I was at the Secure360 conference (a fabulous event, btw) this week, and I’m just getting to an important current topic: CAN-SPAM.
On Monday (5/12) the FTC announced an update to the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) law.
“FTC Approves New Rule Provision Under The CAN-SPAM Act
The Federal Trade Commission has approved four new rule provisions under the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM or the Act). The provisions are intended to clarify the Act’s requirements. The provisions and the Commission’s Statement of Basis and Purpose (SBP) will be published in the Federal Register shortly.
The new rule provisions address four topics: (1) an e-mail recipient cannot be required to pay a fee, provide information other than his or her e-mail address and opt-out preferences, or take any steps other than sending a reply e-mail message or visiting a single Internet Web page to opt out of receiving future e-mail from a sender; (2) the definition of “sender” was modified to make it easier to determine which of multiple parties advertising in a single e-mail message is responsible for complying with the Act’s opt-out requirements; (3) a “sender” of commercial e-mail can include an accurately-registered post office box or private mailbox established under United States Postal Service regulations to satisfy the Act’s requirement that a commercial e-mail display a “valid physical postal address”; and (4) a definition of the term “person” was added to clarify that CAN-SPAM’s obligations are not limited to natural persons.
In addition, the SBP accompanying the final rule also addresses a number of topics that are not the subject of any new rule provisions. These include: CAN-SPAM’s definition of “transactional or relationship message”; the Commission’s decision not to alter the length of time a “sender” of commercial e-mail has to honor an opt-out request; the Commission’s determination not to designate additional “aggravated violations” under the Act; and the Commission’s views on how CAN-SPAM applies to forward-to-a-“friend” e-mail marketing campaigns, in which someone either receives a commercial e-mail message and forwards the e-mail to another person, or uses a Web-based mechanism to forward a link to or copy of a Web page to another person. The SBP explains that, as a general matter, if the seller offers something of value in exchange for forwarding a commercial message, the seller must comply with the Act’s requirements, such as honoring opt-out requests.
The new rule provisions and SBP are a follow-up to a Notice of Proposed Rulemaking (NPRM) and Advance Notice of Proposed Rulemaking (ANPR) on these and other CAN-SPAM topics that the Commission published on May 12, 2005 and March 11, 2004, respectively. The Commission received 152 comments and suggestions on the NPRM and 13,517 comments and suggestions on the ANPR from representatives of a broad spectrum of the online commerce industry, trade associations, individual consumers, and consumer and privacy advocates. The new rule provisions and SBP are based on these comments and suggestions as well as the Commission’s law enforcement experience.”
Are your marketing folks aware of these new changes? I know many marketing practices, in legitimate and large organizations, that currently would be in violation of these new requirements. Namely…
(1) I’ve seen several emails from legitimate organizations that require much more than just an email address to opt-out of getting further messages.
(2) I’ve seen many different types of marketing messages from legitimate organizations in which the identity of the sender is very vague and hard to determine. For example, a message often indicates that it is from an organization such as “Marketing X,” yet the message is about products, services or promotions from “Company Y.”
(3) I *RARELY* see email messages, from what otherwise seem to be legitimate organizations, that contain an actual physical mailing address.
(4) Often the emails from organizations seem to be going to any type of entity…natural person, shared ID, department in a company, whatever…that can receive an email.
Check with your marketing folks to see how they handle opt-outs; review their procedures and tools for doing so.
Then, lo and behold, the FTC announced on Tuesday the largest penalty yet for CAN-SPAM violations: “MySpace wins $230 million anti-spam judgment.”
The judgment was against Cyber Promotions, whose website, curiously enough, I could not find today.
Was the large fine judgment and the CAN-SPAM update announcement a coincidence?
Possibly. But it sure is a good motivator for organizations to take note and take action to get their act together and follow the new rules, isn’t it?
Any fine that ends in “illions” gets the attention of most organizations.
Tags: awareness and training, CAN-SPAM, Cyber Promotions, FTC, Information Security, IT compliance, MySpace, policies and procedures, privacy, risk management, security awareness, security training