A
May 31, 2013 decision by a federal district court in Utah serves as a helpful CAN-SPAM primer, using a $1.6 million damage award to teach the following lessons:
- Emailers can't hide behind a proxy server that obscures the sender’s true identity; and
- Emailers violate CAN-SPAM when they obtain a domain name for purposes that are prohibited by the domain-provider’s registration agreement.
The case also provides helpful guidance about the standing requirement that a private company must meet in order to sue for damages under CAN-SPAN--proving that it is a “bona fide Internet access service” that has been “adversely affected by spam emails.” (The case, linked above, is ZooBuh, Inc. v. Better Broadcasting, LLC, U.S. District Court for the District of Utah, Case No. 2:11-cv-00516.)
FACTS
Plaintiff ZooBuh, Inc. provides email, chat, and blogging services to approximately 35,000 customers worldwide, using its own servers and other equipment. ZooBuh sued to collect damages for approximately 13,000 commercial emails that it received from the defendants, based on the cost and inconvenience caused by their spam. The court agreed with ZooBuh and awarded it approximately $800,000 in damages, which the court doubled to $1.6 million based on a finding that defendants’ actions justified aggravated damages.
CONTENT VIOLATION: REMOTELY STORED IMAGES NOT OK FOR REQUIRED DISCLOSURES
CAN-SPAM requires that commercial email messages “clearly and conspicuously”:
- Identify that the message is an advertisement or solicitation;
- Provide notice of the opportunity to decline to receive further emails; and
- List a valid physical postal address for the sender.
Courts interpret the “clear and conspicuous” requirement to mean that these disclosures must be “unavoidable,” meaning that “any visual message shall be of a size and shade, with a degree of contrast to the background against which it appears, and shall appear on the screen for a duration and in a location sufficiently noticeable for an ordinary consumer to read and comprehend it.”
Because the defendants placed their CAN-SPAM disclosures in “remotely stored images” (which are linked to, but not actually part of, an email), the court had to decide whether remotely stored images satisfy the “clear and conspicuous” requirement. Based on industry standards and practices, the court held that remotely stored images are not unavoidable and therefore do NOT comply with CAN-SPAM.
The court noted that both the Department of Homeland Security and private industry advise against automatically downloading remotely stored images linked to emails, meaning that recipients likely would not see the images unless they took the extra step of downloading them. The court also questioned the permanence of linked images since they typically have a short shelf life and may be unavailable for downloading and viewing by an email recipient.
Therefore, commercial emailers should be careful to include required disclosures in the body of emails to make sure recipients can see them without relying on linked content. When it comes to CAN-SPAM disclosures think of the old Woody Allen quote about how "80% of success is just showing up." The disclosures have just got to be there.
HEADER VIOLATION NO. 1: HIDING BEHIND A PROXY SERVER IS NOT OK
Looking to a California state court case for guidance, the Utah court took issue with the defendants’ use of domain names in the “sender” portions of the challenged spam. Specifically, the court held that “where an email contains a generic ‘from’ name and is sent from a privacy-protected domain name, such that the recipient cannot identify the sender from the ‘from’ name or the publicly available WHOIS information,” the email is “materially misleading” and violates CAN-SPAM.
In the Utah case, the violation was pretty clear, given that the defendants’ emails were sent via privacy-protected domains that prevented the recipients from using WHOIS to identify the actual sender. Furthermore, many of the “from” lines in the defendants’ spam simply listed email “addresses” such as “Accounting Degree,” “Add a Sunroom,” “Adult Education,” “Air Conditioner,” “Airline Tickets,” “Ink Cartridges,” and “Ultrasound Technician.” Pretty clever, huh?
HEADER VIOLATION NO. 2: DOMAIN OBTAINED THROUGH FRAUD
Header violations under CAN-SPAM are not limited to false or misleading header information. Even header information that is technically accurate violates CAN-SPAM, when an email includes an originating email address, domain name, or IP address that was obtained by means of false or fraudulent representations. Not surprisingly, the defendants also ran afoul of this requirement because their registration agreement with their domain-provider required them to represent that they wouldn’t use the domain to send spam. Therefore, service providers looking to sue spammers should not give up simply because a challenged email accurately identifies the sender.
STANDING TO SUE UNDER CAN-SPAM
A person or company wanting to sue for CAN-SPAM violations must satisfy must satisfy specific standing requirements. Specifically, CAN-SPAM standing requires a plaintiff to be (1) “a bona fide internet access service” that (2) is “adversely affected” by spam.
Even where companies have been damaged by spam, the standing requirement can be problematic because of courts' strict interpretation of the first prong of this standing analysis. With regard to CAN-SPAM, Congress intended “that internet access service providers provide actual internet access service to customers.” Courts including the Ninth Circuit have found that there is also a required “ownership and control counterpart” to the first prong of the standing requirement.
When deciding whether ZooBuh was a "bona fide internet access service," the Utah court considered another case where an email provider had failed to satisfy that standing requirement because
the provider simply accessed an online control panel through internet service provided by Verizon to work with email accounts hosted by GoDaddy on GoDaddy's servers. Gordon v. Virtumundo, 575 F.3d 1040, 1052 (9th Cir. 2009). In contrast, the Utah court found that ZooBuh is a bona fide internet access service, because:
"Every ZooBuh email account is registered, hosted and serviced through ZooBuh’s own hardware. ZooBuh has sole ownership of all the hardware, complete and uninhibited access to the hardware, and sole physical control over the hardware. ZooBuh also provides each of its customers with their own web-based email portal (which ZooBuh designed, configured, and maintains) through which the ZooBuh customers access their selected web-based services (i.e., email, blogs, chat)."
Having found that ZooBuh satisfied the first prong of the standing analysis, the court proceeded to find that ZooBuh also satisfied the second, “adversely affected” requirement for CAN-SPAM standing due to its “financial expense and burden; lost time; lost profitability; decreases in the
life span of ZooBuh’s hardware; server and bandwidth spikes; server crashes; and pre-mature
hardware replacements.”