FTC Issues New Regulations for CAN-SPAM Compliance: What Do the Rules Mean for Associations?

7 min

After three years in the making, new rules implementing certain aspects of the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ("CAN-SPAM" or the "Act") provide associations with additional direction on how to manage messages subject to the Act's requirements for "commercial" email. Released by the Federal Trade Commission ("FTC") on May 12, 2008, the new rules reinforce the FTC's position that the Act's requirements apply to promotional messages sent by associations and other tax-exempt nonprofit organizations. Nonetheless, the new rules and related FTC commentary provide helpful guidance on a number of other issues, including how to manage joint email marketing initiatives and "forward-to-a-friend" features.

Four New Rules

The FTC has adopted rule provisions on four out of five topics that it proposed in May 2005. First, the FTC has added a definition of the word "person" to clarify the types of entities to which the Act applies. The definition of "person" includes any individual, group, unincorporated association, limited or general partnership, corporation, or other business entity. In adopting this rule, the FTC rejected arguments from several organizations that there should be a blanket exemption for all messages sent by unincorporated nonprofit entities. When nonprofit organizations send emails that are primarily intended to advertise or promote a commercial product or service, such as membership in the organization or the sale of association publications, the FTC believes those messages qualify as "commercial" messages subject to the Act's requirements.

CAN-SPAM requires all commercial email messages to include a "valid physical postal address" for the sender of the message. The second rule the FTC adopted was to add a definition of "valid physical postal address" to include not only street addresses but also post office boxes and private mailboxes, provided that such post office boxes and private mailboxes are accurately registered.

Third, the FTC issued a rule expressly prohibiting any marketer from charging a fee or imposing other obligations on the message recipient before processing the recipient's opt-out request. According to the FTC, some marketers have been using the opt-out mechanism required under CAN-SPAM as a means to collect additional personal information about the message recipient or subject them to advertising. Now, marketers may only require that a message recipient send a reply email or visit a single web page to opt-out.

Fourth, the FTC has adopted a three-part test that marketers can follow when more than one person's products or services are advertised in the message in order to designate one of those persons as the single "sender" of the message. This rule allows associations in a joint marketing campaign to include only one opt-out mechanism and one "valid physical postal address" in the message, rather than multiple opt-outs and addresses for each party involved. Under this test, when the products or services of multiple organizations are featured in a message, the parties can designate one "sender" of the message if that person (a) meets the Act's definition of "sender"; (b) is uniquely identified in the "from" line of the email; and (c) complies with certain email transmission requirements already set forth in the Act. The Act defines "sender" as "a person who initiates a [commercial electronic mail message] and whose product, service, or Internet website is advertised or promoted by the message." The FTC clarified that the "from" line could include the designated sender's non-deceptive name, trade name, product or service.

The email transmission requirements with which the designated sender must comply include (i) ensuring that the email does not contain false or misleading transmission information; (ii) ensuring that the email does not include a deceptive "subject" heading; (iii) including a functioning return email address or other web-based mechanism, clearly and conspicuously displayed, that the recipient can use to make an opt-out request; (iv) provide clear and conspicuous identification of the message as an advertisement or solicitation; (v) provide clear and conspicuous notice of the recipient's right to opt-out of receiving future commercial messages from the sender; (vi) provide a valid physical postal address for the sender; and (vii) if the message includes sexually explicit content, include the characters "SEXUALLY EXPLICIT:" at the beginning of the subject header.

The new rule on designating a sender also states that if the designated sender does not comply with all of these transmission responsibilities, then all of the marketers whose products or services are advertised in the message will be liable as "senders" under the Act. In effect, this provision requires marketers to ensure that designated sender responsibilities are carefully outlined in contracts or other joint marketing arrangements.

The fifth topic addressed by the FTC was whether to reduce the timeframe for organizations to process opt-out requests from 10 business days to 3 business days. The FTC declined to adopt this rule, and the timeframe for honoring opt-out requests remains at 10 business days after the request is received.

"Forward-to-a-Friend" Messages

In addition to the new rules, the FTC addressed a number of other email marketing issues raised by CAN-SPAM. The FTC reviewed the applicability of CAN-SPAM to "forward-to-a-friend" marketing tactics, whereby the marketer requests or induces a person to forward a commercial message to another person. These programs usually involve either an original recipient forwarding the email to others, or a website that enables a visitor to provide the email address of a person to whom the marketer can send an email. The FTC concluded that if the marketer induces a person to forward a commercial email message by offering money, coupons, discounts, awards, additional entries in a sweepstakes, or other consideration, then the marketer is responsible for ensuring compliance with the Act's opt-out and disclosure requirements in the forwarded email. However, if the marketer merely provides a mechanism by which a person can forward a message, without further inducing the person to forward, then the marketer is involved in the routine conveyance of an email and is not responsible for transmission requirements with respect to the forwarded email.

No Expansion of "Transactional or Relationship" Messages

The FTC declined to expand the categories of "transactional or relationship" messages, which are exempt by definition from the class of "commercial" messages subject to CAN-SPAM's transmission and disclosure requirements. The FTC reviewed renewed requests by members of the association community to expressly include in these categories messages sent by an association to its members or past members. While rejecting these requests, the FTC reiterated its previous position that emails from a membership association to its members likely constitute "transactional or relationship" messages where the messages concern "goods or services ... that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender." However, the FTC also said that where a message recipient is no longer a member of an organization, it is unlikely that messages from the organization fall within any of the existing "transactional or relationship" categories.

Other FTC Conclusions

On other matters, the FTC concluded that creating a provision stating when third party list providers are considered "senders" under CAN-SPAM would not be feasible; the agency noted that a list provider would be deemed a "sender" if it met CAN-SPAM's definition of sender. The FTC declined to adopt a rule providing a safe harbor protecting marketers from liability for CAN-SPAM violations committed by their "affiliate" marketers (e.g., third-party marketing representatives paid to drive traffic to the marketer's website). The FTC decided not to impose a time limit on how long an opt-out request remains effective. Finally, the FTC declined to expand the list of "aggravated violations" that could subject marketers to triple damages. Specifically, it declined to encompass new practices such as "spoofing" and "hashbusting" as aggravated violations.

* * * * *

For more information, please contact the authors at jstenenbaum@venable.com or etberge@venable.com, or at 202-344-4000.

This article is not intended to provide legal advice or opinion and should not be relied on as such. Legal advice can only be provided in response to specific fact situations.