The law required the FTC to report back to Congress within 24 months of the effectiveness of the act No changes were recommended. It also requires the FTC to promulgate rules to shield consumers from unwanted mobile phone spam. On December 20, 2005 a detailed report to congress on the effectiveness of the act indicated that the volume of spam has begun to level off, and due to enhanced anti-spam technologies, less is reaching consumer inboxes. A significant decrease in sexually-explicit e-mail was also reported. However, this progress is most likely attributed to improved technologies, not to the law.
The CAN-SPAM Act is commonly referred to by anti-spam activists as the YOU-CAN-SPAM Act because the bill does not require e-mailers to get permission before they send marketing messages It also prevents states from enacting stronger anti-spam protections, and prohibits individuals who receive spam from suing spammers. The Act has been largely unenforced, despite a letter to the FTC from Senator Burns, who noted that "Enforcement is key regarding the CAN-SPAM legislation." In 2004 less than 1% of spam complied with the CAN-SPAM Act of 2003.
16 C.F.R. part 316, "Definitions and Implementation Under the CAN-SPAM Act; Final Rule" goes into effect July 7, 2008 and changes the original CAN-SPAM Act of 2003 by (1) Adding a definition of the term "person"; (2) Modifying the term "sender"; (3) Clarifying that a sender may comply with section 7704(a)(5)(A)(iii) by including a post office box or private mailbox and (4) Clarifying that to submit a valid opt-out request, a recipient cannot be required to pay a fee, provide information other than his or her email address and opt-out preferences, or take any other steps other than sending a reply email message or visiting a single page on an Internet website.
CAN-SPAM defines a "commercial electronic mail message" as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose)." It exempts "transactional or relationship messages." The FTC issued final rules (16 C.F.R. 316) clarifying the phrase "primary purpose" on December 16, 2004. Previous state laws had used bulk (a number threshold), content (commercial), or unsolicited to define spam.
Commercial by many industry standards is defined by a combination of the content in the subject line and "above the fold content" in the body of the message. If this content contains a solicitation and it can be determined that the majority of the content is selling something- it is a commercial offer.
If the subject line and body content are majority invoicing information, a sales receipt, account information, etc. the offer is considered transactional. Note that an offer or advertisement can be placed in a transactional message so long as it is placed in a non-prominent position. Many in the email marketing industry utilize the 80/20 rule to define commercial vs. transactional email in order to be clearly in either category.
The bill permits e-mail marketers to send unsolicited commercial e-mail as long as it adheres to 3 basic types of compliance defined in the CAN-SPAM Act: unsubscribe, content and sending behavior compliance:
Note that falsifying header information is a serious violation of the CAN-SPAM Act and generally is an indicator of criminal or malicious intent which can bring the attention of other law enforcement agencies besides the FTC, including but not limited to the FBI, DOJ and US Postal Inspectors.
The content is exempt if it consists of :
There are no restrictions against a company emailing its existing customers or anyone who has inquired about its products or services, as these messages are classified as "relationship" messages under CAN-SPAM .
If a user opts out, a sender has ten days to cease sending and can only use that email address for compliance purposes . The legislation also prohibits the sale or other transfer of an e-mail address after an opt-out request. The law also requires that the unsubscribe mechanism must be able to process opt-out requests for at least 30 days.
Use of automated means to register for multiple e-mail accounts from which to send spam compound other violations. It prohibits sending sexually-oriented spam without the label later determined by the FTC of "SEXUALLY EXPLICIT." This label replaced the similar state labeling requirements of "ADV:ADLT" or "ADLT."
CAN-SPAM in makes it a misdemeanor to send spam with falsified header information . A host of other common spamming practices can make a CAN-SPAM violation an "aggravated offense," including harvesting, dictionary attacks, IP address spoofing, hijacking computers through Trojan horses or worms, or using open mail relays for the purpose of sending spam.
This chapter supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto.
The legislation does not allow e-mail recipients to sue spammers or file class-action lawsuits, but allows enforcement by the FTC, State Attorneys General, Internet service providers, and other federal agencies for special categories of spammers (such as banks). An individual might be able to sue as an ISP if (s)he ran a mail server, but this would likely be cost-prohibitive and would not necessarily hold up in court. Individuals can also sue using state laws about fraud, such as Virginia's which gives standing based on actual damages, in effect limiting enforcement to ISPs.
Senator John McCain is responsible for a last-minute amendment which makes businesses promoted in spam subject to FTC penalties and enforcement remedies, regardless of whether the FTC is able to identify the specific spammer who initiated the e-mail.
