Are you a spammer?

If your company uses e-mail as a marketing tool, beware: You could be considered a spammer under a new federal law that went into effect Jan. 1. But wait a moment, you may be saying. My company sends out only legitimate newsletters and mailings to clients and others with whom it has an ongoing relationship. How can that be confused with spam?

The answer: It could be confused with spam because the new law sets rules about the sending of all commercial e-mail, not just unsolicited commercial e-mail. Although you would never describe your company mailings as spam, you still must take steps to comply with U.S. CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) law. Otherwise, you could be subject to fines of as much as $6 million in aggravated cases. Even common e-mailing mistakes can result in penalties of $25 per e-mail sent.

If you aren’t paying attention to the law because you don’t think of yourself as a spammer, you’re not alone. An audit by EmailLabs, an e-mail marketing service provider, found 44 percent of a sampling of 104 pieces of commercial e-mail sent between Jan. 1 and Jan. 15 did not comply with a CAN-SPAM requirement that a postal address be included with commercial e-mail.

Most rules of CAN-SPAM are fairly straightforward. They require that businesses offer an opt-out mechanism to cancel e-mail from the company, and require labeling of e-mail and supplying of postal addresses that indicate the mail’s origin.

But some definitions in the law are unclear, and organizations sending out commercial e-mail using multiple e-mail service vendors, marketing partners, or customer e-mail databases may need to take special precautions to ensure compliance, says Loren McDonald, vice president of marketing at EmailLabs. “There are a whole slew of things causing confusion in the industry,” he says.

What the law says

CAN-SPAM creates criminal penalties for sending commercial e-mail with false transmission information, for hacking into a computer to send spam, and for using automated methods to harvest e-mail addresses from the Internet. Most legitimate companies aren’t using those common spammer tricks, but other parts of the CAN-SPAM law affect those legitimate companies.

CAN-SPAM also directs the U.S. Federal Trade Commission to create a plan for implementing a national “do-not-e-mail” registry within six months of the bill becoming law. The registry, modeled after the national do-not-call telemarketing list, is not in effect yet.

Several other requirements affecting legitimate e-mail senders are included in CAN-SPAM and apply to most commercial e-mail; an exception to the CAN-SPAM rules is “transactional or relationship” messages — possibly things such as order receipts and warrant e-mails — which the Federal Trade Commission is in the process of defining.

Under the law, most commercial e-mail must include a message indicating it’s an advertisement or solicitation. Except for e-mail sent with the recipient’s “affirmative consent,” all commercial e-mail must be labeled. That includes e-mail sent to customers with whom a business has a pre-existing relationship.

Scott Pink, who specializes in e-commerce and other technology law at the Gray Cary law firm, says “affirmative consent” means the recipient must grant some kind of active permission to accept the e-mail. Signing up with a company using a pre-checked box on a Web form to receive marketing e-mail may not be an example of affirmative consent. Pink advises that, to have a “99-percent chance” of passing CAN-SPAM muster, you may want to avoid pre-checked boxes and opt instead for boxes that customers can check themselves.

To indicate that it is an advertisement or solicitation, the e-mail need not include the “ADV” label in its subject line, as required by some state laws that CAN-SPAM has superceded. But the label must be “clear and conspicuous,” according to language in the law.

Some companies are putting a “hello, we’re sending you this advertisement” message at the top of the e-mail; others are putting an advertising disclaimer at the end. An e-mail hyping a 30-percent-off sale should be clear enough in its marketing intents without a disclaimer, Pink says. “If it looks and feels and smells like advertising … I don’t know what else you could call it,” he says.

Sexually oriented commercial e-mail must also be labeled as such.

Return to sender

All commercial e-mail must include the sender’s “valid postal address.” This may be the most confusing part of CAN-SPAM, especially if more than one company is involved. In some cases, a reseller may be advertising another company’s products, or an e-mail service provider and marketing agency may send out commercial e-mail on behalf of another company. Is the sender the company whose product is being advertised, or the e-mail service provider sending out the e-mail?

In some cases, a third party may complicate things further: Company X is advertising its widget in the newsletter of a widget industry magazine or job board — the common “third-party offers” available in many e-mail newsletters. Or a fourth party: Company X is using a marketing agency to place its ads.

