That's partly because the act may allow a lot more spamming. The bill, as signed into law last month by President Bush, doesn't actually ban unsolicited bulk e-mail (UBE), otherwise known as spam. It simply requires that such e-mails bear a working return address, a physical postal address, and a way for recipients to request that they receive no more messages from a company.
Those simple guidelines can easily be followed by thousands of marketing companies who've been waiting for Congressional permission to spam. Now they can send bulk e-mails until they're requested to stop by each harried recipient. You notice the bill wasn't called the CAN'T-SPAM Act.
But even if you don't start receiving double or triple your usual dose of spam, every enterprise that sends any e-mails at all will be impacted by the act. Merely sending out a company newsletter — and restricting it only to people who've specifically requested it — puts you at risk. That's because the law sets forth a number of new requirements that even legitimate, permission-based e-mailers must adhere to.
Laying Down the Law
A brief overview of some of the new conditions for mass e-mail shows why your company should take this law seriously:
• Postal addresses. As mentioned above, the act requires each newsletter or bulk e-mail message to include a "valid physical postal address of the sender." That's a requirement for all commercial messages, not just unsolicited ones. Interestingly, if spammers start including a postal address in their missives, it may make it easier for your company's anti-spam filters to catch spam by looking for certain patterns, such as specific street names.
• Clean lists. Besides requiring that you remove from your lists anyone who "unsubscribes" from your newsletters, the act also prohibits you from sending solicitations to e-mail addresses that are "harvested" from Web sites. Beware — if your company rents outside lists of e-mail addresses to send test mailings to, you might unknowingly wind up using lists that have were built up in just such ways.
• Closed relays. The act also prohibits the use of "open relays," mail servers that pass along bulk messages for others without limitation. A popular spammer trick is to subvert computers that aren't well protected and use their relay function to send millions of spam messages anonymously. Your company might not knowingly use such a devious method, but if any of your machines are vulnerable to such attacks, you might find yourself on lists of "known spammers" — or defending yourself against lawsuits.
The CAN-SPAM Act has been roundly criticized by those who advocate a pure ban on spam, modeled on Congress's previous criminalization of unsolicited bulk faxes. But despite its flaws, the new law does have a few tough-sounding enforcement elements.
Do the Crime and Do the Time
The federal legislation supercedes anti-spam laws that exist in several U.S. states, many of which were much harsher on UBE. Thanks to the CAN-SPAM Act, individuals in those states can no longer sue spammers, but Internet service providers (ISPs) are specifically authorized to do so, in addition to the Federal Trade Commission or the attorney general of any state.
The federal penalties for spamming now include fines and three years of jail time for first offenders, rising to five years for those convicted a second time (even if the first conviction was a state offense). ISPs can sue for up to $1 million, while attorneys general can demand $2 million. But these caps are removed — and spammers can be sued for unlimited amounts — if the spam messages in the case used falsified header information to take advantage of open relays, for example.
Most interesting, the FTC is instructed by the act to report to Congress later this year on a system that would award 20% of any spammers' fines to the individuals who first brought to the commission the evidence of these spammers' violations of the act.
Where to Turn for Advice
I've merely scratched the surface of the 21 pages of fine print that makes up the CAN-SPAM Act. Considering the potential impact of this law on companies of all sizes, it's essential that you educate yourself further.
The best white paper for laypeople that I've seen on the subject is an analysis by Customer Paradigm, a consulting firm in Boulder, Colo. The 27-page PDF document (which includes the full text of the act) is available free here.
The firm asks you to provide a working e-mail address, to which a link is sent that allows you to download the white paper. Customer Paradigm also uses this address to send you subsequent updates, but says you can unsubscribe from the notices at any time.
Another in-depth analysis of the law's impact on legitimate companies is by Anne Holland, managing editor of Marketing Sherpa, a publisher in Portsmouth, R.I. In an urgent bulletin to her readers, she warned recently that an unsubscribe request by a recipient of an e-mail newsletter from one of your company's divisions may prohibit your other divisions from mailing to that recipient henceforth.
"I can see major implications for anyone who allows sales reps to send out offers to their own lists," Holland says, by way of example. See her full article on the act here.
You may never have thought of your company as a spammer. But if you send out any significant quantity of e-mail newsletters or bulk marketing messages, you and your legal counsel need to sit down soon and discuss what the CAN-SPAM Act now requires of you.
It'll be a lot better to find these details out before some ISP or state agency uses the courts to let you know you're not following the letter of the law.