted that, with regard to whether a marketer that uses affiliates is an “initiator” under CAN-SPAM, a
person is an “initiator” if the person originates, transmits, or procures the original or transmission of a message.
In a typical affiliate marketing scenario, the affiliate is clearly an initiator, but the marketer does procure the
origination of the message. The Acts define “procure” as intending “to pay or provide other consideration to, or
induce, another person to initiate a message out of one’s behalf.” By offering in advance to pay some referral
fee, a seller or marketer create an inducement for the affiliate to originate or transmit commercial email
messages to the public. The seller thus induces another person – the affiliate – to initiate messages on the
seller’s behalf.
The Final Rule would absolve a marketer who initiated from liability if the marketer takes the prescribed steps
to ensure the affiliate complies with CAN-SPAM. Ultimately, the FTC presented against creation of a safe harbor,
relying instead on the new definition of sender to give marketers the necessary flexibility to market their
products using email on their own or in conjunction with other parties, while at the same time preserving the
protections afforded to consumers by CAN-SPAM.
GREENBERG TRAURIG, LLP ƒ ATTORNEYS AT LAW ƒ WWW.GTLAW.COM
- 3
Data Privacy & Security Law
JULY 2008
Messages Sent To Members of Online Groups. The FTC’s NPRM asked whether CAN-SPAM should apply to email
messages sent to members of online groups, more commonly referred to as discussion lists, list servs, mailing
lists, and chat groups. Although discussions groups are permission based, or “opt-in,” they often include
advertising in messages sent to subscribers. Many commenters to the Rule suggested that these lists or discussion
groups should not be subject to CAN-SPAM, because the burden of the regulations could have a chilling effect on
internet free speech. The FTC ultimately concluded that it is not unduly burdensome for online groups to comply
with CAN-SPAM. In cases where the primary purpose of email sent by and to online groups is not commercial,
the Act would not apply. But for those messages with a primary purpose that is commercial, group members
should be entitled to the benefits of CAN-SPAM’s opt-out provisions.
Definition of “Transactional or Relationship Message.” In its NPRM, the FTC proposed not to modify the CANSPAM’s definition of “transactional or relationship message.” After receiving some 50 comments on the issue,
the FTC concluded that it would not expand the definition at this time. It did take the opportunity to review a
number of categories of “transactional or relationship messages” and discuss its view on these issues.
Legally Mandated Notices. Should an email message that contains only a “legally mandated notice” – that is, a
communication mandated by state or federal law, be considered a “transactional or relationship message.” The
examples would include messages mandated by the Truth in Lending Act, the Gramm-Leach-Bliley Act, and the
US Patriot Act, and this just concerning billing errors and changes in terms or account features. Interestingly, all
thirteen commenters on this issue opposed classifying messages that solely contain legally mandated notices as
“commercial electronic messages.” But the Commission declined to take any action on the issue.
The Commission believed that, in most cases, the type of legally mandated notices covered by this definition
would be categorized as transactional or relationship messages. Those determinations, however, had to be made
on a case-by-case basis depending on the specific content and context of such messages. Further, if a message
providing a noncommercial legally mandated notice also include commercial content, it must be evaluated under
the Commission’s primary purpose criteria as a dual purpose message.
Debt Collection Emails. As for dunning notices, commenters urged that debt collection emails buyer seller from
whom the consumer made a purchase be considered transactional or relationship messages. This should be the
case, whether sent by the seller or third party on its behalf. And once again, the Commission declined to modify
the definition of “transaction or relationship messages” to include an express provision addressing debt
collection emails.
The FTC again believed that such a modification is unwarranted because debt collection messages will usually
qualify as “transactional or relationship messages” under the existing definition of the term. The primary
purpose of debt collection emails is not to “advertisement or promotion of a commercial product or service,”
and, therefore, they generally would not be commercial electronic messages under CAN-SPAM Section
7702(2)(A). The FTC believed that debt collection emails from a seller from whom the consumers made a
purchase are best understood as “completing … a commercial transaction that the email recipient has previously
agreed to enter into with the sender,” and thus aren’t “transactional or relationship messages” under Section
7702(17)(A)(i). It makes no difference whether that email comes from a third party collecting on behalf of that
seller.