Most spam law experts agree that at the very least the company selling the product should include its address in the e-mail. “A lot of people are playing it safe and putting in everybody’s postal address,” EmailLabs’ McDonald says.

This requirement raises a second question: Is a postal address a post office box number or a street address? Some e-mail service providers recommend that businesses include a street address, although some small or home-based businesses may be reluctant to give out that information. The Federal Trade Commission, responsible for enforcing CAN-SPAM, may eventually issue guidance on postal addresses.

All commercial e-mail must include an opt-out mechanism, and all opt-out requests must be honored within 10 days. That sounds simple enough, but may take a high level of coordination, especially when more than one company is involved with the e-mail.

Generally, if a customer opts out, companies should honor the widest possible interpretation of the opt-out request. But companies should also direct customers to a preference page that includes e-mail options, e-mail marketers say. If a customer opts out of one company newsletter, they should get to choose whether to opt out of all e-mail or continue receiving some, says Helen Roberts, chief operating officer at Responsys, a large e-mail marketing service provider.

The same holds true for e-mail from resellers or third-party offers: Give customers a chance to choose which e-mails they don’t want anymore. Roberts also recommends that companies ask enough survey questions when customers sign up for e-mail so that the customers receive only e-mail they will find relevant. Even customers who have opted-in to commercial e-mail may complain that it’s spam if it is no longer of interest.

“When you look at spam in the eye of the holder, you’ve got to be conscious,” Roberts says. “Even if you’re complying with any legal requirements, you still don’t want to alienate … your customer.”

Best practices under the law

In order to fully comply with the opt-out requirement, you may want to consider merging your e-mail list into one database to improve overall management. If your company has more than one e-mail list, make sure that a customer’s request to opt out of e-mail is honored across all the lists. Good communication with your e-mail service provider and e-mail marketing vendors is imperative.

Company marketing, IT, and customer support departments must follow the same script for sending out e-mail, McDonald says. Involve company legal departments in drafting the commercial e-mail policy.

“I don’t think you want a junior marketing manager making these decisions,” he says.

Beyond these rules, CAN-SPAM provides few protections for companies receiving spam e-mail. The FTC and state attorneys general can take legal action against spammers, and Internet server providers can sue spammers for the cost of damages, but private companies have no legal recourse under the law.

Some anti-spam activists have criticized CAN-SPAM for not allowing private lawsuits against spammers, but CAN-SPAM co-sponsor Sen. Conrad Burns, R-Mont., says he intentionally left private lawsuits out of CAN-SPAM to prevent lawyers from profiting from potentially endless class action lawsuits.

Services to help manage the law

Chris Selland, the managing director at Reservoir Partners, a small relationships-management consultancy, chose e-mail marketing service provider Constant Contact to help him manage changes under the law. He is confident that the software, which requires him to plug in information required by CAN-SPAM, is keeping him on the right side of the law.

“You can’t use [the software] unless you comply,” Selland says. “They won’t let you make a mistake.”

There are a number of providers who offer similar services. In addition to EmailLabs, Responsys, and Constant Contact (which markets its services to small companies), other e-mail service providers providing CAN-SPAM solutions include Digital Impact and Skylist. E-mail marketing vendors know the CAN-SPAM rules, and they often have detailed policies focused on compliance.

Noncompliance could cost you

CAN-SPAM includes some stiff penalties for not following the law. The largest penalties — $100 per e-mail ($6 million total) and, in some cases, jail time — apply to criminal violations of the law, something most legitimate companies shouldn’t have to worry about. But violators of the non-criminal parts of the law, including the opt-out and physical address portions of the law, can still be fined $25 per e-mail, and as much as $1 million.

Most observers of the law expect that enforcement will be targeted at large-scale spammers, and those sending fraudulent e-mail.

But Bart Lazar, a lawyer specializing in intellectual property and Internet law at the Seyfarth Shaw law firm in Chicago, notes that the Federal Trade Commission has fined legitimate companies for other violations of fair trade practices, so companies shouldn’t ignore CAN-SPAM.

“I think there will be some significant enforcement … with the goal being a few highly publicized prosecutions to reduce spam,” Lazar says. “But you never know. It is always possible that a company can make an inadvertent mistake and get themselves in a bit of hot water.”