Attorneys explain more Federal Trade Commission email rules (second of three parts).
At iMedia's May Summit, attendees got an update on the latest FTC thinking about spam. The session, moderated by iMedia's Alan Gerson, featured Lew Rose, partner in the law firm of Collier Shannon Scott, and Reed Freeman, chief privacy officer of Claria Corp. Here is a transcript of their presentation. Follow along with the presentation slides here.
Freeman: I just left my law firm and my former colleague Lew Rose to join Claria Corporation. That’s the former Gator Corporation. I want to make clear from the outset that we don’t send spam. This is a holdover from a previous life, and no spam is coming from Claria.
The CAN-SPAM Act is a new piece of legislation that has been around for four-and-a-half months. We’ve already seen major enforcement actions under the CAN-SPAM Act, notably a recent criminal action. But before the FTC brought its first CAN-SPAM case, it had brought 61 spam cases under its prior authority, and that was everything Lew was talking about -- that truth in advertising laws apply to email marketing. That's the first point the FTC wants you to know.
Point 2: CAN-SPAM applies to virtually all commercial emails
CAN-SPAM applies to all commercial emails, except for those that have to do with a specific transaction that you have engaged in. This is different than what you may have heard of under state laws that were passed before CAN-SPAM -- there were about 37 of them. They left out things, they accepted things like a prior business relationship, they gave an exception for people who opted in. None of that applies with CAN-SPAM. If you have a double, triple, quintuple blood brother opt-in you still have to comply with CAN-SPAM in nearly every respect. What it does exempt is these transactional or relationship messages, those that when someone does a purchase with you, you give a confirmation, you give more information about the purchase. This does not include follow-up on the next sale.
A commercial email is an email that advertises or proposes a sale, or advertises or promotes a commercial product or service. The Federal Trade Commission has to do a rule-making by the middle of December of this year to decide: what does it mean that the primary purpose of an email is commercial? So, what obviously comes up is editorial content. In particular, think of the newsletters you get. Say you get a newsletter that has a link at the bottom of it. The question has arisen: is that a commercial email, and do I have to comply with all of the labeling requirements, and so forth? The practical answer that I can give, now that I’m not in private practice, is: we don’t know for sure, probably not. Anyway, that's unlikely to be enforced. Government has already shown it's going after egregious violators. It's leaving the harder questions for later. Unless you’re sending out email in spectacular bulk, you’ll probably be left alone by ISPs as well.
Point 3: You must make mandatory disclosures
Under CAN-SPAM, an email needs to have a valid sender postal address. Nobody knows what that means. Only Congress can make the word "address" complicated -- and lawyers. But address means your physical address. Some people want to put a P.O. Box. You probably won’t get sued if you put a P.O. Box on, but if you want to be perfectly compliant, physical address is what that means. Notice that the email is an ad or a solicitation. The CAN-SPAM Act requires that you say that. It does not say where, it does not say how.
It does say that the FTC cannot make a rule requiring "ADV:" in the subject line. The FTC is prohibited from requiring that. So suddenly, you see a lot less ADV: in the subject line. What do you do? I’ve seen all kinds of things. I’ve seen when you open an email, it flashes up advertisement followed by the text. I’ve seen it in small print at the bottom: this advertising message or this promotional message brought to you by so and so. I’ve seen all kinds of things. I was advising clients earlier, put it in there, put it in small print, if you do that, put it first. You’re unlikely to run into trouble.
The government will come along later and tell us exactly how to do that. But for now, it’s a pretty easy thing to comply with. Now if you have an opt-in list, this is the only benefit you get, after all of that work and all of those people who decided not to opt in, you do not have to say advertisement in the email, which you really hardly have to do anyway.
