[Federal Register Volume 73, Number 99 (Wednesday, May 21, 2008)]
[Rules and Regulations]
[Pages 29654-29680]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-11394]



[[Page 29653]]

-----------------------------------------------------------------------

Part IV





Federal Trade Commission





-----------------------------------------------------------------------



16 CFR Part 316



Definitions and Implementation Under the CAN-SPAM Act; Final Rule

  Federal Register / Vol. 73, No. 99 / Wednesday, May 21, 2008 / Rules 
and Regulations  

[[Page 29654]]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 316

[Project No. R411008]
RIN 3084-AA96


Definitions and Implementation Under the CAN-SPAM Act

AGENCY: Federal Trade Commission.

ACTION: Final Rule.

-----------------------------------------------------------------------

SUMMARY: In this document, the Federal Trade Commission (``FTC'' or 
``Commission'') issues its Statement of Basis and Purpose and final 
Discretionary Rule (``final Rule'') pursuant to section 7711(a) of the 
Controlling the Assault of Non-Solicited Pornography and Marketing Act 
of 2003 (``CAN-SPAM'' or ``the Act''), which gives the FTC 
discretionary authority to ``issue regulations to implement the 
provisions of [the] Act.''

EFFECTIVE DATE: The provisions of the final Rule will become effective 
on July 7, 2008.

ADDRESSES: Requests for copies of the provisions of the Statement of 
Basis and Purpose and final Rule should be sent to: Public Records 
Branch, Room 130, Federal Trade Commission, 600 Pennsylvania Avenue, 
N.W., Washington, DC 20580. Copies of these documents are also 
available at the Commission's Website: http://www.ftc.gov.

FOR FURTHER INFORMATION CONTACT: Janis Claire Kestenbaum, (202) 326-
2798, and Sana Coleman Chriss, (202) 326-2249, Division of Marketing 
Practices, Bureau of Consumer Protection, Federal Trade Commission, 600 
Pennsylvania Avenue, N.W., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: The final Rule: (1) Adds a definition of the 
term ``person''; (2) modifies the term ``sender'' in those instances 
where a single email message contains advertisements for the products, 
services, or websites of multiple entities; (3) clarifies that a sender 
may comply with section 7704(a)(5)(A)(iii) of the Act by including in a 
commercial email message a post office box or private mailbox 
established pursuant to United States Postal Service regulations; and 
(4) clarifies that to submit a valid opt-out request, a recipient 
cannot be required to pay a fee, provide information other than his or 
her email address and opt-out preferences, or take any steps other than 
sending a reply email message or visiting a single page on an Internet 
website. This Statement of Basis and Purpose also explains the 
Commission's rationale for not adopting other proposals contained in 
the Commission's May 12, 2005 Notice of Proposed Rulemaking 
(``NPRM''),\1\ and addresses the application of CAN-SPAM to forward-to-
a-``friend'' emails and certain other categories of email messages 
identified in the NPRM.
---------------------------------------------------------------------------

    \1\ 70 FR 25426.
---------------------------------------------------------------------------

STATEMENT OF BASIS AND PURPOSE

I. BACKGROUND

A. CAN-SPAM Act of 2003

    On December 16, 2003, the President signed into law the CAN-SPAM 
Act.\2\ The Act, which took effect on January 1, 2004, imposes a series 
of new requirements on the use of commercial electronic mail 
(``email'') messages. In addition, the Act gives federal civil and 
criminal enforcement authorities new tools to combat commercial email 
that is unwanted by the recipient and/or deceptive. The Act also allows 
state attorneys general to enforce its civil provisions, and creates a 
private right of action for providers of Internet access service.
---------------------------------------------------------------------------

    \2\ 15 U.S.C. 7701-7713.
---------------------------------------------------------------------------

    In enacting the CAN-SPAM Act, Congress made the following 
determinations of public policy, set forth in section 7701(b) of the 
Act: (1) there is a substantial government interest in regulation of 
commercial email on a nationwide basis; (2) senders of commercial email 
should not mislead recipients as to the source or content of such mail; 
and (3) recipients of commercial email have a right to decline to 
receive additional commercial electronic mail from the same source.
    Based on these policy determinations, Congress, in sections 7704(a) 
and (b) of the CAN-SPAM Act, outlawed certain commercial email acts and 
practices. Section 7704(a)(1) of the Act prohibits transmission of any 
email that contains false or misleading header or ``from'' line 
information. Section 7704(a)(2) prohibits the transmission of 
commercial email messages with false or misleading subject headings. 
Section 7704(a)(3) requires that a commercial email message contain a 
functioning return email address or similar Internet-based mechanism 
for recipients to use to ``opt out'' of receiving future commercial 
email messages. Section 7704(a)(4) prohibits the sender, or others 
acting on the sender's behalf, from initiating a commercial email to a 
recipient more than ten business days after the recipient has opted 
out. Section 7704(a)(5) prohibits the initiation of a commercial email 
message unless it contains three disclosures: (1) clear and conspicuous 
identification that the message is an advertisement or solicitation; 
(2) clear and conspicuous notice of the opportunity to decline to 
receive further commercial email messages from the sender; and (3) a 
valid physical postal address of the sender. And section 7704(b) 
specifies four ``aggravated violations'' -- practices that compound the 
available statutory damages when alleged and proven in combination with 
certain other CAN-SPAM violations.\3\
---------------------------------------------------------------------------

    \3\ 15 U.S.C. 7704(b). The four such practices set forth in the 
statute are: address harvesting; dictionary attacks; automated 
creation of multiple email accounts; and relaying or retransmitting 
through unauthorized access to a protected computer or network. The 
Act's provisions relating to enforcement by state attorneys general 
and providers of Internet access service create the possibility of 
increased statutory damages if a court finds a defendant has engaged 
in one of the practices specified in section 7704(b) while also 
violating section 7704(a). Specifically, sections 7706(f)(3)(C) and 
(g)(3)(C) permit a court to increase a statutory damages award up to 
three times the amount that would have been granted without the 
commission of an aggravated violation. Sections 7706(f)(3)(C) and 
(g)(3)(C) also provide for this heightened statutory damages 
calculation when a court finds that the defendant's violations of 
section 7704(a) were committed ``willfully and knowingly.''
---------------------------------------------------------------------------

    The Act authorizes the Commission to enforce violations of the Act 
in the same manner as an FTC trade regulation rule.\4\ Section 7706(f) 
authorizes the attorneys general of the states to enforce compliance 
with certain provisions of section 7704(a) of the Act by initiating 
enforcement actions in federal court, after serving prior written 
notice upon the Commission when feasible.\5\ CAN-SPAM also authorizes 
providers of Internet access service to bring a federal court action 
for violations of certain provisions of sections 7704(a), (b), and 
(d).\6\
---------------------------------------------------------------------------

    \4\ Sections 7706(a) and (c) of the CAN-SPAM Act provide that a 
violation of the Act shall be treated as a violation of a rule 
issued under section 18(a)(1)(B) of the FTC Act, 15 U.S.C. 
57a(a)(1)(B).
    \5\ 15 U.S.C. 7706(f). Specifically, the state attorneys general 
may bring enforcement actions for violations of section 7704(a)(1), 
7704(a)(2), or 7704(d). The states may also bring an action against 
any person who engages in a pattern or practice that violates 
section 7704(a)(3), (4), or (5).
    \6\ 15 U.S.C. 7706(g). Section 7704(d) of the Act requires 
warning labels on commercial email messages containing sexually 
oriented material. 15 U.S.C. 7704(d). In April, 2004, the Commission 
promulgated its final rule regarding such labels. See 69 FR 21024 
(Apr. 19, 2004); 16 CFR 316.4.
---------------------------------------------------------------------------

B. Notice of Proposed Rulemaking

    In its May 12, 2005 NPRM, the Commission proposed rule provisions 
on five topics: (1) defining the term ``person,'' a term used 
throughout the Act, but not defined; (2) modifying the definition of 
``sender'' to make it easier to determine which of multiple parties

[[Page 29655]]

advertising in a single email message must have its valid physical 
postal address included in the message and is responsible for honoring 
``opt-out'' requests; (3) clarifying that Post Office boxes and private 
mailboxes established pursuant to United States Postal Service 
regulations constitute ``valid physical postal addresses'' within the 
meaning of the Act; (4) shortening from ten days to three days the time 
a sender may take before honoring a recipient's opt-out request; and 
(5) clarifying that to submit a valid opt-out request, a recipient 
cannot be required to pay a fee, provide information other than his or 
her email address and opt-out preferences, or take any steps other than 
sending a reply email message or visiting a single page on an Internet 
website.\7\
---------------------------------------------------------------------------

    \7\ Prior to the NPRM, the Commission issued an Advance Notice 
of Proposed Rulemaking (``ANPR''), 69 FR 11776 (Mar. 11, 2004), 
soliciting comments on a number of issues raised by CAN-SPAM, 
including the interpretation of the term ``primary purpose,'' which 
the Commission addressed in a final Rule issued on January 19, 2005, 
codified at 16 CFR 316.3. In addition, the ANPR requested comment on 
the definitions of ``transactional or relationship message'' and 
``valid physical postal address,'' the application of the Act to 
both multiple-marketer and forward-to-a-``friend'' emails, the 
sufficiency of the ten-business-day opt-out period that had been set 
by the Act, the potential addition of new aggravated violations, and 
implementation of the Act's provisions generally. (Two issues 
addressed in the NPRM and in this Statement of Basis and Purpose -- 
the definition of ``person'' and the prohibition on charging a fee 
or imposing other requirements on recipients who wish to opt-out -- 
were not addressed in the ANPR.) The ANPR also solicited comment on 
questions related to four Commission reports required to be 
submitted to Congress. The Commission received over 13,500 comments 
in response to the ANPR.
---------------------------------------------------------------------------

    In response to this NPRM, the Commission received 152 comments from 
email marketers and their associations, email recipients, and other 
interested parties.\8\ Based upon the entire record in this proceeding 
and the Commission's law enforcement experience, the Commission hereby 
adopts final Rule provisions that are very similar, but not identical, 
to the proposed Rule provisions. As discussed in detail below, the 
adopted provisions are based upon the recommendations of commenters to 
make certain modifications in the proposed provisions, as well as the 
Commission's anti-spam law enforcement experience. Commenters' 
recommendations that the Commission has declined to adopt in its final 
Rule are also identified, along with the Commission's reasons for 
rejecting them.

