- California Enacts Sweeping Ban on Unsolicited E-Mail Advertising
- October 9, 2003 | Authors: Ronald L. Plesser; James J. Halpert; Alisa M. Bergman
- Law Firm: Piper Rudnick LLP - Washington Office
I. Introduction and Summary
On September 23, 2003, Governor Gray Davis signed S.B. 186, a broad law prohibiting unsolicited commercial e-mail advertising and related activities that takes effect on January 1, 2004. This new law, sponsored by Representative Kevin Murray (D-Los Angeles), will significantly change both California law and the landscape of state spam regulation. S.B. 186 is the first opt-in (prior affirmative consent) spam law in California, and the first such law in the country enforced by the plaintiffs' bar with a significant statutory damages bounty. It replaces a prior notice and opt-out and "ADV" labeling requirement in California law.
It is possible that the law will be preempted within the next year by federal spam legislation or that it will be successfully challenged on dormant commerce clause,1 First Amendment, and other grounds. However, in the meantime, companies involved in e-mail advertising should pay attention to the bill's prohibitions and consider compliance strategies before January 1, 2004 as e-mail advertising is a highly volatile issue and legitimate companies that use e-mail advertising will become potential targets for the California plaintiffs' bar.
California's new anti-spam law is very broad in scope and is drafted vaguely. It imposes strict liability without knowledge that e-mail is being sent to California, covers business-to-business (B-to-B) as well as business-to-consumer (B-to-C) e-mail advertising, covers e-mail sent to telecommunications devices (possibly including wireless phones), and raises potential liability questions that may affect companies that use e-mail advertising to advertise mainstream products or services. For example, the law may affect the following sorts of business models:
- A company that sends even a single unsolicited commercial e-mail advertisements (UCE) from California or to a California e-mail address to attract new customers;
- An advertiser who uses agents or viral marketing to send B-to-B or B-to-C unsolicited e-mail advertisements from California or to a California e-mail address;
- A company that does not itself send UCE, but may be deemed to "cause" the transmission of UCE from California or to a California e-mail address;
- An e-mail list provider who supplies e-mail addresses to a third party that uses them to send UCE from California or to a California e-mail address;
- A company that collects Californians' e-mail addresses (for example, from a web site or by receiving them from a list provider) for the purpose of using those addresses to send unsolicited e-mail advertising.
Like the Utah spam law, California's new spam law is likely to generate significant litigation. S.B. 186 contains a statutory damages bounty of up to $1 million per "incident," which gives the plaintiffs' bar an incentive to test ambiguities in the law in litigation against deep-pocket defendants. However, defendants who have implemented qualifying compliance programs qualify for a cap on damages and further reduction in damages (but not summary judgment) at the discretion of the trial court.
This memo provides an overview of issues raised by S.B. 186, as well as recommendations for reducing exposure under the law. The law will be codified at Sections 17529 and 17538.45 of the Business and Professions Code. A copy of S.B. 186 can be found here.
II. What S.B. 186 Will Do
When it takes effect on January 1, 2004, S.B. 186 will prohibit a wide range of activities related to the sending of commercial e-mail: (1) sending unsolicited commercial e-mail advertising without the consent of the recipient and outside a pre-existing business relationship; (2) failing to provide notice and opt-out options in commercial e-mail advertisements to existing customers; (3) advertising by e-mail using misleading subject lines; (4) advertising using another person's domain name; (5) advertising using falsified header or router information; (6) collecting e-mail addresses for the purpose of sending UCE; (7) conducting so-called "dictionary attacks" to randomly generated e-mail addresses; (8) registering by automated means for multiple e-mail accounts to be used to send UCE; and (9) sending unsolicited commercial e-mail in violation of the rules of the recipient ISP.
1. Broad Strict Liability
The law's prohibitions (discussed in greater detail below) against unsolicited commercial e-mail sent outside of a pre-existing business relationship and its requirement to honor opt-outs apply very broadly to: (1) any advertiser who advertises through e-mail; (2) any sender of commercial e-mail; (3) any other person who "causes the transmission" of commercial e-mail; or (4) any e-mail list provider who provides e-mail addresses to which commercial e-mail is sent. § 17529.1(a) & (i). E-mail service providers who are "only involved in the routine transmission" of the advertisement over their networks are exempt from liability. § 17529.8(a)(3).
It also applies to e-mail sent from California or "to a California e-mail address," a term which is defined very broadly to include e-mail addresses: (1) for which the user receives bills at a mailing address in California; (2) "ordinarily accessed from" a computer located in California; or (3) furnished to a California resident. § 17529.1(b). Furthermore, there is no requirement that the defendant know or have reason to know that e-mail is being sent to the California e-mail address.
