Is your organization in compliance with the recently passed CAN-SPAM anti-spam legislation? Because of the short-time frame between President Bush signing the legislation and the new law taking effect, many companies have either overlooked or misunderstood certain aspects of the law.
For example, in a mid-January analysis of more than 100 opt-in email messages from companies across multiple industries, our company discovered that 44 percent of the emails were not in compliance with one of the simplest requirements of the law. These emails did not include a postal mailing address somewhere in the body of the message.
Before we dive into key requirements of the CAN-SPAM Act and recommended actions and best practices that organizations should follow, it is important to first understand the larger customer and legislative environment that has gotten us to this point.
The Emergence of “Customer Control”
Besides CAN-SPAM, 2003 saw the enactment or passage of legislation establishing a “Do Not Call Registry,” financial privacy laws at the federal and state level and anti-spam regulations in numerous states, including California’s controversial “opt-in” law. Computer users were also threatened by potentially serious viruses and the theft of their identity and personal financial information and accounts.
The outcome of all of this activity was that customers awoke from a privacy and permission sleep in 2003. Whether you believe consumers are actually in significantly greater control over their personal information and marketing messages they receive is irrelevant. Consumers believe they are – and will punish those organizations that don’t understand and respect this reality.
CAN-SPAM: The Definitions
Enter CAN-SPAM. The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act) stipulates that all companies that send or otherwise “initiate” commercial e-mail comply with a number of specific requirements. But first, what constitutes a commercial email? The Act distinguishes commercial emails from “transactional” or “relationship” messages and introduces a new term into the industry lexicon – “affirmative consent.”
Commercial email message: Any email message “the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.”
Transactional or relationship email message: An email message that is primarily intended to facilitate, complete or confirm a commercial transaction that the recipient has previously agreed to enter in with the sender.
Affirmative consent: The Senate Commerce Committee Report for the CAN-SPAM Act indicates that “affirmative consent” requires some active choice or selection by the recipient. Remaining passive, such as not unchecking a pre-checked box or other default Web form, is not sufficient.
Key Requirements of CAN-SPAM
CAN-SPAM requires that all companies that send or otherwise “initiate” commercial email to:
1. Refrain from sending any message with a misleading subject heading.
2. Include in each message a valid return email address or Internet-based reply mechanism that will function for at least thirty (30) days following the transmission of the message.
3. Include a physical postal address in the body of each message.
4. Include a conspicuous notice identifying each message as an advertisement or solicitation*
5. Include in the body of each message a notice explaining how recipients can prevent the transmission of future messages by using the sender’s return email address or Internet-based reply mechanism.
6. Honor all “opt-out” requests within ten (10) business days of their receipt.
7. Refrain from selling, exchanging or otherwise transferring the e-mail address of any recipient who has made an “opt-out” request, except as necessary to comply with the Act or other provisions of law.
*With the exception of the notice identifying a message as an advertisement, all of the above apply to commercial emails (unsolicited or opt-in). Emails sent to recipients with affirmative consent do not need to include the notice of advertisement. The Act allows marketers to determine the form and location of this notice – state laws requiring the letters “ADV” to be displayed in a subject heading and similar labeling requirements are preempted.
The full Act can be downloaded at: http://www.spamlaws.com/federal/108s877.html.
CAN-SPAM and State Laws
The federal CAN-SPAM Act preempts all state laws that specifically govern commercial email, including the far more restrictive California spam statute that took effect on January 1, 2004. The scope of this federal preemption is not absolute, however. Provisions in state spam laws that prohibit false and deceptive email content and message transmission information will remain in effect, as will state computer crime laws, consumer protection acts and other laws of general applicability. The CAN-SPAM Act also does not authorize a private right of action for recipients of commercial email, as is the case with some state laws.
Complying With CAN-SPAM
Let’s look at some areas of the Act that in general lack clarity or may require more significant changes in email practices. These include:
Transactional or Relationship Message Requirements – These messages must include accurate path information in the email header, but are not subject to the postal address, notification and opt-out requirements outlined above.
Promotional Content Within Transactional or Relationship Messages – The Senate Commerce Committee Report that accompanied the Act suggests that a bonafide “transactional or relationship message” may contain some content promoting a product or service unrelated to a previous transaction. The report emphasizes, however, that this promotional material must truly be ancillary to the primary purpose of the communication. This would suggest, for example, that a monthly bank statement notice could contain a small amount of content promoting equity lines or car loans.
