Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN SPAM) in early December 2003, and President Bush quickly signed it into law. Many business organizations sought rapid passage in order to preempt a particularly harsh law in California that was set to take effect January 1, 2004. The new law, effective that same date, preempts all state and local laws that regulate the use of e-mail to send "commercial" messages (except to the extent that those laws prohibit falsity or deception in such e-mail messages).
Trade and professional associations have increasingly moved to e-mail as a method of communicating with members and nonmembers alike. Now that CAN SPAM has become the law of the land, associations will need to review their use of e-mail to ensure that they do not run afoul of the new rules. Associations send a wide variety of e-mail messages, some of which may fit within the regulated types of e-mail and others that do not. While the new law will not require recipients to provide prior consent to receive e-mail communications — as the proposed federal fax regulations would have done regarding certain types of faxes — it is essential for associations to understand what is covered, what is not, and what the requirements are for e-mail that is subject to the law. The administrative and other burdens that the law may impose on associations are significant.
What Types of E-mails Are Covered?
CAN SPAM regulates all "commercial electronic mail," whether unsolicited or not. As defined by the law, commercial electronic mail messages have the "primary purpose" of advertising or promoting a commercial product or service, including content on an Internet Web site. The distinction between "unsolicited" and other commercial e-mail disappeared with a major revision to the act during the final weeks of legislative drafting. The new rules apply regardless of whether the commercial e-mail is unsolicited, and they extend to associations that send commercial e-mail messages to existing members, among others.
As it currently stands, the new law makes no express exceptions for tax-exempt nonprofit organizations, although the Federal Trade Commission (FTC) may have some ability to change this through its rulemaking proceedings. Thus, virtually any e-mail message sent by an association that promotes the sale of a product or service may be covered — not just unsolicited messages sent in large numbers. However, at this point, it is unclear whether e-mail messages sent by tax-exempt nonprofit organizations in furtherance of their tax-exempt purposes — even those that promote the sale of a product or service, such as an association educational conference — will be covered by the definition of "commercial" e-mail messages.
Some in the association community have maintained that such messages are not "commercial" in nature and, therefore, should not be covered by the definition. Of course, the Federal Communications Commission (FCC), which will have no authority in the FTC rulemaking, has taken the position (in connection with its fax regulations) that all association fax communications promoting the sale of products or services — even if in furtherance of the association's mission — are "commercial." The association community is asking Congress to provide clarification to the FTC on this point. Even if such postenactment legislative history is obtained, though, it will not be binding on the FTC. So, regardless, a definitive answer on this critical issue will need to come from the FTC.
If the FTC construes the term "commercial" narrowly and in a manner that excludes those association e-mails in furtherance of their tax-exempt purposes, then presumably the only e-mails covered by the law would be those "unrelated" to a tax-exempt association's purposes. If the FTC construes the term "commercial" broadly, as the FCC has done, then association e-mails sent to promote, say, conferences and events for which a fee is charged or sent to sell educational publications to members or nonmembers would be covered. On the other hand, associations often send e-mail messages that clearly fall outside of the definition. Examples include legislative alerts, industry news updates, and other similar information-only items.
If an e-mail constitutes a "commercial electronic mail message," then the message must contain clear and conspicuous identification that the message is an advertisement or solicitation, clear and conspicuous notice of the opportunity to decline to receive further commercial e-mails from the sender (e.g., an "opt-out"), and a valid, physical postal address of the sender.
As defined in CAN SPAM, "commercial electronic mail" does not include a category of e-mails called "transactional or relationship messages," which relay information specific to the recipient. Nonetheless, transactional messages do not create a blanket exception from the commercial e-mail category for messages to persons with whom the sender has an "established business relationship" (as that term has been used under federal telemarketing and fax rules). Thus, even if an association sends a commercial advertisement or solicitation only to its members, the message will be subject to the law's requirements for commercial e-mail unless it contains one of five transactional or relationship primary purposes:
- Facilitating, completing, or confirming a commercial transaction that the recipient has previously agreed to enter into with the sender;
- Providing warranty information, product recall information, or safety or security information about a commercial product or service;
- Providing information regarding a membership, subscription, account, loan, or other ongoing commercial relationship;
- Providing information related to an employment relationship or benefit plan;
- Delivering goods or services that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter with the sender.