II. DISCUSSION OF THE FINAL RULE
---------------------------------------------------------------------------

    \8\ Approximately 93 of these comments were submitted by 
industry representatives, 56 were submitted by consumers, and 3 were 
submitted by privacy groups. Appendix A is a list of the commenters 
and the acronyms used to identify each commenter who submitted a 
comment in response to the NPRM. These comments are available on the 
Commission's website at the following address: http://www.ftc.gov/os/comments/canspam3/index.shtm.
---------------------------------------------------------------------------

A. Section 316.2 -- Definitions

    Section 316.12,\9\ one of the Rule provisions previously adopted 
under CAN-SPAM, defines thirteen terms by reference to the 
corresponding sections of the Act that define those terms.\10\ The NPRM 
proposed modification of the previously-adopted definition of 
``sender'' by adding a proviso to cover multiple sender scenarios. The 
NPRM also proposed adding definitions of ``person'' and ``valid 
physical postal address.'' All other definitions were to remain as 
adopted. While the NPRM did not propose any changes to the Act's 
definition of ``transactional or relationship message,'' it posed a 
series of questions about the interpretation and potential expansion of 
this definition, and similarly requested comment on the application of 
the Act's definitions of ``sender'' and ``initiate'' to forward-to-a-
``friend'' email campaigns.
---------------------------------------------------------------------------

    \9\ Because the final Rule contains several new provisions, the 
numbering of the Rule's subsections has changed. All cites to the 
Rule in this Statement of Basis and Purpose are to the new, 
renumbered Rule provisions, unless otherwise stated.
    \10\ The Commission adopted these definitions in the Adult 
Labeling Rulemaking proceeding under section 7704(d) of CAN-SPAM, 
which required the Commission to prescribe a mark to be included in 
commercial email containing sexually oriented material. 69 FR 21024 
(Apr. 19, 2004). A fourteenth term, ``character,'' not defined in 
CAN-SPAM, was also defined in the Adult Labeling Rule. 16 CFR 
316.2(b).
---------------------------------------------------------------------------

1. Section 316.2(h) -- Definition of ``Person''

    In the NPRM,\11\ the Commission proposed adding a definition of 
``person,'' a term used throughout the Act,\12\ pursuant to its 
authority to ``issue regulations to implement the provisions of this 
Act.''\13\ Under the definition proposed in the NPRM, which is 
identical to the definition contained in the Telemarketing Sales Rule, 
16 CFR 310.2, the term ``person'' would mean ``an individual, group, 
unincorporated association, limited or general partnership, 
corporation, or other business entity.''
---------------------------------------------------------------------------

    \11\ NPRM, 70 FR at 25428.
    \12\ See, e.g., 15 U.S.C. 7702(8), (9), (12), (15) & (16); 
7704(a)(1), (2) & (3).
    \13\ 15 U.S.C. 7711(a).
---------------------------------------------------------------------------

    Seven of the eight commenters that addressed this issue supported 
the addition of the Commission's proposed definition of ``person,'' 
opining that it would clarify the types of entities to which the Act 
applies.\14\ The sole objection came from the Society for Human 
Resources Management (``SHRM''), which argued that unincorporated 
nonprofit associations should be excluded from the definition of 
``person'' and, therefore, wholly exempt from CAN-SPAM.\15\ SHRM argued 
that, without such an exemption, the risk of liability under the Act 
could discourage the organization's members from volunteering to serve 
in a leadership capacity.
---------------------------------------------------------------------------

    \14\ See Discover; Empire; ESPC; FNB; KeySpan; NAR; Metz. 
Adknowledge also advocated modifying the definition of ``person,'' 
but, at bottom, its argument appears to relate to liability in the 
context of a multi-marketer email. The Commission thus has 
considered Adknowledge's comment in connection with the definition 
of ``sender,'' below. See infra Part II.A.2.
    \15\ See also ABA (noting that its comments on the ANPR asked 
the Commission to clarify that the term ``person'' should exclude 
associations and other tax-exempt nonprofit organizations with 
respect to their email sent in pursuit of their tax-exempt nonprofit 
purposes).
---------------------------------------------------------------------------

    Having considered the comments, the Commission adopts without 
modification the definition of ``person'' in the proposed Rule. The 
Commission believes that the addition of this definition will advance 
the implementation of the Act by clarifying that the term ``person'' is 
broadly construed and is not limited to a natural person. The 
Commission rejects the argument that there should be a blanket 
exemption for all messages sent by unincorporated nonprofit entities. 
As we have previously observed, CAN--SPAM does not set up a dichotomy 
between ``commercial'' and ``nonprofit'' messages.\16\ Accordingly, 
when nonprofit organizations send emails the primary purpose of which 
is the advertisement or promotion of a commercial product or service, 
recipients are entitled to the Act's protections. In any event, as 
discussed below, see infra Part II.A.3.j., messages from an association 
to its members will often be ``transactional or relationship messages'' 
under section 7702(17) of the Act and thus not required to include a 
functioning Internet-based mechanism for consumers to use to opt out of 
receiving future commercial messages.\17\
---------------------------------------------------------------------------

    \16\ 69 FR 50091, 50100 (Aug. 13, 2004).
    \17\ Section 7706(d) makes clear that the Commission has only 
the same jurisdiction and power under the Act as it has under the 
FTC Act, 15 U.S.C. 41, et seq. Consequently, the FTC lacks 
jurisdiction to enforce CAN-SPAM against any entity that is not 
``organized to carry on business for its own profit or that of its 
members.'' 15 U.S.C. 44. States and providers of Internet access 
service can bring CAN-SPAM actions against nonprofits, however.
---------------------------------------------------------------------------

2. Section 316.2(m) -- Definition of ``Sender''

    Section 7702(16)(A) of CAN-SPAM defines ``sender'' as ``a person 
who initiates [a commercial electronic mail]

[[Page 29656]]

message and whose product, service, or Internet web site is advertised 
or promoted by the message.''\18\ In the NPRM, the Commission proposed 
amending the definition of ``sender'' to address concerns identified in 
the ANPR comments about the application of CAN-SPAM's definition of 
``sender'' to scenarios where multiple marketers use a single email 
message ---- for example, where a commercial email from an airline also 
contains advertisements or promotions for a hotel chain and a car 
rental company. The Commission received almost 60 comments in response 
to this proposal, many of which suggested modifications to the proposed 
Rule provision. After consideration of these comments, the Commission 
has modified the definition of ``sender'' as proposed in the NPRM. The 
final Rule provides that multiple ``senders'' of a commercial email, 
under certain conditions, may identify one among them as the ``sender'' 
who will be deemed the sole ``sender'' of the message (the ``designated 
sender''). Thus, under the final Rule, the designated sender, but not 
the other marketers using the same email message, must honor opt-out 
requests made by recipients of the message.\19\ Moreover, under the 
final Rule, the physical address of the designated sender, but not the 
addresses of the other marketers using the same email message, must 
appear in the message.
---------------------------------------------------------------------------

    \18\ 15 U.S.C. 7702(16)(A). The Commission incorporated by 
reference into the CAN-SPAM rules this definition of ``sender'' in 
its primary purpose rulemaking. 16 CFR 316.2(l); 70 FR at 3127.
    \19\ Under the final Rule, where a commercial email is sent by 
multiple ``senders'' who designate one ``sender'' to be responsible 
for honoring opt-out requests, the other marketers using the single 
email message still will be ``initiators'' of the email message and 
therefore responsible for complying with CAN-SPAM's requirements 
concerning ``initiators'': 15 U.S.C. 7704(a)(1), 15 U.S.C. 
7704(a)(2), 15 U.S.C. 7704(a)(3)(A)(i), 15 U.S.C. 7704(a)(5)(A), and 
16 CFR 316.4.
---------------------------------------------------------------------------

a. Background

    As discussed in the ANPR, the Act itself does not specifically 
address multiple-marketer emails. Rather, under the Act, if multiple 
senders using a single email message meet the definition of ``sender,'' 
each would need to provide an opt-out mechanism, a valid physical 
postal address for each sender would have to appear in the message, and 
each would be responsible for honoring an opt-out request by a 
recipient.\20\ The ANPR sought comment on ``whether it would further 
the purposes of CAN--SPAM or assist the efforts of companies and 
individuals seeking to comply with the Act if the Commission were to 
adopt rule provisions clarifying the obligations of multiple senders 
under the Act.''\21\
---------------------------------------------------------------------------

    \20\ The ``sender'' is required by the Act to honor opt-out 
requests. 15 U.S.C. 7704(a)(4)(A)(i). Additionally, the ``sender's'' 
physical postal address must be included in the message. 15 U.S.C. 
7704(a)(5)(A)(iii).
    \21\ 69 FR at 11778.
---------------------------------------------------------------------------

    Commenters responding to the ANPR claimed that implementation of 
the Act may be impeded in multiple marketer scenarios because marketers 
and consumers will encounter certain difficulties under a regime that 
holds more than one party responsible as the sender of a single email. 
First, commenters claimed that consumer confusion would result from 
multiple opt-out mechanisms and valid physical postal addresses in a 
single email message.\22\ Second, some ANPR commenters predicted that 
rigid application of CAN-SPAM's sender definition would likely chill 
electronic commerce and destroy the type of joint marketing 
arrangements that are common in industry.\23\ According to these 
commenters, marketers would have to develop mechanisms for receiving 
suppression lists (lists of email addresses of consumers who previously 
had opted-out of receiving messages from a sender) from every marketer 
or co-marketer with which they deal, and for comparing their own 
mailing lists against multiple suppression lists.\24\ In addition, a 
marketer would have to develop processes for managing multiple opt-
outs, i.e., ensuring that the consumer can opt out from each marketer 
and that all opt-outs sent to the marketer are forwarded to the 
marketers from whom the consumer no longer wishes to receive commercial 
email. These commenters argued that existing CAN-SPAM treatment of 
multiple senders in a single email is needlessly complex and results in 
unnecessary administrative costs and delays for legitimate email 
marketers because of the need to maintain and effectuate multiple 
suppression lists.\25\ Third, commenters stated that a requirement to 
check names against multiple lists would necessitate passing lists back 
and forth among several parties, increasing the risk that consumers' 
private information may be shared with inappropriate entities or 
exposed to hackers. Moreover, these commenters opined that multiple 
suppression lists could force a business to divulge customer names to 
list owners and other marketers, even when the business has promised to 
protect that information under its privacy policy.\26\
---------------------------------------------------------------------------

    \22\ 70 FR at 25429 (citing comments by American Bankers 
Association; DMA; ERA; IAC; MPAA; Microsoft; PMA; Time Warner).
    \23\ Id. (citing comments by NAA; Time Warner).
    \24\ Id. (citing comments by American Bankers Association; DMA; 
ERA; IAC; MPAA; Microsoft; PMA; Time Warner).
    \25\ Id. (citing comments by American Bankers Association; DMA; 
ERA; MPAA; Microsoft).
    \26\ Id. (citing comments by American Bankers Association; ASTA; 
ACB; DMA; IAC; MPA; Microsoft; Time Warner). ANPR commenters 
identified a fourth problem in some situations, such as newsletters. 
Commenters stated that a requirement that each separate marketer in 
a single email message be treated as a separate sender would run 
counter to consumer expectations -- consumers would expect to opt 
out of the email list of the person with whom the consumer had a 
relationship, not from a marketer in the newsletter. Id. (citing 
comments by ABM; DMA; Microsoft; Midway; Time Warner).
---------------------------------------------------------------------------

