CAN-SPAM Compliance For Online Businesses
Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 is a US law that's usually shortened to CAN-SPAM. It sets out requirements for the use of commercial email, and has special relevance to companies that send newsletters and mass-mailouts. CAN-SPAM dictates how the messages must be set out, who they can be sent from, and who should receive the messages. It also ensures there is a mechanism for opting out in every commercial email.
Email has been open for abuse since the advent of email itself, right back to the days when the ARPANET first came into being. Scammers and businesses have continually pushed the boundaries of what's acceptable, and experimented with ways to send illegal emails without being detected.
CAN-SPAM has been criticized by some for being too lenient, and for targeting the wrong people. After all, businesses use email to market products and services legitimately, and are usually happy to comply with the law. In itself, sending one email to large numbers of recipients isn't illegal, and email marketing is a powerful method of spreading the word about an offer or product. Critics say that CAN-SPAM has failed to deter malicious spammers who have no intention of complying with the law.
A Brief History of Email Spam
The first spam email was sent on May 3 1978, when marketer Gary Thuerk sent a commercial email to more than 15% of the ARPANET's users. (Back then, that was around 400 people.) Thuerk now refers to himself, in tongue-in-cheek fashion, as the father of e-marketing.
When his marketing email began to land in recipients' inboxes, there was an immediate backlash. Thuerk was chastised by his peers for sending a commercial email, and with invalid headers to boot. The message was ugly, written in all-caps, and sent without permission. Thuerk understood that there was a risk that his email would not be well-received, but he could never have known what would follow.
The first mass spamming operation, in a more modern sense, was carried out in 1997 by a company called Cyber Promotions, run by the notorious and prolific spammer, Sanford "Spamford" Wallace. His dubious company had previously specialised in sending junk faxes, and the rest of the internet soon caught up with the idea of moving junk mailings onto the internet. As the amount of spam email grew, Wallace moved on to producing spyware. In mid-2016, he was sentenced to two and a half years in prison after pleading guilty of sending 27 million unsolicited messages on Facebook.
As of the first quarter of 2016, more than half of global email traffic is classified as spam. (Statistics from other sources suggest this may be a low estimate; Barracuda consistently reports that spam accounts for more than 80%.) As of October 2016, US is thought to be the worst offender for spamming, with China, Russia and Ukraine following closely in the global rankings.
The Basics of CAN-SPAM
CAN-SPAM was the first attempt of regulating use of email as a method of commercial communication, and controlling the amount of spam people receive. Although its name covers both email marketing and adult messages, it's focused to the email marketing angle.
If you're confused about when CAN-SPAM does or does not apply, here are some general guidelines:
- CAN-SPAM applies to commercial email only. If you aren't sure whether your message is "commercial," the Federal Trade Commission says that you should consider the primary purpose of the email. If the email is to advertise, it's commercial. If your email relates to a transaction with a customer, and the transaction is the primary purpose of the email, your email is not commercial, and the CAN-SPAM Act does not apply.
- CAN-SPAM only applies within the US. Many countries have similar laws, but it isn't possible to provide a general overview that covers all countries, because every country has its own specific technical requirements. Penalties also vary from territory to territory. But despite the fact that CAN-SPAM is US legislation, it contains recommendations which are considered good practice no matter where you are.
- CAN-SPAM does apply if you are sending email from a non-profit organization, but many emails from non-profits will come under the heading of "transactional" email and will be exempt. Emails asking for donations are not necessarily commercial, but it depends if the non-profit is advertising. Non-profits are a special case, so legal advice may be required.
Complying With Unsubscribe Requirements
CAN-SPAM says that users should be able to unsubscribe easily from marketing emails. Unsubscribe links must be obvious, and positioned in a certain way. Specifically, businesses must place an unsubscribe link at the bottom of the email, or provide some other method if a link is not included.
Importantly, the unsubscribe link or other mechanism must be functional, and must allow rapid unsubscription. That means you can't provide a dummy link, or require someone to jump through hoops to get their email address off your list. If the opted-out person's email address is added to a list for future exclusion, that list cannot be used for anything except opt-outs. Don't be tempted to send any emails to the list of people who want to be removed.
Any recipient that unsubscribes from a list can expect their details to be removed from the mailing list within two weeks, and the unsubscribe script must be available for at least 30 days after the message was originally sent. In reality, most unsubscribe operations should be almost instantaneous, if you use a modern email marketing platform.
Making the Content of Your Emails Compliant
Each time a business sends a commercial email, it must use accurate contact details. The From line is important, because it must be accurate, and must describe the person or company that's actually sending the message. That doesn't necessarily mean it needs to be a functional email address that points to a working mailbox; many businesses use a "bounce" address to reduce the amount of mail they get back. But it's good practice to use an email at your domain — even if it's fake.
Additionally, the email should contain an accurate postal address for the business, or the third party that's representing it. The subject line of the email also needs to accurately reflect the contents of the message. It's not legal to write a subject line that describes a non-existant offer, or tricks someone into opening an unexpected message.
The Act does cover adult content too, although the requirements are fairly modest. If you send emails with adult content, your subject must begin with "SEXUALLY-EXPLICIT." If the user has not opted in to receiving the email, there must be no adult content visible above the fold. Otherwise, the law is the same as it is for all other types of commercial email.
