No Change to CAN-SPAM
Following spirited public comment over a nearly 20-month period, the Federal Trade Commission has voted to keep the CAN-SPAM Rule governing commercial email requirements as-is. The rule, which the FTC put in place following the implementation of the 2003 CAN-SPAM Act, requires commercial emails to contain certain elements. In June 2017, the FTC sought public comment on various aspects of the rule, including whether consumers were benefitting from the rule, whether it should be modified to account for technological or economic changes, and the cost of compliance for those affected. The FTC reports that the 92 public comments it received overwhelmingly favored keeping the rule. The Commission concluded that the rule benefits consumers and does not impose any significant economic burdens, and therefore no changes were warranted.
Those who submitted written comments on the rule included consumer advocacy organizations, industry trade groups, and individuals. While there was some sentiment, particularly among consumers, that the rule is weak and should include, among other things, stronger opt-out — or possibly even opt-in — methods, the Commission determined that imposing such requirements on the senders of commercial emails was outside the scope of the FTC's rulemaking authority, and the current requirements sufficiently advance the CAN-SPAM legislation.
The FTC's CAN-SPAM Rule applies to any “commercial electronic mail message,” and requires, among other things, that commercial email messages do not contain false or misleading header information; do not use deceptive subject lines (in other words, they should accurately reflect the content of the message); identify the message as an ad; tell recipients where the sender is physically located; conspicuously advise recipients on how to opt out of receiving future emails from the sender; and promptly honor opt out requests (within 10 business days).
Even if your business is in compliance with CAN-SPAM, keep in mind that the California Consumer Privacy Act, which is expected to go into effect at the beginning of 2020, will impose additional requirements on businesses that collect email addresses and other personal information from consumers, such as the right of consumers to opt out of the sale of their personal information from one business to another.