Candid answers to CAN-SPAM questions

Share This Page

The classic 40s movie An Email to Three Wives, the R&B hit Take an Email, Maria, and C.S. Lewis’ The Screwtape Emails. The titles would have been different if they had been written recently. Email is an essential part of most companies’ marketing strategy. If you send commercial email – or have others send it for you – are you complying with the CAN-SPAM Act and the FTC's CAN-SPAM Rule? FTC attorney Christopher Brown answers some of the CAN-SPAM questions businesses are asking.

I’ve heard that the CAN-SPAM Act requires senders to identify each commercial email message as an advertisement. Do I have to use specific wording? Do I have to include it in the subject line?

CHRISTOPHER:  The CAN-SPAM Act doesn’t require senders to identify the message as an advertisement in the subject line. Initiators of commercial email only have to identify the message as an ad in a way that is “clear and conspicuous.” The law gives you flexibility in how to do that effectively, but remember that deceptive subject lines are illegal. Before the federal CAN-SPAM Act was passed in 2003, some states required unsolicited commercial email to include a label like “ADV” in the subject line. But Congress pre-empted those laws with CAN-SPAM. Here's another important point about subject lines. In the case of commercial email that contains sexually oriented material, the CAN-SPAM Act’s Adult Labeling Rule requires the phrase “SEXUALLY-EXPLICIT:” to appear in all caps as the first 19 characters in the subject line.

I plan to send commercial email to a list of people who have given prior affirmative consent to get messages from my company.  So I don’t have to worry about complying with the CAN-SPAM Act’s commercial email requirements, right?

CHRISTOPHER: Wrong. If recipients have given their prior affirmative consent to get messages from you, you’re exempt from the requirement of identifying the message as an ad or solicitation – but that’s it. All other CAN-SPAM requirements still apply. Therefore, email to those people still has to include accurate header information and subject lines and a valid physical address. And you still must include information on how to opt out of receiving future email and honor opt-out requests promptly.

I bought a list of email addresses for people likely to be interested in my niche product. If I comply with the commercial email requirements of CAN-SPAM, do I have anything to worry about?

CHRISTOPHER:  The CAN-SPAM Act doesn’t require initiators of commercial email to get recipients’ consent before sending them commercial email. In other words, there is no opt-in requirement. So in general, as long as you follow the “initiator” requirements of the Act, you can send email until the recipient asks to opt out. But buying lists like that can be risky. There is the possibility that addresses on the list belong to people who have already opted out of receiving email from your company. And there’s a risk that the list was put together using illegal means like address harvesting or dictionary attacks. Therefore, some companies choose to send marketing email only to people who have affirmatively asked to receive them or with whom the company already has a business relationship.

Instead of regular email, I’d like to market my product through social media platforms like Facebook, LinkedIn, etc.  Are there concerns I need to be aware of about messages transmitted through those forms of email?

CHRISTOPHER:  Although the FTC is the primary law enforcer of the CAN-SPAM Act, the law also authorizes certain private entities – for example, providers of internet access service – to bring lawsuits alleging violations of the Act. In those cases, some federal courts have ruled that CAN-SPAM’s definition of “electronic mail message” includes commercial messages transmitted to a social network user’s inbox, news feed, wall, etc. So if you’re thinking of marketing on social media, keep that in mind. Furthermore, have you checked the terms and conditions of social media platforms? Many have limits on how marketers can use them.

Does cell phone spam violate the CAN-SPAM Act?

CHRISTOPHER: Yes and no. Although the CAN-SPAM Act is primarily designed to curb email spam sent to computers, it still applies to some spam transmitted to wireless devices like cell phones. In 2005, the FCC adopted rules that prohibit sending unwanted commercial messages to addresses referencing an internet domain name assigned by wireless carriers for delivery to a subscriber’s wireless device. For example, FCC rules prohibit sending an unwanted text message to a cell phone using Internet-to-phone short message service (SMS) technology. But what about phone-to-phone SMS texts, the more common way of texting where messages are routed directly to the wireless carrier over a private network? In that situation, CAN-SPAM doesn’t apply, but marketers need to pay careful attention not to violate Section 5 of the FTC Act or the FCC’s rules concerning messages sent to wireless telephones under the Telephone Consumer Protection Act (TCPA).

Does the CAN-SPAM Act apply to email sent to members of online groups?

