Posts Tagged ‘CAN SPAM’

Street Legal E-mail

Tuesday, January 4th, 2011

In this third set of questions following our recent deliverability webinar, we’ll try to clarify some confusion about the current legal state of affairs where bulk commercial e-mail is concerned. We’re also about to see some big changes go into effect in Canada that may have some impact on your e-mail strategy. We received this question from a webinar participant after the live session (if you haven’t caught it yet, you can still see the recorded version):

My e-mail is CAN SPAM compliant, but it still gets bounced or filtered. It’s not spam if it complies with the law, right?

First, let’s be clear: CAN SPAM does not actually make spam illegal, a common misconception among businesses that are new to e-mail marketing. Here’s a quick, simplified checklist of what the law actually requires of bulk commercial e-mail soliciations:

Don’t lie about the content or the source of the mail: If you’re sending an advertisement for a product or service, it has to be obvious that you’re mail is a solicitation. For example, senders can’t send mail purporting to contain photos from an uncle’s birthday party, when it really contains a sales flyer.

Provide clear instructions for opting out: Online opt-outs must use a single web page to accomplish the unsubscribe request. Forcing recipients to log into an account before they can opt-out is a no-no. Any opt-out mechanism (like an unsubscribe link) must remain functioning for at least 30 days, and opt-out requests must be honored within 10 business days.

Tell recipients where you are: Senders have to include a valid physical postal address in the body of the e-mail. Your business location or headquarters should appear here. A registered post office box is fine, too, as are any of the mailbox rental firms that are established under Postal Service regulations.

Perhaps what’s most notable about this short list of requirements is what’s missing: a prohibition from sending spam (howsoever one chooses to define the term). So, even if your mail is fully CAN SPAM compliant, that doesn’t necessarily mean to the ISPs or to recipients that your mail must not be spam. In fact, ISPs see millions of unsolicited bulk e-mail messages (a common definition of spam) every day that fulfills each requirement imposed by CAN SPAM, and they devote enormous resources to filter it.

So, CAN SPAM requirements actually represent the bare minimum for e-mail marketing standards, not the guarantee of delivery to the inbox that most newcomers assume it should be. To answer the question directly, then: mail that is CAN SPAM compliant can still be filtered or bounced by ISPs. In fact, CAN SPAM includes separate language that holds ISPs harmless when they filter mail.

What about the new Canadian spam law? Do senders in the U.S. have to abide by the law if they send to recipients in Canada?

Canada recently passed the world’s most stringent anti-spam law late last year, covering a broad range of electronic messaging, and it is expected to take effect in September of 2011. The Canadian law does what CAN SPAM never did: it requires senders of e-mail within or into Canada to have or to obtain explicit permission from their intended recipients. For most ISPs and recipient domains, it is a lack of permission that turns ordinary commercial e-mail into spam.

In theory, the Canadian law is enforceable in the U.S., though it wouldn’t be cheap or easy. Canadian plaintiffs would have to obtain a judgement in Canada, then find a court with jurisdiction in the U.S. that’s willing to enforce it. This requires a great deal of time and expense, so enforcement is likely to be rare. But if you’re already CAN SPAM compliant, and have implemented other best common sender practices, you’re likely already in compliance with the Canadian law (once it takes effect). Check my earlier blog post for a more complete analysis of the Canadian law.

That wraps up our brief look at spam laws in the U.S. and Canada. In our next installment of the deliverability webinar questions series, we’ll look at various types of content filtering, and what senders can do test their content for optimal deliverability.

Andrew Barrett is Sr. Director, ISP Relations and Deliverability for Real Magnet.

Canada Passes The Ten Million Dollar Spam Law

Thursday, December 16th, 2010

Earlier this fall, we alerted our readers to the imminent passage of Canada’s strict new electronic messaging bill. On Tuesday, the Canadian Senate voted to adopt the legislation, and it was enacted by Royal Assent yesterday.

Our neighbors to the north may be the last of the G8 countries to adopt an anti-spam law, but it is the very strictest, creating penalties of up to 10-million Canadian dollars (or just under 9.87-million U.S. dollars) for businesses who send spam into or within Canada.