Complying With Technical Requirements
The final section of CAN-SPAM relates to the methods by which emails are sent, the technical aspects of the email message, and the method that the business uses to collect email addresses. These are all important in confirming that your email is genuine, both to the recipient and to the servers that process it.
Under CAN-SPAM, messages cannot be sent through an open relay. An open relay is a mailserver that's not properly secured, and has been left open for anybody to use. While some servers are set up intentionally as open relays, primarily for sending spam, many servers are hijacked and set up as open relays without the owner's knowledge.
CAN-SPAM also says that messages must not be "null" (ie, without content), and must contain at least once text sentence. The email headers must be valid, and not spoofed. Email addresses that receive the message should only be obtained legitimately. Those email addresses should not be harvested, bought, or sold.
Every violating email that you send carries a penalty of up to $16,000. For example, if you just bought a questionable email list containing 5,000 contacts, you could be facing an $8,000,000 fine if you sent an unsolicited message to everyone on the list.
Fines can be levied to the business that is being advertised, as well as third parties that relate to that business. For example, if you use an email marketing agency or content production company, they could be fined because they're sending messages on behalf of your business. That's why it's critical to choose your partners carefully, and keep a close eye on the messages they're sending on behalf of your business.
Violating CAN-SPAM can land you in jail, too, although this is more likely if there are other criminal activities taking place. So you could be jailed for harvesting email addresses and selling them, using an open relay, or tricking someone into letting you use their mail server.
What CAN-SPAM Doesn't Cover
CAN-SPAM has been criticized for being incomplete. Before it was brought into law, anti-spam campaigners wanted to see stronger evidence of opt-in. Campaigners also wanted spam email recipients to be able to sue the sender, something that is explicitly disallowed in the Act.
Let's look at these two points separately.
First, it's important to note that CAN-SPAM does have a requirement for the FTC to hold a nationwide email opt-out list, or provide a very good excuse. Fortunately, the FTC has the best excuse going: maintaining a list like this — and actually encouraging businesses to use it — is not possible. This is partly because of the nature of the task; it's simply enormous, and would take huge resources to keep it up to date. But aside from that, companies outside the US would be exempt anyway. No international sender with malicious intent is likely to comply with an opt-out list from one country.
Secondly, it's true that CAN-SPAM does not allow email recipients to file suit. Recipients can complain to the FTC, or their state; some states have laws that allow for action to be taken. However, CAN-SPAM supersedes many of these laws anyway. If you plan to sue, legal advice is essential.
Suing the sender of an email is not particularly straightforward, unless the business is obviously identifiable from the email content. When spam is fired across the internet from unknown senders, it would be impossible to figure out where the emails had been sent from in the vast majority of cases. Many millions of spam emails are sent using hacked servers, which may have been converted into open relays without the knowledge of the person paying the bill. Even regular hosting accounts can be targeted in this way.
If you want to remove yourself from commercial email lists, there is another option. The US Direct Marketing Association operates the eMPS, an email version of the marketing preference service. Once you register, you will not be sent unsolicited commercial email by any company that is a member of the DMA. While registration is worth trying, it's unlikely to make much difference to the vast majority of email users.
Sending spam email is a serious business. It can result in huge fines, jail time, and lost customers. Even if you evade the most serious consequences of CAN-SPAM, sending unsolicited emails will not impress your customers.
Before sending any message to an email list, consider whether your list has been legitimately compiled. Check that you've included all of the essential components, and only send emails with legitimate email marketing software.
There's a lesson here for hosting customers, too. If you have a VPS or dedicated server, test it regularly to ensure it's not functioning as an open relay. Even if you aren't a willing participant in a spam operation, a server that's not secure could result in your IP being blacklisted, which could prevent your own business emails from being delivered.
- Coalition Against Unsolicited Commercial Email (CAUCE): an advocacy group dedicated to defending internet users against privacy invasion and abuse. It was founded in May 1997 to campaign for anti-spam laws in the US.
- CAN-SPAM Act — A Compliance Guide for Business: learn how to follow the law in the US.
- Guide to the Privacy and Electronic Communications Regulations 2003: a simple guide to UK anti-spam laws from the Information Commissioner's Office.
- Open Relay Test: test your web server to find out whether it's operating as an open relay.
- CAN-SPAM Checklist: tick off each item on this PDF every time you compose an email to ensure that your marketing message is compliant.
- Spam and Open Relay Blocking System (SORBS): if you've been running an open relay without realizing, your IP address may have been blacklisted. Check listings, and de-list your server, via the SORBS website.
- What Nonprofits Must Do to Comply with the CAN-SPAM ACT: this guide provides a checklist for CAN-SPAM, specifically reworded for non-profit organizations.
NOTE: This article provides an overview of CAN-SPAM with the best information available, but it is no substitute for professional legal advice. As with all matters dealing with the law, you should consult an attorney if you have any questions.
Further Reading and Resources
We have more guides, tutorials, and infographics related to doing business online:
- How to Make a Website: learn about the different approaches to creating a webiste.
- Google Rankings: Understand, Diagnose, and Fix: what good is a website if no one knows about it? Learn all about getting the Google ranking you deserve.
- How to Choose the Right CMS: a content management system (CMS) is usually the best tool to use for creating a website. Find out why and which CMS would be best for you.
Ultimate Guide to Web Hosting
All websites have to be hosted them somewhere. Check out our Ultimate Guide to Web Hosting. It will explain everything you need to know in order to make an informed choice.