The breadth of the law's definitions creates strict liability under several prohibitions of S.B. 186 for: (1) the advertiser; (2) the actual sender of the e-mail; (3) the e-mail list provider for e-mails sent in violation of S.B. 186's provisions; and (4) for other entities who "cause" the sending of UCE in violation of the law. This maze of potential liability will complicate contractual arrangements among those involved in e-mail advertising.
2. Opt-In Requirement
S.B. 186 prohibits performing any of the functions discussed above with regard to any UCE sent from California or to a "California e-mail address." § 17529.2.
This ban on UCE (e.g., e-mail advertisements sent to prospects on a third party's e-mail list or even an individual whose card a salesperson picks up at a trade show) is subject to two exceptions. The first is consent of the recipient to receive e-mail advertisements from the advertiser. The second is a broad exception for e-mails sent to individuals who have a pre-existing or current business relationship with the advertiser (not the sender of the e-mail if that is a different person). This exception is not time limited and applies where the recipient has: (1) made an inquiry and provided his or her e-mail address, or (2) made an application, purchase, or transaction regarding products or services offered by the advertiser, regardless of whether consideration is involved. § 17529.1(l). The law is silent as to whether the existing business relationship exception extends to affiliated companies, and, until this issue is clarified by the courts or the law is invalidated, advertisers face litigation risk if they assume that it does. The exception does not specifically exempt personal relationships, which casts some doubt on whether "tell-a-friend" "viral" e-mail marketing programs fall within the exception.
3. Opt-Out Requirement
S.B. 186 imposes a notice and opt-out requirement for e-mails sent within the business relationship exception. In order to qualify for the exception, e-mail advertisements must provide recipients with notice and the ability to opt out of receiving further e-mail advertisements from the advertiser, who may be different than the sender of the e-mail. Free e-mail services are exempt from the opt-out requirement. § 17529.1(l).
4. Further Restrictions on Advertisers
S.B. 186 contains three further restrictions that, in contrast to the general vicarious liability approach of S.B. 186, apply only to advertisers, not to senders or list providers. These restrictions also appear to apply to all commercial e-mail advertisements, even those that follow the opt-in and opt-out requirements discussed above.
One of these prohibitions may generate significant litigation -- a prohibition against using an e-mail advertisement that has a subject line that "a person knows" would be likely to mislead a reasonable recipient about a material fact regarding the contents or subject matter of the message. § 17529.5(c). The most sensible interpretation of this provision is that the advertiser or its agent must have knowledge of the misleading nature of the e-mail advertisement, but the language is unclear.
The two other prohibitions focus on "outlaw spammer" tactics and are less likely to create exposure for legitimate e-mail advertisers. The second is a Lanham-Act-like prohibition against advertising using a commercial e-mail advertisement that contains or is accompanied by a third party's domain name without that third party's permission. § 17529.5(a). The third is a prohibition against using a commercial e-mail advertisement that contains or is accompanied by false or obscured header information, other than truthful information that a third party has lawfully authorized the advertiser to use. § 17529.5(b).
5. Spammer Tactics
The law also contains three prohibitions aimed at a number of common so-called "outlaw spammer" tactics: (1) harvesting e-mail addresses for the purpose of using them in UCE; (2) using randomly generated e-mail addresses to send UCE (so-called "dictionary attacks"); and (3) registering through automated means for multiple e-mail accounts from which to send UCE. § 17529.4(a)-(c).
However, the harvesting prohibition is framed too broadly and is not limited to automated collection of e-mail addresses through means such as the use of so-called "spider" programs that search for "@" signs on web pages. On its face, the prohibition reaches any type of collection of e-mail addresses for the purpose of sending UCE from California or to a California e-mail address, including human review of the addresses of potential customers in online auctions, chatrooms, etc., and possibly even receiving e-mail addresses from a third-party list provider.
Violations are enforceable by recipients (the plaintiffs' bar), e-mail service providers, and the state Attorney General. Remedies for each violation include either actual damages or liquidated damages of $1,000 per e-mail advertisement message sent in violation of the opt-in or opt-out requirements, up to a maximum of $1 million "per incident," as well as costs and attorneys' fees for prevailing plaintiffs. § 17529.8(a)(1) & (2). The term "incident" is defined as a single transmission or delivery to multiple recipients of UCE containing substantially similar content. § 17529.1(j). It will likely be tested in litigation, with plaintiffs arguing that each batch of UCE sent out constitutes a separate incident.