Senator Corzine sponsored an amendment to allow bounties for some informants. The FTC has limited these bounties to individuals with inside information . The bounties are expected to be over $100,000 , but none have been awarded yet.
AOL Executive Vice President and General Counsel Randall Boe stated:
Trade groups such as the Direct Marketing Association (DMA) have sought to weaken implementation of the law in various ways. These include lengthening the time for honoring opt-outs from 10 business days to 31 calendar days, limiting the validity of opt-out requests to no more than two to three years, and eliminating rewards to persons who assist the Federal Trade Commission in enforcement of the act. The DMA has also opposed provisions requiring the subject line of spam to indicate that the message is an advertisement.
Within a few months, hundreds of lawsuits had been filed by an alliance of ISPs. Many of these efforts resulted in settlements; most are still pending. Though most defendants were "John Does," many spam operations, such as Scott Richter's, were known.
On April 29, 2004, the United States government brought the first criminal and civil charges under the Act. Criminal charges were filed by the United States Attorney for the Eastern District of Michigan, and the FTC filed a civil enforcement action in the Northern District of Illinois. The defendants were a company, Phoenix Avatar, and four associated individuals: Daniel J. Lin, James J. Lin, Mark M. Sadek, and Christopher Chung of West Bloomfield, Michigan. Defendants were charged with sending hundreds of thousands of spam emails advertising a "diet patch" and "hormone products." The FTC stated that these products were effectively worthless. Authorities said they face up to five years in prison under the anti-spam law and up to 20 years in prison under U.S. mail fraud statutes.
On September 27, 2004, Nicholas Tombros pled guilty to charges and became the first spammer to be convicted under the Can-Spam Act of 2003. He was sentenced in July 2007 to three years probation, six months house arrest, and fined $10,000.
On April 1, 2006, Mounir Balarbi, of Tangier, Morocco, was the first person outside the United States to have an arrest warrant validated under the CAN-SPAM Act of 2003. Mounir's trial was held in absentia, and he was sentenced in a closed session.
On January 16, 2006, Jeffrey Goodin, 45, an Azusa, California, man was convicted by a jury in United States district court in Los Angeles in United States v. Goodin, U.S. District Court, Central District of California, 06-110, under the CAN-SPAM Act (the first conviction under the Act), and on June 11, 2007, was sentenced to 70 months in federal prison. Out of a potential sentence of 101 years prosecutors had asked for a sentence of 94 months. Goodin was already detained in custody as he had missed a court hearing.
As of late 2006, CAN-SPAM has been all but ignored by spammers. A review of spam levels in October 2006 estimated that 75% of all email messages were spam, and the number of spam emails complying with the requirements of the law were estimated to be 0.27% of all spam emails.
On August 25, 2005, three people were indicted on two counts of fraud and one count of criminal conspiracy. On March 6, 2006 Jennifer R. Clason, 33, of Raymond, New Hampshire, pled guilty and was to be sentenced on June 5, 2006. She faced a maximum sentence of 5 years on each of the three counts and agreed to forfeit money received in the commission of these crimes. On June 25, 2007, the remaining two were convicted of spamming out millions of e-mail messages that included hardcore pornographic images. Jeffrey A. Kilbride, 41, of Venice, California, and James R. Schaffer, 41, of Paradise Valley, Arizona, were convicted on eight counts in U.S. District Court in Phoenix, Arizona. Both were sentenced to five years in prison, and ordered to forfeit $1,300,000. The charges included conspiracy, fraud, money laundering, and transportation of obscene materials. The trial, which began on June 5, was the first to include charges under the CAN-SPAM Act of 2003, according to the Department of Justice. The specific law that prosecutors used under the CAN-Spam Act was designed to crack down on the transmission of pornography in spam. Two other men, Andrew D. Ellifson, 31, of Scottsdale, Arizona, and Kirk F. Rogers, 43, of Manhattan Beach, California, also pled guilty to charges under the CAN-SPAM Act related to this spamming operation. Both were scheduled to be sentenced on June 5, 2006 in Phoenix.
On May 13, 2008, Sanford Wallace, and his partner, Walter Rines, were found guilty of sending unsolicited advertisements for pornography and gambling websites to MySpace users when they failed to appear in court, and ordered to pay $230 million, the largest CAN-SPAM award to date.
The act has caused problems for mailers as sexually explicit subject lines have trouble passing through statistical filters maintained by most popular e-mail companies.