September 28, 2007
What is the CAN SPAM Act, And How Do We Comply With It?
One of the heralded pieces of Congressional legislation of 2003 was the CAN SPAM act, which became effective on January 1, 2004. The Act provides strict regulations and guidelines about what information you need to provide in your commercial email solicitations. The fine is $11,000 per infraction, which is enough to make any small business owner sit up and take notice.
The reason for anti-spam regulation is that somewhere around 80% of all emails are unsolicited commercial sales pitches – the same ones you shovel out of your inbox every morning. This is seriously degrading network traffic, and it costs countless hours of productivity in deleting email, as well as providing a ripe ecosystem for viruses and worms and zombie attacks to flourish in. (Sadly, internet zombie attacks can't be stopped as readily with shotguns…)
As a small business owner, you have to take great care in preserving your credibility to your customers. Even worse, your credibility means you have to be easily identified, and that makes you an easier target for lawsuits than someone running a server in Croatia. It's in your best interest to be aware of what the requirements are, and to follow them religiously.
The relevant federal organization regulating the CAN SPAM act is the Federal Trade Commission, which is the federal level consumer protection agency. The Act also lets the Department of Justice enforce its provisions, which is where the teeth come into the law. It also opens the door for ISPs to sue abusive customers for violating it, and state level agencies can use it as a hunting permit as well.
In general, as a commercial emailer, you must do the following:
1) Make sure that your header information in emails is unambiguous and not forged. You must provide an email address, domain name and routing information that leads back to your business and your servers.
2) Your subject line on the email must provide real information about the contents of the email, including information on any attachments included.
3) You must provide an opt-out method that is not needlessly obscured or presented in such a way that it is not visible in the email.
4) You must provide a valid return email address, or another internet based method for your recipients to opt out. It may lead them to a menu where they can choose which services they opt out of, but one option must always be "Remove me from all email solicitations from this business."
5) When you receive an opt-out, you have 10 business days to comply. You cannot help another entity send emails to that address, or have another entity send email on your behalf during those 10 days, or afterwards.
6) You may not sell your opt-out lists to a third party.
7) Any commercial solicitation must be clearly marked as advertising, and include the sender's valid postal address.
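As an added illustration of how the seven points above can be checked mechanically before a mailing goes out (this is example code written for this post, not anything from the FTC or from a mailing vendor), the lint below inspects an outgoing message for a From address on the sender's own domain, a non-empty subject, an RFC 2369 List-Unsubscribe header plus visible opt-out text, an advertising label and a postal address; it also keeps a suppression list that refuses opted-out addresses immediately and computes the 10-business-day deadline from point 5. The domain set, the body markers ("ADVERTISEMENT", a line starting "Postal address:") and the sample messages are constructed assumptions; weekends are skipped but public holidays are not modelled.

```python
"""Outbound-mail compliance lint for the CAN SPAM points listed above.

Added example: OWN_DOMAINS, the body markers and the sample messages are
constructed assumptions, not anything from the original post.
"""
from datetime import date, timedelta
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed: the domains this business really sends from (constructed sample).
OWN_DOMAINS = {"example.com"}


def audit(msg: EmailMessage, own_domains=OWN_DOMAINS):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # 1) Headers must lead back to the business: From and Reply-To on our own domain.
    if not msg["From"]:
        findings.append("missing From header")
    for hdr in ("From", "Reply-To"):
        if msg[hdr]:
            _, addr = parseaddr(str(msg[hdr]))
            domain = addr.rpartition("@")[2].lower()
            if domain not in own_domains:
                findings.append(f"{hdr} address '{addr}' is not on a sender-owned domain")
    # 2) The subject must actually say something about the content.
    if not str(msg["Subject"] or "").strip():
        findings.append("empty Subject")
    body = msg.get_body(preferencelist=("plain",))
    low = (body.get_content() if body else "").lower()
    # 3) and 4) Opt-out: a machine-readable List-Unsubscribe header (RFC 2369)
    # and instructions a human can see in the body.
    if not msg["List-Unsubscribe"]:
        findings.append("missing List-Unsubscribe header")
    if not any(w in low for w in ("unsubscribe", "opt out", "opt-out")):
        findings.append("no visible opt-out instructions in body")
    # 7) Marked as advertising and carrying a postal address (assumed markers).
    if "advertisement" not in low:
        findings.append("not marked as an advertisement")
    if "postal address:" not in low:
        findings.append("no postal address in body")
    return findings


def opt_out_deadline(received: date, business_days: int = 10) -> date:
    """Last day on which mail may still go to an opted-out address:
    `business_days` weekdays after the opt-out was received (weekends skipped)."""
    d, remaining = received, business_days
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday..Friday
            remaining -= 1
    return d


class SuppressionList:
    """Opt-out records keyed by lower-cased address; never sold or shared (point 6)."""

    def __init__(self):
        self._opted_out = {}

    def record_opt_out(self, addr: str, when: date) -> None:
        self._opted_out[addr.lower()] = when

    def may_send(self, addr: str) -> bool:
        # Design choice: suppress at once instead of using up the 10 days.
        return addr.lower() not in self._opted_out

    def overdue(self, today: date):
        """Addresses whose deadline has passed; any send to these is a clear violation."""
        return [a for a, d in self._opted_out.items() if today > opt_out_deadline(d)]


def sample_messages():
    """Constructed sample mailings: one compliant, one that trips every check."""
    good = EmailMessage()
    good["From"] = "Wade <news@example.com>"
    good["Subject"] = "Fall catalog: new products (PDF attached)"
    good["List-Unsubscribe"] = "<mailto:unsubscribe@example.com>, <https://example.com/unsubscribe>"
    good.set_content(
        "ADVERTISEMENT\n\nOur fall catalog is out.\n\n"
        "To unsubscribe from all email from us, reply with 'remove' or visit "
        "https://example.com/unsubscribe\n"
        "Postal address: 123 Main St, Springfield (constructed sample)\n"
    )
    bad = EmailMessage()
    bad["From"] = "promos@othermailer.net"  # not a sender-owned domain
    bad.set_content("Great deals, click now!\n")
    return good, bad


if __name__ == "__main__":
    good, bad = sample_messages()
    print("good:", audit(good) or "passes")
    print("bad:", audit(bad))
    print("opt-out on 2007-09-28 must be honored by", opt_out_deadline(date(2007, 9, 28)))
```

Run the file directly to see the two audits and the deadline; in a real pipeline `audit` would gate the send step and `overdue` would feed a daily report, because the 10-day clock in point 5 is the legal maximum, not a grace period to keep mailing through.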
In addition to the requirements above, there are also stringent penalties for companies or entities that harvest email addresses for commercial resale; that generate addresses by the dictionary attack (throwing random letters and numbers onto a domain name); that use the spammer shotgun method of registering multiple accounts to send commercial email; or that relay email through other networks without authorization, something most ISPs in the US have turned off anyway.
The good news for you is that as a respectable businessperson, these are all fairly easy to comply with. Also, if you can document a prior business relationship, it's much harder for someone to make a spam case against your firm. With high profile cases going to court with damages measured in the millions of dollars, it's definitely worth your while to do so!
Filed under Email Deliverability, Email Marketing, Spam by Wade