CHRISTOPHER:  As a general rule, online groups – mailing lists, listservs, and the like – are covered by CAN-SPAM. Of course, in many cases, the primary purpose of email sent by and to those groups isn’t commercial, and thus the Act wouldn’t apply. But when the primary purpose of the email is commercial, both initiators and senders of messages to group members are responsible for complying with the applicable provisions of CAN-SPAM. Listserv moderators should be especially careful to the extent that they manually forward email to the group on behalf of group members. If it’s a commercial email, that would meet the definition of “initiate” under the law and could result in CAN-SPAM liability.

My obligations as a marketer aside, I have a question as a consumer. Campaign season is upon us and I’ve been getting a lot of email urging me to support or donate to various political candidates. I’ve asked to be removed from their lists, but the email keeps on coming. Is this okay under the FTC’s rules?

CHRISTOPHER:  The CAN-SPAM Act applies only to commercial email, whether sent individually or in bulk. It doesn’t apply to non-commercial bulk email. Furthermore, political messages are protected under the First Amendment. Of course, many groups not covered under the law have chosen voluntarily to honor UNSUBCRIBE requests. But if you’re getting unwanted email from entities not subject to CAN-SPAM that don't offer an UNSUBSCRIBE feature, another option is to contact them directly to express your preference not to receive more messages. (Don’t just respond to the email, which may not be read.) If any group is trying to win you over – whether it's an advertiser, an advocacy group, a candidate, etc. – it could be persuasive to let them know how you feel.

Looking for more tips? Read The CAN-SPAM Act: A Compliance Guide for Business.

 

Comments

Canada's rules are much more stringent under legislation called CASL. Wouldn't that be of importance to people e-mailing into Canada?

Yes. Absolutely. The problem with buying lists, for example, is one can never be sure where the recipients are located. Excellent point.

Can you provide some guidance on what the FTC considers to be a dictionary attack?

A lot of salespeople are using new software that guesses people email addresses. So for instance, if we want to contact Bob Smith at abccompany.com the software guesses that the correct email is bob@abccompany.com and lets the salesperson know if its valid by testing the email server. This doesn't seem to meet the "numerous permutations" language of the law, since it's only guessing at a couple of permutations for one specific person.

A lot of really big companies have their sales reps use this type of software...and our small business wants to use it as well. Is it legal?

Is the FTC going to take an official stance by offering guidance in relation to social media direct messages? It seems unclear whether direct messages should have all the same traditional form and content elements, which seem clunky in social media. The court cases referenced focused on assuring direct messages were not misleading and did not seem to mention form and content requirements.

Also, I recently saw that a company has been issued a "patent" for guessing user's email addresses using dictionary attack of guessing business email domain addresses. Is this deemed legal?

As a recruiter, I send out e-mails all the time. These e-mails go to people that we have spoken to that already have given us their e-mail address. The e-mail ask them if they would have an interest in hearing about certain types of opportunities by describing a little about the opportunity. Does this fall under CAN-SPAM? Or am good. Plus can I have a hyperlink in this e-mail with my e-mail address?

I seem to remember reading that opt-out may not require the recipient to go to a web site to log on with user id and password.

As a consumer, this typically means sending in my email, waiting for my id, then logging in and saying I forgot my password, receiving that, logging in again, sometimes having to navigate to the right page, then opting out with a questionnaire as to why.

It makes it very difficult. Is this a violation? Where is this listed so I might send the rule to someone?

I gave my email address to an entity for them to contact me or for people interested in joining my organization to contact me. However, I am getting solicitation emails from vendors because my email address is published. What action can I take to stop this?

Is it legal to email to Independent school district employees (ISD) email addresses that I have received from an open records request I sent to the open records department at that ISD?

If my company obtains 10,000 email addresses from a university through an open records request, can we add those email addresses to our daily/weekly newsletter emails that are sent out automatically and contain essentially RSS feeds of content on our website?

If your company obtains 10,000 email addresses from a university through an open records request, your company is terrible. Forget what the law says, have some sort of ethics.

How can I report a violation of this act by a major company?

Does "each separate e-mail" mean each email or each transmission of it? So an email sent to 5 people is one violation subject to the $16,000 fine, or 5 separate violations?

Hi, Intern. Each separately addressed unlawful commercial message is treated as a separate violation.

Are Public Agencies or State/Federal Departments who use email distribution to communicate policy/procedure changes, notify members of upcoming business functions, or distribute annual statements to members or other agencies bound by contract subject to the Can-SPAM act?