The law does provide for a reduction in damages -- to at most $100 per message or $100,000 per incident -- for defendants who have implemented compliance programs to prevent violations of the bill. To qualify, the defendant must be able to prove that it established and implemented "with due care practices and procedures reasonably designed to effectively prevent" UCE advertisements in violation of the law. § 17529.8(b). While this provision is certainly useful to potential defendants as a means to reduce significantly the maximum value of lawsuits brought under § 17529.8, it does not provide for dismissal of lawsuits against companies that inadvertently violate the law's strict liability prohibitions. Furthermore, the issue of whether a compliance program was implemented with "due care" is fact-intensive and will require documentation of compliance efforts (see recommendations below).
S.B. 186 does not specifically provide for remedies for violations of the special advertiser and spammer tactic prohibitions discussed above under items #3 and 4 above. It appears that any such violations involving e-mail sent in violation of the opt-in or opt-out prohibitions may trigger separate liability. However, if, for example, the e-mail advertisements complied with the law's opt-in and opt-out requirements, but still contained a misleading subject line, S.B. 186 would not provide for a remedy. In such a situation, a cause of action might still lie under Business and Professions Code § 17200, a catch-all statute that provides for A.G. enforcement actions and plaintiffs' actions for injunctions and restitution of ill-gotten gains in the case of business practices that violate California law.
7. Requirements to Honor ISP Prohibitions Against Sending UCE
S.B. 186 also amends a provision currently in § 17538.4 of the California Business and Professions Code (to be recodified at § 17538.45) that requires senders of commercial e-mail to honor the policies of ISPs and other e-mail service providers (such as Hotmail) prohibiting or restricting transmission of UCE on their networks.
These violations are subject to a separate remedy scheme of $50 per e-mail message up to a maximum of $25,000 per day, as well as award of costs and attorneys' fees to the prevailing party. § 17538.45(f)(1) & (2). The amendment specifies that ISPs may sue either under § 17538.45 or under the remedy provisions of new § 17538.8, but not under both provisions. See § 17538.45(f)(4).
The underlying prohibition applies to B-to-B and B-to-C UCE, and only to entities that actually use the ISP's facilities to send UCE or "cause" the facilities to be used for UCE (not specifically to advertisers). It also has a broad exception for existing business or personal relationships. Liability is triggered only if the violator receives actual notice of the ISP's policy and that the defendant's UCE advertisements would use or cause to be used the e-mail service provider's equipment located in California. § 17538.45(f)(3)(A)(ii).
III. Actions to Consider Taking in Light of California's New Spam Law
Companies involved in sending e-mail from California or to a California e-mail address should consider, well before the January 1st effective date, the following sorts of measures to reduce litigation risk under S.B. 186:
- To be able to take advantage of the reduction-in-damages provision in § 17529.8(b), develop and document a compliance program showing that you have implemented "with due care practices and procedures reasonably designed to effectively prevent" e-mail advertisements in violation of the law.
- For all e-mail advertising that you think may be sent to a California e-mail address, undertake and document measures designed to avoid advertising, transmitting, or supplying e-mail lists for UCE (e.g., e-mail advertisements sent to prospects without their consent) or e-mail advertisements sent without providing notice and the opportunity to opt out to all recipients.
- If you advertise through affiliate or "partner" e-mail marketing, undertake and document steps to verify that your corporate affiliates and business partners are not sending e-mail to your customers under their name, and compile evidence showing that if they are sending e-mail advertisements in violation of S.B. 186's opt-in or opt-out requirements, it is they, not you, who are advertisers within the meaning of § 17529.1(a).
- If you use "viral" marketing programs (programs in which third-party users advertise your content via e-mails to friends), review them very carefully and at a minimum take meaningful steps to discourage users from sending e-mail to California e-mail addresses.
- If you provide lists of e-mail addresses to others, consider developing before January 1st e-mail lists scrubbed of California residents. Undertake and document steps you have taken to remove California residents from e-mail lists.
- If you have an e-mail list and intend to send UCE, consider before January 1st either (1) confirming that all e-mail addresses on that list will not fall within the bill's definition of a California e-mail address, (see section II. 1. above), or (2) seeking consent to receive e-mail advertisements from you.
- If you send UCE and receive notice from an ISP or e-mail service provider that your e-mail activity violates their e-mail policies and that this UCE is using their facilities, take steps to cease e-mailing to those systems.
- If you are an employer and intend to send e-mail advertisements to your employees, consider obtaining consent as part of employment-related agreements or terms and conditions for use of your company network because the preexisting or current business relationship exception does not appear to cover advertisement offering within the context of employment relationships.
1 The law raises dormant commerce clause issues because it does not contain a requirement that the defendant knew that its e-mail was sent to a California e-mail address and because the definition of a "California e-mail address" itself applies in some circumstances to e-mail sent wholly outside of California. For example, California e-mail addresses are defined to include e-mail addresses "ordinarily accessed" from a computer located in California, § 17529.1(b)(2), even if the computer is not accessed from California in the case of the violations.