    For these reasons, many commenters responding to the ANPR urged 
that the Act's ``sender'' definition be modified to provide that when 
more than one company's products or services are advertised or promoted 
in a single email message, only one among them be responsible as the 
sender of a message for purposes of the Act.
    Based upon these comments, in the NPRM, the Commission proposed 
adding a proviso to the definition of ``sender'' to allow multiple 
sellers advertising in a single email message to designate one among 
them as the single ``sender'' of the message for purposes of the Act. 
Under the NPRM's proposed proviso, only one of multiple persons whose 
products or services are advertised or promoted in an email message 
would have been the ``sender'' if that person: (A) initiated the 
message and otherwise met the Act's definition of ``sender,'' and (B) 
was the only person who: (1) ``controls the content of such message,'' 
(2) ``determines the electronic mail addresses to which such message is 
sent,'' or (3) ``is identified in the `from' line as the sender of the 
message.'' Under the proposed Rule, if more than one person meeting the 
Act's definition of ``sender'' were to satisfy one of these three 
criteria, then each such person who satisfied the definition would have 
been considered a sender for purposes of CAN-SPAM compliance 
obligations.\27\
---------------------------------------------------------------------------

    \27\ A hypothetical example illustrated the NPRM ``sender'' 
definition proposal. If X, Y, and Z are sellers who satisfy the 
Act's ``sender'' definition, and they designate X to be the single 
``sender'' under the Commission's proposal, among the three sellers, 
only X may control the message's content, control its recipient 
list, or appear in its ``from'' line. X need not satisfy all three 
of these criteria, but no other seller may satisfy any of them. The 
sellers may use third parties to be responsible for any criteria not 
satisfied by X. For example, if X appears in the ``from'' line, the 
sellers may use third parties -- but not Y or Z -- to control the 
message's content and recipient list. 70 FR at 25428.

---------------------------------------------------------------------------

[[Page 29657]]

b. The Final Rule

    Based upon the comments responding to the NPRM proposal, the 
Commission believes that modification of the proposed Rule's definition 
of ``sender'' as it relates to multi-marketer emails is necessary. The 
final Rule drops the proposed ``controls the content'' and ``determines 
the electronic mail addresses to which such message is sent'' elements, 
adds compliance with the core provisions of CAN-SPAM as an element, 
makes the elements conjunctive rather than disjunctive, and makes the 
element requiring identification of the person in the ``from'' line 
mandatory. The Commission believes that these modifications will meet 
the concerns of marketers while still preserving CAN-SPAM opt-out 
protections.
    Thus, under the final Rule, multiple marketers can designate as a 
single ``sender,'' for purposes of compliance with the Act, a person 
who: (A) meets the Act's definition of ``sender,'' i.e., such person 
initiates a commercial electronic mail message in which it advertises 
or promotes its own goods, services, or Internet website; (B) is 
identified uniquely in the ``from'' line of the message; and (C) is in 
compliance with 15 U.S.C. 7704(a)(1), 15 U.S.C. 7704(a)(2), 15 U.S.C. 
7704(a)(3)(A)(i), 15 U.S.C. 7704(a)(5)(A), and 16 CFR 316.4.\28\ In 16 
CFR 316.2(m), the final Rule thus states:
---------------------------------------------------------------------------

    \28\ These provisions, as explained below, apply to initiators 
of commercial emails and require that the email message may not 
contain false or misleading transmission information or a deceptive 
subject heading; but must contain a valid postal address, a working 
opt-out link, and proper identification of the message's commercial 
or sexually explicit nature.
---------------------------------------------------------------------------

 The definition of the term ``sender'' is the same as the definition of 
that term in the CAN-SPAM Act, 15 U.S.C. 7702(16), provided that, when 
more than one person's products, services, or Internet website are 
advertised or promoted in a single electronic mail message, each such 
person who is within the Act's definition will be deemed to be a 
``sender,'' except that, only one person will be deemed to be the 
``sender'' of that message if such person: (A) is within the Act's 
definition of ``sender''; (B) is identified in the ``from'' line as the 
sole sender of the message; and (C) is in compliance with 15 U.S.C. 
7704(a)(1), 15 U.S.C. 7704(a)(2), 15 U.S.C. 7704(a)(3)(A)(i), 15 U.S.C. 
7704(a)(5)(A), and 16 CFR 316.4.
    The Commission makes this clarification pursuant to its 
discretionary rulemaking authority to ``issue regulations to implement 
the provisions of this Act.''\29\
---------------------------------------------------------------------------

    \29\ 15 U.S.C. 7711(a). Like the proposed Rule, this final Rule 
does not eliminate the possibility that a message may have more than 
one ``sender.'' However, marketers can use the criteria set forth in 
the proviso to establish a single sender and reduce CAN-SPAM's 
compliance burdens. If marketers fail to structure the message to 
avoid multiple senders under the sender definition, then each sender 
is obligated to comply with CAN-SPAM requirements for senders, 
notably, to provide its physical postal address and to honor any 
opt-out requests.
---------------------------------------------------------------------------

    The definition of ``sender'' in the final Rule provides marketers 
flexibility to structure their messages in a way that alleviates 
redundant obligations for the various marketers in a single email while 
ensuring that recipients of such messages receive the benefit of CAN-
SPAM's core opt-out protections. Specifically, the final Rule makes it 
more practicable than the proposed Rule for multiple marketers 
promoting their products in a single email to designate a single entity 
as the ``sender'' under the Act because the marketers' decision as to 
which of them will appear in the ``from'' line resolves the question of 
which will be considered a ``sender'' under the Act and will be charged 
with the resulting responsibilities. The final Rule eliminates the 
complex fact determination of who ``controls'' the content and the 
element of who ``determines the electronic mail addresses to which such 
message is sent.'' By placing the focus on the ``from'' line, the best 
point of reference for consumers, the modification in the final Rule 
more directly conforms to consumers' expectations as to the identity of 
the entity responsible for sending them a multi-marketer email.
    An example illustrates how the final Rule's ``sender'' definition 
applies in the multi-marketer email context. Suppose A, B, and C have 
goods advertised or promoted in a single email message and that each is 
an initiator under the Act. If A's name appears in the ``from'' line of 
the message, A is considered the ``sender'' under the final Rule. While 
B and C promote their goods, services, or Internet website in the 
message, may control portions or all of the content of the message, and 
may supply email addresses for A to use to address the message, neither 
B nor C would be considered ``senders,'' unless A did not comply with 
the listed requirements that apply to ``initiators,'' namely 15 U.S.C. 
7704(a)(1), 15 U.S.C. 7704(a)(2), 15 U.S.C. 7704(a)(3)(A)(i), 15 U.S.C. 
7704(a)(5)(A), and 16 CFR 316.4. It would be clear to a consumer that 
an opt-out request would be sent to A, the one person identified in the 
``from'' line.
    The comments and the FTC's law enforcement experience suggest that 
a provision, such as the final Rule's sender definition, that allows 
multiple senders flexibility in determining who will be the sole 
``sender'' raises the possibility of abuse by illegitimate marketers. 
As discussed below, this concern is addressed in part by the addition 
of certain initiator provisions to the proviso: 15 U.S.C. 7704(a)(1), 
15 U.S.C. 7704(a)(2), 15 U.S.C. 7704(a)(3)(A)(i), 15 U.S.C. 
7704(a)(5)(A), and 16 CFR 316.4. If the designated sender is not in 
compliance with the initiator provisions, then all marketers in the 
message will be liable as senders.

c. Comments on the NPRM's Definition of ``Sender''

    Commenters who addressed the proposed definition of sender were 
nearly unanimous in supporting a ``sender'' definition that would 
enable marketers to designate a single ``sender'' when multiple 
marketers use a commercial email message. Reiterating ANPR comments, 
several commenters noted that such a rule provision would avoid 
``daunting compliance challenges'' for email marketers, such as the 
heavy burden of cross-checking the opt-out lists of all the individual 
marketers with the designated sender's opt-out list.\30\ Likewise, 
commenters supported the NPRM's proposed Rule because it would enable 
recipients to determine the party responsible for honoring opt-out 
requests.\31\ Others noted with approval that designating a single 
sender would eliminate confusion for consumers who otherwise would face 
multiple opt-out links and postal addresses.\32\ Finally, other 
commenters opined that the proposed Rule would promote protection of 
consumer privacy.\33\
---------------------------------------------------------------------------

    \30\ See, e.g., ATAA; Charter; DoubleClick; ERA; ESPC; FNB; IAC; 
ICC; IPPC; Mattel; Microsoft; NAR; NEPA; NetCoalition; NNA. As the 
ERA summarized it, ``[D]esignating a single sender will enhance 
accuracy and compliance efforts, streamline the opt-out process for 
consumers and sellers/marketers, and avoid confusion by, among other 
things, avoiding cluttered or repetitious information in messages or 
multiple suppression lists. It also helps address privacy concerns 
that may attend to sharing consumer suppression data.''
    \31\ See, e.g., Mattel; NAFCU.
    \32\ See ATAA (it would be ``difficult to format messages in a 
way that makes them compelling and understandable to recipients'' 
because of the welter of opt-out links and postal addresses); ERA; 
ESPC.
    \33\ See ERA; NetCoalition.
---------------------------------------------------------------------------

    In contrast to the almost unanimous support for a multi-marketer 
proviso, however, few commenters supported the definition of ``sender'' 
as proposed in the NPRM without change.\34\ Many commenters raised 
concerns about the workability and clarity of the proposal,

[[Page 29658]]

as well as its consistency with consumer expectations. Most commenters 
urged the Commission to modify or clarify the criteria articulated in 
the proposed Rule. Such comments concerned four issues. The first three 
issues relate to the three listed criteria in the NPRM's proposed 
proviso: (1) the significance of the person identified in the ``from'' 
line; (2) the meaning of ``controls the content of the message'' and 
the structure of the proviso; and (3) the meaning of ``determines the 
electronic mail addresses'' to which a message is sent. A fourth 
category of comments addressed what it means to ``advertise'' or 
``promote'' a product, service, or website under the Act, which is 
related to the question posed in the NPRM about whether ``list owners'' 
can be ``senders'' under the Rule and thus be required (or allowed) to 
process opt-out requests in lieu of other marketers who promote a 
product, service, or website in the email.\35\
---------------------------------------------------------------------------

    \34\ See, e.g., ARDA; Empire; Mattel; NAFCU; NAR; NNA; SHRM; 
Wahmpreneur.
    \35\ At least one commenter suggested, without further detail, 
that the sender in a multi-marketer email should be the ``entity 
that controls the sampling, distribution, and opt-out registry.'' 
CMOR. Another commenter suggested determination of a sender in a 
multi-marketer email with a ``single, dominant marketer'' test. 
Bigfoot.
    The Direct Marketing Association (``DMA'') advocated formal 
adoption by the Commission of the Staff Letter of March 8, 2005, 
which opined on a specific fact pattern involving, among other 
things, multiple marketers who send commercial email messages to 
persons who had provided affirmative consent to receive multi-
marketer commercial email messages. The Commission declines to adopt 
the Staff Letter. The final Rule will govern multi-marketer message 
sender liability.
---------------------------------------------------------------------------

