Is harvesting illegal under CAN SPAM

This issue comes up repeatedly, as many people have read the CAN SPAM act and believe that CAN SPAM specifically prohibits sending mail to harvested address. This is not how I read the law.
The FTC publishes a CAN SPAM Compliance Guide for Businesses that only mentions harvesting in the context of criminal penalties for violations. They list the following 7 main requirements of CAN SPAM.

  1. Don’t use false or misleading header information.
  2. Don’t use deceptive subject lines.
  3. Identify the message as an ad.
  4. Tell recipients where you’re located.
  5. Tell recipients how to opt out of receiving future email from you.
  6. Honor opt-out requests promptly.
  7. Monitor what others are doing on your behalf.

No mention of “don’t send to harvested addresses there.”
The clause people always point to, when they’re arguing that address harvesting is illegal is subsection (b) Aggravated violations relating to commercial electronic mail

(1) Address harvesting and dictionary attacks
(A) In general
It is unlawful for any person to initiate the transmission, to a protected computer, of a commercial electronic mail message that is unlawful under subsection (a), or to assist in the origination of such message through the provision or selection of addresses to which the message will be transmitted, if such person had actual knowledge, or knowledge fairly implied on the basis of objective circumstances, that—
(i) the electronic mail address of the recipient was obtained using an automated means from an Internet website or proprietary online service operated by another person, and such website or online service included, at the time the address was obtained, a notice stating that the operator of such website or online service will not give, sell, or otherwise transfer addresses maintained by such website or online service to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages; or
(ii) the electronic mail address of the recipient was obtained using an automated means that generates possible electronic mail addresses by combining names, letters, or numbers into numerous permutations.

To me, it’s very clear this says that it is unlawful to transmit a message to a harvested address if that message is unlawful under subsection (a). If mailing to a harvested message itself were unlawful, then I would expect the section to say it is unlawful to transmit a message to a harvested address.
I’m not a lawyer, this is not legal advice, talk to your own advisor before believing anything anyone writes on the internet. I have talked to lawyers about this, though, and they’re the ones that convinced me that the act does not prohibit harvested addresses.

Related Posts

Are the new Gmail ads email?

I’ve seen lots of opinions over the last few weeks about whether or not the new ads in the Gmail promotions tab are email or not.

Read More

Papa John's settles texting suit

Last year a class action law suit was filed against Papa John’s for violation of the Telephone Consumer Protection Act (TCPA) for texts received by Papa John’s customers. Customers allege they never opted in to receive promotional text from the company. Papa John’s claim that they didn’t send the marketing, but instead was sent by third party contractors.
A blog post on lawyers.com says that Papa John’s settled the case for $16.5 million.

Read More

Bad unsubscribe processes

We recently renewed our support contract with VMWare. It’s a weirdly complicated system, in that we can’t buy directly from VMWare, but have to buy through one of their resellers. In this case, we purchased the original hardware from Dell, so we renewed our contract through Dell.
Dell sends my email address over to VMWare as part of the transaction.
My only role in this is as CFO. I approve the purchase and pay the bill. I don’t do anything technical with the license.
The email failures start when VMWare decides that I need to receive mail about some user group meetings they’re holding all over the US. First off, I’m not the right person to be sending this mail to inside our company. I’m the billing contact, not the user contact. Then, they send me mail about meetings all over the US, when they know exactly where I’m located. Would it be so hard to do a semi-personalized version that highlighted the meetings in my local area then pointing out the other locations? Apparently, yes, it is so hard.
The biggest failures, though are in the unsubscribe process.
unsubscribe option
The unsubscribe page is no big deal. I get to unsub from all VMWare communications, and submit that request without having to figure out what my VMWare password is or anything.
After I hit submit, I’m taken to this page.
VMWareThank you
Wait? What?
“Thank you for registering?” I didn’t register! I don’t want you to contact me. Plus, this is a HP co-branded page when I’m not a customer of HP. VMWare knows this, they know they got my address from Dell.
The biggest problem is that I’m not sure that my address was actually unsubscribed. I suspect that someone copied a form from elsewhere on the site to use as an unsubscribe form. This person forgot to change the link after the “submit” button was clicked. But what else did they forget to change? Is the unsubscribe actually registered in the database?
I suppose only time will tell if VMWare actually processed my unsubscribe. If they didn’t they’re technically in violation of CAN SPAM.
The lesson, though, is someone should check unsubscribe forms. Someone in marketing should own the unsubscribe process, and that includes confirming that unsubscribe pages work well enough.

Read More