Avoiding State and Federal Anti-Spam Legislation
Introduction
Although anti-spam legislation has
not yet been enacted at the federal level, Internet Service Providers
("ISPs"), the courts, and various state legislatures have become
increasingly proactive in their efforts to thwart third parties
seeking to transmit unsolicited commercial e-mails ("Spam"). In
addition, on July 18, 2000, the House of Representatives passed
the "Unsolicited Commercial Electronic Mail Act of 2000" ("H.R.3113"),
and now we are anticipating the Senate will pass a similar bill,
leading to a reconciliation of the two versions. Nineteen states,
including California, Nevada, Rhode Island, Virginia, and Washington,
have passed anti-spam legislation. Some states restrict sending
unsolicited commercial messages, unless the sender has the recipient's
consent or has an existing relationship with the recipient. Other
states restrict the use of misleading headers. So what happens if
you violate these restrictions? Well, many of the state statutes
provide for civil statutory damages and, in some cases, criminal
sanctions. This article focuses on California's attempts to protect
its residents against spam and some of the less obvious features
web sites often use that may inadvertently violate anti-spam legislation.
California's Anti-Spam Legislation
On January 1, 1999, the following
three California laws relating to unsolicited commercial e-mail
or "spam" went into effect:
- (1) California Business and Professions Code § 17538.4;
- (2) California Business and Professions Code § 17538.45; and
- (3) California Penal Code § 502.
The first two state statutes will
be discussed together and the penal code separately.
California's Civil Anti-Spam Legislation
California Business & Professions
Code sections 17538.4 and 17538.45 apply to any unsolicited email
that is delivered to a California resident via an ISP's facilities
located in California. These two statutes prohibit any person or
entity conducting business in California from e-mailing documents
consisting of unsolicited advertising material, unless the following
requirements are met:
- the person or entity must establish either: (a) a toll-free
telephone number that the recipient may call or (b) a valid
sender-operated return e-mail address through which the recipient
may notify the sender that he or she no longer wishes to receive
any further unsolicited documents;
- the toll-free number or valid return e-mail address must be located
at the beginning of the text of the message, in a font at least the
same size as the majority of the text of the message;
- upon notification of a recipient's desire to be removed from any
mailing list, the sender must immediately honor the request; and
- the subject header for such unsolicited e-mails must contain "ADV:"
at the beginning of the subject line, except that spam of an adult
nature must bear the legend "ADV:ADLT:" as the first eight characters
of the subject line.
Please Note: This law was struck down on the grounds that it violates
the Dormant Commerce Clause.
There is also a provision in the California statute that grants ISPs
the discretion to determine which messages are deliverable to their
subscribers via the ISP's anti-spam policies. Under the statute, no
individual or entity may use or cause to be used (by initiating an
unsolicited e-mail advertisement) an ISP's equipment located in
California in violation of the ISP's policy prohibiting or restricting
the use of its equipment to deliver unsolicited e-mail advertisements
to its subscribers.
Violation of these two (2) California statutes may be punishable as a
misdemeanor (See Cal. Bus. & Prof. Code § 17538.4) and in some cases
may give rise to civil damages (See Cal. Bus. & Prof. Code § 17538.45).
Under the new statutes, in addition to any other action available
under law, any ISP whose policy on spam is violated may bring a civil
action to recover either (1) the actual monetary loss suffered by that
ISP, or (2) liquidated damages of $50 for each e-mail message
initiated or delivered in violation of the statute (up to a maximum of
$25,000 per day), whichever amount is greater. Pursuant to the
statute, a court may also award reasonable attorneys' fees.
California's Criminal Anti-Spam Legislation
The third statute enacted, California Penal Code § 502, amends
California's Computer Crimes Act. This statute, as amended, prohibits
the unauthorized use of another party's Internet domain name in
connection with the sending of electronic mail messages, if such use
causes damage to one or more computers. Cal. Penal Code § 502(c)(9).
Although the statute has broad applicability, it was enacted to
redress the problem of "spoofing," whereby the sender of spam attempts
to hide his, her or its true identity by making the messages appear as
if they originated from someone else. Section 502(d) of the statute
subjects violators to criminal prosecution, with penalties depending
upon the damage the violation causes. In addition, Section 502(e) of
the statute allows victims of a violation to bring a civil cause of
action against a person convicted of an offense.
Other Features Commonly Used By Web Sites That May Constitute Spam
(1) "Tell a Friend" Features
Many Web sites now permit users
to "tell a friend" about a Web service or page by enabling the visitor
to use a Web-based e-mail utility to send an e-mail notice to the
e-mail address(es) specified by the visitor. Depending on the context,
these features have many names, such as "tell a friend," "refer
a friend," or "e-mail this page to a friend." These "tell a friend"
utilities are generally categorized in one of two ways:
(1) as a legitimate tool to help
visitors communicate with each other, and thus no different from
other e-mail utilities; and
(2) as a tool to induce the visitor
to provide the Web site with valid email addresses, which the Web
site may then use to build a database from which to send commercial
unsolicited email.
Under the first paradigm, the tool is mostly legally benign from the
Web site's standpoint. The visitor sending the e-mail might be
violating the anti-spam laws, but such violations should not be
imputed back to the Web site. Nevertheless, if the Web site does not
use technical controls or authentication procedures with the tool,
users can easily engage in bad behavior. For example, with many tools,
it is easy to "mail bomb" a recipient--completely anonymously--merely
by pasting a single e-mail address in the "to" field dozens, hundreds
or thousands of times. Also, to the extent that a user is capable of
editing the text sent to the recipient, the user can engage in all
sorts of bad communications or, for that matter, use the tool to send
spam using the Web site's servers. In any event, because so few Web
sites place technological controls on these tools, these tools can
form the basis for a site to be blacklisted by the Realtime Blackhole
List (RBL).
Under the second paradigm, the Web
site is probably sending spam to the recipients in violation of
numerous anti-spam laws. The fact that the recipients are purportedly
"friends" does not cure the violations, since the anti-spam laws
do not contemplate that "friends" will submit e-mail addresses to
mass marketers who will send messages containing commercial promotions.
At the present time, no one knows which of the two paradigms will
prevail if a Web site were sued under one of the state anti-spam
laws for its "tell-a-friend" feature. Arguably, a Web site's implementation
of this feature may affect the court's willingness to be sympathetic.
Nevertheless, the present anti-spam laws do not directly address
the use of this kind of feature. As a result of the legal uncertainty
and technology risk (i.e., being blacklisted), many clients would
be wise to remove these features.
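
For a site that keeps a "tell a friend" form, the technical controls whose absence is described above can be enforced on the server before any mail is sent: repeated addresses are collapsed, malformed input is rejected, sending is capped and rate-limited, and the message body is fixed so the visitor cannot supply text. The following Python sketch is an added example, not code from the original article. The limits, the PAGES table, the example.com URL and the function name plan_referral are assumptions chosen for illustration.

```python
import re
import time
from collections import defaultdict, deque

# All limits and names below are illustrative assumptions.
MAX_RECIPIENTS = 5          # addresses accepted per submission
MAX_PER_SENDER_HOUR = 10    # messages per client IP per hour
MAX_PER_RECIPIENT_DAY = 2   # messages per recipient address per day
ADDR_RE = re.compile(r"[^@\s,;<>]+@[^@\s,;<>]+\.[^@\s,;<>]+")
PAGES = {"home": "https://www.example.com/"}   # site-chosen URLs only
TEMPLATE = "A visitor thought you might like this page: {url}"

_sender_log = defaultdict(deque)     # client IP -> send timestamps
_recipient_log = defaultdict(deque)  # address   -> send timestamps

def _recent(log, key, window, now):
    """Expire timestamps older than `window` seconds; return the count left."""
    q = log[key]
    while q and now - q[0] > window:
        q.popleft()
    return len(q)

def plan_referral(client_ip, raw_recipients, page_key, now=None):
    """Return (accepted, rejected): [(addr, body)] and [(raw, reason)]."""
    now = time.time() if now is None else now
    body = TEMPLATE.format(url=PAGES[page_key])  # no visitor-editable text
    accepted, rejected, seen = [], [], set()
    for raw in raw_recipients:
        addr = raw.strip().lower()
        if addr in seen:                       # one address pasted many times
            reason = "duplicate"
        elif not ADDR_RE.fullmatch(addr):      # also blocks CR/LF header injection
            reason = "invalid"
        elif len(accepted) >= MAX_RECIPIENTS:
            reason = "too many recipients"
        elif _recent(_sender_log, client_ip, 3600, now) >= MAX_PER_SENDER_HOUR:
            reason = "sender rate limit"
        elif _recent(_recipient_log, addr, 86400, now) >= MAX_PER_RECIPIENT_DAY:
            reason = "recipient rate limit"
        else:
            reason = None
        seen.add(addr)
        if reason:
            rejected.append((raw, reason))
            continue
        _sender_log[client_ip].append(now)
        _recipient_log[addr].append(now)
        accepted.append((addr, body))
    return accepted, rejected
```
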
(2) Moving E-Mail or Outsourcing Your Email Service
Many Web sites offer free Web-based e-mail as part of their package of
services. Problems may occur where such Web sites have outsourced the
operation of the e-mail service to an e-mail service provider and now
want to change the e-mail service provider. To change the e-mail
service provider almost invariably would require the web site to
transfer the end-user's e-mails from the existing service provider to
the new service provider. So what? Well, this constitutes a disclosure
of private communications which is governed by the Electronic
Communications Privacy Act (ECPA), a statute last substantially
revised in the mid-1980s and wholly unsuited to the Internet era. As
ECPA does not contemplate such transfers of private communications
between providers, such transfers are left in a gray area and arguably
could subject the outsourcer and website to serious civil and criminal
sanctions.
This gray area, however, is completely avoidable. How? By requiring
the intended user of the email service to consent in advance to the
transfer of e-mails between service providers in the user agreement.
At present, however, most user agreements provide, if anything, a
privacy policy-like restriction that says the service provider will
NEVER disclose private e-mails to third parties absent certain levels
of subpoena, warrant or court order. This problem is wholly avoidable
either simply by amending the user agreement or arduously by getting
the individual consent from each user whose account is being
transferred. The latter requires the web site to e-mail each user and
to get each user's affirmative response, something that is
logistically difficult and rather unpleasant.
(3) Selling Databases of E-Mail Addresses
Occasionally clients will inquire
about "buying" a database of e-mail addresses. Usually this arises
in the context of buying e-mail addresses from a company going bankrupt,
selling its business, or interested in unloading its list of users
who legitimately signed up with the company.
If the seller of the e-mail address database is also selling other
company assets, and the database is integrally associated with those
assets, the acquirer's use of the database may not violate the anti-spam
laws--especially if the acquirer uses the e-mail address database
only to communicate messages related to the line of business it
has acquired. Otherwise, the seller probably cannot transfer the
user's consent or prior business relationship to the database acquirer,
and thus the acquirer's use of the database would violate the anti-spam
laws.
(4) E-Mailing Co-Registered Users
Increasingly, a Web site will allow
users registering with it to "co-register" with other Web sites
by checking (or, in some cases, failing to uncheck) a box on the
registration page. Usually, when the user completes the registration,
contact information (including e-mail address) is passed over to
the co-registered Web site. The co-registered Web site may then
send a welcome message to the user or otherwise begin e-mailing
the user.
In some circumstances, the co-registered Web site's e-mail could
violate the anti-spam laws. The language on the registration page
can operate as "consent" which is extended to the co-registered
Web site, in which case the resulting e-mails are legal. However,
the wording of that consent is crucial--if a user can argue that
they did not consent to the e-mail, then the resulting e-mail could
be illegal spam. Thus, the legal advisor on such transactions should
carefully review the registration page from a legal compliance standpoint.
Conclusion
At present, many of the rules related
to new Web-based business practices are becoming well-understood,
and in some cases resolved. In contrast, e-mail has suffered from
a lack of attention. But with the newly passed H.R. 3113, which
should be reconciled with a similar Senate bill sometime in the
near future, Web sites would be well advised to proceed cautiously
with attention paid to recently passed and expected legislation.
It would be a grave mistake for Web-based businesses to proceed
with reckless disregard for the legal consequences of violating the
state and federal regulations imposed.
This Internet Alert was prepared
by Melissa C. Marsh. If you have questions relating to this Alert
she can be reached at (323) 655-1002 or at mmarsh@yourlegalcorner.com. Interacting
with e-mail on this web site does not constitute the creation of
an attorney/client relationship. This web site is an advertisement
for legal services.
This Internet Alert is published
as an information service to clients and friends. Please recognize
that the information is general in nature, should not be relied
upon to make legal decisions, and does not constitute legal advice.
The attorney listed above would be pleased to discuss in greater
detail the information in this alert and its application to your
specific situation. We welcome your comments and suggestions.