Point 4: No false or misleading headers
This is the easy part. The government, the Department of Justice (DOJ), competitors, ISPs -- they’re all coming after misleading headers right now. This is information that makes it look like the message came from one person, when it fact it came from another, that disguises the origin of the email, bouncing off proxy servers and so forth. This is the trick under CAN-SPAM. This is the part I think you still struggle with most -- the deceptive subject line. We think of that as no lying in the subject line. The government takes it a step further and says the subject line, the text of the subject line, must be reasonably related to the content of the email. So it would be a violation of the Act to say, "Hi." "Hi" is a violation of the Act now, because it bears no reasonable relationship to what’s in the message. You have to have a subject line that a reader would say: "I understand what I’m about to open, and when I open it, I won’t be surprised by what I see."
Audience Question: How do we deal with friend of a friend emails?
Freeman: Good question. The answer is easy for me to say and in most cases easy for you to understand, but hard on the margins. The answer is: a sender under the Act is liable for violations of CAN-SPAM. A sender is one who procures the transmission of an email, either sends it or procures the transmission, so what does it mean to procure the transmission when someone else sends an email? The answer is, if you give any consideration -- that's a legal term of anything of value -- to someone to send the email, you are a sender. So say I’m a marketer and I have a friend of a friend program, and you send an email, and I give you a $20 discount to shop at my store to send an email. Before I got fired for being stupid, I would have violated the Act if you didn’t comply with the Act, because I have procured the transmission of your email. Now, let’s say I had a funny video and I was going to engage in a viral marketing campaign and I wanted people to send the video out to their friends. And they were just going to send it because it’s funny, and I would get the benefit of the message that’s being communicated in the video or the ads in it. If I haven’t given you anything of value and you send it, I think most people right now would take the position, including the government, that I have not procured the transmission of that. So it’s all in what you’ve given to the person to send the email.
Point 5: Provide an opt-out
Here’s the rule: The sender is liable for an opt-out. Under prior law, it used to be there was a person with a list and a person with a message. The person with the message gave it to the person with the list, he sent it out. The person with the list complied with the opt-outs, the person with the message didn’t have to. It’s exactly backwards now. Now, the person with the message goes to somebody with a list, and they send the email out. Opt-outs go to the person who transmitted them -- they go back to the marketer. They don’t go to the list owner. Most list owners are complying anyway, because I guess they think they have to. But the opt-out goes to the person with the message, not the person with the list now. That’s the tricky part. That was the hard part to understand.
And it brings to mind, "OK, well what do I do when I have multiple lists and multiple affiliates?" What about a huge affiliate marketing program? I have two things to say about that. The first is, affiliate marketing is under huge, tremendous pressure at the federal and state level, particularly in New York, where the Attorney General takes the position that if you have an affiliate marketing program, and your affiliates are out violating the law, what you’re really doing is hiding from the law, and you’re responsible. It’s a shell game -- you must be liable. I had a case, actually, where I said to the New York Attorney General -- by the way, it’s very unpleasant to meet the New York Attorney General -- but I said, "Let me get something straight. My marketer client didn’t do it right, right? Didn’t know it, right? Fixed it right away, right? Against his policy, right? Why is he liable? We think it’s a clear case." They hate affiliate marketing, and they killed the business. And so I quit private practice.
Opt-outs must be valid for 30 days. If you give an opt-out and somebody can have the email in their in box for 30 days, they have to be able to open up that inbox email and opt out. And you have to honor opt-outs within 10 days.
Oh, the other thing about affiliate marketing -- how do you manage if you have 10 affiliates and people opt out here, people opt out there, they all have different lists and the next time they send, this affiliate’s got to honor those opt-outs when they send it for us? There are services for that now, and the best one that I’ve found is called Unsub Central. It’s in Dallas.
There is no rule requiring you to have any kind of opt-out for direct mail. Of course, most of you know that the DMA has the email preference service that most mailers use to filter. The way you get in trouble offline is to offer an opt-out and not honor it. It’s the classic case of a good deed that goes unpunished if you offer it and miss it once. And you only have to miss it once.
