Wednesday, May 14, 2008By: Ray Everett - Church
After four years of drafts and discussions, the Federal Trade Commission has approved the Final Rule - the enforceable implementing regulations - that say how the FTC will be enforcing the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act).
The Final Rule was issued by the FTC on Monday, May 12, and will be published in the Federal Register, most likely within the next week or so. They will take effect 45 days after their publication. You can find a copy (http://www.ftc.gov/opa/2008/05/canspam.shtm) in PDF form at the FTC's website.
(Obligatory disclaimer: The information contained in this blog posting is not intended to serve as legal advice. If you have any questions about compliance or liability, you are urged to seek appropriate legal counsel.)
The entire federal register notice is 109 pages long, although the rule itself is only six pages of that. The rest of the document is a lengthy but incredibly informative discussion of all the feedback they received during the process and an explanation of why they did or did not choose certain approaches.
The rule itself sets out four main issues that will affect senders of commercial email:
* The FTC clarified that when the law uses the term "person," that will include not only individual human beings, but also corporations and non-profit organizations.
* To satisfy the Act's requirement that commercial email display a "valid physical postal address," a sender is allowed to use an accurately-registered post office box or private mailbox, so long as it is established under the applicable United States Postal Service regulations for such services.
* An e-mail recipient cannot be required to pay a fee, provide information other than his or her e-mail address and opt-out preferences, or take any steps other than "sending a reply e-mail message or visiting a single Internet Web page" to opt out of receiving future e-mail from a sender.
* The definition of "sender" will be modified to include a means of creating a "designated sender" who will be responsible for complying with the Act in those situations where multiple parties may be advertising in a single e-mail message.
The first two points are neither earth shattering nor controversial. But the same cannot be said of the other two, or of the many issues which the FTC chose to discuss in its notice but on which it ultimately chose to punt rather than issue regulations.
Prohibiting the charging of a fee to be unsubscribed is a no-brainer. But by prohibiting the asking of additional information, which would include usernames and passwords, could mean some changes for how sites handle the unsubscribe process.
Moreover, the discussion makes it quite clear that the FTC will not look kindly upon any process that takes more than one page, or fills that page with other advertising or marketing pitches. A big flashing banner that says "Please don't unsubscribe!" will definitely not be allowed on the unsubscribe page. Whether you could place some kind of appeal on the landing page after the unsubscribe request itself has been processed is not clear in the discussion by the FTC.
The biggest news in this Final Rule, however, is how the FTC chose to modify the definition of "sender" in response to many inquiries about multi-advertiser messages. They added to the definition of "sender" to clarify that:
"...when more than one person's products, services, or Internet website are advertised or promoted in a single electronic mail message, each such person who is within the Act's definition will be deemed to be a "sender," except that, only one person will be deemed to be the "sender" of that message if such person: (A) is within the Act's definition of "sender"; (B) is identified in the "from" line as the sole sender of the message; and (C) is in compliance with [the Act and the FTC's Final Rule]."
In creating the concept of a "designated sender," the discussion in the notice indicates that the FTC intends that the "element requiring identification of the person in the "from" line [be] mandatory."
Under the Act, the "from" line (the line identifying or purporting to identify a person initiating the message) must accurately identify any person who initiated the message. So when taken in conjunction with this change, the FTC seems to be requiring that there be at least one entity accurately identified in the "from" line and they're probably going to presume that that entity will be deemed to be sender.
Applying this process to an example, let's say a newsletter publisher "PublishCo" sends an advertisement containing promotions for Company A, Company B, and Company C. Under the originally proposed definition of "sender," all four entities could be considered a sender, and thus all four would be responsible for ensuring CAN-SPAM Act compliance.
But under the Final Rule, the FTC would allow PublishCo to be the "designated sender" to be responsible for all compliance tasks, no matter how many advertisers appear in the body of the message.
To be the designated sender, however, PublishCo would need to be accurately identified in the "from" line, include their physical address in the body of the email message, and provide one of the two designated opt-out mechanisms (e.g., "sending a reply electronic mail message or visiting a single Internet Web page").
It's important to note that the rule does not require that there be a designated sender. The FTC discussion indicates that having an entity identified in the "from" line is "mandatory," but the discussion goes on to indicate that the rule:
"does not eliminate the possibility that a message may have more than one "sender." However, marketers can use the criteria set forth in the proviso to establish a single sender and reduce CAN-SPAM's compliance burdens. If marketers fail to structure the message to avoid multiple senders under the sender definition, then each sender is obligated to comply with CAN-SPAM requirements for senders, notably, to provide its physical postal address and to honor any opt-out requests."
In other words, if you don't have a designated sender, every advertiser appearing in a message could be deemed a sender and be responsible for processing unsubscribes and sharing suppression lists with all other senders. In a newsletter containing ads for a half-dozen advertisers, this could rapidly turn into a compliance mess, with each and every one of the advertisers liable for ensuring that all the collecting, processing, and trading of unsubscribe lists with all the other advertisers occurs without a hitch.