The new law, dubbed the “Fighting Internet and Wireless Spam Act” (or “FISA”, for short) imposes new requirements on senders of just about every type of electronic messaging, including mandates that stretch well-past the minimal requirements for e-mail under the U.S. CAN SPAM Act of 2003.

Under CAN SPAM, senders are required to abide by a series of labelling requirements, provide a working unsubscribe mechanism, and honor unsubscribe requests within ten business days. CAN SPAM, however, has never required that senders obtain prior consent from recipients. FISA requires either explicit permission, or implicit permission in the form of an existing business relationship or a conspicuous publication of the recipient e-mail address. If the publication of the address is accompanied by an instruction not to send unsolicited e-mail, it doesn’t count as implicit permission.

FISA creates a two-year window from the date an address was collected with implicit permission to try and convert it to explicit permission. If after two years explicit permission is not obtained, the sender must suppress the address. Both CAN SPAM and FISA explicitly preclude sending to addresses that have been automatically “harvested” from web sites.

CAN SPAM grants enforcement powers to the FTC, and gives ISPs the right to bring action against infringing senders themselves. FISA, in contrast, provides no criminal penalties, but allows both ISPs and individual recipients of spam to pursue civil action against senders.

The requirements seem to create significant new hurdles for senders, but authors of the Canadian law insist that the legislation is aimed squarely at only the worst of the worst offenders. FISA includes a “due diligence defense”, in which senders should not be held liable for violations if they can show they were making reasonable efforts to abide by the law when the offense was committed. Honest mistakes won’t count against senders.

Should U.S. senders be worried about the new Canadian law? Obviously, the law doesn’t apply if you’re not sending to recipients in Canada, but senders may not always know where (geopolitically speaking) the owner of a particular address receives their mail. However, if you’re already abiding by CAN SPAM and best common practices, you’re likely already in compliance.

The short answer is that (in theory at least) FISA is enforceable in the US, though the process is neither simple nor cheap. It takes about as much time and and money to obtain a judgement in Canada as it does in the U.S., so enforcement action is likely to be as rare, and therefore reserved only for the most egregious of offenders.

Canadian plaintiffs would also have to find a U.S. court willing to enforce the judgement, which is by no means a given. However, there is an open pledge between the U.S. and Canadian governments to support law enforcement efforts across borders. Earlier this year, for example, a Canadian court was willing to enforce a judgement obtained by Facebook in a California court against a Canadian spammer who racked up $873-million in fines for CAN SPAM violations. It will be instructive to see whether U.S. courts will be willing to reciprocate once FISA is enacted.

Within the e-mail community, the new law is regarded as further evidence of a trend in which legal requirements and best practices appear to be converging, albeit at a glacial pace. The take-away for senders, then, should sound familiar: adhere to CAN SPAM and best sender practices. Send to those who have granted permission, and try to engage with and obtain permission from any segments for whom you do not have it.

Andrew Barrett is Senior Director of ISP Relations & Deliverability for Real Magnet.

The $10-Million Spam Law

Tuesday, October 12th, 2010

Our neighbors to the north may be the last of the G8 countries to adopt an anti-spam law, but when it’s enacted later this year (as most analysts agree it will), Canada’s new law will be among the very strictest, creating penalties of up to 10-million Canadian dollars (or just under 9.87-million U.S. dollars) for businesses who send spam into or within Canada.

Bill C-28, dubbed the “Fighting Internet and Wireless Spam” Act (or “FISA”, for short) imposes new requirements on senders of just about every type of electronic messaging, including mandates that stretch well-past the minimal requirements for e-mail under the U.S. CAN SPAM Act of 2003.

Under CAN SPAM, senders are required to abide by a series of labelling requirements, provide a working unsubscribe mechanism, and honor unsubscribe requests within ten business days. CAN SPAM, however, has never required that senders obtain prior consent from recipients. FISA requires either explicit permission, or implicit permission in the form of an existing business relationship or a conspicuous publication of the recipient e-mail address. If the publication of the address is accompanied by an instruction not to send unsolicited e-mail, it doesn’t count as implicit permission. FISA creates a two-year window from the date an address was collected without explicit permission to try and convert it to explicit permission. If after two years explicit permission is not obtained, the sender must suppress the address. Both CAN SPAM and FISA explicitly preclude sending to addresses that have been automatically “harvested” from web sites.