My company creates software that allows the collection of multiple emails per single guest. Is CAN-SPAM at an email level or at a single person level. E.g. Andy opts out of any communication or andy@email.com opts out but andy@otheremail.com is opted in?

Hi - I work for a financial provider. Our website is not commercial - it is for our clients to use to manage their financial accounts or to interact with their financial advisor. Would promoting benefits available to them such as choosing e-delivery or text instead of email alerts, or registering for access to their accounts online be considered marketing activities?

In the opening paragraph of this page, should the link for "CAN-SPAM ACT" link to a specific article related to "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act)"?

I expected a page regarding the CAN-SPAM ACT in general.

From the first paragraph - "are you complying with the CAN-SPAM Act"

If I am having users signup to receive an email newsletter from me, are there special terms and conditions I must also include in my website that will continue sending them emails in the future?

If several companies, owned by the same corporate entity, use the same servers to send email of a commercial nature, who gets "charged" with the Opt Out? The Entity that mailed it, or all of the companies under the Corporate Umbrella? My belief, (and I think there is some documentation I am not smart enough to find right now) is that it all boils down to what how the consumer perceives it. Have I got that right ? Do you have any guidance on how to determine who gets the opt out? Thanks

Do the email have to has a subject line. what about email that do not has a subject line.

It's be real nice if the FTC actually enforced the CAN-SPAM Act. It doesn't. Neither does Facebook, Twitter, or any other 3rd party. In fact, the law is completely and totally ignored by most agencies and companies that would be in the position to enforce it. This law is just as useless as the DoNotCall laws for telemarketing.

According to https://www.congress.gov/bill/108th-congress/senate-bill/877:

'if the person knows or should have known that the recipient's address was obtained from an Internet website or proprietary online service that included a notice that the operator will not provide addresses for initiating unsolicited messages'

Yet, I don't see this requirement on https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business. Does the FTC enforce this requirement of the Can Spam Act? Thanks.

A company is selling substantially all of its assets to a third party in an asset deal (third party is buying substantially all the assets, but not the company name). As part of the deal, the buyer would like to purchase email addresses gathered from seller's customers over the years in order to send them marketing materials (similar to seller's). When seller's customers signed up for its email list, the signup form stated that seller would not sell or share the customers' email addresses with any third parties. Seller honors opt-out requests immediately.

Is it legal under the CAN-SPAM Act for seller to sell the email address list as part of the asset sale? I understand the Act prohibits selling email addresses after an opt-out is received, but I did not see any other prohibitions in the Act itself. Outside of the Act, I could imagine some sort of claim being brought against the seller outside of the Act (e.g. a contract claim) because seller said it wouldn't sell the info, but is there a claim under the Act where damages could be substantial?

Thank you very much in advance for help with this.

As a recruiter; I conduct boolean searches in career sites and JB's to find qualified candidates. I send out blast emails with a title that reads my company name and career opportunities. I list the positions, I mentioned that I came across their resume in career site and wanted to share our opportunities. I ask if they are interested, to please contact me, I provide my office number and my email address and include company name and my title. would this be considered a compliance issue? Should I include the name of the career site or the job board, so they can opt out with them or cancel their membership? When you submit your profile on these sites it is for jobs and to be contacted for job opportunities. However, I do know some forget to cancel when they find a job. What is the proper protocol? What else should be in the email to ensure I am in compliance.

I get about 20 emails a week from various job recruiters at the same company (Amazon), for generic entry-level jobs. The emails are clearly non-targeted bulk emails, but they have no unsubscribe link. I have manually replied asking to unsubscribe, but to no effect. Are they violating CAN-SPAM?

What is the law regarding emailing federal employees at work to offer retirement services to help with their TSP and life insurance needs?

If we are sending out en e-mail as an invitation for a company-sponsored event, like notification of a BBQ at one of our business locations on a specific day to a group of people, are we required to follow the CAN-SPAM Act, or are we exempt since we are not emailing about a particular service or product?

On several occasions I have reported to the Federal Trade Commission that I've asked Organize Yourself to unsubscribe me from their emailing list to no avail. What else do I need to do?.

I have requested to be taken off a email list several times and the person continues to send me unwanted emails. Is there any laws that require them to remove me?

I don't know if anyone is still responding here but I've got a question.

Is it against FTC regulations to send our e-newsletter out to our customers?

For example, could a salesperson share the email address of a contact, from a company that they were doing business with, with someone from marketing, and then could that marketing employee add that contact’s email address to the e-newsletter mailing list without violating any FTC regulations?

Thanks.

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.