Ask Laura: Confused about CAN SPAM

AskLaura_Heading3

Dear Laura, 
I read your blog post about CAN SPAM earlier this week, and there’s one thing that confuses me. You never mention that harvesting addresses is a violation. I’ve seen many other people, including lawyers, assert that harvesting addresses is a violation of CAN SPAM. Why did you leave that out?
Signed,
Hopeful maker of musubi

Dear Hopeful,
The idea that harvesting is, in and of itself, a violation of CAN SPAM is one of those mis-conceptions that has become “common knowledge” and that “everyone knows.” But careful reading of the statute and the FTC rulemaking from 2008 makes it clear that harvesting is not a violation.

15 U.S. Code § 7704 Aggravated violations relating to commercial electronic mail
(A) In general It is unlawful for any person to initiate the transmission, to a protected computer, of a commercial electronic mail message that is unlawful under subsection (a), or to assist in the origination of such message through the provision or selection of addresses to which the message will be transmitted, if such person had actual knowledge, or knowledge fairly implied on the basis of objective circumstances, that—
(i) the electronic mail address of the recipient was obtained using an automated means from an Internet website or proprietary online service operated by another person, and such website or online service included, at the time the address was obtained, a notice stating that the operator of such website or online service will not give, sell, or otherwise transfer addresses maintained by such website or online service to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages; or
(ii) the electronic mail address of the recipient was obtained using an automated means that generates possible electronic mail addresses by combining names, letters, or numbers into numerous permutations.
(emphasis added)

That’s pretty clear to me. Harvesting is only an issue if the message is in violation of CAN SPAM. If you harvest an address and send CAN SPAM compliant mail, then there is no problem.
This was further clarified in the FTC Rulemaking from 2008.

[S]ection 7704(b) specifies four “aggravated violations” — practices that compound the available statutory damages when alleged and proven in combination with certain other CAN-SPAM violations. [3]
[3] 15 U.S.C. 7704(b). The four such practices set forth in the statute are: address harvesting; dictionary attacks; automated creation of multiple email accounts; and relaying or retransmitting through unauthorized access to a protected computer or network. The Act’s provisions relating to enforcement by state attorneys general and providers of Internet access service create the possibility of increased statutory damages if a court finds a defendant has engaged in one of the practices specified in section 7704(b) while also violating section 7704(a). Specifically, sections 7706(f)(3)(C) and (g)(3)(C) permit a court to increase a statutory damages award up to three times the amount that would have been granted without the commission of an aggravated violation. Sections 7706(f)(3)(C) and (g)(3)(C) also provide for this heightened statutory damages calculation when a court finds that the defendant’s violations of section 7704(a) were committed “willfully and knowingly.
(emphasis added)

Translating all of that out of legal government speak we get to the idea that only the things listed in 7704(a) are violations and there can be enhanced penalties. Also, these enhanced penalties are only available to state Attorneys General or ISPs.
It would be lovely if harvesting were a violation. It would cut out a lot of the “targeted” spam we see. I think my favorite was the time someone contacted us about advertising shovels on the domain samspade.org. Um… just because there is “spade” in the domain name doesn’t mean we’re a good target for your shovel advertising. But harvesting is only a problem if you violate CAN SPAM. That means spammers can send all the mail the want to harvested addresses as long as they include:

  • Functioning opt-out link
  • Physical address
  • Valid headers
  • Clear messaging that this is an advertisement.

Of course, most spammers don’t have functioning opt-out links and unsubscribing doesn’t actually stop spam. Harvesting would be a treble violation for much of the actual spam. But those folks who annoy the daylights out of me by scraping my address off LinkedIn and sending me their newsletter? Most of the time that’s not illegal.

Related Posts

Social invading everything

I discovered, inadvertently, that there is a business networking site modeled after dating site. If you’re selling something you go on the site and register as a seller. If you’re buying something you go on the site and register as a buyer. Buyers can post RFIs and sellers can respond.
Decent enough business model, they’ve even fleshed it out so the site itself acts as an invoicing and billing mechanism.
That’s how I discovered it, one of our very large international telco customers decided they wanted to use this site for billing. Many large telcos expect vendors to use their proprietary site, so I wasn’t that surprised when they asked. And, given they’re international being able to bill them electronically just means I don’t have to remember to use the international stamps.
At the behest of our customer, I signed up at the website. It’s like most social networking sites, create a profile, categorize yourself, make everything public. The thing is, I don’t want to use this site to find new customers. I am just using it because one of my current customers is expecting it. Don’t get me wrong, Abacus is a great product and our customers are extremely happy with it, but it’s pretty niche. It’s not something that’s going to be searched for on a generic website.
I thought that when I set my profile to private that would be some sort of signal to keep me out of the main directory of the site. This morning I realized that wasn’t true when I got a bunch of emails telling me about all these companies looking for “business software” (the closest category I could find).
Getting a bunch of irrelevant mail was annoying enough. Even worse, there was no unsub link in the email. Eventually, I discovered an entire page of email options that were not made clear to me up front. I also sent mail to support and suggested that they talk to their lawyers to clarify whether their opt-out option was consistent with CAN SPAM. I’m pretty sure it doesn’t, but I am not a lawyer.
To the company’s credit, they did have good support and my questions through support were answered in a timely fashion. One of their support reps even called me on the phone to clarify what it was that I wanted to happen and walk me through their email options. She was very upfront about yes, they opted everyone in to all the mail at the very beginning of the process. “We’re like match.com for businesses!”
I’m sure there are some businesses that will find this service to be great. But it’s not what I want or need. Despite the fact that their support was so helpful, I don’t have a great feeling about this company. It seems a bit dishonest that I thought I was signing up for a billing portal, but was actually joining “match.com for businesses. Why couldn’t they make that clear in the 7 emails in 2 days “inviting” me to sign up?
I know I’m a little more sensitive to bad mailing processes than most people, but this was quite an unpleasant experience from the multiple identical emails and reminders before I signed up to the irrelevant stuff I got afterwards.

Read More

One Click, Two Click, Red Click, Blue Click

I’ve seen a lot of discussion and arguments over the CAN SPAM rule about whether or not an unsubscribe needs to be a One-Click unsubscribe. It’s gotten so common, I have a stock email I use as a template when wading into such discussions. It’s probably useful for a lot of other people, too, so I thought I’d share.
The regs say:

Read More

Ignoring opt-outs

One of the marketing solutions to the spam problem is just to have recipients opt out.

Read More