June 25, 2008

CAN-SPAM Update: Have You Complied With the New Rules Yet?

SUMMARY: The Federal Trade Commission’s latest update to the CAN-SPAM regulations takes effect in less than two weeks. Is your email compliant? Not sure?

We have the nitty-gritty on what the new provisions mean to email marketers. The updates include:
- Good news (what didn’t change)
- Five major provisions to review
- Definition of a sender
- How to handle re-subscribes

The Federal Trade Commission’s latest updates to the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) become enforceable on July 7. So, it’s prime time for a look at the updates – and at CAN-SPAM in general – to make sure your email programs remain on the up and up.

Most email marketers didn’t know all of the act’s requirements two years ago when the FTC last updated CAN-SPAM, according to a Web Surveyor survey. No offense, but we doubt that many of you have been grilling yourselves on the details since then.

“CAN-SPAM is something to keep front of mind for any campaign that you run,” says Ana Lucia Dunkle, Relationship Marketing Manager, A&E Television Networks. “Obviously, you want to keep your marketing goals as a top priority. But, in terms of your reputation as a sender, you have to put [huge] importance on following the rules. When we heard about the updates, right away we went back over our practices simply to make sure that we will still be doing what we should be doing.”

Dunkle and her team didn’t procrastinate in making sure A&E was still compliant.

The Good News
First, some good news:

- CAN-SPAM terminology is now better defined, giving marketers clearer standards – that’s a baby step in the right direction.
- We know exactly who a “sender” is now.
- The FTC kept the 10-day mandatory opt-out requirement in place after mulling cutting it to three days.
- Nothing in CAN-SPAM will get you in legal trouble if you are sending *permission-based* emails. (Note: We aren’t attorneys; please check with your own legal counsel.)
- The FTC will not designate additional “aggravated violations.” In other words, it won’t go out of its way to engage in witch hunts.

5 Changes: A Close Look
To be clear, the new provisions are not cataclysmic, but they do touch on a few points many marketers need to contend with.

The five key provisions from the FTC's 109-page document:

-> Provision #1. Unsubscribe requirements

You cannot require an email recipient to:
- Pay a fee
- Provide information other than their email address and opt-out preferences
- Take more than these opt-out steps:
  - Send a reply email message
  - Visit a single Web page

Prohibiting a fee probably won’t affect Sherpa’s readers. But those of you who make subscribers visit multiple Web pages to unsubscribe will need to make some changes. Brands that require log-ins and passwords to unsubscribe at a preferences center, for instance, need to change their process, says Jeff Mills, Director of Sales & Strategy, eROI.

Mills offers a prime example: You get the mail for someone who no longer works at your company. They signed up for a chunk of those emails with a log-in and password. You can’t unsubscribe because you don’t have that information. What do you do?

“Moving forward, for those marketers, making a sweeping change from the current system to most likely a legacy Web system that doesn’t require a log-in – it’s a much more daunting task than people on the outside realize.”

One option we’ve heard about: Embed individual passwords in the unsubscribe URL. Then, when they click the unsubscribe button, no log-in is needed. But such a process might be time-consuming. Check with your ESP for possible solutions.
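One way to build the no-log-in unsubscribe link described above, shown as an added example that is not from the article or any ESP. Instead of the subscriber's account password it puts a single-purpose signed token in the URL, so a leaked link can only unsubscribe that one address; the key, the endpoint URL and the function names are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed demo key (assumption); a real deployment loads it from a secret store.
SECRET_KEY = b"constructed-demo-key"
# Placeholder endpoint (assumption), not a URL from the article.
UNSUBSCRIBE_URL = "https://mail.example.com/unsubscribe"


def b64_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def make_unsubscribe_link(email: str, list_id: str) -> str:
    """Build a one-click link whose token names the address and list and is signed."""
    payload = f"{email.strip().lower()}|{list_id}".encode()
    return f"{UNSUBSCRIBE_URL}?t={b64_encode(payload)}.{b64_encode(sign(payload))}"


def verify_unsubscribe_token(token: str):
    """Return (email, list_id) for a genuine token, or None if it was altered."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = b64_decode(payload_b64), b64_decode(sig_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    # Constant-time comparison avoids leaking how much of the signature matched.
    if not hmac.compare_digest(sig, sign(payload)):
        return None
    email, list_id = payload.decode().rsplit("|", 1)
    return email, list_id


# Constructed sample: the address is the one the article uses in its example.
link = make_unsubscribe_link("John@ISP.com", "house-list")
print(link)
print(verify_unsubscribe_token(link.split("?t=", 1)[1]))
```

The unsubscribe page then needs nothing but the token: no log-in, no extra form fields, a single Web page.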

-> Provision #2. Definition of ‘sender’

A ‘sender’ is now defined as the entity whose goods, services, business, organization, etc., are advertised in a commercial email message. This clarification makes it simpler to know which of multiple parties advertising in a single email message is responsible for complying with CAN-SPAM’s opt-out requirements.

Take special note if you mail on behalf of other advertisers. This modification allows for a ‘designated sender’ – a single party that will be responsible for complying with CAN-SPAM in those situations where multiple parties may advertise in the same message.

For the most part, the name in the ‘From’ line of an email becomes the designated sender. They must comply with all provisions and follow common best practices (i.e., listing a physical postal address and presenting an in-message opt-out mechanism).

Note that a designated sender is not *required* in multi-party email ads. Identifying an entity in the ‘From’ line is mandatory, but the FTC rule “does not eliminate the possibility that a message may have more than one sender.”

So, does each advertiser *need* to provide an opt-out link and a postal address in a multi-party email? No, only the designated sender.

If one of your advertising partners is caught violating the rules, however, having your address and opt-out mechanism in the message may be the most sure-fire piece of evidence to suggest that you were trying to comply. Being able to include your info may be something you should request from the designated sender.

-> Provision #3. P.O. Box address OK

A ‘sender’ can use an “accurately-registered” post office box or private mailbox. This will meet the rule that a commercial email present a “valid physical postal address.” Prior CAN-SPAM rules did not make that clear.

Emailers following best practices should already be posting a physical address in their templates. But the FTC’s go-ahead to use postal boxes gives some relief to those bedroom-and-garage eretail startups and eBay entrepreneurs who don’t want business mail delivered to their homes.

-> Provision #4. Definition of ‘person’

Get ready for a bit of legal jargon: A ‘person’ now is not limited to a human being. An FTC ‘person’ includes groups, institutions, unincorporated associations, businesses of all sizes and nonprofits, as well as human beings. This definition leaves no doubt now that nonprofits must abide by CAN-SPAM.

In short, if an email is perceived as promotional, CAN-SPAM applies to that sender – nonprofits included.

-> Provision #5. Forward to a Friend

Brands doing ‘forward-to-a-friend’ viral emails – where participants are rewarded, incentivized or induced – must adhere to CAN-SPAM rules. They must honor opt-out requests and provide a physical address to people who receive the forwards.

“Under the new rules, an advertiser is considered the ‘sender’ of the forwarded email, and thus responsible for scrubbing the friend’s name against its ‘Do Not Email’ list and ensuring that the forwarded message has a functioning opt-out mechanism – among other requirements,” says Terri Seligman, Partner, Loeb & Loeb, LLP. “However, in contrast to the FTC’s earlier proposed rules, the final rule acknowledges that simply encouraging consumers to forward a message, without [incentives or rewards], does not subject the advertiser to ‘sender’ liability under CAN-SPAM.”

A Web page that uses a ‘click here to forward’ feature that lets recipients forward a message or link to someone else – without providing any further encouragement to do so – also is exempt.

CAN-SPAM Overview: ‘Do Not Email’ Pain Point
OK, you have the latest on CAN-SPAM updates. Here’s a refresher on a couple of the act’s key rules:

First, CAN-SPAM requirements might seem simple to comply with – just implement your postal address and an opt-out link onto your email template and abstain from ‘deceptive’ subject lines, etc. But many marketers overlook DNE (Do Not Email).

The act says, “Recipients of commercial electronic mail have a right to decline to receive additional commercial electronic mail from the same source.”

This seems easy – just allow for opt-outs. But it’s difficult for many organizations to implement DNE because the opt-out isn’t just for the particular list that sent the mail. The opt-out applies to any promotional email any list or staffer from your brand might send ever again.

Company X sends a 20% off widgets sales alert to its house list. The recipient, John@ISP.com, decides to opt out. Company X must remove (or suppress) that email address from every single promotional mailing that it sends, or is sent on its behalf, from now on.

Sound simple? Consider all the lists and databases that John@ISP.com might be on. Perhaps an outside sales rep at Company X decides to send a sales pitch to John@ISP.com. How about a Company X reseller or distributor? What if Company X has an affiliate program? Perhaps it has other widget-selling locations, branches, or franchises? Not to mention a permission opt-in list that Company X’s marketing team might rent in the future.

All of these have to remove (or suppress) John@ISP.com before sending a commercial message – even if that message complies with CAN-SPAM. Company X could be sued if they don’t.

However, is Company X in real danger if they ignore the suppression rule and allow commercial email to be sent to John@ISP.com? Most lawsuits will be filed against the big, obvious targets, such as emailers that send offensive or deceptive messages to non-permission lists. Even though you probably won’t get caught, you are still breaking the law.

When dealing with CAN-SPAM issues, it’s best to talk to an attorney. It’s always better to err on the side of caution. The harm to your reputation from a single publicized legal bout over spam could permanently damage your marketing career.

Re-subscribing is another CAN-SPAM gray area. Better-safe-than-sorry interpretations say that marketers should never, ever send anything to that address anymore. And any queries from a DNE-list address should go unanswered.

We at Sherpa believe that you can return a DNE-list address to active status if they choose to re-subscribe. But take extreme care and log all contacts showing who contacted whom first. If you get a new subscription request from a DNE-list address, treat it with kid gloves. Your email vendor can suggest alternatives based on your operating system, but here are two possibilities:

- At your Web site, requests coming from DNE-list addresses from a Web form can trigger a warning page or pop-up alert reminding users that they had previously opted out of email. It asks them to confirm the request. If you get an affirmative, first remove the address from your DNE list and then proceed with the subscription process.

- Email subscription requests can trigger an auto-responder message with the same warning and confirmation request that would go on a Web page. You might have to override your DNE protection to send that email, though.

Requests that come from alternative channels – point-of-purchase forms, customer-service dealings, etc. – must be handled almost case by case. Again, your database manager or ESP might suggest a more-productive method. We can’t tell you exactly how to do it. But it will depend on how your list software works and how you have configured it to check against your DNE list for matching addresses and preventing accidental mailings.
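A sketch of the DNE handling described above, as an added example rather than any vendor's code: one brand-wide suppression list that every outgoing list is scrubbed against, a confirmation gate for re-subscribe requests, and a log of who contacted whom. The class, method and channel names are hypothetical, and lower-casing addresses for matching is an assumption.

```python
from datetime import datetime, timezone


def normalize(address: str) -> str:
    # Assumption: match case-insensitively so "John@ISP.com" equals "john@isp.com".
    return address.strip().lower()


class DoNotEmailList:
    """Brand-wide suppression list with an audit trail of who contacted whom."""

    def __init__(self):
        self._suppressed = set()
        self.audit_log = []  # (UTC timestamp, address, event, channel)

    def _log(self, address, event, channel):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, address, event, channel))

    def opt_out(self, address, channel):
        addr = normalize(address)
        self._suppressed.add(addr)
        self._log(addr, "opt-out", channel)

    def scrub(self, recipients):
        """Drop suppressed addresses from any outgoing list, whoever owns it."""
        return [r for r in recipients if normalize(r) not in self._suppressed]

    def request_subscription(self, address, channel, confirmed=False):
        addr = normalize(address)
        if addr in self._suppressed and not confirmed:
            # The recipient made first contact: record it, then show the warning.
            self._log(addr, "resubscribe-requested", channel)
            return "confirm-required"
        if addr in self._suppressed:
            # Affirmative answer: remove from the DNE list first, then subscribe.
            self._suppressed.discard(addr)
            self._log(addr, "resubscribe-confirmed", channel)
        self._log(addr, "subscribed", channel)
        return "subscribed"


# Constructed sample data: a house list and a sales rep's list share one DNE list.
dne = DoNotEmailList()
dne.opt_out("John@ISP.com", "unsubscribe-link")
print(dne.scrub(["john@isp.com", "ann@example.com"]))      # sales rep's list
print(dne.request_subscription("John@ISP.com", "web-form"))
```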

Also, it might not be a bad idea to incorporate a sentence or two pointed at the rejoining subscribers in your welcome message: “And thank you to those who have come back to our newsletter to learn more about our products.”