Pre-Checked Boxes – It has been common practice for many organizations to include “pre-checked boxes” in transaction, registration and other forms that opt in consumers to receive newsletters or promotional emails. This passive opt-in, however, does not qualify as affirmative consent and subjects any emails that result from this approach to the requirements imposed on unsolicited commercial emails. Your company then can either switch to unchecked boxes or add the “advertisement” language in your emails.
Advertising Statement – If you are sending emails without affirmative consent, then you must include the aforementioned notice identifying each message as an advertisement or solicitation. The Act does not stipulate the form of location of the notice, nor does it require the use of “ADV” in the subject line, a common requirement in some state laws.
Multiple Email Newsletters/Messages – If your organization distributes more than one type of newsletter or promotional message, you will need to provide members/recipients with a means to unsubscribe from specific individual recurring message types as well as a global unsubscribe and suppression feature. A global suppression capability ensures that for recipients who request it, they will never receive any future emails from your organization.
Actions Organizations Should Take
To ensure compliance with the Act, consider taking the following steps:
Convene all company staff that are or could be involved in the email marketing process – marketing, Webmaster, IT, call center, legal, sales and others. Ensure that all affected personnel have a good understanding of the Act and how it might affect their practices and policies.
Review your company’s email marketing programs to ensure that they comply with the content and notification requirements.
Involve your legal counsel in reviewing your privacy and email policies and to clarify or advise on language or policies that may be unclear in the Act. Have counsel review any promotional content contained within transactional or relationship messages.
If you haven’t already, add a postal mailing address to all of your commercial emails.
Review and test your opt-out/unsubscribe language and process. Make sure it is clear, simple and actually works. Also, make sure you are using a valid return email address or Internet-based reply mechanism that will remain functioning for at least thirty (30) days after messages are sent.
Make sure that all opt-out requests are honored within ten (10) business days of receipt. The simplest and best approach is to utilize software (installed or hosted) that automates the reply, unsubscribe and global unsubscribe process.
If your organization uses pre-checked boxes or other “passive” opt-in mechanisms in your email sign-up process, it is recommended that you change to unchecked or other affirmative consent approach. Otherwise you will need to add the conspicuous identification that the emails are advertisements or solicitations.
It is highly recommended that you add a profile update page on your Web site and links to it from your email messages. This enables customers and subscribers to easily update their email address, opt in or opt out of individual or multiple newsletters/communications, request not to be communicated to in the future, change email formats and other information and preferences.
Consider adding a separate “email policy” to your Web site and add a link to it from the email sign-up page. Similar to a privacy policy, an email policy provides further details on how email addresses are collected, used, shared and what’s communicated and when.
If your company has obtained opt-in permission from subscribers via an offline means (i.e., check box on a direct mail card), make sure you retain these in your records. Secondly, you may want to consider “re-opting in” these subscribers via your online process so that it is easier to maintain records and respond to permission inquiries.
CAN-SPAM: What’s Ahead?
The CAN-SPAM Act also instructs the Federal Trade Commission (with input from the FCC, Attorney General, Department of Justice and other agencies) to initiate additional actions or further clarify provisions of the Act. These include:
Submit a plan with recommendations for requiring commercial email to be identifiable by its subject line
Submit a report to Congress that includes a plan and timetable for establishing a nationwide “Do-Not-E-mail list” registry.
The Act also authorizes (but does not require) the FTC to implement such a registry.
Beyond CAN-SPAM: Permission Best Practices
Regardless of what the future holds, companies should take the permission “high road” when responding to the CAN-SPAM Act and surrounding “customer-control environment.” Your email marketing program should support key principles including permission, privacy, trust, brand, preferences, relevance and relationships.
Email marketing can provide organizations with perhaps its most efficient and cost-effective means of marketing and building relationships with its members. The passage of CAN-SPAM and surrounding customer-control environment, however, requires that companies get their permission marketing houses in order.
Loren T. McDonald is Vice President of Marketing at EmailLabs, and is a
frequent author and speaker on email marketing best practices and trends. A
legal brief on CAN-SPAM from Dow, Lohnes & Alberston PLLC is available at
http://www.emaillabs.com/resources_tools.html.
