The CAN-SPAM Act and Compliance Challenges for Startups

As our techno-centric culture increasingly depends on email as a form of communication, an increasing amount of regulatory attention has been devoted to policing unsolicited bulk electronic communication, much of it unwanted, also known as “SPAM.” Although bulk mail has been in existence for decades, mass electronic messages are extremely inexpensive to produce and distribute, especially when programmers use cookies[1] or other “trolling” features to obtain them. While direct email marketing (along with search engine marketing) is widely considered the next evolution for early-stage companies looking to raise awareness of their product/service, SPAM is viewed as a considerable annoyance by the general public. Users are often inundated with unsolicited messages and have to waste a lot of precious time sorting through a sea of junk mail, often risking the possibility that legitimate or important email messages will be lost while deleting unwanted mail messages from their inboxes.[2] In addition, a vast majority of the messages received are for products of suspect legality, scams, chain letters, and often pornographic material.[3]

In response to increasing public outrage, in December of 2003, Congress enacted the “Controlling the Assault of Non-Solicited Pornography and Marketing Act,” otherwise known as CAN-SPAM. For a message to be regulated under the act, it must be of a commercial nature. CAN-SPAM creates a distinction between messages that are principally for a commercial purpose, as opposed to messages that are transactional or relationship building in nature. Although communications can and often do mix content, the determination of whether a message is commercial, and thus regulated under CAN-SPAM, lies in its primary purpose. A message will be deemed to be commercial if the principal reason for sending the message does not meet one of the following criteria:

1) to facilitate or confirm a commercial transaction that the recipient already has agreed to;
2) to give warranty, recall, safety, or security information about a product or service;
3) to give information about a change in terms or features or account balance information regarding a membership, account, or other ongoing commercial relationship;
4) to provide information about an employment relationship or employee benefits; or
5) to deliver goods or services as part of a transaction that the recipient already has agreed to.[4]

Enforcement action may be brought by citizens in federal court and also may be initiated by the Federal Trade Commission on a civil or criminal basis, depending on the provision violated.

With respect to unsolicited commercial email communications, CAN-SPAM does not prohibit them entirely; however, it aims to control certain other unscrupulous marketing activity. Specifically, the act contains several provisions that could trigger civil or potential criminal liability depending on the severity of the offense. In addition, non-legal action and private enforcement against spam violators is becoming an increasingly effective tool for compliance and is now commonplace among most large Internet Service Providers. One of the more common results of abuse is that an internet service provider will actually blacklist your email domain at the request of their customers.[5] As the Small Business Association notes, “Blacklisting occurs when a customer or prospect determines that your email is or has the appearance of being unsolicited SPAM [and] they can choose to “Block Sender” or “Report SPAM” at the click of a button.[6]” Not only does this create a public relations problem for startups among an established customer base, but this also prevents potential customers from receiving communications from your organization. Once an organization has been blacklisted, companies are often forced to undergo rigorous compliance policies in order to be removed from the blacklist. For particularly egregious violations, often an internet service provider’s terms of use will contain provisions that will completely prohibit you from utilizing their services in the future.

CAN-SPAM contains several provisions that companies must follow in order to be compliant under the act. First, unsolicited messages that contain fraudulent subject lines (all subject lines must properly reflect the content of the message) or false header information are prohibited under CAN-SPAM.[7] Even if header information is technically accurate, if the information was obtained under false or misleading pretenses it is likewise prohibited under the act.[8] Essentially, the “to,” “reply to,” “from,” originating domain name and email address fields must clearly identify the sender and must be free of inaccurate information.[9]

CAN-SPAM also prohibits harvesting email addresses through electronic permutations, essentially criminalizing situations where the sender obtains the recipient’s email through an automated program or system that generates possible electronic mail addresses.[10] These programs often use permutations of names, letters, and numbers to increase the number of legitimate email addresses that the target email can reach.[11] Finally, in accordance with the Federal Trade Commission’s Fair Informational Practice, under the CAN-SPAM act, unsolicited email marketing must contain an “opt-out” function, which disables future unsolicited communications to that user.[12] Additional regulations also exist under CAN-SPAM, which regulate pornographic and “wireless spam,” which encompasses mobile to mobile messaging and other electronic communications.


[1] A cookie is data sent to your computer by a Web server that records your actions on a certain Web site. It’s a lot like a preference file for a typical computer program. When you visit the site after being sent the cookie, the site will load certain pages according to the information stored in the cookie. http://www.techterms.com/definition/cookie. Last accessed December 12, 2009.

[2] Employee’s Expectation of Privacy in the Workplace. 10 A.L.R.6th 1 (2006).

[3] Id.

[4] The CAN-SPAM Act: A Compliance Guide for Business, http://www.ftc.gov/bcp/edu/pubs/business/ecommerce/bus61.shtm. Last accessed December 12, 2009.

[5] The CAN-SPAM Act and Beyond: Improving Email Compliance, Deliverability, and Readability, http://community2.business.gov/t5/Small-Business-Matters/The-CAN-SPAM-Act-and-Beyond-Improving-Email-Compliance. Last accessed December 12, 2009.

[6] Id.

[7] 15 U.S.C.A. § 7704(b)(1)(A)(ii); 15 U.S.C.A. § 7704(a)(1)

[9] The CAN-SPAM Act: A Compliance Guide for Business, http://www.ftc.gov/bcp/edu/pubs/business/ecommerce/bus61.shtm. Last accessed December 12, 2009.

[11] Employee’s Expectation of Privacy in the Workplace. 10 A.L.R.6th 1 (2006).

[12] CAN-SPAM Act, 15 U.S.C.A. §§ 7704(a)(3)(A), (4)(A), 7706(g)(1)