Copyright Infringement Notices and Market Research. In response to the NPRM, several business organizations
urged the FTC to clarify that messages containing copyright infringement notices or marketing an opinion
research surveys are neither commercial nor transactional or relationship by nature and thus are wholly except
from the Act. As a general matter, the Commission agreed that if a sender has no previous dealings with the
GREENBERG TRAURIG, LLP ƒ ATTORNEYS AT LAW ƒ WWW.GTLAW.COM
- 4
Data Privacy & Security Law
JULY 2008
recipient – thus lacking the predicate for a message to be deemed “transactional” – and that sender’s messages
contain only a copyright infringement notice, the messages are also not primary commercial in purpose and thus
are not subject to requirements and prohibitions of CAN-SPAM. But where a copyright infringement notice also
contains information on how to obtain licensed versions of copyright materials, the FTC’s Primary Purpose Rule
Provisions governing dual purpose messages may lead to the conclusion that such messages are covered by CANSPAM. The same holds true for email messages containing opinion and research surveys. These messages may
fall outside the scope of the Act, but if any such message seeks to advertise by promoting brand, a company, or
a product or service to the recipient, it also may be primarily commercial in purpose and therefore subject to
the Act’s requirements and prohibitions.
Transactions That Do Not Involve an Exchange of Consideration. The NPRM sought comment on CAN-SPAM’s
application to messages sent pursuant to a relationship in which no consideration passes, such as messages from
any “free” internet service (such as Evite or Shutterfly). The FTC believed that the existing definition of
“transactional or relationship message” includes two categories that could include messages sent pursuant to a
relationship in which there has been no exchange of consideration – Section 7702(17)(A)(i), under which an
electronic mail message the primary purpose of which is to “facilitate, complete, or confirm a commercial
transaction that the recipient has previously agreed to enter into with the sender” is deemed transactional or
relationship in nature. And, Section 7702(17)(A)(v), which defines an email the primary purpose of which is to
“deliver goods or services, including product updates or upgrades, that the recipient is entitled to receive under
the terms of a transaction that the recipient has previously agreed to enter into with the sender which also
qualifies as transactional or relationship in nature.
The FTC concluded that, having reviewed the comments, it was persuaded that the term “commercial
transaction” in Section 7702(17)(A)(i) can encompass situations in which there have been no exchange or
consideration between the sender and the recipient.
Affiliated Third Parties Acting on Behalf of a Person. The FTC also sought comments on the applicability of
CAN-SPAM to messages sent by affiliated third parties that are acting on behalf of a party with whom the
recipient has transacted business. In the end, the FTC concluded that these messages are adequately covered by
existing regulation covering transaction/relationship messages. But it made clear that if the third-party were to
also market its own product in its such a message, the primary purpose analysis would be employed.
Messages Sent to Effectuate or Complete a Transaction. In developing the Final Rule, the FTC also sought
comment on whether an email sent to effectuate or complete a negotiation should be considered a
“transactional/relationship” message, and thus fall outside the scope of the Act. It ultimately concluded that is
did, requiring no further rule making on its part. It did make clear that an email offering to start a negotiation
was not exempt, and, if a party terminated the negotiations, an email from the sender seeking to restart the
message would not be a transactional/relationship message.
Messages in the Employment Context. The FTC also considered but ultimately rejected possible rule changes
with respect to employment related emails. There were several categories of concern to the FTC.
First, the commission sought comments on whether emails send to employees offering discounts and the like
should be considered a communications that “provide information directly related to an employment
relationship” under 7702(17((A)(iv) and whether it mattered that the employee’s email was provided by the
employer. It ultimately concluded that such emails constitute a transactional/relationship message under CANSPAM.