Under our example above, if the email "from" line did not indicate a single designated sender and instead provided something less definitive (e.g., "A_Consortium_of_Fine_ Businesses@PublishCo.net"), then all of the advertisers in the message could still be considered "senders" under the Act and be responsible for not only its own compliance but the compliance activities of every other "sender" on that message.
There's also another twist to this. In order for PublishCo to meet the Act's definition of a sender, it would need to be considered as advertising in the message. This requirement could be met with something as simple as including the words, "For the best in new products and services, come visit PublishCo.net." Without some content that could be clearly considered advertising for itself, however, PublishCo might not fulfill the legal definition of a sender and leave all the other advertisers on the hook.
The decision about whether to be a designated sender is one that a company like our fictional PublishCo will have to make with its legal counsel. But it might make sense for PublishCo to step up and be the entity identified as the designated sender, placing their address in the "from" line, their contact information in the message body along with their unsubscribe process, allowing PublishCo to take on the tasks of providing consumers with the opt-out choices, and in turn providing each advertiser with the suppression list arising from that campaign. For most ESPs or publishers, this could mesh well with the existing value-added services such organizations already provide.
Taking on this role as the designated sender would also allow PublishCo to offer choices to subscribers about exactly which advertisements they want to receive. While we noted that the FTC expects the unsubscribe process to be simple and unencumbered with additional advertisements or appeals, the law does still permit offering an array of choices.
Simplifying the compliance process by having a "designated sender" may help avoid legal problems, but it can also help email deliverability. Think of our example above with three advertisers and a publisher. If all four entities were considered senders, each with its own boilerplate disclosures and opt-out processes, a consumer receiving such an email might be confused about whether they might need to follow four different unsubscribe processes in order to effectively communicate their desire.
Some less-than-reputable advertisers might rejoice at such a prospect: by making the unsubscribe process cumbersome some recipients might be dissuaded from doing so - or so the theory goes. But in the end, it is really all of the senders who will wind up as the ultimate losers.
When faced with a confusing or cumbersome process, consumers will take the path of least resistance and click the "Report Spam" button or report the senders to email blacklists. Anything that drives consumers to click the spam button is among the most damaging things a sender can do to its email reputation.
At Habeas, we have long encouraged the customers of our online reputation management services to adhere to prevailing email industry best practices. Foremost among those is compliance with the CAN-SPAM Act, including making sure that the unsubscribe process is clear and simple.
At the end of the day, if a consumer is no longer interested in your email, you want to get them off your list as quickly - and from the consumer's perspective, as effortlessly - as possible, in order to avoid being labeled as spam and harming your email reputation.
Finally, it is worth noting that the FTC decided not to address a number of other thorny issues in the regulations. But the Federal Register notice does include some useful, if lengthy, discussions of many of those topics and provides some insights into how the agency might rule if pressed on those points.
Among the other topics discussed are: CAN-SPAM's definition of "transactional or relationship message"; the Commission's decision not to alter the length of time a "sender" of commercial e-mail has to honor an opt-out request; the Commission's determination not to designate additional "aggravated violations" under the Act; and the Commission's views on how CAN-SPAM applies to forward-to-a-"friend" email marketing campaigns.
The viral "tell a friend" email model, in which someone either receives a commercial e-mail message and forwards the e-mail to another person, or uses a Web-based mechanism to forward a link to or copy of a Web page to another person, is a hallmark of today's hottest social networking websites. The FTC declined to wade into regulating those kinds of emails, but they took pains to explain that, as a general matter, if the seller offers something of value in exchange for forwarding a commercial message, the seller must comply with the Act's requirements, such as honoring opt-out requests.
At the end of the day, for those familiar with the regulatory process, it's not surprising that this one has produced a set of rules that raises almost as many questions as it answers. We will undoubtedly see a number of additional inquiries to the FTC seeking further advice as companies explore how the Final Rule affects their particular ways of doing business.
But the good news for senders is that the new FTC rules will probably not have a significant adverse effect on senders who are already following the industry's best practices recommendations.
For those Habeas customers who are already utilizing our online reputation management services, our deliverability analysis and auditing process will be updated to reflect the guidance provide by the FTC for CAN-SPAM Act compliance. (Should you have any questions about your compliance practices, your customer service rep can provide you with further information.)
In the meantime, all email marketers should assume that the 45-day compliance clock is running and that they will soon be held accountable under the new regulations. For some senders, these new regulations will require changes in how they process unsubscribes or manage multi-sender campaigns.
To tackle these and other compliance questions, senders should consider a Compliance Analysis by the Habeas Advisory Services team, in which experts from Habeas review your CAN-SPAM Act compliance practices and make recommendations for reducing your risks. You can contact Ray Everett-Church <ray@habeas.com>, Director at Habeas, for more information.