(i) ``From'' Line

    Many commenters favored looking to the ``from'' line of the message 
in order to determine who, under the Act, is the ``sender'' of a multi-
marketer message. Commenters urged that this element is most critical 
for recipient expectations\36\ and would be easy to use as a way to 
designate a single sender.\37\ Some commenters argued that the other 
two proposed elements should be deleted.\38\ A few commenters also 
requested that the Commission provide additional guidance on which non-
deceptive names can be used in the ``from'' line, including a company's 
brands and service names.\39\
---------------------------------------------------------------------------

    \36\ See, e.g., Bigfoot; Charter; DoubleClick; KeySpan; MBNA; 
Nextel; OPA; SHRM.
    \37\ See Charter; DoubleClick; Nextel; Reed.
    \38\ See DoubleClick; KeySpan.
    \39\ See, e.g., MBNA; SIIA.
---------------------------------------------------------------------------

(ii) ``Controls the Content''

    Most commenters voiced concerns about the ``controls the content'' 
element of the proposed proviso and its likely effect. Many of these 
commenters found this criterion vague and urged the Commission to 
provide additional guidance concerning what it means to ``control'' the 
content of commercial email.\40\ Many advocated eliminating this factor 
altogether,\41\ and others urged various ways to modify it.\42\ Two 
primary themes emerged from the comments: (1) several parties may 
exercise some degree of ``control'' over content, and (2) ``control'' 
in this context is a vague and ill-defined concept. Commenters 
explained that in joint marketing arrangements, it is standard industry 
practice for each marketer to exercise control over the use of its own 
trademarks, branding, legal disclosures, and advertising copy.\43\ 
Commenters further explained that in highly regulated industries, such 
as life insurance, securities, pharmaceuticals, and alcoholic 
beverages, marketers may be required to include certain text and legal 
disclosures.\44\ Some commenters also stated that, in addition to 
controlling their own trademarks and disclosures, marketers sometimes 
influence the content of other parts of a message without 
``controlling'' it, or may suggest advertising text without making the 
final decision about the advertising content.\45\ To protect their 
brand reputations, commenters explained that they need to be able to 
review and approve the advertising content of other marketers.\46\
---------------------------------------------------------------------------

    \40\ See, e.g., ACB; ACLI; Associations; BOA; CBA; Charter; DLA; 
DMA; Discover; ERA; ESPC; FNBO; HSBC; IAC; Mastercard; Microsoft; 
MPA; MPAA; NAA; NAIFA; NBCEP; NEPA; NetCoalition; PMA; SIIA; Time 
Warner.
    \41\ See Associations; ATAA; Charter; DoubleClick; Keyspan; 
MasterCard; NAIFA; SIIA; Wells Fargo. Similarly, other commenters 
suggested that the proposed Rule be modified to allow more than one 
marketer to control the content of the message, while still allowing 
one of the marketers to be designated as the sender. See CBA; DMA; 
MPA; NBCEP; NetCoalition; NRF.
    \42\ See e.g., Adknowledge; ICC; MPA.
    \43\ See Reed; DoubleClick; Time Warner; MasterCard; Microsoft; 
Bigfoot; HSBC; MPAA; OPA.
    \44\ See, e.g., ACLI; BF; HSBC; IPPC; MPAA; OPA; SIA.
    \45\ See, e.g., BF; Visa.
    \46\ See, e.g., Associations; ERA; HSBC; MasterCard; MPA; 
NetCoalition; Nextel; NRF; OPA; PMA.
---------------------------------------------------------------------------

    A number of commenters opined that, without clarification, under a 
literal application of the proposed Rule, essentially all marketers 
would be deemed to ``control'' the content of a multi-marketer email, 
thereby preventing the designation of a single sender and defeating the 
purpose of the proposed Rule.\47\ Conversely, according to commenters, 
a standard that forced marketers to cede all control of the content of 
messages to one marketer among several using a single email message 
would greatly disrupt standard industry practices.\48\
---------------------------------------------------------------------------

    \47\ See ATA; DoubleClick; HSBC; IAC; IPPC; Mastercard; Time 
Warner.
    \48\ See e.g., NAA; TimeWarner.
---------------------------------------------------------------------------

    To alleviate these perceived problems, a number of commenters 
suggested that the Commission eliminate the ``controls the content'' 
element, because they believed that the proposed Rule could operate 
effectively in its absence.\49\ Others suggested that the Commission 
clarify that ``control'' means control of the ``primary'' or 
``overall'' content of the message, but does not mean either control by 
a company over its own advertisement\50\ or the practice of reviewing 
and approving the advertising content of other marketers.\51\ These 
commenters asked the Commission to clarify that ``control'' should 
refer to control over what content will be distributed in the email 
message as a whole and not control over the design, content, or 
placement of a particular advertisement in a multi-marketer 
message.\52\ Other commenters advocated that ``control'' of the content 
of the message should mean the ultimate ability to determine whether 
and when the message is transmitted.\53\
---------------------------------------------------------------------------

    \49\ See NAIFA; SIIA.
    \50\ See, e.g., ACB; Adknowledge; Associations; ATAA; CBA; 
Charter; Discover; DMA; Experian; FNB; IAC; ICC; KeySpan; Microsoft; 
MPAA; NAIFA; NBCEP; NEPA; NetCoalition; NRF; OPA; Reed; SIIA; Time 
Warner; Wells Fargo.
    \51\ See, e.g., ERA; HSBC; MasterCard; MPA; Nextel; PMA.
    \52\ See ACB; BoA; Discover; ERA; ESPC; Experian; HSBC; IAC; 
ICC; Mastercard; Microsoft; MPA; MPAA; NAA; PMA; Visa.
    \53\ See, e.g., BigFoot; SIIA.
---------------------------------------------------------------------------

    In a similar vein, some commenters felt that the structure of the 
proviso as proposed in the NPRM would have limited the ability of 
legitimate marketers to co-promote their products without any 
corresponding benefit to consumers.\54\ Commenters pointed out that 
there are circumstances when one entity provides the email addresses to 
which a message is to be sent and one or more other entities control 
the content of the message. Under the proposal in the NPRM, all 
entities would be considered senders because the proposed Rule's 
definitional requirements allowing one sender to be designated could 
not be met.\55\ These commenters asked that the final Rule be made more 
flexible to accommodate the variety of marketing agreements commonly 
used in the industry.\56\
---------------------------------------------------------------------------

    \54\ See Bigfoot; CBA; DMA; DoubleClick; ESPC; MPAA; NBCEP; 
NetCoalition; NRF; SIIA; Wells Fargo.
    \55\ See DMA; SIIA.
    \56\ See, e.g., MPAA.

---------------------------------------------------------------------------

[[Page 29659]]

(iii) ``Determines the Electronic Mail Addresses to Which Such Message 
is Sent''

    Few commenters discussed the third element of the proposed proviso 
for the definition of ``sender'': that the sender be the party that 
determines the email addresses to which such message is sent. Some 
commenters objected to this element of the definition because, they 
contend, entities in joint marketing campaigns may want to contribute 
or recommend some email addresses without being considered the primary 
``sender.''\57\
---------------------------------------------------------------------------

    \57\ See, e.g., KeySpan; Reed; SIA. Several commenters also 
requested clarification of what constitutes ``determines'' and 
suggested that merely providing criteria for targeting recipients 
(such as demographic characteristics) should not qualify as 
``determining'' the email addresses. See DoubleClick; KeySpan; 
MasterCard; Unsub. As discussed below, this element has been 
removed, and thus these requests for clarification need not be 
addressed.
---------------------------------------------------------------------------

(iv) ``Promote''

    Finally, a few commenters suggested that the Commission define 
broadly the term ``promote'' in the Act's definition of sender. They 
argued that a person ``advertises'' or ``promotes'' the person's 
``product, service, or Internet website'' by appearing in the ``from'' 
line of the message or simply by having the person's name referenced in 
the email.\58\ Under this interpretation, they argued, more persons 
could qualify as designated ``senders'' under the proviso.
---------------------------------------------------------------------------

    \58\ See, e.g., Adknowledge; ESPC; Unsub.
---------------------------------------------------------------------------

d. Response to Comments on the Definition of ``Sender'' and Explanation 
of the Final Rule's Definition of ``Sender''

    Having considered the comments on the proposed definition of 
``sender,'' the Commission adopts a modified version as its final Rule. 
These modifications mitigate the concerns of marketers raised in the 
comments, recognize the benefits afforded by advertising by multiple 
entities in a single email, conform more closely to the expectations of 
email recipients, and continue to provide the CAN-SPAM protections 
contemplated by Congress. In summary, as discussed below, the 
Commission retains the ``from'' line element in the proviso as a 
mandatory element, drops the ``controls the content'' and ``determines 
the electronic mail addresses to which the message is sent'' elements, 
and adds a requirement that the designated sender be in compliance with 
certain provisions of the Act and Rules that apply to initiators.
    In response to comments regarding the ``from'' line, the Commission 
found persuasive the suggestions that the ``sender'' of a multi-
marketer email should be the person identified in the ``from'' line of 
the message. The Commission agrees that a rule that uses the ``from'' 
line as the sole determinant of the sender in a multi-marketer email 
would be straightforward for marketers to follow and is the single most 
helpful element of an email to enable recipients to identify the sender 
of the email.\59\ A designated ``sender'' for purposes of a multi-
marketer email must, in addition to meeting the other requirements 
listed below, include its non-deceptive name, trade name, product, or 
service in the ``from'' line of the email.\60\
---------------------------------------------------------------------------

    \59\ See Charter (stating that the ``from'' line criterion 
``specifically accords with consumer expectations.'').
    \60\ In response to commenters seeking further guidance about 
whether a company's non-deceptive product or service names can be 
used in the ``from'' line, the Commission responds as follows. CAN-
SPAM provides that ``a `from' line . . . that accurately identifies 
any person who initiated the message shall not be considered 
materially false or misleading.'' 15 U.S.C. 7704(a)(1)(B). The 
Commission believes that this does not mean that the ``from'' line 
necessarily must contain the initiator's formal or full legal name, 
but it does mean that it must give the recipient enough information 
to know who is sending the message. Email senders should consider 
their messages from their recipients' perspective. If a reasonable 
recipient would be confused by the ``from'' line identifier, the 
sender is not providing sufficient information. See NPRM, 70 FR at 
25431 (further discussing this issue).
---------------------------------------------------------------------------

