Today in 2003: The CAN-SPAM Act is signed into law

December 16, 2011

Today in Legal HistoryOn December 16, 2003, the “Controlling the Assault of Non-Solicited Pornography And Marketing” Act, or CAN-SPAM Act, was signed into law, and took effect just over two weeks later on January 1, 2004.

As suggested by both the law’s full name and acronym, the purported aim of the bill was to stop (or “can”) spam – that is, unsolicited marketing email.

It set out to accomplish this through several means.

First, the law prohibits false or misleading header information – that is, an email’s “From,” “To,” and routing information – including the originating domain name and email address – must be accurate and identify the person who initiated the email.

Next, it prohibits deceptive subject lines (they cannot mislead the recipient about the contents of the message).

The Act also requires that marketing emails give recipients a valid way to opt-out of receiving future emails, and forbids the selling or transferring of email addresses of such users who have chosen to opt-out.

Lastly, it requires that commercial email be identified as an advertisement and include the sender’s valid physical postal address.

The Act enforces these and other prohibitions through a combination of criminal penalties, civil enforcement by the Federal Trade Commission, and private rights of action.

Sounds great, doesn’t it?

On paper, perhaps.

In practice, though, CAN-SPAM seems to have had little effect on the volume of spam being sent.

According to several studies by three different spam-filtering vendors conducted weeks after CAN-SPAM’s enactment, spam rates had actually risen.

In addition, two of the vendors’ studies found that less than one percent of spam sent was compliant with CAN-SPAM, and the third found just over ten percent compliant.

Moreover, according to a 2009 study by the International Journal of Cyber Criminology, the Act has not reduced the volume of spam sent.

Instead, it concludes that the law created a safe-harbor for spam by specifically listing how spam can be compliant with U.S. law.

Furthermore, the way CAN-SPAM is structured, enforcement is somewhat limited.

Specifically, only the worst offenders are targeted by the FTC and criminal law enforcement agencies.

Also, CAN-SPAM limits the right to a private cause of action to an “Internet access service,” which, even under the broader definition given in 2010’s Haselton v. Quicken Loans, Inc., does not include individual consumers.

Given the impetus needed for Congress to pass regulatory legislation, one has to wonder why such an ineffective law as CAN-SPAM was enacted to begin with.

Considering that CAN-SPAM was enacted after California had passed much tougher anti-spam restrictions (to take effect beginning in 2004 as well), and that CAN-SPAM contained a specific provision preempting all state spam regulation, the motivation, perhaps, is clearer.

States, of course, are still able to regulate fraud and deception in emails, but under CAN-SPAM, the act of regulating what spam is allowable and isn’t falls under the exclusive purview of the federal government.

Many email users may have certainly noticed less spam in their inboxes since 2004, but this is actually because of advances in spam filtering technology, not CAN-SPAM.

Does Congress need to update CAN-SPAM, then?

That question seems less central than one that is increasingly pertinent today:

Is Congress even capable of passing effective legislation than does more good than harm?