What Is Spam?
You first need to understand what CAN-SPAM defines as spam because then you can see how the law applies to you. The bill's definition is a little complicated: Spam is unsolicited commercial email (UCE), but "unsolicited" and "commercial" have well-defined meanings that might conflict with an ordinary administrator's thoughts on the subject.
- Commercial email is "any electronic email message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet Web site operated for a commercial purpose)." Fortunately for us, email that merely mentions a company name or Web site isn't necessarily commercial; the primary purpose must be promotion. The Federal Trade Commission (FTC) has until January 2005 to devise rules for determining what an email message's "primary purpose" really is.
- Unsolicited email is OK if a preexisting relationship is in place between the sender and recipient. For example, if I buy a car from my local auto dealer, the law permits the dealership to send me messages about my car (e.g., recall or warranty notices). Likewise, a bank can send account information or notifications to its customers without their prior explicit permission. Messages sent to complete or confirm a transaction, provide account information, or provide status on subscriptions, memberships, accounts, and other relationships are exempt from the law. The law uses the phrase "transactional or relationship message" to cover these commercial-but-not-unsolicited messages, which remain legal. Because these messages make up the overwhelming majority of business-to-customer traffic at most organizations, this provision probably means that you don't have to change your mailing practices.
However, some messages automatically run afoul of the law, whether they're commercial or not. If the sender forges header information, relays messages through a third party without permission, or uses throwaway fake accounts from an ISP, those messages are illegal, as are any messages sent pursuant to other crimes or offenses, such as fraud, identity theft, obscenity, or child pornography.
What Does CAN-SPAM Prohibit?
Now that you know how the law defines spam, we can take a look at the specific actions the law prohibits. You might assume that sending any messages that meet the definition of spam is illegal, but unfortunately that's not true. Six key restrictions govern the types of mail that can't be sent.
Misleading headers. The first restriction is simple: You can't send messages that have false or misleading headers, even if they're sufficiently well formed to get the message delivered. Any message that forges the sender name or domain, the sender IP address, or any other header information falls into this category. Interestingly, any message sent through an SMTP relay "with the purpose of disguising its origin" also qualifies. I'll be interested to see under what circumstances such a purpose can be proved.
Misleading subject lines. The second restriction is also simple. You can't send messages with subject lines intended to mislead a person about the message's contents or subject matter.
Opt out. The third restriction is where things start to get a little more problematic. The law requires that all commercial messages include a working, valid return address that recipients can use to opt out of further communication. That address must be maintained for at least 30 days after the message is sent. This restriction obviously interlocks with the requirement that all header information be valid. The law specifies that, besides just sending a reply message, you may allow other means for opting out, which means that you could include an "Unsubscribe me" URL in the message. A specific provision permits multiple-choice settings so that users can pick and choose which types of commercial email they want to receive. If you've ever registered for an online newsletter or for a print newspaper's Web site, you're probably already familiar with this approach. One easy way to comply with this requirement is to send your messages with a return address that points to a public folder, which you can easily monitor. In fact, you could write a simple event sink or script that would automatically remove users from your mailing list.
One new wrinkle is that the law requires senders to include a valid postal or physical address in commercial messages. Doing so is easy, but a quick survey of the vendor messages and press releases landing in my Inbox shows that many companies haven't yet complied. Because this step is such an easy one, you should probably ensure that your commercial mass mailings include it, just to be safe. You can include this information in the message itself, or you can use a third-party disclaimer product such as Red Earth Software's Policy Patrol, Exclaimer's Exclaimer for Microsoft Exchange suite, or Franz Krainer's DisclaimIt.
Hands off. The fourth restriction follows naturally from the third: Once someone has opted out, you can no longer legally send that person messages of the type he or she opted out from, and you can't sell, lease, or transfer that person's address. There's a 10-day window before this provision takes effect, presumably to allow the sender to send a "You have unsubscribed" notice. The big weakness in this provision, unfortunately, is that users must opt out from each individual sender; there's no centralized registry of users who don't want spam, as there is for telemarketing calls. Although this situation is awful for users, it relieves administrators of legitimate businesses of the burden of working with a centralized registry. Currently, no Microsoft Exchange Server-based tools automate this process, although with a little careful scripting, you could set up a mailbox for logging the addresses of people who want to opt out.
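The opt-out script the third and fourth restrictions call for, as an added example that is not code from the article or from any Exchange tool: it reads replies that arrive at the list's return address, records each sender in a suppression list, refuses further mail once the 10-day window has passed, and drops opted-out addresses from any list you hand to a third party. It assumes a plain-text mailbox dump parsed with Python's standard `email` module; the sample reply is constructed.

```python
"""Opt-out (unsubscribe) handling for a commercial mailing list.
Added example, not the article's code. Assumes replies to the list's
return address land in one mailbox whose messages are available as
raw text; the sample message below is constructed."""
from datetime import date, timedelta
from email import message_from_string
from email.utils import parseaddr

# Days the sender has after an opt-out request before further mail to
# that address becomes unlawful (the 10-day window the article describes).
OPT_OUT_GRACE_DAYS = 10


class SuppressionList:
    """Addresses that have opted out, keyed to the date each request arrived."""

    def __init__(self):
        self._opted_out = {}  # lowercase address -> date of request

    def record_opt_out(self, raw_message, received=None):
        """Parse one reply sent to the opt-out address and record its sender.
        Returns the recorded address, or None if the message has no usable From."""
        msg = message_from_string(raw_message)
        _, addr = parseaddr(msg.get("From", ""))
        if not addr or "@" not in addr:
            return None
        addr = addr.lower()
        # Keep the earliest request so a repeat never extends the grace period.
        self._opted_out.setdefault(addr, received or date.today())
        return addr

    def may_send(self, addr, on=None):
        """True if a commercial message to `addr` is still permitted on date `on`."""
        on = on or date.today()
        requested = self._opted_out.get(addr.lower())
        if requested is None:
            return True
        return on < requested + timedelta(days=OPT_OUT_GRACE_DAYS)

    def exportable_addresses(self, addresses):
        """Filter a list before sharing it: opted-out addresses may not be
        sold, leased or transferred, so they are removed outright."""
        return [a for a in addresses if a.lower() not in self._opted_out]


# Constructed sample reply to the opt-out address (not a real message).
SAMPLE_REPLY = (
    "From: Jane Doe <jane.doe@example.com>\r\n"
    "To: unsubscribe@example.org\r\n"
    "Subject: unsubscribe\r\n\r\nPlease remove me.\r\n"
)
```

Run the list's outbound job through `may_send` for every recipient, and pass any address file through `exportable_addresses` before it leaves your organization.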
Sexually explicit. The fifth restriction requires special markings for sexually oriented mail: The subject line must include the words "SEXUALLY EXPLICIT." Unfortunately, the law's definition of "sexually oriented" applies only to explicit material, so you can bet that spammers will construe the law to mean that they can continue to send some types of ads without marking them. Sexually explicit messages might not contain explicit images, either, although sending hyperlinks to such images remains legal. (That, of course, raises a question: If you send an HTML message with an <img> tag that points to your server, instead of attaching the image, does it fall under the law?)
Vicarious spam. The sixth restriction covers vicarious spam: Hiring a company that you know, or have reason to believe, is a spammer is against the law. The law doesn't cover the use of affiliate programs; because an affiliate program isn't a hiring relationship, it probably doesn't apply, which means the flood of "free satellite TV" and "get a $50 gift card" spam messages isn't likely to diminish. I'm hopeful that this restriction will curb some of the spam that comes from hosts outside the United States because US companies will no longer be able to hire them unless they comply with the law.
Aggravating Circumstances
As with most laws, the antispam bill takes some aggravating circumstances into consideration. If you break the law and one or more of the following aggravating circumstances are present, the penalties increase:
- You can't randomly generate addresses. For example, you can't create a long list of common names and use it to send email to each name@yourcompany.com.
- You can't harvest addresses from online sources, then use them to send spam. Note that you can still gather addresses on paper, over telephone, or through any other means that doesn't involve using a "Web site, proprietary service, or other online public forum;" in fact, the law permits harvesting with the consent of the forum operator.
- You can't automatically generate fake accounts to send spam. Most Webmail providers have switched to systems that require a human to type a code that appears as an image; the image is distorted so that optical character recognition (OCR) software can't read it. Supposedly, such systems make it impossible for scripts to sign up for accounts, so spammers instead pay people to sign up for them. That behavior is perfectly legal, provided the other restrictions described above are met.