Some of these five primary purposes are more useful to associations than others. Under the first primary purpose, associations may facilitate the processing and payment of membership dues through the use of e-mail without being covered. Under the third primary purpose, associations should be able to continue e-mailing membership or account information without much concern of being covered. Such messages could include notification concerning the terms or features of the membership, notification of a change in the recipient's standing or status with respect to the association, or account balance information or other account statements that the association sends on a regular basis.
But where does that leave, for instance, associations' electronic newsletters, industry updates, and event announcements? It is possible that a free e-newsletter does not qualify as either a commercial message or a transactional or relationship message, if the message does not promote any commercial transaction between the association and the recipient. Thus, the e-newsletter would be out of the reach of CAN SPAM. A message announcing an annual conference that provides registration payment information (or a link to such information on a Web site) may fall within the purview of the law, but if the conference announcement is included with a member's annual electronic dues statement, then the "primary purpose" of the message may meet one of the transactional or relationship requirements.
The waters could get even murkier with e-newsletters that include third-party advertisements, corporate sponsorship acknowledgments, or affinity program endorsements. To help clarify what is and is not covered, CAN SPAM requires the FTC to issue regulations within a year after enactment of the law to establish criteria for determining what constitutes the "primary purpose" of an e-mail.
Once an association has managed to ascertain which of its e-mail messages are commercial, which constitute transactional or relationship messages, and which are completely exempt, it will need to follow the requirements that the law imposes on the various categories.
Transmission and Disclosure Requirements for Commercial E-mail
Associations that have been sending e-mail messages that are not misleading or fraudulent should suffer little hardship from the message transmission requirements of CAN SPAM. The law requires both commercial and transactional or relationship messages to have accurate header information, which includes the source, destination, and routing information attached to an e-mail. It also includes the originating domain name and e-mail address, as well as the information in the "from" line of the message. Accurate header information is the only requirement that applies to transactional or relationship messages. For commercial e-mail, the subject line of the e-mail cannot mislead the recipient about the contents or subject matter of the message.
CAN SPAM also imposes certain disclosure requirements on commercial e-mail. Unless the association has obtained the recipient's "affirmative consent" to receive commercial e-mail from the organization, associations must clearly and conspicuously indicate that the message is an "advertisement" or "solicitation." Under CAN SPAM, "affirmative consent" means that the recipient has expressly consented to receive the messages, either in response to a request for such consent or at the recipient's own initiative. (It is not yet clear whether an organization could consent on behalf of all of its e-mail addresses, or whether each employee would need to separately consent.) CAN SPAM does not specify how or where the language identifying the commercial nature of an e-mail (e.g., that it is an advertisement or solicitation) must be disclosed, except that it must be "clear and conspicuous." Presumably, it could be disclosed in the subject line of the message or within the text of the message. The law also requires commercial e-mail to include a valid physical postal address.
CAN SPAM does not require that the subject line of commercial e-mail include "ADV" for "advertising" (something that some businesses already are doing voluntarily or as a result of certain state laws); in fact, the new law prohibits the FTC from establishing a requirement "to include any specific words, characters, marks, or labels in a commercial electronic mail message, or to include the identification … in any particular part of such a mail message (such as the subject line or body)."
However, the law does require the FTC to set forth a plan for requiring commercial e-mail to be identifiable from its subject line by use of "ADV" or other comparable identifier within 18 months after CAN SPAM is enacted, or to explain any concerns that the FTC has that causes it to recommend against such a plan. (Presumably, further congressional action would be required for the FTC to implement such a plan.) Obviously, given the potentially broad definition of commercial e-mail, such an "ADV" requirement (which would allow spam filters to block such messages very easily) could have devastating consequences for associations.
Associations also may face a significant burden in developing policies and procedures for processing and managing newly required opt-out requests. Commercial e-mails must include a functioning return e-mail address or other Internet-based mechanism that a recipient may use to request not to receive future commercial e-mail from the association. (It is not yet clear whether an organization could opt out on behalf of all of the association's e-mail addresses, or whether each employee would need to opt out separately. It also is not yet clear whether an opt-out request to the association would extend to its subsidiaries and affiliates, although the law does provide that "separate lines of business or divisions" that are held out to e-mail recipients as separate shall be treated individually as "senders" of e-mail for purposes of the law.)
