After Three Years: FTC Approves Revision to CAN-SPAM Act from 2003

The Federal Trade Commission (FTC) made a revision to the original Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (called CAN-SPAM or the Act) after three years of considering public comments. The Commission received 152 comments and suggestions on the NPRM and 13,517 comments and suggestions on the ANPR from representatives of a broad spectrum of the online commerce industry, trade associations, individual consumers, and consumer and privacy advocates. The Commission vote to approve the Federal Register Notice was 4-0.

I decided to post about this update because I like to point to the CAN-SPAM act as a good example of what you get as an industry if you are unable to regulate yourself and specify any form of best practices to distinguish yourself from unethical spammers. The Direct Marketing Association (DMA) was able to get some changes through before the final release of the act, but that you could best describe as damage control. The DMA was not involved when the act was originally developed. As you can see, the FTC was this time much more open to feedback and comments (I assume that one reason for that was the fact that the Act did nothing to reduce spam, but caused an outcry from legitimate advertisers instead).

If you are not familiar with the original CAN-SPAM act, here is a link to the document in PDF format at the FTC website.

The 4 points that were added to the original act address some of the practical issues that resulted from the original act, but none of them will have any impact on reducing the SPAM problem itself. If you hoped that you would receive less spam anytime soon, you will be disappointed.

The FTC News release from May 12, 2008 summarizes the changes as follows:

  1. an e-mail recipient cannot be required to pay a fee, provide information other than his or her e-mail address and opt-out preferences, or take any steps other than sending a reply e-mail message or visiting a single Internet Web page to opt out of receiving future e-mail from a sender;
  2. the definition of “sender” was modified to make it easier to determine which of multiple parties advertising in a single e-mail message is responsible for complying with the Act’s opt-out requirements;
  3. a “sender” of commercial e-mail can include an accurately-registered post office box or private mailbox established under United States Postal Service regulations to satisfy the Act’s requirement that a commercial e-mail display a “valid physical postal address”; and
  4. a definition of the term “person” was added to clarify that CAN-SPAM’s obligations are not limited to natural persons.

The full text of the Federal Register Notice can be found here (PDF).

MarketingSherpa released a short audio podcast with their Senior Reporter Chris Heine discussing the revision with Jeff Mills of eROI. Kenneth Corbin published on May 13, 2008 an article titled “FTC Tightens Up CAN-SPAM Rules” at, which includes comments by Matt Wise of Q Interactive and Janis Kestenbaum, a staff attorney with the FTC’s Bureau of Consumer Protection.

Matt Wise said:

“Under the new rules, multiple advertisers collaborating on an e-mail campaign will have the opportunity to designate one as the sender, which will be required to identify itself in the “from” line. The e-mails must contain a mechanism for a user to opt out of receiving future messages, which the designated sender will then be responsible for processing.”

Wise added

“that he hopes the new rules for multi-brand messages will streamline the unsubscribe process, with marketing companies such as his own taking on the responsibilities for maintaining opt-out lists.”

Janis Kestenbaum said

“Also under the new rules, advertisers will be able to satisfy the requirement for including a postal address with a P.O. box or a private address. Previously, they had to include a corporate street address in their messages.”

The update will also include language to simplify the requirements of an opt-out process. Marketers will not be able to require consumers to pay a fee or furnish any data other than an e-mail address to process an opt-out request.

Jeff Mills expressed some concerns that this might create a problem for advertisers who require their customers to log in to their account to update their email preferences. I don’t think that there is too much reason for concern, based on the comments of Janis Kestenbaum, who said that the main impetus behind that update was to prevent companies from using consumers’ request to opt out as a springboard to extort more information about them. Similarly, marketers will not be able to require consumers to visit more than one Web site to process an opt-out request, she said.

If the customer has an online account with an advertiser already, then I believe that those advertisers need to provide the means for the customer to simply opt out by entering his email address into a form or something like that. This form could be used by pranksters to opt out friends, colleagues or other people where the prankster knows the email address and assumes that the person is a subscriber to a specific newsletter. The owner of the email address would become pretty upset if he suddenly does not get his email newsletter anymore. If I should be wrong, I strongly recommend that advertisers put something into their FAQ saying that they cannot control who is opting out whom because of the new legal requirements by the FTC.

