The "CAN-SPAM" Act, which recently sailed through both houses of Congress and is expected to land soon on President Bush's desk, has drawn bitter criticism from many antispam activists because it 1) doesn't ban unsolicited commercial email as such; 2) reserves enforcement for public agencies and internet service providers rather than giving individual email users a right to sue; and above all, 3) would replace and override antispam laws now in effect in 37 states, most notably a new California law which would let individual email users sue for $1,000 over each unsolicited email. One activist group has dubbed the federal bill "the 'YOU-CAN-SPAM' Act because it legalizes spamming instead of banning it."
But whatever CAN-SPAM's other merits, its override of the new California law is well justified. That measure—signed into law two months ago by then-Gov. Gray Davis and set to take effect Jan. 1 unless Congress overrides it—would load punitive burdens on businesses not just in the Golden State but across the country, while shutting down uses of email that are in fact welcome to most recipients. If experience with similar laws is any indication, it would also unleash bounty-hunting lawyers who'd concentrate their efforts not on the fly-by-night spam operations that clog most users' inboxes, but on extracting money from legitimate concerns that weren't intending to break any law.
The trouble with the new California law starts with its broad definition of spam. Most unwanted bulk email is sent blindly to thousands, even millions of recipients. Under the Senate version of CAN-SPAM, as few as 100 emails sent within 24 hours can constitute bulk mailing. Amazingly, California lawmakers set no threshold at all: they explicitly contemplate liability for "a single [uninvited] transmission or delivery to a single recipient". (Think twice before sending an email to someone whose business card you picked up at a convention.) Again unlike the federal version, the California law specifies that its ban on "commercial" solicitations applies to emails from nonprofit entities and to those seeking the uncompensated "gift offer" of goods or services. Implication? It could break the law to send a single uninvited email urging a Fresno or Fontana neighbor to volunteer time or pretzels for a community association's block party.
The only lawful California messages would be those in which the recipient had either requested email regarding goods and services, or had a pre-existing business relationship with the sender. Although the bill's language is vague on the point, a valid permission given to one sender would probably not be transferable to others, even if the address holder intended to give a broad consent at the time. If so, the result would be to shut down sharing of what is known as "permission-based" email lists between marketers, no matter how willingly consumers had given such permissions. The law might also make it unlawful for, say, a trade association planning a convention to let the convention hotel approach its members with room rate information unless it first obtained a fresh consent from each member to do so.
More surprising legal traps are not hard to find. For example, it's common for newspaper websites (including that of the Wall Street Journal) to include a button inviting visitors to "Send this story to a friend". But as one ad executive (Brian Klais of Netconcepts) has pointed out, this arrangement would very likely violate the new California law, because even if the friend has a pre-existing relationship with the recipient, the newspaper, whose server will be used to send the message, doesn't.
What lends urgency to these speculations is the harsh penalty provided by Sacramento lawmakers: $1000 per errant email, payable to individual complainants. There's a million-dollar ceiling per "incident", but each transmission not containing "substantially similar content" would count as a separate incident. So a year's worth of a weekly newsletter would expose a company to $52 million in possible liability, even if no actual recipients had complained along the way. Entrepreneurial lawyers, with which California is well supplied, would be sure to demand class-action status on behalf of all recipients whom a mailer could not prove had given exactly the right kind of consent.
The example of Utah is instructive. Last year the Beehive State became the first to enact a law allowing individual recipients to sue over spam, in this case for a modest $10 per email plus attorneys' fees. Within weeks a flood of more than 1,000 suits had begun, filed by two busy law firms. According to critics, most have been aimed at reputable companies over what were intended as "opt-in" mailings to willing recipients. One enterprising attorney sent out hundreds of demand letters, typically asking $6,500 a pop, to targets including eBay, Chase Manhattan, Eddie Bauer, Disney, Royal Caribbean Cruises, Omaha Steaks, Office Depot, FTD, and Monster.com. Many of these companies were able to produce electronic audit trials to demonstrate that they did in fact have prior relationships with the complaining consumers. At the same time, more than 200 defendants have paid settlements.
Or consider the cottage industry of litigation that continues to thrive over the 1991 federal law against unsolicited faxes, which offers a $500 bounty per errant fax and triple that if the offense is willful. Fines of this magnitude might make sense as a way to provide individual grievants an economic means to vindicate their interests in a small-claims format. But lawyers soon discovered that by rolling claims into one grand class action, they could escalate the sums at stake to bet-your-business levels. A Hooters restaurant franchisee in Georgia filed for bankruptcy after a $12 million verdict over its lunch-coupon participation in six omnibus local fax mailings by a local ad agency to 1,321 recipients, one of them an attorney-turned-plaintiff. Houston lawyers demanded $7 billion from more than seventy local businesses that had advertised in a junk-fax series, including $25 million from one local Mexican restaurant; a judge eventually threw out the case, but by then terrified defendants had paid an estimated $525,000 to be let out. An Atlanta car wash chain is currently battling a demand for $110 million in another fax case. One lawyer calls it "Powerball for the clever."
Many of the defendants in these cases say unwary local managers didn't realize that fax mailings of this sort were no longer legal, or had been assured by an ad agency that all recipients had opted in to a tell-me-about-discount-offers arrangement. The CAN-SPAM law makes a gesture toward reasonableness on this front, assigning liability to an advertiser who "knows, or should have known" that a mailing was wrongful. As usual, the California law is more eager to punish: experts predict that even ordering outside marketers specifically and in writing to obey the California law won't be enough to shield companies from being sued.
Nor can the consequences of California's law be confined somehow within its own borders. There's no way to pick through a list of Hotmail or Yahoo addresses to pick out which ones are used by California residents, accessed from California computers, or billed to a California mailing address—each of these a category covered by the law. (In fact, it's unsafe to assume that an address which looks likely to belong to some other state—say, one with an mit.edu suffix—isn't held by a California resident). In practice, even relatively small businesses elsewhere in the country would run into major liability in California courts.
A spokesman for Calif. Attorney General Bill Lockyer has joined the criticism of the federal bill, claiming it will frustrate the will of the people of California. By contrast, most of the state's lawmakers in Washington, including Democratic Sens. Dianne Feinstein and Barbara Boxer, have been content to sign off on the bill, override and all. In this case, it's clear that Feinstein, Boxer et al. have the better idea.