Point 6: There are criminal penalties
Suffice it to say the DOJ is going after, through the U.S. Attorneys’ offices around the country, the biggest spammers who engage in deception, either bouncing emails off proxy servers, lying in the subject line, or -- the most recent case was a case of spoofing where the from line was forged so that it looked like it came from a consumer, for example, when in fact it came from the spammer. Then, when people opted out, it came back to the consumer, and the consumer was outraged. And so, DOJ is going after the very worst offenders.
Point 7: CAN-SPAM and state preemptions
The good news is CAN-SPAM got rid of the 37 state laws to the extent that they said, "This is what you must do when you engage in email marketing -- one, two and three." These disclosures, this opt-out. All that’s gone. What’s not gone in state law is state laws that prohibit misrepresentation and falsities in email, and the reason that’s important is because states around the country now are passing laws with stiffer penalties than CAN-SPAM. So all this means is there’s only one set of rules, don’t deceive and get the technical parts right. But if you get it wrong in the wrong state, or the wrong state comes after you, it can be worse.
Point 8: Civil liability
The trick here is that if you have an affiliate that’s marketing your product, and if that affiliate engages in a violation of CAN-SPAM, particularly an egregious violation, but any violation, you’re liable to the extent that you reasonably could have known about it and didn’t do anything to stop it. There is no ostrich defense provision of CAN-SPAM.
Point 9: Wireless
Of course in Europe and Asia, SMS messaging is huge. It hasn’t caught on here. Congress assumes it will and has directed the FTC to write rules regulating wireless messaging. I think we can assume that those rules will be Draconian, but I don’t know how much it matters for marketers here now, because it just hasn’t caught on.
Point 10: Enforcement authority
Primary enforcement authority is by the Federal Trade Commission. DOJ can bring cases, state attorneys general can bring cases. That’s important, because the state attorneys general are more likely to bring the tough, technical cases because they’re more aggressive then the Federal Trade Commission. But the one thing I want to clear up is a lot of people say that the other enforcement authority is ISPs. That’s true, but misleading because the way Internet access service is defined in CAN-SPAM leads the FTC to think that not just ISPs, but anybody who provides Internet access can enforce CAN-SPAM. What does that mean? That means that an employer who provides Internet access to his employees has a cause of action under CAN-SPAM for people proliferating emails into their systems.
Point 11: Sexually explicit materials
The FTC, in its infinite creativity, took Congress’ admonition to create a label for sexually explicit emails so people know not to open them. It’s the brown-wrapper rule. And the FTC thought, issued a rule-making, took comment, and came up with "sexually explicit." That has to go in the subject line.
Point 12: Rule-making proceedings
The FTC is required to engage in a number of rule-makings under the law. That means that the law says something general, and the FTC has to figure out how it applies more socially. It has to do with a rule on what primary purpose means. We’ll know that more in December. FTC has to do a rule on what it means to be a transactional message, so that you get the exemption from having to have all of these disclosures, all of these opt outs. The ten-day business period -- the FTC is allowed to engage in a rule, but you should assume for now that it's ten days or less. It’s not going to get to be more. And the FTC also is required to do reports under CAN-SPAM.
The very best report that it has to write is whether there should be a bounty-hunter provision. To my tremendous anxiety, this has found its way into spyware legislation. It’s a bad idea. Bounty-hunter laws authorize rewards if you turn somebody in for violating CAN-SPAM. The FTC is also required to do a report on whether there should be a do not email registry. I think we can assume that ultimately the FTC will come out and say it’s a bad idea because it can’t be enforced, but Senator [Charles] Schumer from New York, who’s really powerful, really, really wants a do-not-email registry. And you should keep in the back of your mind that that’s not impossibility, and it’s not in the next Congressional session.
The only thing the FTC has to do -- it has to have the sexually explicit rule done, and that's finished. It has to have the primary-purpose rule done by December. And everything else right now is up in the air. But the thing to keep your eye on now is the do-not-email registry, which is a possibility.
Monday: Rose and Freeman answer questions from the audience.