On a side note, the FTC left the deadline for complying with an opt-out request unchanged at 10 days.

The new rules will take effect 45 days after the FTC publishes the update in the Federal Register.

Here is a list with some additional legal resources that are relevant for internet marketers.

Cheers!

Carsten Cumbrowski

About Carsten Cumbrowski

Internet Marketer, Entrepreneur and Blogger. To learn more about me and what I am doing, visit my website and check out the “about” section.

Twitter: ccumbrowski

4 Responses to After Three Years: FTC Approves Revision to CAN-SPAM Act from 2003

  1. Carsten-

    I think you mis-stated two very important things about CANSPAM in your post…

    1. “The DMA was not involved when the act was originally developed.”

    Yes, it was as were a number of agencies and merchants. I was working for an email marketing company at the time and we were in Orlando for the DMA’s when the FTC announced the new statute. The DMA was involved and very supportive (as were most legit email marketers) of its passage.

    2. “As you can see, the FTC was this time much more open to feedback and comments (I assume that one reason for that was the fact that the Act did nothing to reduce spam, but caused an outcry from legitimate advertisers instead).”

    CANSPAM was never meant to curtail the amount of spam. It was a way to facilitate and distinguish legitimate email marketers from the spammers so that the federal government could go after the “bad guys” under federal laws rather than the myriad of state laws that were popping up at the time and opening the doors for an amazing amount of tortious suits against legitimate marketers.

    The updates are a positive improvement on the law, but let’s not be ahistorical and pretend that CANSPAM was created out of a vacuum that didn’t involve the DMA or email marketers. If anything, it put permission based email marketing on the map as a more acceptable and profitable form of performance marketing.


  2. Hi Sam,

    thanks for your comments. What I heard from numerous sources was that the DMA got involved towards the end of the process and did indeed cause modifications to some of the articles in the act. Correct me if that is not correct please.

    Some of the issues of the act were addressed by the current revision.

    I follow some direct marketing publications and blogs and the picture that is drawn imo is that CAN-SPAM was in general considered to be something that was needed (the affiliate marketing industry needs something similar as well btw). However, its original context was developed by outsiders of the industry who had only little practical knowledge about what is happening in the email marketing industry. It should have come from inside the industry itself, but didn't. The only thing that could be done was to get as much as possible "fixed" and adjusted to what was considered best practices in the industry back then.

    The changes were not perfect and still created issues for legitimate advertisers while being at the same time too weak in some areas, where the Act could have been much stronger.

    It caused headaches for many in the industry who did not consider themselves black-hat.

    This is the perception of the things that I got over the past years from numerous comments and mentioning of the CAN-SPAM act.

    Again, if this perception is wrong, please let me know.

    btw. my point in my post is about the lack of any standards or best practices in affiliate marketing, which does not even have something that resembles an industry association at all today. There are affiliates and other participants in the industry who are abusing the system and cause issues for consumers and for legitimate affiliate marketers.

    If the industry cannot distance itself from what is commonly considered bad practice, outsiders will step in and force regulations upon it, which will create more issues for clean marketers than for the bad guys. There are movements that lobby for the creation of an association and establishment of best practices that lawmakers could adapt or reinforce via state or federal law and legislation. Also to create a body that communicates to the outside world on behalf of the industry to educate, lobby and support anything that is relevant to the industry as a whole.

    This context is important for the understanding of my post IMO. Just FYI.



  3. Couldn't agree with you more on the "let's clean up our town well so that others won't have to" point. It's a valid point that needs immediate consideration (and action).

    CANSPAM did cause a few headaches, but most people (even in the then maligned email publisher/CPA network space) were already doing most, if not all, of what the regulations called for but it is still a good example of how industries should enforce best practices policies themselves before governmental action is taken.

  4. It's IMHO a good example for almost throwing the baby out with the bath-water, but luckily have been able to catch it in mid air. 🙂