New CAN-SPAM Rules Clarify Online Marketing Requirements

May 27, 2008

On May 12, 2008, the Federal Trade Commission (FTC) released a Final Rule implementing new regulations under the CAN-SPAM Act of 2003 (CAN-SPAM), which generally governs the transmission of commercial electronic mail. Issued three years after the rules were proposed, the Final Rule takes effect in 45 days.

The Final Rule adopts four new provisions while clarifying the FTC's interpretation of certain CAN-SPAM requirements. The new rules and clarifications address various concerns raised during the FTC's rulemaking proceeding, such as identifying the "sender" in multiple marketer email messages, and clarifying compliance obligations in connection with "viral" marketing campaigns and similar initiatives using "forward-to-a-friend" messages.

We summarize CAN-SPAM's statutory obligations and the Final Rule below.

Overview of CAN-SPAM's Requirements

CAN-SPAM imposes obligations upon those who send commercial email messages.1 A "commercial email message" is defined in the statute as a message that has the primary purpose of advertising or promoting a commercial product or service (including content on a website operated for a commercial purpose). CAN-SPAM's definition of "sender" includes any person who "initiates" a commercial email message and whose product, service, or website is advertised or promoted by the message.

Senders of commercial email messages must ensure that their messages:

  • Do not have false or misleading header information or deceptive subject lines. Each email message's "from," "to," and routing information—including the originating domain name and email address—must be accurate and identify the person who initiated the email. Further, the subject line of a commercial message cannot mislead the recipient about the contents or subject matter of the message.
  • Include a return address or other Internet-based opt-out method and process opt-outs within 10 business days. The sender must provide a return email address or another Internet-based response mechanism that allows a recipient to ask the sender not to send future email messages to that email address, and the sender must honor the requests. Any opt-out mechanism offered must be able to process opt-out requests for at least 30 days after the message is sent. All opt-out requests must be processed within 10 business days.
  • Identify themselves as advertisements. Each commercial email message must contain clear and conspicuous notice that the message is an advertisement or solicitation and that the recipient can opt out of receiving further commercial email from the sender.
  • Contain the sender's postal address. All commercial email messages must include the sender's valid physical postal address.

New Rules

The Final Rule contains four new regulations, as described below.

  • Opt-Out Method Requirements. The FTC adopted a new regulation that prohibits commercial email senders from requiring recipients to pay a fee, provide information other than email address and opt-out preferences, or take any steps other than sending a reply email message or visiting a single Web page, as a condition of receiving or honoring opt-out requests.

    This new regulation may require some email marketers to modify the methods they use to receive and process opt-outs. In particular, opt-out methods in which users must supply log-in credentials, or navigate through multiple pages on a website, may not be used to satisfy CAN-SPAM's requirement that all commercial email messages include a functioning opt-out mechanism. The rules will not prohibit companies from offering other ways for their users to opt out, such as allowing them to indicate email preferences within an account-management tool on a website, but those alternative methods will not satisfy CAN-SPAM's opt-out requirement.
  • CAN-SPAM Responsibilities in "Multiple-Sender" Emails. If a message promotes or advertises the products, services, or websites of more than one person, more than one person may fall within CAN-SPAM's definition of "sender" and thus bear compliance burdens. For such "multiple-sender" messages, neither the statute nor prior regulations addressed the allocation of compliance obligations among senders, such as who was responsible for managing opt-out processes and ensuring that appropriate disclosures were included in the messages.

    Under the Final Rule, where multiple marketers have products, services, or websites advertised or promoted in the same email, they may designate as a single sender a person who (a) meets the definition of sender, (b) is identified in the "from" line as the sole sender of the message, and (c) complies with identified "core" provisions of CAN-SPAM. Only this designee would be required to include CAN-SPAM's required disclosures, provide a functioning opt-out method, and process opt-out requests made by the email's recipients.

    The Final Rule's multiple-sender provisions are very permissive for email marketers. Companies will be able to advertise their products and services together in email messages, with only one of the companies required to process opt-outs and comply with other sender obligations.
  • P.O. Box or Private Mailbox Can Serve as a Valid Physical Postal Address. As noted, CAN-SPAM requires senders to include a "valid physical postal address" in each commercial email they send. The Final Rule defines a valid physical postal address as "the sender's current street address, a Post Office box the sender has accurately registered with the United States Postal Service, or a private mailbox the sender has accurately registered with a commercial mail receiving agency that is established pursuant to United States Postal Service regulations."

    The FTC's approach on this issue is also permissive. Several consumer groups had advocated for a requirement that messages contain a physical street address, and not a P.O. box, contending that P.O. boxes often are used in fraudulent schemes to protect their users from identification. The FTC was not persuaded, however, to change its earlier position that hucksters seeking to evade identification could use an inaccurate street address as readily as a P.O. box or private mailbox.
  • Definition of "Person." The FTC adopted a new definition of the word "person," which is used in CAN-SPAM but not defined. Under the new rules, a person is defined as "an individual, group, unincorporated association, limited or general partnership, corporation, or other business entity." With this definition, the FTC made clear that CAN-SPAM applies to individuals as well as various types of entities.

Discussion Accompanying the Final Rule

The FTC addressed a number of other issues in its discussion accompanying the Final Rule. This accompanying discussion did not provide new regulations, but is valuable in signaling the FTC's perspective and providing a sense of its future enforcement direction.

  • "Refer-a-Friend" Messages. A key topic addressed by the FTC was what it refers to as "forward-to-a-friend" messages, also known as "send-to-friend" or "refer-a-friend" messages. These messages are solicitations sent either by one user to another using a Web-based forwarding mechanism, or forwarded by one consumer/recipient to another using his or her own email program. Several companies and trade groups had sought clarity from the FTC regarding its position on these messages, as it is unclear who, if anyone, is the sender of these messages for purposes of CAN-SPAM compliance obligations.

    The FTC made clear that a person whose commercial website, products, or services are advertised in a refer-a-friend message may be deemed the sender of that message if the person "induces" its transmission. The FTC did not define induce, but did state that a person need not offer payment or other consideration to a person in order to induce that person to forward, or otherwise transmit, a commercial email message. The FTC also stated, however, that mere statements on a Web page or in a commercial email message exhorting a viewer or recipient to forward the message would not, without more, constitute "inducement." The FTC's broader concept of inducement will require email marketers, and companies using send-to-friend features on their websites, to assess whether they are acting in ways that induce consumers to forward, or otherwise transmit, commercial email messages.

The new regulations and interpretation accompanying them highlight the ongoing importance of CAN-SPAM compliance. Those who participate in online marketing may revisit the use and enforcement of appropriate contractual terms with affiliates, referral partners, and other third parties. Practical steps such as assessing, monitoring, and addressing those third parties' CAN-SPAM compliance also may be advisable.

Wilson Sonsini Goodrich & Rosati's attorneys routinely counsel clients on compliance with CAN-SPAM, other laws applicable to commercial email, and other marketing and privacy issues. The firm also has played a leading role in litigation and regulatory efforts concerning online marketing and privacy. If you have questions in these areas, please contact Gerry Stegmaier at (202) 973-8809 or Matt Staples at (206) 883-2583.

1 CAN-SPAM is codified at 15 U.S.C. §§ 7701-7713. The FTC maintains a portion of its website, at, that provides CAN-SPAM information for businesses and consumers.