    And, under the final Rule, the designated sender must be 
``identified in the `from' line as the sole sender of the message'' -- 
if two or more senders appear in the ``from'' line, the multi-marketer 
proviso would not be met.
    On the second issue identified by commenters, the Commission has 
deleted the ``controls the content of such message'' element from the 
proviso. Comments urging its removal were persuasive, and comments that 
advocated clarification rather than removal revealed that retaining 
this element would not serve to assist recipients in identifying or 
confirming the sender of a multi-marketer message. By its nature, a 
multi-marketer message promotes more than one company's content, and 
thus more than one company controls its content in at least some 
way.\61\ Modifying the criterion to require ``overall'' control of the 
content would simply add further nuance and complication and make 
enforcement difficult. Deleting this criterion will make the proviso 
more practicable for legitimate marketers to designate a single 
``sender'' while preserving for email recipients the protections of 
CAN-SPAM.\62\ Under the final Rule, therefore, a non-designated sender 
under the multi-marketer proviso will not have ``sender'' liability 
just because it controls its own advertising copy, including its 
trademarks and legal disclosures, or reviews other marketers' content 
to ensure the absence of objectionable material in proximity to its own 
brand.
---------------------------------------------------------------------------

    \61\ See IAC.
    \62\ See, e.g., Charter (``the Commission's proposed definition 
is inadequate and unworkable''); DoubleClick; Keyspan; MasterCard; 
NAIFA; SIIA.
---------------------------------------------------------------------------

    The Commission has deleted the third element discussed by 
commenters that required that the designated ``sender'' of a multi-
marketer email determine the email address to which such message will 
be sent. The NPRM rationale for this element was to ensure that the 
designated sender had the ability to process opt-out requests. The 
Commission is now convinced that requiring the designated sender to 
determine recipient email addresses would serve little, if any, 
purpose. Under the Act, as a sender, the designated sender already must 
check to make sure that none of the email recipients appears on its 
opt-out list. In a multi-marketer email, if the designated sender 
receives a list of proposed email addresses from a non-designated 
sender, the designated sender must scrub that list against its own opt-
out list before sending the message to the addresses on that list.
    On the fourth and final issue raised by commenters, the Commission 
declines to make any additional changes to the definition of ``sender'' 
proposed by the NPRM. Some commenters suggested that the FTC define 
broadly the phrase ``advertised or promoted'' in the Act's definition 
of ``sender,'' so that more entities could qualify as ``senders'' under 
the multi-marketer proviso. The Commission believes that the definition 
of a ``sender'' should be based on consumer expectations. If a 
reasonable consumer would not believe that a person's product, service, 
or website were ``advertised or promoted'' in the message, then that 
person does not qualify as a ``sender.'' The Commission believes that 
the meaning of ``advertised or promoted'' is clear and broadly 
understood.\63\
---------------------------------------------------------------------------

    \63\ By analogy, another definition in the Act, that of a 
``commercial electronic mail message,'' states that
    [t]he inclusion of a reference to a commercial entity or a link 
to the web site of a commercial entity in an electronic mail message 
does not, by itself, cause such message to be treated as a 
commercial electronic mail message for purposes of this chapter if 
the contents or circumstances of the message indicate a primary 
purpose other than commercial advertisement or promotion of a 
commercial product or service.
    15 U.S.C. 7702(2)(D).


---------------------------------------------------------------------------

[[Page 29660]]

    Lastly, based on its law enforcement experience, the Commission 
recognizes that illegitimate marketers may attempt to use the proviso 
to escape liability under CAN-SPAM. Both CAN-SPAM's definition of 
``initiator'' and the final Rule's revised definition of ``sender'' 
substantially reduce the likelihood of such abuse.\64\ First, marketers 
in a single email message who are not designated senders are still 
``initiators'' under CAN-SPAM and liable under any of the provisions 
that apply to initiators, such as the prohibition against use of 
deceptive headers and subject lines and the requirement to include an 
opt-out link.\65\ Second, the final Rule's definition of ``sender'' 
requires that the designated ``sender'' be in compliance with certain 
initiator provisions of the Act: 15 U.S.C. 7704(a)(1), 15 U.S.C. 
7704(a)(2), 15 U.S.C. 7704(a)(3)(A)(i), 15 U.S.C. 7704(a)(5)(A), and 16 
CFR 316.4.\66\ The proviso states that if the designated sender does 
not comply with these five ``initiator'' responsibilities, all the 
marketers will be liable as senders (and not just initiators) under the 
Act because the proviso will not apply. By requiring the designated 
sender to comply with these provisions of law, the other marketers 
using a single email message must ensure that the entity that is the 
designated ``sender'' complies with the Act and the Commission's rules. 
Otherwise, the other marketers using the email risk losing the 
protections provided by the proviso and each will be a ``sender'' of 
the message. The final Rule, therefore, provides senders of multi-
marketer emails a method of reducing the burdens associated with 
multiple opt-out links and postal addresses while guarding against 
possible abuse. Nonetheless, if the Commission finds such abuse through 
the operation of the proviso, it will reconsider whether the final Rule 
is justified under the Act.\67\
---------------------------------------------------------------------------

    \64\ At least one commenter suggested that the proviso could be 
subject to abuse. See Adknowledge (suggesting that to avoid abusive 
practices, the proposed regulation explicitly should state that a 
``person'' must be a ``bona fide business entity'' because 
``spammers continually change the name of the originating entity 
along with header or other information, or consider a mere email 
address list as a `business entity.''').
    \65\ See, e.g., FTC v. Phoenix Avatar, 2004-2 Trade Cas. (CCH) ] 
74,507 (N.D. Ill. Jul. 30, 2004) (order granting preliminary 
injunction); FTC v. Opt-in Global, No. 05-cv-1502 (N.D. Cal. filed 
Apr. 12, 2005) (final order entered Apr. 6, 2006); FTC v. Dugger, 
No. CV-06-0078 (D. Ariz. filed Jan. 9, 2006) (final order entered 
Jul. 31, 2006).
    \66\ Section 7704(a)(1) of the Act prohibits initiation of an 
email that contains false or misleading transmission information, 
and section 7704(a)(2) prohibits initiation of an email with a 
deceptive subject heading. Section 7704(a)(3)(A)(i) requires an 
initiator to include a ``functioning return electronic mail address 
or other Internet-based mechanism, clearly and conspicuously 
displayed, that a recipient may use to submit . . . a reply 
electronic mail message or other form of Internet-based 
communication requesting not to receive future commercial electronic 
mail messages from [the] sender [responsible for the initial 
commercial message].'' Section 7704(a)(5)(A) of the Act requires 
that an initiator ``provide clear and conspicuous identification 
that the message is an advertisement or solicitation, clear and 
conspicuous notice of the opportunity . . . to decline to receive 
further commercial electronic mail messages from the sender, and a 
valid physical postal address of the sender.'' Finally, 16 CFR 
316.4, the Sexually Explicit Labeling Rule, imposes certain 
requirements on a message that includes sexually oriented material, 
including the 19 characters ``SEXUALLY EXPLICIT: '' at the beginning 
of the subject header of the message.
    \67\ Of course, it should be noted that the proviso in no way 
relieves non-designated senders of liability for ensuring that their 
own advertising complies with the FTC Act.
---------------------------------------------------------------------------

e. List Owners

    In the NPRM, the Commission asked whether under CAN-SPAM, third-
party list providers who do nothing more than provide a list of names 
to whom others send commercial emails could be required to honor opt-
out requests.\68\ Specifically, the NPRM asked whether such list 
providers could satisfy the statutory definition of sender, i.e., a 
person that both initiates a message and advertises its product, 
service, or website in the message.
---------------------------------------------------------------------------

    \68\ 70 FR at 25450.
---------------------------------------------------------------------------

    Some commenters opposed extending opt-out responsibilities to 
third-party list providers because it would be contrary to 
congressional intent, difficult to implement and monitor, and would 
impose administrative costs and complexity for legitimate list 
providers and email marketers.\69\ Although the NPRM asked about list 
owners who have no other involvement in the message besides providing a 
list of names to others, commenters discussed other list rental 
arrangements in which both the marketer and the list owner have some 
degree of control over the content of the message.\70\ In those cases, 
list owners typically do not have control over the specific creative 
content within an advertisement, but they can approve or disapprove an 
advertisement for delivery to email addresses on their lists.
---------------------------------------------------------------------------

    \69\ See FNB; Jumpstart; Lashback; Schnell; SIA (list providers 
play a role ``similar to that of a telephone directory service,'' 
are neither ``advertising or promoting their products and 
services,'' nor ``initiating the email,'' and accordingly ``do not 
come within the definition of `sender' under the CAN-SPAM Act.'').
    \70\ See, e.g., Unsub.
---------------------------------------------------------------------------

    On the other hand, two commenters argued in favor of extending opt-
out obligations to third-party list providers.\71\ Some of these 
commenters thought the Commission should clarify that in such 
situations the list owner exercises fundamental ``control'' of the 
content of the message for purposes of the then-proposed regulatory 
definition of ``sender.''\72\ Other commenters urged the Commission to 
adopt the position that a list owner would be considered a sender if 
the list owner ``advertises or promotes'' its services merely by being 
referenced in the ``from'' line or in the message itself, thereby 
making it responsible for the opt-out function and other CAN-SPAM 
compliance.\73\
---------------------------------------------------------------------------

    \71\ See Adknowledge; EPIC.
    \72\ See, e.g., ESPC.
    \73\ See, e.g., Adknowledge; Baker; ESPC; cf. Microsoft (arguing 
that it should constitute a deceptive trade practice for a list 
owner to fail to identify itself and the role that it plays in 
sending the message, that its identification would be considered 
advertising or promoting its services, and thus that the list owner 
would meet the definition of ``sender'' and have CAN-SPAM 
liability); Adknowledge (proposing that the Commission make it 
``mandatory for list owners to advertise or promote themselves in 
each email message they transmit'').
---------------------------------------------------------------------------

    Because of the variety of situations in which a list owner might be 
involved in a commercial email, and because none of the commenters 
provided a workable mechanism for all of these situations, the 
Commission is persuaded that amending the rules under CAN-SPAM to 
create a specific provision for list owners is not feasible.
    The Commission finds that a list owner must honor opt-out requests 
only if it qualifies as the ``sender'' of a commercial email (i.e., it 
is an initiator and its ``product, service, or Internet web site'' are 
``advertised or promoted'' in the email). And, if it does qualify as a 
``sender,'' it may avail itself of the multi-marketer proviso added to 
the definition of sender in the final Rule.

f. Safe Harbor for Email Messages Sent By Affiliates

    In the NPRM, the Commission asked whether it should adopt a ``safe 
harbor'' with respect to opt-out and other obligations for a sender 
whose product, service, or website is advertised by affiliates or other 
third parties. Moreover, the Commission sought guidance on the criteria 
for a safe harbor.\74\
---------------------------------------------------------------------------

    \74\ 70 FR at 25450.
---------------------------------------------------------------------------

