Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
• No private right to action
• Preempts most state spam laws
o State spam laws are not superseded to the extent that such laws prohibit false or deceptive activity
• Enforcement: FTC, other federal regulators, state AGs and other state officials
• Violation: fines up to $40,654/violation. For those authorized to sue (ISPs can sue violators), the
act provides for injunctive relief and damages up to $250/violation with a max of $2 mil. A court
may increase a damage award up to three times the amount in cases of willful or aggravated
violations
• Covers transmission of commercial email messages whose primary purpose is advertising or
promoting a product or service
o Prohibits false or misleading headers
o Prohibits deceptive subject lines
o Requires commercial emails to contain a functioning, clearly and conspicuously
displayed return email address that allows the recipient to contact the sender
o Requires clear and conspicuous notice of the opportunity to opt out such as by return
email or an opt out link
o Prohibits sending commercial email (following a grace period of 10 business days) to an
individual who has asked to not receive future email
o Requires all commercial email to include:
▪ Clear and conspicuous identification that the message is a commercial message (unless affirmative consent was provided) and
▪ A valid physical address of the sender
o Prohibits aggravated violations relating to commercial email such as
▪ Address-harvesting and dictionary attacks
▪ Automated creation of multiple email accounts
▪ Retransmission of commercial email through unauthorized accounts
o Requires all email containing sexually oriented material to include a warning label (unless the recipient has provided prior affirmative consent to receive the email)
• Rules cover messages sent using SMS but do not cover phone to phone messag
• Prohibits senders from sending MSCMs without the subscriber’s express prior authorization
o Must be opt in (check box on a website can’t be pre-checked)
o Authorization must be given prior to the sending of any MSCMs
o Consumers must not bear any costs with authorization/revocation
o Each authorization must include certain required disclosure stating:
▪ The subscriber is agreeing to receive MSCMs sent to his or her wireless device from a particular (identified) sender
▪ The subscriber may be charged by his or her wireless provider in connection with the receipt of such messages
▪ The subscriber may revoke the authorization at any time
o Disclosures must be clear and conspicuous
o Authorization must be specific to the sender and must clearly identify the entity (no third parties)
o Authorization must be obtained in any format and must be documented
o Senders must enable consumers to revoke authorizations by the same means of revocation
o MSCMs themselves must include functioning return email addresses or another Internet based mechanism that is clearly and conspicuously displayed for the purpose of receiving opt outs
o 10 business day grace period following revoked authorization