CAN SPAM grants enforcement powers to the FTC, and gives ISPs the right to bring action against infringing senders themselves. FISA, in contrast, provides no criminal penalties, but allows both ISPs and individual recipients of spam to pursue civil action against senders.

The requirements seem to create significant new hurdles for senders, but authors of the Canadian law insist that the legislation is aimed squarely at only the worst of the worst offenders. FISA includes a “due diligence defense”, in which senders should not be held liable for violations if they can show they were making reasonable efforts to abide by the law when the offense was committed. Honest mistakes won’t count against senders.

Should U.S. senders be worried about the new Canadian law? Obviously, the law doesn’t apply if you’re not sending to recipients in Canada, but senders may not always know where (geopolitically speaking) the owner of a particular address receives their mail. However, if you’re already abiding by CAN SPAM and best common practices, you’re likely already in compliance.

The short answer is that (in theory at least) FISA is enforceable in the US, though the process is neither simple nor cheap. It takes about as much time and and money to obtain a judgement in Canada as it does in the U.S., so enforcement action is likely to be as rare, and therefore reserved only for the most egregious of offenders. Canadian plaintiffs would also have to find a U.S. court willing to enforce the judgement, which is by no means a given. However, there is an open pledge between the U.S. and Canadian governments to support law enforcement efforts across borders. Earlier this month, a Canadian court was willing to enforce a judgement obtained by Facebook in a California court against a Canadian spammer who racked up $873-million in fines for CAN SPAM violations. It will be instructive to see whether U.S. courts will be willing to reciprocate once FISA is enacted.

Within the e-mail community, the new law is regarded as further evidence of a trend in which legal requirements and best practices appear to be converging, albeit at a glacial pace. The take-away for senders, then, should sound familiar: adhere to CAN SPAM and best sender practices. Send to those who have granted permission, and try to engage with and obtain permission from any segments for whom you do not have it.

Andrew Barrett is Sr. Director of ISP Relations & Deliverability for Real Magnet.

Legislative Update: Is the FTC Finished with E-mail?

Friday, May 21st, 2010

I sat in on an FTC legislative update webinar presented by The E-mail Experience Council Wednesday afternoon, and thought it might be useful to run down some of the high points for the Real Magnet blog.

Lois Greisman of the FTC started the webinar by asserting that CAN SPAM “leveled the playing field” by providing a road map for legitimate marketers to follow in terms best practices, and a way to distinguish good actors from the bad. I’m not sure I agree with her on that last point; I receive a daily bucket load of unsolicited bulk e-mail that complies with CAN SPAM, and I have trouble discerning the good actors among them.

She noted that the law has been a useful tool for going after certain types of spammers. As an example, she points to the US$2.9-million judgment against ValueClick, who last spring were found to have used brazenly deceptive subject lines in their e-mail (remember the “click here for a free iPod” guys?), among other sins.

Greisman stated flat out that the FTC is uninterested in pursuing broader e-mail specific protections, noting that Congress spoke quite clearly in the passage of the law, and had carefully considered but eventually discarded stiffer requirements. The FTC seems to be signaling that CAN SPAM, with all its flaws, will remain the law of the land as written (and subsequently clarified in the rules update of May 2008), and that we should not expect additional e-mail marketing specific requirements anytime soon.

Legislators are, however, considering an expansion of FTC rule-making authority and enforcement powers that has the Direct Marketing Association a bit nervous. In some cases, it would allow the FTC to impose immediate civil penalties on fraudsters, and give them the opportunity to “go down the food chain” after organizations that aided and abetted the fraud.

For details on these and other topics addressed in the webinar, have a look at my twitter time line for my live narrative of the hour-long session. You’re very welcome to follow me there.  You may also follow Real Magnet’s twitter here.

Andrew Barrett is Sr. Director, ISP Relations & Deliverability at Real Magnet.