    Although the Act does not provide a definition of ``affiliate,'' 
the Commission noted in the NPRM that ``affiliates'' are induced to 
send commercial email messages by sellers seeking to drive traffic to 
their websites, and that sellers generally pay affiliates based on the 
number of individuals who, directed by the affiliates, ultimately visit 
the seller's

[[Page 29661]]

website and/or purchase the seller's product or service.\75\
---------------------------------------------------------------------------

    \75\ 70 FR at 25428 n.23. According to IAC, in a typical 
affiliate program, a marketer enters an arrangement with an 
affiliate to pay the affiliate for referrals to its website. The 
affiliate can employ a variety of methods to direct consumers to the 
marketer's website, including email messages. The affiliate sends 
email messages containing an advertisement promoting the marketer's 
goods or services and a hypertext link to visit the marketer's 
website directly from the email message (either as a direct link or 
through the affiliate's link, which redirects the recipient to the 
marketer's website). If a recipient of the email uses this link to 
visit the marketer's website, the marketer logs the visit as 
attributable to the affiliate's email. Depending on the arrangement 
between the marketer and the affiliate, the marketer will pay the 
affiliate a prescribed amount either for the visit (also known as a 
``click through'') or for a completed sale, or both. IAC states in 
its comments that it has thousands of affiliates. For Expedia, one 
of IAC's websites, however, the majority of the sales from the 
affiliate program are generated by a relatively small number of 
productive affiliates.
---------------------------------------------------------------------------

    Before turning to the issue of whether a safe harbor is appropriate 
to shield marketers from liability for CAN-SPAM violations of 
affiliates, two preliminary questions must be considered. First, is the 
marketer who uses an affiliate an ``initiator'' under the final Rule? 
Second, in scenarios where a marketer uses an affiliate, what is the 
impact of the final Rule on the status of both the marketer and the 
affiliate as ``senders''?
    With regard to whether a marketer that uses affiliates is an 
``initiator,'' under the Act, a person is an ``initiator'' if the 
person originates, transmits, or ``procure[s] the origination or 
transmission of'' a message.\76\ In the typical affiliate marketing 
scenario, the affiliate originates and transmits the message, and is 
therefore an initiator. The marketer, however, does not originate or 
transmit the message, but does ``procure'' the origination of the 
message. The Act defines ``procure'' as ``intentionally to pay or 
provide other consideration to, or induce, another person to 
initiate[]a message on one's behalf.''\77\ A few commenters argued that 
a marketer does not actually ``initiate'' an email message if it does 
not provide consideration to an affiliate for each message, because it 
provides consideration to the affiliate for visits to its website or 
completed sales made as a result of the affiliate's email messages.\78\ 
According to this argument, in these circumstances, the marketer pays 
consideration for the referral, but not for the message itself.
---------------------------------------------------------------------------

    \76\ 15 U.S.C. 7702(9).
    \77\ 15 U.S.C. 7702(12) (emphasis added).
    \78\ See IAC (arguing that affiliates are not ``hired'' to do 
anything, but are ``simply paid a small fee for referrals,'' and 
that the affiliate emails are ``created and transmitted entirely at 
the discretion of the affiliate.''); Unsub (arguing that the payment 
structure does not differ from a company renting a mailing list from 
a third party).
---------------------------------------------------------------------------

    The Commission believes that this interpretation is too narrow. By 
agreeing in advance to pay an affiliate for sales to persons who come 
to a marketer's website as a result of an affiliate's referral, a 
seller or marketer creates an inducement for the affiliate to originate 
or transmit commercial email messages to the public. In the language of 
the Act, the seller induces another person -- the affiliate -- to 
initiate messages on the seller's behalf.
    With regard to the second question, in the typical affiliate 
program, the marketer is a ``sender'' because its product, service, or 
website is promoted in the email message, and the affiliate is only an 
``initiator.'' It is only when the affiliate promotes its own product, 
service, or website along with that of the marketer that the affiliate 
is also a ``sender'' under the Act. In such a case, under the final 
Rule, the affiliate may serve as the designated sender, provided that 
it is listed in the ``from'' line of the message and is in compliance 
with 15 U.S.C. 7704(a)(1), 15 U.S.C. 7704(a)(2), 15 U.S.C. 
7704(a)(3)(A)(i), 15 U.S.C. 7704(a)(5)(A), and 16 CFR 316.4. If, 
however, the affiliate promotes its own product, service, or website in 
addition to that of the marketer, but does not comply with the 
designated sender requirements in the final Rule, then both the 
affiliate and the marketer are liable as ``senders'' under the final 
Rule.\79\
---------------------------------------------------------------------------

    \79\ In either case, both the affiliate and the marketer are 
``initiators'' under the Act.
---------------------------------------------------------------------------

    A ``safe harbor'' would absolve a marketer of initiator liability 
(or of sender liability if the affiliate is not the designated sender 
under the final Rule) if the marketer takes prescribed steps to ensure 
that the affiliate complies with CAN-SPAM. Those who commented on this 
issue were split on whether the Commission should adopt a safe harbor 
for CAN-SPAM liability for marketers whose products are promoted by 
affiliates or other third parties. Those opposed to a safe harbor 
stated that it would allow marketers to circumvent CAN-SPAM 
requirements.\80\ Those in favor of a safe harbor stated that it would: 
(1) provide clarity to marketers that practice due diligence when 
selecting third-party email marketers; (2) encourage marketers to 
maintain reasonable practices and procedures to prevent violations of 
CAN-SPAM; and (3) effectuate congressional intent.\81\
---------------------------------------------------------------------------

    \80\ See, e.g., Amin; Jumpstart; LashBack; Schaefer; Unsub; 
VFCU.
    \81\ See e.g., AeA; ARDA; ERA LashBack; MPAA; NADA.
---------------------------------------------------------------------------

    Many online businesses advocated the adoption of a safe harbor in 
principle,\82\ but only a fraction of those commenters suggested 
specific components to the safe harbor. Those suggestions included the 
following requirements: (1) that the contract between the marketer and 
the affiliate specifically require the affiliate to comply with CAN-
SPAM;\83\ (2) that the affiliate periodically certify that it complies 
with CAN-SPAM;\84\ (3) that the marketer provide the affiliate with 
written guidelines on how to comply with CAN-SPAM;\85\ (4) that the 
marketer maintain additional reasonable procedures to determine whether 
the affiliates are complying with CAN-SPAM;\86\ (5) that a marketer 
comply with its privacy policy relating to the conduct of third parties 
sending email messages on its behalf;\87\ and (6) that a marketer have 
``flexibility to determine what procedures are reasonable.''\88\
---------------------------------------------------------------------------

    \82\ See ESPC (noting that it is ``generally supportive of safe 
harbor programs'' and ``would be very interested in further 
discussion of such programs''); SIIA (making a ``preliminary 
proposal''); Visa (``such a safe harbor could be based on examples 
demonstrating relationships that do not result in control of content 
or email addresses.''); Wahmpreneur (suggesting a safe harbor that 
would apply to permission-based marketing).
    \83\ See IAC.
    \84\ See id.
    \85\ See id.
    \86\ See id.
    \87\ See SIIA; ACLI.
    \88\ See IAC.
---------------------------------------------------------------------------

    After considering all the comments submitted and in the light of 
the changes to the Rule's definition of ``sender'' for multi-marketer 
messages as well as its law enforcement experience, the Commission has 
decided against creation at this time of a ``safe harbor'' for 
companies whose products, services, or website are advertised by 
affiliates or other third parties. First, the requisite criteria for a 
safe harbor have not been articulated clearly. Second, email marketing 
models continue to evolve, and there may not be enough transparency in 
email marketing to support a safe harbor.
    The Commission believes that the final Rule's definition of 
``sender'' gives marketers the necessary flexibility to market their 
products using email on their own or in conjunction with other parties 
while at the same time preserving the protections afforded to consumers 
by CAN-SPAM. If, after marketers have had the opportunity to conduct 
business under the ``sender'' definition in the final Rule, concerns 
about the necessity of a safe harbor persist, the Commission can 
reconsider this issue.

[[Page 29662]]

g. Messages Sent to Members of Online Groups

    The NPRM asked whether CAN-SPAM should apply to email messages sent 
to members of online groups. According to ESPC, online groups are also 
known as discussion lists, list servs, mailing lists, and chat groups. 
They often constitute communities engaging in both commercial and non-
commercial speech via email. Many such lists are volunteer efforts, but 
their messages sometimes include commercial content. Lists can be fee-
based or free.\89\
---------------------------------------------------------------------------

    \89\ See ESPC.
---------------------------------------------------------------------------

    Generally discussion groups are permission-based, that is, ``opt-
in.'' Those lists that are free to join often include advertising in 
messages sent to subscribers, either with or without content relating 
to the purpose of the group. Depending on the type of discussion group, 
different individuals may be able to send messages to the entire group. 
In some groups, any member may send a message; in other groups, only 
the moderator or list owner may send messages; in still other groups, 
anyone may send a message, but the message must be approved by a 
moderator. It is rare for mailing list software to allow subscribers to 
choose the senders from whom they want to receive messages. In other 
words, they opt to receive all messages in the discussion group or none 
at all.\90\
---------------------------------------------------------------------------

    \90\ See ESPC.
---------------------------------------------------------------------------

    Four commenters stated that they believe online groups should not 
be subject to CAN-SPAM.\91\ They felt that compliance with CAN-SPAM 
would be too burdensome for unpaid list moderators and might cause them 
to cease operations, potentially chilling free speech. ESPC argued that 
email service providers that host mailing list services generally are 
considered to be engaged in routine conveyance under the Act, taking 
them outside the definition of initiator under the Act. ESPC also 
argued that most moderators also would be engaging in routine 
conveyance when sending messages to the group on behalf of group 
members.\92\
---------------------------------------------------------------------------

    \91\ See ESPC; NAEDA; PCIAA; Schnell.
    \92\ The Commission notes, however, that CAN-SPAM defines 
``routine conveyance'' as requiring an ``automatic technical 
process.'' 15 U.S.C. 7702(15). Thus, if a list moderator is manually 
forwarding messages to the group on behalf of group members, the 
moderator would not be engaged in ``routine conveyance.'' See also 
infra Part II.A.5 (discussing ``routine conveyance'' in connection 
with forward-to-a-``friend'' emails).
---------------------------------------------------------------------------

    One commenter urged the Commission not to distinguish between email 
messages sent to members of groups and email messages sent to 
recipients who are not members of groups. That commenter stated that an 
exception from CAN-SPAM would give an unfair advantage to the operators 
of online groups without compelling justification, and would create an 
incentive for ``group'' status that would likely be exploited by 
aggressive marketers.\93\
---------------------------------------------------------------------------

    \93\ See Jumpstart.
---------------------------------------------------------------------------