An "Internet-based mechanism" could be a Web page that the recipient accesses by clicking a link provided within the body of the e-mail message. The Web page may provide a list or menu from which the recipient may choose specific types of e-mail messages that the individual does or does not want to receive from the association.
For example, the recipient may wish to receive information about research reports or marketing studies that the association offers for sale but not information about trade shows or sponsorship or advertising opportunities. One of the list or menu items, however, must allow the recipient to "select all" or otherwise choose not to receive any commercial messages from the association.
Any database that the association uses to manage e-mail communications must flag people who have requested not to receive commercial e-mail. Any software that the association uses to send messages in bulk quantities must be able to track the do-not-e-mail notations in the database. Associations that send commercial e-mail must design and implement procedures to ensure that opt-out requests are honored within 10 business days after receiving the request. The only way to resume sending commercial e-mail to members or nonmembers after an opt-out request is to obtain subsequent affirmative consent.
Once a person makes an opt-out request, CAN SPAM prohibits the sale, lease, exchange, transfer, or release of that person's e-mail address to anyone else for any purpose (except as required by law). CAN SPAM is written broadly and appears to prohibit the transfer or release of e-mail addresses of people who have opted out, even to organizations that will not use them for sending commercial e-mail messages (such as an advocacy group that will send only legislative updates). Whether the ban extends to associations' related foundations, for-profit subsidiaries, chapters, and other closely affiliated (but legally separate) entities is unclear, although it would appear to. Certainly, transfer or release to endorsed affinity partners, for instance, would be prohibited. The ban includes transfers of mailing lists that include e-mail addresses. Thus, if an association rents its membership list to others, it may not include e-mail addresses for those individuals who have elected not to receive commercial e-mail. The ban also appears to extend to the publication of opted-out member e-mail addresses in printed or electronic membership directories.
Finally, note that if the recipient provides the e-mail sender with his or her "affirmative consent" to receive commercial e-mail messages, that only eliminates the requirement of identification as an advertisement or solicitation; it does not eliminate the opt-out policy or the valid physical postal address requirements.
Harvesting E-mail Addresses
CAN SPAM includes various prohibitions on different methods of obtaining e-mail addresses. One such prohibition provides protection to associations that publish membership directories online and do not rent their member e-mail address lists to third parties. The law imposes penalties on those who harvest or obtain e-mail addresses using an automated means from a Web site that includes a notice that the owner of the site does not sell or otherwise transfer e-mail addresses to others.
The National "Do-Not-E-mail" Registry
CAN SPAM gives the FTC six months to develop a plan and timetable for implementing a nationwide marketing Do-Not-E-mail Registry, akin to the Do-Not-Call Registry created earlier this year. The FTC previously has described the proposed Do-Not-E-mail Registry as very problematic. Nonetheless, if such a registry is created, associations could be compelled to follow the relevant national Do-Not-E-mail rules if the FTC or Congress does not exempt them.
Enforcing CAN SPAM
The FTC and other federal agencies are given authority to penalize violators by way of injunctions, restraining orders, and fines. State attorneys general may bring actions in federal court to enjoin further violations or to obtain damages up to $2 million, which a court can triple to $6 million. Internet service providers also may take violators to court for up to $1 million in damages, which a court may triple to $3 million. CAN SPAM does not permit suits by private individuals to enforce its provisions. However, there may be opportunities for private individuals to earn rewards for reporting spammers. The law orders the FTC to establish a "bounty hunting" system that would give 20 percent of any civil penalty collected to people who identify violators and provide information leading to their arrest.
While some laws passed by Congress are of concern only to association lawyers and legal departments, due to the critical role that e-mail plays in virtually every association's communication efforts, CAN SPAM poses the potential for far-reaching, adverse effects across every sector of the association community. While the million-dollar-question — whether the FTC's definition of "commercial" e-mail will include most association e-mail messages — has not yet been answered, if the FTC follows the lead of the FCC on this issue, associations will be burdened with some serious e-mail headaches for years to come.