The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act), also dubbed the “You can spam Act,” has provided comedians with material for many jokes. Its ability to stop or reduce the flood of unwanted communications about get-rich schemes, less expensive pharmaceutical products, and other illegal or annoying proposals has been questioned by the press and in professional publications. The law, which became effective January 1, 2004, prohibits sending unsolicited commercial emails to individuals who have opted out of receiving such communications. It spells out penalties for spammers and gives consumers the right and the ability to ask emailers to stop sending unwanted messages. While numerous enforcement actions have taken place in the past two years, jurisdictional constraints and the lack of personnel have hampered the government’s efforts to enforce the law. Further, government actions and private lawsuits have not yet targeted legitimate businesses, with a small number of exceptions, and have instead been limited to the most prolific bulk emailers.

Nevertheless, the CAN SPAM Act is part of the legislative landscape that regulates how companies do business. The unsubscribe notices at the bottom of most email messages we receive show a general awareness of the existence of the CAN SPAM Act. However, the ubiquitous presence of these notices, and the number of unwanted messages from organizations from which we have opted out, would seem to indicate, unfortunately, that most companies still ignore, or do not understand, the provisions of the law. The CAN SPAM Act establishes requirements for electronic communications. It also indirectly affects the marketing, contracting, information systems, and other key functions of most US companies. To keep organized and stay focused, companies must develop and use CAN SPAM Compliance Programs that will help their marketing and communications practices comply with the law.
Failure to abide by the law exposes companies to government enforcement actions, civil suits, and potentially private class actions. In addition to the substantial litigation expenses and penalties, these disputes would likely cause public relations disasters and great embarrassment for having been suspected of reckless behavior. They might also drastically affect the value of the company’s stock. This article looks at the CAN SPAM Act from the perspective of the legitimate company with typical business development needs. It analyzes how the CAN SPAM Act affects the marketing and communication landscape. It also looks at the benefits of CAN SPAM Compliance Programs as a way to structure communication policies and practices to help reduce the risk of liability or exposure. The article also provides practical suggestions and guidance for incorporating CAN SPAM Act compliance within the different facets of business operations, from communicating with prospects and clients, to commercial contracts or corporate transactions, as part of an enterprise CAN SPAM Compliance Program.

TABLE OF CONTENTS

1. Need for A CAN SPAM Compliance Program
2. Building A CAN SPAM Compliance Program
2.1 METHOD AND GOALS
2.2 DEVELOPING A PLAN OF ACTION
3. Assessment and Analysis
4. Information Systems
5. Legal Considerations
5.1 SUMMARY OF THE CAN SPAM ACT
5.2 COMMERCIAL OR TRANSACTIONAL MESSAGE?
5.3 UNSOLICITED COMMERCIAL MESSAGES
A. Rules for Unsolicited Messages
B. Permitted Addressees and Exclusion Lists
C. Content of Commercial Electronic Messages
D. Permitted Methods for Sending Commercial Messages
E. Recordation of Mailings
5.4 TRANSACTIONAL OR RELATIONSHIP MESSAGES
6. TRANSACTIONAL ASPECTS OF CAN SPAM COMPLIANCE
6.1 DUE DILIGENCE
6.2 CONTRACT PROVISIONS
6.3 MERGERS & ACQUISITIONS AND OTHER TRANSACTIONS
7. TECHNICAL CONSIDERATIONS
7.1 CREATION AND MANAGEMENT OF EXCLUSION DATABASES
8. DISPUTES AND PROBLEMS
9. POLICIES AND PROCEDURES
10. IMPLEMENTATION & MAINTENANCE
11. CONCLUSION
1. Need for A CAN SPAM Compliance Program

In order to maintain or expand their markets, companies must remain in quasi-permanent contact with their customers and prospects. Businesses rely on targeted mailings or similar communication strategies as part of their marketing, sales, or communication efforts. Electronic communications and databases of contact information are their lifeblood, their link to the purchase order pipelines. The CAN SPAM Act and its related regulations create restrictions on the manner in which companies communicate with third parties, and create rules that must be followed when sending electronic messages to clients, prospects, registered users, or other third parties. Complying with the law may cause some frustrations. Identifying who may or may not send what, at what time or for which purpose is certainly a burden. Marketing departments may complain of delays caused by legal review. On the other hand, customer service representatives may be concerned with a bad publicity backlash when an email campaign fails to properly follow the rules or other legal requirements. However, electing to ignore the nuances of the law, and treating all messages as “commercial messages,” would be counter-productive, and would submit the communication, de facto, to the most stringent standard. The CAN SPAM Act affects many aspects of the life of a business and requires the reevaluation of business communications practices. It greatly influences how companies create, manage, or modify their contact information databases. It also has an indirect effect wherever marketing databases are being exploited, monetized, or transferred: the marketing, contracting, information systems, and other key functions of the company. This viral effect reaches into companies’ corporate or commercial transactions that pertain to the use, creation, ownership, or maintenance of these databases.
Since electronic communications and databases of contact information are the lifeblood of companies, any corporate or commercial transaction must ensure that contact information databases are adequately valued, transferred, or integrated with the other company crown jewels. When retaining subcontractors to assist in marketing campaigns based on the prospect of accessing millions of potential buyers through their own databases, prudence is de rigueur. Relying on a third party might put the company at risk if it has little control over the content and “hygiene” of the third party’s database. Companies must keep in mind how the restrictions set forth in the CAN SPAM Act may hamper or enhance their proposed deal. Otherwise, they may end up acquiring an empty shell. Due diligence or contract negotiations should be thorough and careful. The implementation of mergers, acquisitions, joint ventures, strategic alliances, and outsourcing agreements might also be affected by restrictions on marketing databases. The combination of the seller’s and buyer’s (or client’s and vendor’s) marketing databases could expose them to unexpected liabilities or delays resulting from discrepancies or inconsistencies, for example. There might be technical or legal incompatibilities. The CAN SPAM Act and the reports of litigation and enforcement by government agencies compel companies to pay serious attention to their communications practices. Failure to comply with the law could, as well, expose the company to great pain and suffering. First, the law provides stiff penalties for violations. While the penalties for the most egregious claims might reach up to $6 million, there are also substantial costs to expect in responding to an enforcement action or defending a suit.
Further, CAN SPAM Act violations also expose companies to private suits grounded on claims such as that the company’s failure to comply with the law is an unlawful, unfair, fraudulent and deceptive practice in violation of California’s Business & Professional Code Section 17200. Finally, any such action or threatened action could also cause a public relations disaster, or great embarrassment for having been suspected of reckless spamming and other nuisances. The tarnished reputation might also drive the value of the company’s stock down drastically. Without a general structure and organization to address or anticipate the CAN SPAM Act requirements, in their day-to-day business or in their strategic corporate transactions, companies will suffer from erratic behaviors and expose themselves to great financial and legal risks. Having a CAN SPAM Compliance Program in place helps businesses organize the pieces of the puzzle and understand how they interact with each other. It also helps address in a structured way the viral, endemic effect of the CAN SPAM legislation over each area of the business, so that they can better focus on their clients instead of worrying about the message they are sending.
2. Building A CAN SPAM Compliance Program

2.1 METHOD AND GOALS

Developing a CAN SPAM Compliance Program allows the company to reflect on the many different aspects of its activities and define how it intends to organize its email communications with third parties. It can help clarify the legal requirements imposed by the CAN SPAM Act and its related regulations, and other applicable legislation. It can provide a road map on how to communicate with third parties and create a structure and guidelines that ensure more efficient exchanges within the requirements of the law. Guidelines on how to approach corporate and commercial transactions while taking into account the CAN SPAM compliance issues can be created. This could include as well a plan of action and strategy to assist the company’s corporate transaction group with CAN SPAM compliance in corporate combinations, such as strategic alliances, mergers & acquisitions, and divestitures. Similar structures could be created to identify issues of concern to be addressed when negotiating commercial contracts, such as outsourcing or services agreements. To design a CAN SPAM Compliance Program that is consistent with the company’s actual needs, the program should be based on observations of the actual operations of the company. It first requires an assessment of the company’s practices and needs to ensure that the Program policies and procedures will adequately address how the company handles communications with outsiders, clients, prospects, and others. Interaction with members of the corporate transactions group and commercial contracts group would be required as well, to understand their needs and requirements. In addition, subcontractors, outsourcers, and other third parties that may assist in marketing campaigns, or database management, should as well be consulted, so that their practices and needs might be integrated in the evaluation.
To limit risks of exposure to legal action or litigation, the CAN SPAM Compliance Program should, as well, take into account the numerous legal requirements to which the company is subject. For example, in addition to regulations that apply to email messages, which are described below, other CAN SPAM Act regulations apply to wireless communications. Further, individuals residing abroad may be protected by their local anti-spam laws, which are frequently more stringent. Technology considerations should be part of the CAN SPAM Compliance Program, as well. Information systems and databases programmed to respond to opt-out requests are key to the interaction with the customers and prospects. They are also a necessary component for complying with the specific requirements of the law. The development plan for a CAN SPAM Compliance Program should also allocate time to explain the program and communicate it to the personnel, and conduct periodic training sessions.

2.2 DEVELOPING A PLAN OF ACTION

The first step in the development of a CAN SPAM Compliance Program is to create a plan of action. The process will require the involvement of several layers of management. Providing for funding of the different activities will be crucial. Since the development of a CAN SPAM Compliance Program requires numerous activities and players, it will inevitably cost time and money. Before initiating the activities required for the establishment of a CAN SPAM Compliance Program, the company must ensure that sufficient funds are allocated to compensate for the time invested internally by company personnel, pay for the fees of the consultants and legal counsel involved, and, eventually, the cost of additional software licenses or equipment needed to implement the policies and procedures, such as the opt-out procedures, or the management of exclusion databases.
3. Assessment and Analysis

Once the general direction has been defined, and appropriate funds allocated, the definition of a CAN SPAM Compliance Program should start with the identification of the types of communications with outsiders. This would involve the participation of several divisions of the company. Legal considerations and technical considerations are also very important. A CAN SPAM Compliance Program should be based on the actual operations of the company. It first requires an assessment of the company’s practices and needs to ensure that the policies and procedures developed through the Program will adequately address how the company handles communications with outsiders, clients, prospects, and others. The CAN SPAM Act defines rules and creates restrictions for sending most electronic messages to third parties, clients, or prospects, outside the corporate walls. Emails whose primary purpose is advertising or promoting a commercial product or service are especially targeted. Electronic messages that facilitate an agreed-upon transaction or update a customer in an existing business relationship – also known as "transactional or relationship messages" – are regulated as well. To be able to evaluate the current practices of the company, there should be a deep understanding of the company’s current communications, and possibly, as well, those of subcontractors or outsourcers who handle marketing and similar communications. The investigation should determine what information is needed or used, by whom, and for what purposes.
4. Information Systems

Another prong of the assessment of the company’s practices should include an evaluation of the databases, software applications, networks, and equipment used by the company. These are the crucial components to the processing of email communications, and the collection and handling of the opt-out requests. Also important is how the email communications are generated and transmitted, and where the exclusion database data are stored. On the company computer systems? On laptops? Are there personal databases kept on individuals’ laptops? Are all devices backed up on a single server? Who has access to exclusion databases? Some applications or databases may not be totally integrated with the remainder of the operations. This may be a blessing, and may prevent sharing database information outside a particular division. On the other hand, this may be a curse, because all opt-in or opt-out decisions might have to be duplicated. For example, could an employee send a handful of emails to third parties using his own mail list without needing to check his list against the exclusion list? Also, the CAN SPAM Act requires that an opt-out request be implemented within ten days after the request is made. Is this possible if employees keep personal copies of their own databases, and seldom compare them against the company master? Knowledge and understanding of the company’s database management, and document retention and destruction practices are important, as well. This will allow avoiding discrepancies with legal requirements. For example, the CAN SPAM Act requires that each commercial email sent offer the ability to opt out within 30 days after receipt of that email. Do the company procedures with respect to availability of email accounts allow for this 30-day window, even in the case of an employee departure, for example? Most companies outsource certain operations to affiliates or third party subcontractors.
These outsourcers may be located within the company’s premises, or elsewhere, even in other countries. The company should understand who among these third parties might have the ability or the right to send communications on behalf of the company, and to react within the time frames imposed by law. The company should also understand its use of third party subcontractors. Who else, outside of the company, may have access to the company’s marketing and other databases?
5. Legal Considerations

To limit risks of exposure to legal action or litigation, the CAN SPAM Compliance Program should, as well, take into account the numerous legal requirements to which the company is subject. The CAN SPAM Act and its related regulations are of course the main legal driver, and they affect the handling of all types of electronic messages, including emails and wireless communications. In addition to regulations that apply to email messages, which are described below, other requirements under the CAN SPAM Act apply to wireless communications. Portions of anti-spam laws that are not superseded by the CAN SPAM Act would be relevant as well. Further, individuals residing abroad may be protected by their local anti-spam laws. Anti-spam laws in effect in other countries would also have to be taken into account if the company might be subject to the jurisdiction of foreign countries. Most of these laws are more stringent than the CAN SPAM Act. Other laws may affect the handling of email messages. Consider, for example, the laws that control advertising, telemarketing, or the do-not-call legislation. Other laws set requirements with respect to the preservation of email communications. For example, the securities laws and the banking laws might require that certain messages be preserved. The company may already have in place policies and procedures for compliance with these laws. They may apply in full or in part to allow the preservation of documents within the context of the CAN SPAM Compliance Program. Moreover, companies should also assess and understand the obligations that may stem from recent jurisprudence resulting from individual cases, class actions, or government agency actions. For example, the FTC and State Attorneys General have begun enforcement actions against outrageous and criminal practices of certain entities.
With the passage of time, it is likely that these organizations may focus on other aspects of CAN SPAM Act compliance that might have more direct bearing on the activities of legitimate businesses. Beyond the legal requirements imposed by the legislature and the judiciary, the company should also understand the promises and commitments it might have made in its contracts, such as contracts with third parties, either in a client capacity, or in a service provider capacity. There may be other restrictions established through other pre-existing company policy.

5.1 SUMMARY OF THE CAN SPAM ACT

The CAN SPAM Act sets forth numerous restrictions and requirements for electronic messages of any type. It also sets forth specific requirements for commercial messages. These requirements are:

- No false or misleading header information. The "From," "To," and routing information – including the originating domain name and email address – of an email must be accurate and identify the person who initiated the email.
- No deceptive subject lines. The subject line of the electronic message cannot mislead the recipient about the contents or subject matter of the message.
- Commercial email must give recipients an opt-out method and promptly honor opt-out requests. The electronic message must provide a return email address or another Internet-based response mechanism that allows a recipient to ask the sender of the email not to send future email messages to that email address. The law allows granularity. Instead of a YES/NO answer to an opt-out question, it is possible to provide a "menu" of choices to allow a recipient to opt out of certain types of messages. However, when using the menu format, the menu must include the option to end any commercial messages from the sender. In addition, any opt-out mechanism must be able to process opt-out requests for at least 30 days after sending a commercial message.
Once an opt-out request is received, the sender has ten business days to stop sending email to the requestor's email address. Once an individual has opted out of receiving certain types of mail, the company cannot use a third party to send emails on its behalf to that address. It is also illegal to sell or transfer the email addresses of people who choose not to receive the company’s commercial emails, even in the form of a mailing list, unless the transfer is to another entity that can comply with the law.
- Commercial email must be identified as an advertisement and include the sender's valid physical postal address. The commercial email message must contain clear and conspicuous notice that the message is an advertisement or solicitation and that the recipient can opt out of receiving more commercial emails. It also must include a valid physical postal address.

Penalties

Each violation of the above provisions is subject to serious fines. Deceptive commercial email is subject to laws banning false or misleading advertising. Additional fines are provided for companies that:

- "harvest" email addresses from websites;
- generate email addresses using a "dictionary attack" – combining names, letters, or numbers into multiple permutations;
- use scripts or other automated ways to register for multiple email or user accounts to send commercial email; or
- relay emails through a computer or network without permission – for example, by taking advantage of open relays or open proxies without authorization.

Criminal Prosecution

The law allows the Department of Justice to seek criminal penalties, including imprisonment, in certain cases, such as using a third party’s computer without authorization to send commercial emails, or using a computer to relay or retransmit multiple commercial email messages to deceive or mislead recipients or an Internet access service about the origin of the message.

5.2 COMMERCIAL OR TRANSACTIONAL MESSAGE?
The CAN SPAM Act defines several key restrictions. The first important dichotomy is that different rules apply to commercial messages as opposed to transactional or relationship messages. A first step in evaluating how the CAN SPAM Act affects a specific communication is thus to determine which part of the CAN SPAM Act applies. To this end, the first step is to identify the nature of that specific message. The CAN SPAM Act creates different rules depending on the nature of an electronic message. Two categories of electronic messages are affected by CAN SPAM: “commercial” electronic messages and “transactional or relationship” electronic messages.

Transactional or Relationship Messages

A message is deemed a “transactional or relationship message” when its primary purpose consists exclusively of transactional or relationship content. Transactional content is content that is used:

- To facilitate, complete, or confirm a commercial transaction previously agreed upon with the sender;
- To provide warranty information, product recall information, or safety or security information with respect to a commercial product or service used or purchased by the recipient;
- With respect to a subscription, membership, account, loan, or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of products or services offered by the sender, to provide:
- To provide information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, participating, or enrolled; or
- To deliver goods or services, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender.

Examples of Transactional or Relationship Messages

Numerous categories of communications might qualify as “transactional or relationship” messages. Examples of transactional or relationship messages would include, for instance, the following messages:
Commercial Messages

A message is deemed “commercial” when its primary purpose is the commercial advertisement or commercial promotion of a commercial product or service. Transactional or relationship messages are not deemed commercial messages. Whether the content of a message is primarily for the advertisement or promotion of a product or service is based on an evaluation of the subject line of the message and its content. For messages that include mixed content, i.e. commercial and non-commercial content, the relative weight of the different components of the message is weighed, and the evaluation of the message is based in part on what a “reasonable recipient” would conclude from reading the message. More precisely, the criteria for determining whether or not a message is commercial are defined as follows:

- If an electronic mail message consists exclusively of the commercial advertisement or promotion of a commercial product or service, then the “primary purpose” of the message is deemed commercial.
- If an electronic mail message contains both the commercial advertisement or promotion of a commercial product or service as well as transactional or relationship content, then the “primary purpose” of the message is deemed commercial if:
- If an electronic mail message contains both the commercial advertisement or promotion of a commercial product or service as well as other content that is not transactional or relationship content, then the message is deemed commercial if:
Factors illustrative of those relevant to this interpretation include the placement of content that is the commercial advertisement or promotion of a commercial product or service, in whole or in substantial part, at the beginning of the body of the message; the proportion of the message dedicated to such content; and how color, graphics, type size, and style are used to highlight commercial content. In other words, businesses may incorporate some commercial elements in transactional or relationship messages and other messages without tipping the scale such that the message would become a commercial message, provided that the relative weight of the commercial components is sufficiently small compared to the non-commercial components. Thus, when drafting mixed content electronic communications, with the intent that the message not be treated as a commercial message subject to the numerous restrictions in the CAN SPAM Act, it is useful to keep in mind that:

- The subject matter of the message as described in the Subject Line of the message should not be commercial (e.g. does not indicate a promotion or advertisement);
- The non-commercial aspects of the content should appear at or near the beginning of the message, while the commercial content appears at or near the end of the message;
- The proportion of commercial content as measured against transactional or non-commercial content should be minimal (i.e. limit the commercial content to the minimum necessary); and
- The commercial content should not be highlighted or conspicuously displayed; for example, it is not displayed with a different color, different graphics, or a greater font size.

5.3 UNSOLICITED COMMERCIAL MESSAGES

A. Rules for Unsolicited Messages

Specific rules apply to commercial messages. In order to apply these rules, several steps must be taken:

Identify the “Sender” of the Message

Who the legal “sender” is determines to whom the message can be sent.
In general, the “sender” of an electronic message is the person who initiates such a message and whose product, service, or Internet web site is advertised or promoted by the message. If a company operates through separate lines of business or divisions, and the electronic message clearly indicates that the message is being sent by a specific line of business or a specific division rather than by the entire company, then the CAN SPAM Act treats the line of business or the division as the sender of such message. Make sure that the message indicates which company or division is sending it and, if applicable, the third party who might be sending it on behalf of the company. This entity will be deemed the “sender” of the message.

Identify the Recipient of the Message

The “recipient” of a message is the authorized user of the electronic mail address to which the message was sent or delivered. If a person has several email addresses, his/her request not to receive commercial emails applies only to the email address from which s/he sent the request not to receive commercial messages. The person is treated as a different “recipient” for each email address. If an email address is reassigned to a new user (e.g., a generic email address such as receptionist@store.com), the new user of that address is not treated as a recipient of any message sent or delivered to that address before it was reassigned. The opt-in and opt-out choices formulated by the prior custodian of the email address do not apply. The new custodian starts “fresh.” If, however, a customer has agreed to receive commercial emails, then there is no requirement that commercial emails to that customer conspicuously indicate that the email is a commercial message.

Identify the Subject Matter of the Message

The subject matter of the message determines which exclusion lists may need to be used.
Companies usually establish exclusion lists that compile information about the preferences of individuals with respect to the types of messages that they agree or do not agree to receive. For example, a publisher of technology related magazines and websites may offer users the ability to choose whether they are interested in communications or newsletters relating to all or some of the following subjects: wifi, voip, telecom regulations. Or, a travel website may offer users the ability to receive electronic communications that pertain to certain destinations (e.g. Europe v. Asia) or certain types of travel (e.g. ski vacation, or clubs and resort vacation). Thus, when preparing an email marketing campaign, identifying the subject matter of the email has a direct effect on the mailing lists that can be used to send the email. The subject matter of the email will drive the applicability of specific exclusion lists.

Identify the Proper Exclusion Lists

The basic premise of the CAN SPAM Act is that a business cannot send a commercial electronic message to someone who has opted out. Before sending a message, you must identify whether the proposed recipient has notified the company (and the third party that may be sending the message on the company’s behalf) that s/he does not wish to receive commercial electronic messages from the company or from that third party. To answer this question, the sender must consult the applicable exclusion lists. Sifting through the maze of exclusion lists and matching the categories covered by the exclusion list and a specific email communication can be a daunting task. Consider the following. To which entity do they apply? The company? A division? A third party? To which type of communications does the restriction apply? Any commercial messages? Messages with respect to certain topics?
Additional Precautions

If an email address is not on the exclusion list, this means that the individual has not opted out of receiving commercial communications of the type proposed to be sent. Then, it is possible to send a commercial message. The electronic communication, however, is subject to several restrictions. Specific rules apply to the header, subject line, and content of commercial electronic messages. See below.

Verify the Header, Subject Line and Content of the Proposed Commercial Message

The header, subject line and content of the proposed message must comply with the relevant company rules and guidelines and applicable laws. These requirements include at least the following:

- Do not use false header information in transactional, relationship or commercial messages.
- Do not use false return addresses and deceptive subject lines in commercial messages.
- Clearly and conspicuously label the message to indicate that it is an advertisement or a solicitation. To date, there is no requirement for any specific language or location for the labeling, such as the use of [ADV] in the subject line of commercial emails.
- Provide an opt-out mechanism. The mechanism must remain operational for at least 30 days after the communication was sent.
- Do not send commercial emails more than 10 days after receipt of an opt-out request.
- Include a valid physical postal address in the email.
- Oversee compliance by your email service vendors.
- Do not use automatic methods to harvest or randomly generate email addresses.

If a Recipient Has Previously Agreed to Receive Commercial Messages

When sending a commercial message, it is not necessary to indicate clearly that the message is an advertisement or a solicitation if the recipient has given prior affirmative consent to receive these messages.
A recipient may have given his/her prior affirmative consent directly to the sender, either in response to a clear and conspicuous request for such consent or at the recipient’s own initiative. In addition, the recipient may have given his consent to a third party. The recipient may have given valid consent to the use of his contact information in connection with third-party information. For the person’s consent to be valid, he/she must have been given clear and conspicuous notice, at the time the request for consent was communicated, that the email address could be transferred to another party for the purpose of originating a commercial email.

B. Permitted Addressees and Exclusion Lists

An “exclusion list” is a list of individuals who have requested not to receive commercial messages from a specific sender about a specific subject or in a specific format, or from a specific sender about any subject and/or in any format. Before sending an unsolicited commercial message, the sender should pre-qualify the recipient lists for each type of mailing. This prequalification ensures that all recipients are selected in accordance with the applicable law and policy, by eliminating the email address of anyone who has previously opted out of receiving any commercial messages (or commercial messages on a specific subject matter) from the entity that proposes to send the commercial message, and of individuals who appear on a Do-Not-Email list maintained by any government that regulates messages to that person’s email address. It also allows identifying those potential addressees who have an email address domain (e.g. a country code extension such as .uk, .nl, .it, etc.) or mail servers known to be based outside of the United States.
Unless such a person has provided his or her email address in the context of a previous purchase, and has given prior verifiable written consent (under the law applicable in that country) to receive commercial messages from the company on any or a specific subject matter, consider eliminating these recipients, since many foreign countries also have very stringent anti-spam legislation. In addition, you must ensure that the addresses you obtained were not collected through illegal means, and that you do not use illegal means to send the messages to the proposed recipients.

C. Content of Commercial Electronic Messages

Message Header

Header information may not be materially false or materially misleading. “Header information” means the source (“from”), destination (“to”) and routing information attached to the electronic message: the originating domain name, the originating email address, and any other information that appears in the line identifying or purporting to identify a person initiating the electronic message. The “from” line must accurately identify the person who initiated the electronic message. Header information must also accurately identify the computer used to initiate the message. For example, header information that identifies another computer used to relay or retransmit an electronic message in order to disguise its origin will be considered materially misleading. The originating email address, domain name, or IP address may not have been obtained by false or fraudulent pretenses, even if they are technically accurate. Of course, do not let third parties send an electronic message on behalf of the company if you know that they are using materially false or misleading header information.

Subject Heading

The subject line must clearly identify that the communication is a commercial electronic message. Be clear about the purpose of the electronic message. Deceptive headings are illegal.
The recipient of the electronic message must be able to understand, from the subject line, what the purpose of the electronic message is. Consider indicating the name of the company, or that of the product about which you are contacting the customer. The subject matter of the communication must be provided, and the information provided must be accurate. The subject line must reasonably relate to the content of the electronic message. Make sure that the subject line is an adequate summary of the content of the communication. Choose your words carefully, to clearly indicate that the electronic message promotes or advertises the company’s products or services. For example, the words “Special Promotion,” “Holiday Bonus” or “Discount” are clearly understood. However, this requirement does not apply if the recipient has given his prior express consent to receive commercial messages.

Postal Address Required

All commercial electronic messages must contain a valid physical postal address of the sender. Clearly indicate the name of the company or entity on behalf of which the electronic message is sent, and provide the postal address of this entity.

Clear and Conspicuous Opt-Out Notice

The electronic message must contain a clear and conspicuous notice of the opportunity to decline to receive further commercial electronic messages.

Opt-Out Mechanism

A functioning return email address or other Internet-based mechanism must be clearly and conspicuously displayed, and must allow the recipient to ask not to receive future commercial electronic messages from that sender at that email address. The unsubscribe function must remain capable of receiving such requests for at least 30 days after transmission of the original electronic message. The message must include a functioning return email address or other Internet-based mechanism to allow opt-outs. Several methods can be used:
Many companies prefer to rely on a list or menu of different types of messages that the recipient may wish to receive or not to receive. This allows more granularity. The company preserves the ability to have some communication with its clients or prospects, and the user can select only some of the categories of services or information without being inconvenienced with communications that are not relevant to his or her needs or interests. However, in this case, one of the options in the menu must be not to receive any commercial message.

Opt-outs have permanent status. An opt-out may only be reversed by the person who opted out, if that person subsequently provides an affirmative (opt-in) consent to receive commercial messages in the future.

If a recipient unsubscribes or opts out

No unwanted commercial messages may be sent more than 10 business days after a person has communicated that s/he does not want to receive commercial communications. This prohibition applies to the “sender” of a transmission (see the definition of “Sender” above) and to any person that acts on behalf of a “sender.” Once the recipient sends an opt-out request, the company must stop sending any messages that fall within the scope of the request within 10 business days after receipt of such request. Thus, before sending a commercial electronic communication, ensure that any opt-out request that might result from the transmission of this message can be honored within the ten business day period. The ten business day limit applies BOTH to messages sent by the company, and to messages sent by a third party on behalf of or for the benefit of the company.
Thus, before allowing a third party to send an electronic message on behalf of, or for the benefit of, the company, it is important to make sure that the third party will both implement the opt-out request within the ten business day period, and immediately inform the company of the opt-out request, so that the company, as well, can implement the opt-out request within the ten-day period.

If the recipient has previously agreed to receive commercial messages, it is not necessary to indicate clearly that the message is an advertisement or a solicitation, since the recipient has given prior affirmative consent to receive these messages. A recipient may give prior affirmative consent directly to the sender, either in response to a clear and conspicuous request for such consent or at the recipient’s own initiative. The consent may be given to a third party. For the consent to be valid, the individual must have been given clear and conspicuous notice, at the time the request for consent was communicated, that the email address could be transferred to another party for originating a commercial email.

D. Permitted Methods for Sending Commercial Messages

Emails May be sent only from a Legitimate Address

The law prohibits the use of automated means to register multiple email accounts from which to transmit electronic messages. The originating email address, domain name, or IP address may not have been obtained by false or fraudulent pretense, even if they are technically accurate.

Emails may be sent only through a Legitimate Internet Connection

In addition, the law prohibits using a third party’s computer or computer network to relay or transmit an electronic message on behalf of the company, unless this is done in connection with telecommuting permitted by the company.
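The header, subject line and body requirements of sections C and D above can be turned into a pre-send check that marketing staff or a mailing tool run before a commercial message leaves the company. The following is an added example written for this article, not code from the article or from IT Law Group. The approved-domain registry, the two sample messages and the regular expressions are constructed for illustration; the text-pattern checks are heuristics that flag missing elements, not a legal determination of compliance.

```python
"""Pre-send checks for an outgoing commercial message, following the content and
sending rules of sections C and D: accurate "From" (and "Reply-To") on an
approved company domain, a subject line that identifies the message as commercial
unless prior consent is on file, the sender's name and a physical postal address
in the body, and a visible opt-out mechanism. Added example, not the article's
own code; the approved-domain registry and both messages are constructed."""
import re
from email import message_from_string
from typing import Dict, List, Set

# Hypothetical registry: each entity or division that holds itself out as the
# "sender" maps to the domains it is permitted to send from (constructed data).
APPROVED_SENDER_DOMAINS: Dict[str, Set[str]] = {
    "Example Travel Co.": {"example-travel.example", "mail.example-travel.example"},
}

# Crude heuristics, good enough to demonstrate the checks; a production filter
# would compare against the company's registered postal addresses instead.
POSTAL_ADDRESS_RE = re.compile(r"\b\d{1,6}\s+[A-Za-z0-9 .]+,\s*[A-Za-z .]+,\s*[A-Z]{2}\s+\d{5}\b")
ADV_WORDS_RE = re.compile(r"\b(advertisement|promotion|discount|offer|bonus|sale)\b", re.IGNORECASE)
OPT_OUT_WORD_RE = re.compile(r"unsubscribe|opt[- ]?out", re.IGNORECASE)
OPT_OUT_LINK_RE = re.compile(r"https?://\S+|mailto:\S+", re.IGNORECASE)


def _domain_of(header_value: str) -> str:
    """Extract the domain from a From/Reply-To value such as 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", header_value)
    return m.group(1).lower() if m else ""


def check_commercial_message(raw: str, sender: str, prior_consent: bool = False) -> List[str]:
    """Return the list of rule violations found; an empty list means the message passes."""
    msg = message_from_string(raw)
    problems: List[str] = []
    allowed = APPROVED_SENDER_DOMAINS.get(sender, set())

    # Header rules: the "from" line and return address must identify the real sender.
    for header in ("From", "Reply-To"):
        value = msg.get(header)
        if value is not None and _domain_of(value) not in allowed:
            problems.append(f"{header} domain {_domain_of(value)!r} is not an approved domain for {sender!r}")

    # Subject rule: must signal a commercial message unless prior consent exists.
    subject = msg.get("Subject", "").strip()
    if not subject:
        problems.append("subject line is empty")
    elif not prior_consent and not ADV_WORDS_RE.search(subject):
        problems.append("subject does not identify the message as a promotion and no prior consent is on file")

    # Body rules: name the entity, give its postal address, offer a way to opt out.
    # Single-part text messages only (assumption); a multipart body is treated as empty.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if sender not in body:
        problems.append("body does not name the company on whose behalf the message is sent")
    if not POSTAL_ADDRESS_RE.search(body):
        problems.append("no physical postal address found in the body")
    if not (OPT_OUT_WORD_RE.search(body) and OPT_OUT_LINK_RE.search(body)):
        problems.append("no clear opt-out notice with a working return address or link")
    return problems


# Constructed sample messages (headers, blank line, body).
COMPLIANT_MESSAGE = """From: Example Travel Co. <offers@example-travel.example>
To: customer@example.net
Subject: Special Promotion: 20% discount on ski vacations

Hello,
This is an advertisement from Example Travel Co.
Example Travel Co., 123 Market Street, Palo Alto, CA 94301
To unsubscribe from future offers, visit https://example-travel.example/unsubscribe
"""

NONCOMPLIANT_MESSAGE = """From: Promo Team <promo@free-mail.example>
To: customer@example.net
Subject: Hi there

Don't miss this. Reply to this message for details.
"""

if __name__ == "__main__":
    for name, raw in (("compliant", COMPLIANT_MESSAGE), ("noncompliant", NONCOMPLIANT_MESSAGE)):
        print(name, check_commercial_message(raw, "Example Travel Co."))
```

The `prior_consent` flag reflects the exception stated above: when the recipient has given prior affirmative consent, the subject line no longer has to flag the message as a promotion, but the header, postal address and opt-out requirements still apply.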
In Case of Co-Marketing or if a Third Party Makes the Mailing

If the company conducts a joint marketing campaign with another entity, this other entity must agree to abide by the company’s rules for electronic commercial messages and relevant guidelines, in addition to its own rules. Similarly, when using service providers, the subcontracting parties must agree to abide by the company’s rules for electronic commercial messages and relevant guidelines.

E. Recordation of Mailings

In the case of larger institutions in particular, it is prudent to record all electronic messages that have been sent to promote or advertise the company’s products or services. This preserves valuable evidence in the event of a dispute. Company policy might also require that the database administrator be notified for each database that is used to generate email lists. Usually, each database administrator is responsible for maintaining records of the messages sent. When reporting the transmission of commercial electronic messages, the following information will be useful:
- a copy of the electronic message sent;
- the date when the electronic message was sent; and
- the list of recipients.

5.4 TRANSACTIONAL OR RELATIONSHIP MESSAGES

A small number of rules in the CAN SPAM Act apply to transactional or relationship electronic messages.

No False or Misleading Header

The header information must be accurate and not misleading. For example, the “From” line must accurately identify the person who initiates the message; and the originating email address, domain name or IP address must not have been obtained by false or fraudulent pretense, even if they are technically accurate. In addition, header information must accurately identify the computer used to initiate the message (and not, for example, a third party’s computer used to relay or retransmit the message in order to disguise its origin). The sender should be clearly identified.
The Sender of the message is the person or entity that initiates the message and whose products or services are promoted or advertised by the message. If there are several business entities, a business entity is treated as “the sender” if it holds itself out to the recipient throughout the message as that particular unit or division. While some rules distinguish between who “initiates” and who actually “sends” the message, in practice scrutiny and attention should be the same, whether or not the message is sent by a third party to promote the company’s products.

Only addresses obtained through lawful means

As for commercial electronic messages, harvesting and dictionary attacks are prohibited. Harvesting is the use of automated means to obtain email addresses, and a dictionary attack is the use of a mechanism that generates possible electronic addresses by combining characters, letters, numbers or names into numerous permutations.

Send from a Legitimate Address

Messages must be sent through a legitimate company Internet connection. Automatic creation of multiple email addresses from which to transmit commercial messages is not permitted.
6. TRANSACTIONAL ASPECTS OF CAN SPAM COMPLIANCE

6.1 DUE DILIGENCE

Before entering into a contractual relationship with third parties, such as service providers, thorough due diligence is recommended. The same recommendation applies if the company is contemplating a corporate transaction, such as a merger or acquisition, or a joint venture or strategic alliance, that will or may require that the third party’s contact information database be used by or transferred to the company.

Before using third parties’ lists

A company may use third parties’ lists when conducting a joint marketing campaign with another company, or when engaging a third party to send a mailing on behalf of the company or about the company’s products or services. Before using third parties’ lists, consider, for example, verifying that the rules the third party applies to commercial electronic messages are consistent with the company’s policies and procedures with respect to commercial electronic messages. The inquiry would also attempt to ascertain the origin of the information in the third party’s database. How and where was it collected or obtained? It would be prudent as well to review the third party’s Privacy Policy and its commercial electronic message policy, if any, and to compare these policies with those of the company. The third party’s policies and procedures for the handling of opt-out requests should be evaluated, to ensure compliance with the CAN SPAM Act or other applicable law on unsolicited commercial electronic messages. If the third party’s address list will be used, consider verifying how the addresses were obtained and whether they were obtained by lawful means. The law provides for serious penalties against companies that obtain addresses through unlawful means. In particular, the CAN SPAM Act prohibits the use of automated harvesting and dictionary attacks to obtain lists of email addresses.
6.2 CONTRACT PROVISIONS

When purchasing third parties’ lists, conducting joint marketing campaigns, or using service providers to make mailings on the company’s behalf, adequate contracts must be in place to address CAN SPAM compliance concerns, in addition to the clauses that are in typical services agreements. Consider the use of all or some of the following clauses to address the issues that are specific to the use of unsolicited electronic commercial messages.

Scope of the Services

If a third party is retained to make mailings on behalf of the company, or if, in a joint marketing campaign with a third party, the other party will send electronic messages on behalf of both the company and that third party, the contract should define requirements or restrictions on the services provided by the other party. For example, state the third party’s obligation to comply with the applicable law and with the company’s rules for electronic communications, the company’s privacy policy, or the company’s other rules and guidelines for commercial messages. The contract should define specific measures for ensuring that the lists to be used by the third party will not be inconsistent with the exclusions to which the company is subject. The contract should provide for a method to compare exclusion lists and remove individuals who have requested not to receive commercial electronic messages or instant messages from the company. If the third party will have the ability to send messages on behalf of the company, specify the nature and content of the electronic messages and other electronic communications made by the third party, such as header requirements and content requirements. Ensure that the company will have the right to review and approve the content and format of commercial electronic messages that are sent about the company’s products or services, or provide the third party with a template that has been previously approved by the company.
Implementation of Opt-Out Requests

The contract should also address how the third party will implement opt-out requests and communicate the content of such requests to the company. Contract provisions should require the third party to have in place an appropriate opt-out procedure that complies with the opt-out rules. The CAN SPAM Act includes specific timing requirements. Any opt-out mechanism must remain able to receive opt-out requests for 30 days after the recipient has received a commercial electronic message, so that the recipient can opt out of any future mailings. In addition, no electronic commercial message may be sent more than 10 business days after a recipient has notified a sender that s/he does not wish to receive any other electronic commercial messages at that address (or messages with respect to certain specific topics). These time frames must be incorporated in services and other agreements to ensure full compliance with the law. Finally, the contract could also require that the third party periodically provide the company with complete, updated opt-out lists that incorporate all the changes requested during the prior period.

Recordation of Mailings

The company should track what messages have been sent on its behalf. The service provider should keep track of the messages sent by its personnel and provide periodic reports of its activities.

Audits

As always, audits of the third parties are necessary to ensure compliance. Negotiate the right to conduct audits of the third party’s practices. Arrange for periodic audits, including the ability to oversee the mailing, and spot check the practices, the content of messages, and the creation and management of databases of contact information.

Representations and Warranties

Obtain adequate representations and warranties from these third parties with respect to the services to be provided. For example, consider including in the services agreement representations and warranties that:
Limitation of Liability

Negotiate contract provisions that place contractual risks on the third party or the vendor, including indemnification, limitation of the company’s liability, and insurance clauses.

6.3 MERGERS & ACQUISITIONS AND OTHER TRANSACTIONS

Mergers and acquisitions, joint ventures, outsourcing and other corporate transactions present unique problems where CAN SPAM Act compliance is concerned. Issues are raised at each level of the transaction.

At the due diligence stage, the purchaser must understand the constraints to which marketing databases are subject, and evaluate the compatibility (or absence thereof) of the marketing functions of the two companies. Consider, for example, the case of an acquisition where the target used an “all or nothing” opt-out procedure that permitted users to opt out of all communications from the company, while the purchaser has in place granular opt-outs with numerous layers and options for the user. Assuming that there are no other obstacles to the transfer of the databases, how would the purchaser reconcile the all-or-nothing database with its own more complex procedures? What if the entire value of the target was in its mailing list?

At the contract stage, consider negotiating specific representations, warranties, and indemnification provisions for the databases if they are an asset that the company intends to continue using. Consider also other issues, such as whether the transfer of the database is actually possible, or whether there are other restrictions and specific consents that must be obtained before the personal information in the database may be transferred over to the purchaser.

At the integration stage, numerous issues will arise. For example, should each individual be contacted to be informed of the acquisition and asked for consent to the transfer of his information? How should the incompatibilities between the respective companies’ “menus” of unsubscribe options be addressed?
If one database allowed for granularity and the other one does not, what choices should be made? For example, assume that David Corporation is a small corporation with limited computing capability. It has chosen an all-or-nothing opt-out system, because that is the only one that it can easily manage. Goliath Corporation, on the other hand, is a large, global corporation with numerous businesses and subsidiaries, and a sophisticated menu system for opt-outs. When Goliath acquires David and takes over David’s exclusion list, do the opt-outs made by David Corporation’s clients before the acquisition still apply when Goliath owns the database? How do they affect the database after the acquisition is consummated?
7. TECHNICAL CONSIDERATIONS

7.1 CREATION AND MANAGEMENT OF EXCLUSION DATABASES

In order to avoid sending unsolicited commercial messages, distribution lists must be scrubbed against exclusion lists to remove the email addresses of individuals who have requested not to receive commercial messages from a specific sender about a specific subject or in a specific format, or from a specific sender about any subject and/or in any format. This would include, for example, individuals who have previously opted out from receiving any commercial messages from the company directly, or through a third party with which the company has a co-marketing agreement or which is a vendor of the company. It would also include individuals who have an email address domain (e.g. a country code extension such as .uk, .nl, .it, etc.) or mail servers known to be based outside of the United States, unless such a person has provided his or her email address in the context of a previous purchase of the company’s products or services, and has given prior verifiable written consent (under the law applicable in that country) to receive commercial messages from the company entity or about a specific subject matter. To the extent that “do-not-email” lists are maintained by any government that regulates messages to that person’s email address, individuals on these lists should be excluded as well.

When preparing an opt-out notice, and designing the software applications that will allow the compilation of recipient information to create exclusion lists, the following considerations may apply: (1) who is the sender; (2) who is the recipient; (3) what is the subject matter; and (4) what is the format?

Distinguish who is the Sender of the Message

In large companies with multiple divisions, the database should be able to distinguish who is the sender of the message.
The CAN SPAM Act defines the sender of the message as the person who initiates the message and whose products or services are promoted or advertised by the message. If there are several business entities, a business entity is treated as “the sender” if the entity holds itself out to the recipient throughout the message as that particular entity or division.

Distinguish who is the Recipient of the Email

The database and related software applications should also be able to distinguish who is the recipient of the email. If a person has several email addresses, that person is treated as a different “recipient” for each of the email addresses. If an email address is reassigned to a new user, any opt-in or opt-out formulated by the prior custodian of that email address does not apply to the next individual who becomes the custodian of that generic address.

Distinguish Different Categories of Commercial Message

The best opt-out methods are the ones that offer granularity. If the recipient is provided with a list or menu of different types of messages that the recipient may wish to receive or not to receive, the system must be able to receive these requests and record them in order to build the adequate distribution lists. The more options available, the more chances there are that the recipient will agree to receive some information relating to specific fields of interest. With all of these possibilities, and depending on the computing capabilities of the company and the availability of its information systems department, a company could consider using different types of exclusion lists, such as:
- a companywide exclusion list,
- a list specific to a country or region,
- a list specific to a division or department, or a specific line of business,
- a list specific to a subject matter.
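The four axes just listed (sender, recipient, subject matter, format), the foreign-domain and government do-not-email exclusions from section 7.1, the reassigned-address rule, and the two timing rules from section 5.3 (the opt-out mechanism stays live for 30 days; mailings within the scope of an opt-out stop within 10 business days) can all be modelled in one small exclusion database. The following is an added example written for this article, not code from the article or from IT Law Group. The list contents, addresses, country-code set and dates are constructed; the business-day calculation ignores public holidays, which is an assumption.

```python
"""Exclusion database and list scrubbing along the four axes named in section
7.1 (sender, recipient, subject matter, format), plus the two timing rules from
section 5.3 (opt-out mechanism live for 30 days; mailings stop within 10 business
days of an opt-out). Added example, not the article's own code; the list
contents, domains and dates below are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

ANY = "*"  # wildcard: the opt-out covers every sender, subject or format


@dataclass(frozen=True)
class OptOut:
    """One recorded opt-out. The address is the recipient: a person with two
    addresses is two recipients, so each address needs its own record."""
    address: str
    sender: str = ANY     # entity or division the opt-out was addressed to
    subject: str = ANY    # subject-matter category, e.g. "ski"
    fmt: str = ANY        # message format, e.g. "html", "text"
    received: date = date(2006, 1, 1)

    def covers(self, sender: str, subject: str, fmt: str) -> bool:
        return (self.sender in (ANY, sender)
                and self.subject in (ANY, subject)
                and self.fmt in (ANY, fmt))


@dataclass
class ExclusionDatabase:
    opt_outs: List[OptOut] = field(default_factory=list)
    do_not_email: Set[str] = field(default_factory=set)   # government do-not-email entries (placeholder)
    foreign_tlds: Set[str] = field(default_factory=lambda: {"uk", "nl", "it"})  # the article's examples
    foreign_consent: Set[str] = field(default_factory=set)  # addresses with verifiable written consent

    def record_opt_out(self, address: str, sender: str = ANY, subject: str = ANY,
                       fmt: str = ANY, received: Optional[date] = None) -> None:
        self.opt_outs.append(OptOut(address.lower(), sender, subject, fmt, received or date.today()))

    def address_reassigned(self, address: str) -> None:
        """A reassigned address has a new custodian: the prior opt-outs and consents no longer apply."""
        addr = address.lower()
        self.opt_outs = [o for o in self.opt_outs if o.address != addr]
        self.foreign_consent.discard(addr)

    def reason_to_exclude(self, address: str, sender: str, subject: str, fmt: str) -> Optional[str]:
        addr = address.lower()
        if addr in self.do_not_email:
            return "on a government do-not-email list"
        for o in self.opt_outs:
            if o.address == addr and o.covers(sender, subject, fmt):
                return f"opted out on {o.received} (sender={o.sender}, subject={o.subject}, format={o.fmt})"
        tld = addr.rsplit(".", 1)[-1]
        if tld in self.foreign_tlds and addr not in self.foreign_consent:
            return f".{tld} address without verifiable written consent"
        return None

    def scrub(self, recipients: List[str], sender: str, subject: str, fmt: str) -> Tuple[List[str], Dict[str, str]]:
        """Split a distribution list into addresses that may be mailed and those excluded, with the reason."""
        kept: List[str] = []
        excluded: Dict[str, str] = {}
        for r in recipients:
            why = self.reason_to_exclude(r, sender, subject, fmt)
            if why:
                excluded[r] = why
            else:
                kept.append(r)
        return kept, excluded


def opt_out_deadline(received: date, business_days: int = 10) -> date:
    """End of the ten business day window: mailings covered by the opt-out must have
    stopped by this date. Counts Monday to Friday only; holidays are not modelled (assumption)."""
    d, remaining = received, business_days
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5:
            remaining -= 1
    return d


def opt_out_mechanism_active_until(sent: date) -> date:
    """The unsubscribe mechanism must keep accepting requests for 30 days after transmission."""
    return sent + timedelta(days=30)


if __name__ == "__main__":
    db = ExclusionDatabase(do_not_email={"blocked@example.org"})
    db.record_opt_out("alice@example.com")                       # no commercial mail at all
    db.record_opt_out("bob@example.com", sender="Travel Division", subject="ski")
    db.foreign_consent.add("dana@example.nl")
    recipients = ["alice@example.com", "bob@example.com", "carol@example.it",
                  "dana@example.nl", "blocked@example.org", "erin@example.com"]
    kept, excluded = db.scrub(recipients, sender="Travel Division", subject="ski", fmt="html")
    print("mail:", kept)
    for addr, why in excluded.items():
        print("skip:", addr, "->", why)
    print("stop covered mailings by:", opt_out_deadline(date(2006, 4, 3)))
```

The wildcard record is what makes the mandatory "no commercial messages at all" menu option work: it covers every sender, subject and format, while a narrower record such as Bob's (one division, one subject) leaves mailings on other subjects untouched. Because the opt-out is keyed on the exact address, the same person reached at a second address would have to be recorded separately, matching the article's definition of a recipient.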
8. DISPUTES AND PROBLEMS

A complete CAN SPAM Compliance Program should also include procedures to handle complaints or disputes. While the law provides the federal and state agencies with the majority of the enforcement power, it is wise to ensure that disgruntled customers will not bring their complaints to these agencies before first giving the company an opportunity to address them. If there are customer complaints, the company should take immediate action. The CAN SPAM Compliance policy and procedures should anticipate these events, and define as necessary the nature of the response to individuals’ complaints.
9. POLICIES AND PROCEDURES

With all this information in hand, the next step would include completing an acceptable CAN SPAM Compliance Policy that incorporates the legal requirements and applies them, if possible, to the company’s practices, or creates new practices that are actually compliant with the law and regulations. Once the CAN SPAM policy has been approved, detailed procedures should be established to implement the policy. There should be detailed operational procedures, specifying the rules for drafting email messages, the content requirements, and the approval process. Additional procedures could be created to include checklists, sample provisions, and other materials for use in due diligence, services agreements, outsourcing agreements, strategic alliances, and mergers and acquisition transactions. What types of messages can be sent? To whom? What precautions are needed before transferring electronic messages to third parties? How should the unsubscribe process be handled? How are the exclusion lists created? Who is responsible for their maintenance? What are the procedures for due diligence? What contract, release, nondisclosure agreement, or other agreement should be used with different types of subcontractors? And so on. The procedures must be sufficiently detailed to address the multiple facets of the company’s business. They must answer most questions that the staff may have, on a daily basis or occasionally, on what to do with specific communications under specific circumstances. The company’s CAN SPAM Compliance Program cannot become effective and cannot be published before there are adequate procedures in place to support the program.
10. IMPLEMENTATION & MAINTENANCE

Once the CAN SPAM policies and procedures are completed, the company must then implement these procedures so that the program can be launched. This will require that the program and associated restrictions or obligations be communicated to the entire company. Crucial to the process will be the training of the personnel, both before roll-out and again, later, periodically. Once the program is in place, there should be additional training, enforcement, and audits of the practices. In addition, there should be a periodic evaluation of the company’s evolving needs, as well as of the additional restrictions created by new laws or contracts. A crucial component of the Program is its enforcement. The enterprise needs to have in place the necessary mechanisms and checks to monitor compliance by the personnel. Periodic audits and reviews should be made to ensure that everyone is operating as expected. Of course, do not leave the policy forgotten on a shelf. It is a living document that needs to be updated. Only part of the job is done after the initial Program is drafted. Practices change, laws change. The day-to-day application and the continued relevancy of the Program are essential to its success. The documents and related procedures must be modified frequently to adapt to changes.
11. CONCLUSION

Each company has its own culture and needs. Most companies, however, share a common element: their most important assets are their customers and prospects. To survive and be competitive, an enterprise needs to invest the resources necessary to balance bottom line and quarterly results with more subtle messages to its customers and prospects that it respects their intelligence and their need to be left alone, and will not flood them with unsolicited correspondence. This can be successfully achieved through a well thought out, comprehensive CAN SPAM Compliance Program.

CAN SPAM Compliance Programs create structures and processes that simplify and streamline compliance with the complex and ubiquitous CAN SPAM Act requirements. They help companies address in an organized manner communications with their clients, the drafting of compliant messages, limitations on the use of their databases of contact information, and other issues. They can also facilitate other aspects of the company’s operations, such as mergers & acquisitions and new company integration. The creation and development of a company-wide CAN SPAM Compliance Program requires a great financial and time investment. The collaboration of the entire enterprise is necessary to achieve the development of policies and procedures that comply with the law, and are adapted to, and consistent with, the company’s practices, expectations, and goals. To achieve such a complex endeavor, patience and attention to detail are required. There must be a complete and thorough investigation of the company’s practices and actual needs. Complex legal issues are involved. They cannot be solved by the mere use of a form.

Palo Alto, April 6, 2006
CAN SPAM Act - CAN SPAM Policies and Procedures: Practical Tips for Everyday Marketing Communications
Francoise Gilbert
© 2006 IT Law Group – All Rights Reserved