    The Commission believes that CAN-SPAM compliance is not unduly 
burdensome for online groups. Of course, in some cases, the primary 
purpose of emails sent by and to online groups will not be commercial, 
and thus the Act will not apply.\94\ However, for those messages with a 
primary purpose that is commercial, group members should be entitled to 
the benefits of CAN-SPAM's opt-out provisions. Indeed, best practices 
in the industry already require group members to opt into listservs and 
provide straightforward mechanisms for opting out.\95\ The Commission, 
therefore, has determined not to exempt online groups from CAN-SPAM at 
this time, but may reconsider the issue in the future should 
circumstances warrant.
---------------------------------------------------------------------------

    \94\ Most of the Act's requirements apply to an email only if it 
is a ``commercial electronic mail message,'' which is defined as an 
email ``the primary purpose of which is the commercial advertisement 
or promotion of a commercial product or service (including content 
on an Internet web site operated for a commercial purpose).'' 15 
U.S.C. 7702(2)(A). See also 16 CFR 316.3 (primary purpose rule).
    \95\ See ESPC.
---------------------------------------------------------------------------

3. Section 316.2(o)--Definition of ``Transactional or Relationship 
Message''

    CAN-SPAM designates five broad categories of emails as 
``transactional or relationship messages.''\96\ The Act excludes these 
messages from its definition of ``commercial electronic mail 
message,''\97\ and thus relieves them from most of the Act's 
requirements and prohibitions.\98\ In the NPRM, the Commission proposed 
no modification to Rule 316.2(n), which incorporates the Act's 
definition of ``transactional or relationship message'' by reference. 
Under the Act, the Commission can expand or contract the definition of 
``transactional or relationship message'' only if two conditions are 
met: (1) such modification is necessary to accommodate changes in email 
technology or practices; and (2) such modification is necessary to 
``accomplish the purposes of [the Act].''\99\ None of the 50 comments 
submitted on this issue demonstrated that an expansion or contraction 
of the ``transactional or relationship message'' categories were 
necessary to accommodate changes in email technology of practices. 
Accordingly, the final Rule leaves the statutory definition 
unaltered.\100\ The NPRM also invited comment on a series of questions 
concerning the application of the existing categories of 
``transactional or relationship messages'' to certain types of 
messages. The Commission has carefully reviewed these comments and 
discusses its views on these issues below.
---------------------------------------------------------------------------

    \96\ Section 7702(17)(A) of the Act defines a ``transactional or 
relationship message'' as ``an electronic mail message the primary 
purpose of which is --
    (i)to facilitate, complete, or confirm a commercial transaction 
that the recipient has previously agreed to enter into with the 
sender;
    (ii)to provide warranty information, product recall information, 
or safety or security information with respect to a commercial 
product or service used or purchased by the recipient;
    (iii) to provide --
    (I)notification concerning a change in the terms and features 
of;
    (II)notification of a change in the recipient's standing or 
status with respect to; or
    (III) at regular periodic intervals, account balance information 
or other type of account statement with respect to, a subscription, 
membership, account,loan, or comparable ongoing commercial 
relationship involving the ongoing purchase or use by the recipient 
of products or services offered by the sender;
    (iv)to provide information directly related to an employment 
relationship or related benefit plan in which the recipient is 
currently involved, participating, or enrolled; or
    (v)to deliver goods or services, including product updates or 
upgrades, that the recipient is entitled to receive under the terms 
of a transaction that the recipient has previously agreed to enter 
into with the sender.''
    \97\ See supra n.94.
    \98\ Section 7704(a)(1)'s prohibition on false or misleading 
transmission information applies equally to ``commercial electronic 
mail messages'' and ``transactional or relationship messages.'' 
Otherwise, CAN-SPAM's prohibitions and requirements cover only 
``commercial electronic mail messages.''
    \99\ 15 U.S.C. 7702(17)(B).
    \100\ The NPRM asked whether there are any types of messages 
that erroneously fall outside of the reach of the proposed Rule, 
and, if so, how such a shortcoming should be remedied. 70 FR at 
25450. No commenters identified any such categories of messages. 
See, e.g., Discover (stating that it was aware of no messages that 
fall outside the Rule that should be covered by it). Accordingly, 
the Commission adopts no modification of the definition of 
``transactional or relationship message'' to accommodate any such 
categories of messages.
---------------------------------------------------------------------------

a. Legally Mandated Notices

    In the NPRM, the Commission asked whether an email message that 
contains only a ``legally mandated notice'' -- i.e., communications 
mandated by state or federal law -- should be considered a 
``transactional or relationship message.''\101\ Commenters identified 
messages mandated by the Truth in Lending Act, the Gramm-Leach-Bliley

[[Page 29663]]

Act, and the USA PATRIOT Act as well as messages concerning billing 
errors and changes in terms or account features as examples of legally 
mandated notices.\102\
---------------------------------------------------------------------------

    \101\ 70 FR at 25450.
    \102\ See, e.g., ACA; CBA; FNB; NRF.
---------------------------------------------------------------------------

    All 13 commenters that addressed this issue opposed classifying 
messages that solely contained legally mandated notices as ``commercial 
electronic mail messages.''\103\ Commenters were divided on whether 
such messages should be exempt from the Act,\104\ categorized under a 
new definition of ``transactional or relationship message,''\105\ or 
classified under one of the existing, statutory categories of 
transactional or relationship emails, such as messages to facilitate a 
commercial transaction that the parties have entered into (section 
7702(17)(A)(i))\106\ or messages to provide notification regarding a 
change in the terms and features of an account (section 
7702(17)(A)(iii)).\107\
---------------------------------------------------------------------------

    \103\ See FNB; KeySpan; Schnell; Wells Fargo; ESPC; BOA; ACA; 
DoubleClick, NRF, HSBC; CBA; Discover; PCIAA.
    \104\ See Discover; ESPC (arguing that legally mandated notices 
are either exempt from the Act or transactional or relationship in 
nature, depending on the content and context of the message in 
question); FNB; KeySpan (arguing that legally mandated notices 
should either be exempt from the Act or that the Commission should 
create a new transactional or relationship category for legally 
required notes); PCIAA (same); MPAA (arguing that messages 
containing legally mandated notices are not ``commercial electronic 
mail messages'' provided that their commercial content does not 
exceed the amount reasonably believed by the sender to be required 
to meet the legal requirement prompting the message); Schnell 
(``[A]n e-mail message containing only a legally mandated notice 
should have no standing in CAN-SPAM at all, other than perhaps a 
routine conveyance. It is not a commercial e-mail message, and is 
not a transactional or relationship message.'').
    \105\ See DoubleClick; KeySpan; NRF.
    \106\ See HSBC (arguing that such an email facilitates the 
commercial transaction into which the parties have entered).
    \107\ See ACA; CBA; Wells Fargo; BOA.
---------------------------------------------------------------------------

    The Commission declines either to expand the definition of 
``transactional or relationship message'' to include legally mandated 
notices or to make a blanket determination that such messages fall 
under one of the existing categories of transactional or relationship 
emails. Despite the unanimity of opinion expressed in the comments that 
such notices should not be treated as commercial in nature, none of the 
commenters demonstrated that expansion of the definition of 
``transactional or relationship message'' to include legally mandated 
notices was necessary to accommodate changes in email technology or 
practices and to accomplish the purposes of the Act.\108\ That said, 
the Commission believes that, in most cases, the types of legally 
mandated notices described by the commenters likely would be 
categorized as transactional or relationship messages. Such 
determinations, however, must be made on a case-by-case basis depending 
on the specific content and context of such messages. Moreover, if a 
message providing a non-commercial legally mandated notice also 
includes commercial content, it should be evaluated under the 
Commission's primary purpose criteria as a dual purpose message.\109\
---------------------------------------------------------------------------

    \108\ KeySpan addressed the statutory standard by arguing that 
``[i]t has become common practice for senders to email legally 
required notices to individuals who purchased the sender's products 
or services online.'' The Commission, however, is not persuaded that 
this is a ``change'' in email practices that has evolved since the 
passage of the Act.
    \109\ 16 CFR 316.3; see also NPRM, 70 FR at 25438.
---------------------------------------------------------------------------

b. Debt Collection Emails

    In the NPRM, the Commission invited comment on the Act's 
application to debt collection email messages, including messages sent 
by a third party on behalf of the seller from whom the recipient 
purchased goods or services rather than by the seller itself.\110\ 
Nearly all of the 15 commenters that addressed this issue urged that 
debt collection emails by a seller from whom the consumer made a 
purchase should be considered transactional or relationship in 
nature.\111\ Most of these commenters also stated that the same 
conclusion should apply to emails sent by third-party debt 
collectors.\112\
---------------------------------------------------------------------------

    \110\ NPRM, 70 FR at 25450.
    \111\ See NADA; Schnell; FNB; ESPC; DMA; NCTA; NNA; Charter; 
HSBC; CUNA; KeySpan; PCIAA; VFCU. But see Discover (arguing that all 
debt collection emails should be exempt from regulation under CAN-
SPAM); ACA (arguing that ``at most'' debt collection emails should 
be regulated as ``transactional or relationship messages'').
    \112\ See, e.g., DMA; ESPC; FNB; NCTA. But see Schnell (arguing 
that debt collection emails from a third party should be considered 
commercial); Charter (arguing that debt collection messages sent by 
third-party debt collectors would be neither ``commercial'' nor 
``transactional or relationship'' messages and thus would fall 
outside the scope of CAN-SPAM).
---------------------------------------------------------------------------

    The Commission declines to modify the definition of ``transactional 
or relationship messages'' to include an express provision addressing 
debt collection emails because there is no evidence in the record that 
such a modification is necessary to accommodate new email technology or 
practices. Such a modification is also unwarranted because debt 
collection messages will usually qualify as ``transactional or 
relationship messages'' under the existing definition of the term. The 
primary purpose of debt collection emails is not the ``advertisement or 
promotion of a commercial product or service,'' and, therefore, they 
generally would not be ``commercial electronic mail messages'' under 
section 7702(2)(A) of CAN-SPAM.\113\ Rather, debt collection emails 
from a seller from whom the consumers made a purchase are best 
understood as ``complet[ing] . . . a commercial transaction that the 
email recipient has previously agreed to enter into with the sender,'' 
and thus are ``transactional or relationship messages'' under section 
7702(17)(A)(i). Morever, the Commission agrees with the overwhelming 
majority of commenters that the ``sender'' with whom the ``recipient 
has previously agreed to enter into'' a commercial transaction can be 
interpreted to encompass a third party acting on behalf of a seller 
from whom the consumer made a purchase.\114\Thus, an email from a third 
party collecting on behalf of a seller likely is a ``transactional or 
relationship message.''
---------------------------------------------------------------------------

