Happy 2004 to all. This year is starting off rapidly with new developments in the area of e-mail communications. As of January 1, 2004, the new CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act takes effect, the first federal legislation designed to curb unsolicited commercial email.

Ask almost any consumer or business, and you will get agreement: unsolicited commercial electronic mail, or spam, as it is more commonly called, has become a pervasive problem. MessageLabs, an email security company, found that as of the end of 2003, spam was dramatically increasing, rising from fifty percent of all business email traffic in May to about two-thirds in December. As most of us know, these unwanted emails can run the gamut from get rich schemes, often from exiled leaders in a foreign land, to suggestions on ways to improve our bodies, our mortgage rates and even our social lives. The CAN-SPAM Act was one of many bills introduced into Congress in 2003 to address this problem of unsolicited email. Congress overwhelmingly approved the legislation in December, after more than six years of unsuccessful attempts to enact laws designed to curb spam. The Act addresses how companies may use email to communicate with both existing and potential customers.

Highlights of the bill include:

• Preemption of most aspects of state spam legislation—including more stringent regulations in California, which were due to take effect on January 1, 2004
• Requirement that the Federal Trade Commission (FTC) report to Congress with a plan and timetable for a national "Do-Not-E-Mail" registry, similar to the National Do-Not-Call Registry maintained by the FTC
• Requirement that senders of spam (i.e., unsolicited commercial email) include certain notices, including proper identifiers, opt-out, and physical postal address
• Prohibition on misleading subject lines and on header information that is materially false or misleading
• Requirement that spam emails have active, monitored "Remove" or "Unsubscribe" links
• Ban on common spam techniques, such as address harvesting and dictionary attacks (e.g., using an automated means to obtain email address from an Internet web site or online service)
• Enforcement by the FTC, some state or federal government agencies, and state attorneys general (Internet Service Providers can also pursue causes of action)
• Substantial civil and criminal penalties for violations of the Act

The CAN-SPAM Act already has drawn much media attention and commentary. Some say it doesn’t go far enough, some say it goes too far, while others hail it as a major step in the war against unwanted email solicitations. Critics of the Act say that the CAN-SPAM bill legalizes non-fraudulent spam, thus allowing businesses to send non-fraudulent, unsolicited email until the recipient affirmatively opts out. Other proposed legislation would have placed stricter requirements on any sort of spam, whether fraudulent or not. Some also expect that the Act will be challenged in the courts on First Amendment grounds, a fate that has befallen other legislation designed to regulate electronic and telephone communications. In their opinion, Congress should have waited for private companies, who are not bound by the First Amendment, to solve this problem, and they contend that it is just a matter of time before we see the emergence of better technological solutions, such as address-verification technology and improved spam filters.

From a global view of combating spam, the CAN-SPAM Act also has its limitations. It is unlikely from a practical perspective that any U.S. law can have an effect on much of the unwelcome spam sent from outside the United States, though such spam may be within the jurisdictional reach of the Act. Accordingly, several members of Congress and of the U.K. Parliament have endorsed close "cross-border" cooperation between the two countries. The agenda of a United Nations summit on December 10 also urges governments to "take appropriate action on spam at national and international levels."

In any case, many companies faced with the challenge of having to comply with a patchwork quilt of law in the United States (over two-thirds of the states have spam laws) welcome the new legislation as a step in the right direction toward a uniform national standard. Given that the CAN-SPAM Act is already in effect, companies need to act quickly to determine how to comply with the new law.

Although the Act goes into effect as of January 1, 2004, full details of its implementation and requirements are still being ironed out. As an example, the FTC has not yet determined the feasibility of, or the details relating to, implementation of a "Do-Not- E-Mail Registry." It is worth noting that the CAN-SPAM Act applies to any business that sends commercial emails, not merely so-called spammers. The Act contains a detailed description of what types of emails fall under the Act as "commercial electronic mail message." Exempt emails include emails that involve "transactional or relationship messages," including messages about an existing transaction or purchased product, though even here there are prohibitions on misleading headers. The Act also contains certain exemptions for emails where the recipient has given prior affirmative consent to receipt of the message. Given the complexity of the Act’s definitions and exclusions, it’s wise to study the Act and understand the exemptions before assuming a certain type of email message is exempt.

Some basic rules of thumb for adhering to the CAN-SPAM Act:

• Do not send false or misleading emails. That includes source, destination and routing information; subject headings also cannot be deceptive or misleading.
  
• Commercial email must identify itself as such. Any "spam" should contain clear identification that it is an advertisement or a solicitation. Note: There is an exception to this "clear and conspicuous identification" rule if the recipient has affirmatively consented to the receipt of emails from the sender.

• Include both a return email and physical address. The email address must remain functional for 30 days after the transmission and must contain an opt-out procedure. Additionally, the sender must include a physical, i.e., postal, address.
  
• Honor a "remove me" request. Once a recipient has requested to be removed from further email solicitations, a company may not send emails to that person beyond ten business days after the request is submitted.
  
• Be careful about how you gather email addresses. The CAN-SPAM act contains prohibitions against the harvesting of email addresses and other automated, unauthorized methods of gathering email addresses. Use of such tactics can result in the imposition of higher penalties.

The above list is not exhaustive, and there are excellent resources available to Section members wanting further information. The resources used in preparing this article include Wiley, Rein & Fielding’s "Privacy in Focus" December 2003 newsletter, available at: http://www.wrf.com/db30/cgi-bin/pubs/PIF_0312.pdf (co-authored by Bill Baker, Vice-Chair of the E-Privacy Law Committee); Mintz Levin Cohn Ferris Glovsky and Popeo PC December 22, 2003 Client Alert, available at: http://www.mintz.com/images/dyn/publications/BFAlert122203.pdf; Baker & McKenzie’s "U.S. CAN-SPAM Act Imposes New Federal Requirements on Corporate E-Mail Marketing" alert, available at http://www.bmck.com/ecommerce/can-spam-act-memo.pdf (co-authored by Ruth Hill Bro, Chair of the E-Privacy Law Committee and moderator of the upcoming Section-sponsored ABA teleconference on the law, and Thomas J. Smedinghoff, former Section Chair, among others) ; as well as articles and editorials recently appearing in C|Net and USA Today. The complete text of the CAN-SPAM Act can be found at http://www.spamlaws.com/federal/108s877.html. For the ABA’s comments on the legislation, see also: http://www.abanet.org/poladv/letter/03dec/3.html.

If you would like to get involved with Committees within our Section active in the area of ecommerce, please contact either me (hrafter@digidesign.com; (650) 731-6603) or Section direction Shawn Taylor Kaminski (skaminski@staff.abanet.org; (312) 988-5601). We’ll be happy to provide you with additional information about the activities of various committees and information. For further questions regarding the CAN-SPAM Act, you may also contact Ruth Hill Bro directly (bro@bakernet.com; (312) 861-7985), Chair of our E-Privacy Committee. Stay tuned as well for information on our next teleconference scheduled for late February. Lots of activity is happening within our Section. We hope you will become active and take advantage of the resources we are offering.

Finally, I’d like to wish each of you a spam-free 2004!