How to Comply with CAN-SPAM and All of Its New Rules
Complying with CAN-SPAM isn’t just a good idea – it’s the law. Complying with the CAN-SPAM act of 2003 and its subsequent newer rules is required of all commercial email senders, regardless of size. If you send out email that can in any way be considered commercial, or send email to a mailing list which you maintain, you need to comply with CAN-SPAM.
CAN-SPAM compliance is the minimum standard which an email sender must meet if they have any hope of having their email delivered to the inbox, rather than it being delivered to the junk folder or otherwise blocked as spam. However, most ISPs and spam filters require more stringent mailing list maintenance processes than CAN-SPAM requires – again, CAN-SPAM is the minimum standard.
Here is what you must do in order to meet the CAN-SPAM requirements. The below is current as of 2016, and covers both the original requirements of the CAN-SPAM Act of 2003, as well as the updates published by the FTC in May of 2008.
CAN-SPAM Requires that:
- All information in your email, both the email headers and body (content) of the email, be true, accurate, and not misleading.
- You provide a fully-functioning method for the recipient to opt-out of your mailings in each and every mailing, and that the act of opting out can only require a single action. [Note: the single action requirement was part of the 2008 update to CAN-SPAM.] This means that the recipient can either reply to the email to opt-out, or they can click a link that takes them immediately to the opt-out, requiring no further action. You cannot require someone to enter a password, or to have to click through to a second page, in order to effect the opt-out.
- You honor all opt-out requests, and immediately remove the user from your mailing list, and also cease sharing the user’s address with anybody, even with previously agreed-to partners. You may not “repurpose” a subscriber’s email address once they opt-out by adding it to a different mailing list, or sharing it with someone else.
- You include your physical mailing address in each and every mailing. This can be your actual street address, a post office box, or a private mail box (“PMB”) such as at a Mailboxes Etc..
The other big update to CAN-SPAM in 2008, in addition to the ‘single action’ rule, is this:
For any email you send that contains the advertisements of someone other than yourself, the entity that the email is “From” must also have their own advertisement in the email (in other words, the “From” sender must match at least one advertisement within the email). Doing so makes the “From” sender the “designated sender” under CAN-SPAM, making them responsible for processing all opt-out requests. Failure to have a designated sender – i.e. if the “From” sender does not have an advertisement for their own goods or services in the email, but there are advertisements in the email for other entities – then each and every entity advertised in the email all become responsible for processing opt-out requests.This is the requirement which by far causes the most confusion.
In large part, this requirement is an effort to hold affiliate and joint venture (“JV”) programs responsible for how their affiliates promote them. If the affiliate is honest about who they are, and their “From address”, and if they put something in the email about themselves, then the user will be able to unsubscribe from the affiliate’s list. But if the affiliate is dishonest, and hides their true identity, then the affiliate program for the product featured in the email (which will be the product being sold under the affiliate program) becomes responsible. In other words, if you are advertised in the affiliate’s email, and the affiliate cloaks who they are, you become responsible. By shifting responsiblity for mislabled email to the companies being advertised in the email, there is an incentive for affiliate program managers to more tightly police their affiliates.
An example best illustrates how this rule applies in the multi-marketer email context. Suppose A, B, and C have goods advertised or promoted in a single email message. If A’s name appears in the “from” line of the message, A is considered the “sender”. While B and C promote their goods, services, or website in the message, and may control portions or all of the content of the message, and may supply email addresses for A to use, neither B nor C would be considered “senders” (unless A does not comply with the requirements under CAN-SPAM). This is because it would be clear to a consumer that an opt-out request should be sent to A.
Another example to help explain this rule is to imagine an email newsletter. Typically such a newsletter will be from a particular organization, and there will be things about that organization in the newsletter. However, if you received a newsletter from A, with nothing in the newsletter content at all about A, and only with content from B or advertising for B, you might be confused not only as to why you were getting this content that appears to be from B, but how to opt out. If A’s information is in the body of the newsletter, it will be much clearer to you that to opt-out, you need to opt-out with A. Or, if the “From” line is “From B”, then you will know to opt-out with B. But if the “From” is A, and the content is all B’s, then both A and B are on the hook for handling opt-outs, as it’s not really clear to the user who really should be responsible. You may know that as A you are responsible, but the recipient is going to try to opt out with B once their content lands the recipient on B’s site. You can see how this can also apply to affiliates – if affiliate A sends email promoting B’s products or content, and A is not mentioned anywhere in the offer, but the email is “From” A, then both A and B are on the hook for handling any opt-outs. But if A makes clear in the text of the offer that the offer is being sent by A, then only A is on the hook for handling opt-outs. This puts the onus on affiliates to be clear in their email that they are the ones sending the email, and on those offering affiliate programs to police their affiliates.
CAN-SPAM Applies To:
- Any and all bulk commercial email – including nearly all mailing lists of any size. If you send two or more pieces of nearly identical email to two or more different people, your email can be considered to be bulk commercial email for the purposes of CAN-SPAM.
- Email for which a primary purpose is to feature your goods, services, or content even if you do not send the email yourself.
- All email sent out by your affiliates on your behalf.