GREENBERG TRAURIG, LLP ƒ ATTORNEYS AT LAW ƒ WWW.GTLAW.COM
- 5
Data Privacy & Security Law
JULY 2008
Second, the FTC sought comments on whether an email that provides information directly related to an
employment relationship or related benefit plan in which the recipient is currently involved is a
transactional/relationship message if sent by a third party. It ultimately concluded that messages that would
be considered transactional/relationship if sent by an employer would still be so considered if they were sent by
a third party on that employer’s behalf.
Third, the FTC considered how emails sent after an offer of employment is tendered but before the recipient’s
acceptance should be treated. It ultimately concluded that such messages normally would not constitute
commercial messages covered by CAN-SPAM, or would be exempt under Section 77902(17)(A)(iv), as messages
directly relating to an employment relationship or a related benefit plan.” But if the message also included the
advertisement or promotion of a commercial product, then the “Primary Purpose” provisions of the CAN-SPAM
rules would apply.
Electronic Newsletter Subscriptions and Other Content. The FTC also analyzed the CAN-SPAM implications of
electronic subscriptions. So, where a recipient enters into a transaction with a sender that entitles the recipient
to receive newsletters or other electronically delivered content in the future, should emails delivering those
messages be considered transactional/relationship messages? It concluded that such messages were indeed
transactional/relationship messages, provided it contains informational or informational and commercial
content. An unsolicited newsletter would not be so protected.
Valid Physical Address. The Final Rule makes clear that a PO Box will satisfy the “valid physical postal address”
requirement. It provides that a “valid physical postal address” means the sender’s current street address, a Post
Office box the sender has accurately registered with the US Postal Service, or a private mailbox the sender has
accurately registered with a commercial receiving agency that is established pursuant to US Postal Service
regulations.
Conclusion
There are still plenty of potential pitfalls when applying CAN-SPAM to real life marketing situations. It pays to
remain careful and ensure steps are taken to avoid being targeted as a “spammer.”
_______
This GT Alert was written by Luis Salazar, a shareholder in Greenberg Traurig’s Miami office and a member of
the firm’s Data Privacy and Security Law Taskforce. Questions about this information can be directed to Mr.
Salazar at [email protected] or 305.579.0751.
GREENBERG TRAURIG, LLP ƒ ATTORNEYS AT LAW ƒ WWW.GTLAW.COM
- 6
Data Privacy & Security Law
JULY 2008
Albany
518.689.1400
Houston
713.374.3500
Sacramento
916.442.1111
Amsterdam
+ 31 20 301 7300
Las Vegas
702.792.3773
Shanghai
+86 21 6122 1123
Atlanta
678.553.2100
Los Angeles
310.586.7700
Silicon Valley
650.328.8500
Boca Raton
561.955.7600
Miami
305.579.0500
Tallahassee
850.222.6891
Boston
617.310.6000
New Jersey
973.360.7900
Tampa
813.318.5700
Chicago
312.456.8400
New York
212.801.9200
Tysons Corner
703.749.1300
Dallas
214.665.3600
Orange County
949.732.6500
Washington, D.C.
202.331.3100
Delaware
302.661.7000
Orlando
407.420.1000
West Palm Beach
561.650.7900
Denver
303.572.6500
Philadelphia
215.988.7800
Zurich
+ 41 44 224 22 44
Fort Lauderdale
954.765.0500
Phoenix
602.445.8000
This Greenberg Traurig Alert is issued for informational purposes only and is not intended to be construed or used as general legal advice. The hiring of a
lawyer is an important decision. Before you decide, ask for written information about the lawyer’s legal qualifications and experience. Greenberg Traurig is a
trade name of Greenberg Traurig, LLP and Greenberg Traurig, P.A. ©2008 Greenberg Traurig, LLP. All rights reserved.
GREENBERG TRAURIG, LLP ƒ ATTORNEYS AT LAW ƒ WWW.GTLAW.COM
- 7