Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)

• No private right to action

• Preempts most state spam laws

• State spam laws are not superseded to the extent that such laws prohibit false or deceptive activity

• Enforcement: FTC, other federal regulators, state AGs and other state officials

• Violation: fines up to $40,654/violation. For those authorized to sue (ISP’s can sue violators), the

act provides for injunctive relief and damages up to $250/violation with a max of $2 mil. A court

may increase a damage aware up to three times the amount in cases of willful or aggravated

violations

• Covers transmission of commercial email messages whose primary purpose is advertising or

promoting a product or service

• o Prohibits false or misleading headers

• o Prohibits deceptive subject lines

• o Requires commercial emails to contain a functioning, clearly and conspicuously

• displayed return email address that allows the recipient to contact the sender

• o Requires clear and conspicuous notice of the opportunity to opt out such as by return

• email or an opt out link

• o Prohibits sending commercial email (following a grace period of 10 business days) to an

• individual who has asked to not receive future email

• o Requires all commercial email to include:

  • • ▪ Clear and conspicuous identification that the message is a commercial message (unless affirmative consent was provided) and

    • A valid physical address of the sender

• Prohibits aggravated violations relating to commercial email such as

  • • ▪ Address-harvesting and dictionary attacks

    • ▪ Automated creation of multiple email accounts

    • ▪ Retransmission of commercial email through unauthorized accounts

• o Requires all email containing sexually oriented material to include a warning label (unless the recipient has provided prior affirmative consent to receive the email)

• Rules cover messages sent using SMS but do not cover phone to phone messag

• Prohibits senders from sending MSCMs without the subscriber’s express prior authorization

  • • o Must be opt in (check box on a website can’t be pre-checked)

    • o Authorization must be given prior to the sending of any MSCMs

    • o Consumers must not bear any costs with authorization/revocation

    • o Each authorization must include certain required disclosure stating:

    • ▪ The subscriber is agreeing to receive MSCMs sent to his or her wireless device from a particular (identified) sender

    • ▪ The subscriber may be charged by his or her wireless provider in connection with the receipt of such messages

    • ▪ The subscriber may revoke the authorization at any time

    • o Disclosures must be clear and conspicuous

    • o Authorization must be specific to the sender and must clearly identify the entity (no third parties)

    • o Authorization must be obtained in any format and must be documented

    • o Senders must enable consumers to revoke authorizations by the same means of revocation

    • o MSCMs themselves must include functioning return email addresses or another Internet based mechanism that is clearly and conspicuously displayed for the purpose of receiving opt outs

    • o 10 business day grace period following revoked authorization