    \113\ Cf. Telemarketing Sales Rule, 68 FR 4580, 4664 n.1020 
(Jan. 29, 2003) (``[D]ebt collection . . . activities are not 
covered by the [Telemarketing Sales Rule, 16 CFR 310] because they 
are not `telemarketing' -- i.e., they are not calls made `to induce 
the purchase of goods or services.'''). If a debt collection email 
also contains material advertising or promoting a commercial 
product, service, or website, then it must be analyzed as a dual 
purpose message under Rule 316.3.
    \114\ Debt collection emails also must comply with other 
applicable federal and state laws. Significantly, the Fair Debt 
Collection Practices Act, 15 U.S.C. 1601, et seq. (``FDCPA''), 
imposes limitations on debt collectors' communications with 
consumers and third parties. Compliance with CAN-SPAM in no way 
excuses a debt collector from complying with the FDCPA and other 
statutes and regulations affecting communications regarding debt 
collection.
---------------------------------------------------------------------------

c. Copyright Infringement Notices and Market Research

    Two business organizations urged the Commission to clarify that 
messages containing copyright infringement notices or marketing and 
opinion research surveys are neither commercial nor transactional or 
relationship in nature and thus are exempt from the Act.\115\ One of 
these commenters further asserted that an email containing a copyright 
infringement notice that also provided information on how to obtain a 
legitimate, licensed version of the copyrighted material in question 
would not fall within the scope of the Act.\116\ In the NPRM, the 
Commission acknowledged that there may be messages that are neither 
``commercial electronic mail messages'' nor ``transactional or 
relationship messages'' as defined by the Act, and thus are not

[[Page 29664]]

addressed in CAN-SPAM.\117\ As a general matter, the Commission agrees 
that if a sender has had no previous dealings with the recipient -- 
thus lacking the predicate for a message to be deemed ``transactional'' 
-- and that sender's messages contain only a copyright infringement 
notice, the messages also are not primarily commercial in purpose and 
thus are not subject to the requirements and prohibitions of CAN-SPAM. 
Nevertheless, where a copyright infringement notice also contains 
information on how to obtain licensed versions of copyrighted 
materials, evaluation under the Primary Purpose Rule provisions 
governing dual purpose messages may lead to the conclusion that such 
messages are covered by CAN-SPAM.\118\ Likewise, emails containing true 
opinion and research surveys may fall outside the scope of the Act, but 
to the extent that any such message seeks to advertise or promote a 
brand, a company, or a product or service to the recipient, it also may 
be primarily commercial in purpose, and therefore subject to the Act's 
requirements and prohibitions.
---------------------------------------------------------------------------

    \115\ See BSA (copyright infringement notices); SIA (research 
and opinion surveys).
    \116\ See BSA.
    \117\ NPRM, 70 FR at 25433 n.85.
    \118\ 16 CFR 316.3.
---------------------------------------------------------------------------

d. Transactions that Do Not Involve an Exchange of Consideration

    The NPRM invited comment on the Act's application to messages sent 
pursuant to a relationship in which no consideration passes, such as 
messages from a ``free'' Internet service (such as Evite or 
Shutterfly). No commenters provided any evidence of changes in email 
practices or technology that would warrant modifying the definition of 
``transactional or relationship message'' specifically to address such 
messages. Indeed, as explained in the NPRM, even without a Rule change, 
the existing definition of ``transactional or relationship message'' 
includes two categories that could include messages sent pursuant to a 
relationship in which there has been no exchange of consideration: 
section 7702(17)(A)(i), under which an electronic mail message the 
primary purpose of which is to ``facilitate, complete, or confirm a 
commercial transaction [emphasis added] that the recipient has 
previously agreed to enter into with the sender'' is deemed 
transactional or relationship in nature; and section 7702(17)(A)(v), 
which provides that an email the primary purpose of which is ``to 
deliver goods or services, including product updates or upgrades, that 
the recipient is entitled to receive under the terms of a transaction 
[emphasis added] that the recipient has previously agreed to enter into 
with the sender'' also qualifies as transactional or relationship in 
nature. In the NPRM, the Commission explained that it believed an email 
from a free Internet service to someone who has registered with the 
service would be considered a message ``to deliver goods or services * 
* * that the recipient is entitled to receive under the terms of a 
transaction'' under section 7702(17)(A)(v) rather than a ``commercial 
transaction'' under section 7702(17)(A)(i) (emphasis added), but sought 
comment on this question.\119\
---------------------------------------------------------------------------

    \119\ NPRM, 70 FR at 25434.
---------------------------------------------------------------------------

    Ten of the 13 commenters that addressed this issue took the 
position that an email message that is primarily for the purpose of 
facilitating, completing, or confirming a commercial transaction with 
the sender previously agreed to by the recipient is ``transactional'' 
under section 7702(17)(A)(i), even when the transaction at issue 
involves no exchange of consideration.\120\ A few of these commenters 
argued further that, in any event, many ``free'' Internet services do 
involve an exchange of consideration; these commenters contended that 
agreeing to receive commercial email or to view advertising, for 
example, constitutes consideration.\121\ Three commenters argued that a 
``commercial transaction'' under section 7702(17)(A)(i) must involve an 
exchange of consideration.\122\
---------------------------------------------------------------------------

    \120\ See Discover; Jumpstart; Mattel; NFCU; NAR; NetCoalition; 
SIA; Schnell; United; VFCU.
    \121\ See Jumpstart; United. One commenter also suggested that 
to protect consumers, trial memberships and other situations where 
consideration is not paid until a later time should be considered 
commercial. See Schnell.
    \122\ See ABM; NADA; PCIAA.
---------------------------------------------------------------------------

    The Commission continues to believe that in many cases it is 
unnecessary to reach the question of whether registration with a 
``free'' Internet service constitutes a ``commercial transaction'' 
under section 7702(17)(A)(i) (emphasis added), because it is likely a 
``transaction'' under section 7702(17)(A)(v). That said, having 
reviewed the comments, the Commission has been persuaded that the term 
``commercial transaction'' in section 7702(17)(A)(i) can encompass 
situations in which there has been no exchange of consideration between 
the sender and the recipient.\123\ This is consistent with the 
Commission's interpretation of the term ``commercial electronic mail 
message,'' which, as defined in section 7707(2), includes an email the 
primary purpose of which is the advertisement or promotion of a 
commercial product or service that is free and does not involve the 
exchange of consideration so long as it is a ``commercial product or 
service (including content on an Internet website operated for a 
commercial purpose).'' Many free Internet services are undoubtedly 
engaged in ``commerce'' and offer consumers goods or services that are 
``commercial'' in nature whether or not they involve an exchange of 
consideration.\124\
---------------------------------------------------------------------------

    \123\ The NPRM stated that the Commission ``believe[d] that the 
modifier `commercial' has been deliberately omitted from [section 
7702(17)(A)(v)] of CAN--SPAM to accommodate just the sort of 
scenario that IAC and Microsoft raise,'' i.e., emails from free 
Internet services, like Evite, to their members. 70 FR at 25434. 
Upon further reflection, the Commission has concluded that a 
transaction between a free Internet website, such as Evite, and its 
members -- e.g., the transaction that occurs when a consumer 
registers at the website -- can reasonably constitute a ``commercial 
transaction.''
    \124\ As the Commission noted in the Primary Purpose Rulemaking, 
70 FR at 3113, the Random House College Dictionary defines 
``commercial'' as ``of, pertaining to, or characteristic of 
commerce; engaged in commerce.'' It defines ``commerce'' as ``an 
interchange of goods or commodities, especially on a large scale; 
trade; business.'' Random House College Dictionary 270 (Rev. ed. 
unabridged 1980). Likewise, the term ``commerce'' as defined in 
section 4 of the FTC Act, 15 U.S.C. Sec.  44, is broadly construed 
to include services that are provided without charge where they 
include commercial advertising. See, e.g., Ford Motor Co. v. FTC, 
120 F.2d 175, 183 (6th Cir. 1971) (``Interstate commerce includes 
intercourse for the purpose of trade which results in the passage of 
property, persons or messages from within one state to within 
another state. All of those things which stimulate or decrease the 
flow of commerce, although not directly in its stream, are essential 
adjuncts thereto . . . . The use of advertising as an aid to the 
production and distribution of goods has been recognized so long as 
to require only passing notice.'').
---------------------------------------------------------------------------

e. Affiliated Third Parties Acting on Behalf of a Person With Whom the 
Recipient Has Previously Entered Into a Commercial Transaction

    The NPRM invited comment concerning the application of the Act to 
messages sent by affiliated third parties that are acting on behalf of 
an entity with whom a consumer has transacted business. All but one of 
the dozen commenters addressing this issue argued that messages ``to 
facilitate, complete, or confirm a commercial transaction to which the 
recipient has previously agreed'' are generally ``transactional or 
relationship messages'' under section 7702(17)(A)(i) regardless of 
whether the messages were transmitted by the entity with whom the 
consumer transacted business or an affiliated third party acting on the 
business's behalf.\125\
---------------------------------------------------------------------------

    \125\ See NAEDA; Wahmpreneur; FNB; Wells Fargo; ESPC; NAFCU; 
NAIFA; CBA; Discover; PCIAA; SIA. But see Schnell (arguing against 
application of section 7702(17)(A)(i) to affiliated third parties).

---------------------------------------------------------------------------

[[Page 29665]]

    Because there is no evidence of changes in email technology or 
practices that would warrant amending the Rule expressly to address 
messages sent by affiliated third parties that are acting on behalf of 
an entity with whom the recipient has done business, the Commission 
does not make any modifications to the Rule concerning such messages. 
In addition, the Commission notes that the examples provided by 
commenters (e.g., travel agents, insurance agents) are fairly 
straightforward examples of types of messages that would likely qualify 
as a ``transactional or relationship message'' under section 
7702(17)(A)(i).\126\ The Commission, however, does not interpret this 
provision as necessarily covering every email message sent by an 
affiliated third party. For example, if an affiliated third party were 
to market its own product, service, or Internet website in an email 
message in which the affiliated third party is also facilitating or 
completing a transaction on behalf of another vendor, then that message 
would contain both commercial and transactional content, thus 
triggering analysis of the primary purpose of the dual purpose message.
---------------------------------------------------------------------------

    \126\ See NAIFA; NAIDA; FNB; IAC (comments submitted in response 
to ANPR); Wahmpreneur. For example, if a consumer purchases an 
airline ticket on a travel website like Orbitz, a subsequent message 
from Orbitz or the airline (or both) ``to facilitate, complete, or 
confirm'' the message will be a ``transactional or relationship 
message'' (or a dual purpose message if there is additional content 
in the email). Likewise, an email from an insurance agent to a 
customer can qualify as transactional or relationship in nature 
notwithstanding the fact the customer paid the premium to the 
insurer, not its agent.
---------------------------------------------------------------------------

f. Messages Sent to Effectuate or Complete a Negotiation

    In the NPRM, the Commission asked under what circumstances an email 
sent to effectuate or complete a negotiation should be considered a 
``transactional or relationship message'' under section 
7702(17)(A)(i).\127\ Twelve of the 13 commenters addressing this issue 
agreed that such messages should be deemed transactional or 
relationship messages or should fall outside the scope of the Act.\128\
---------------------------------------------------------------------------

    \127\ NPRM, 70 FR at 25434, 25450.
    \128\ See NADA; ARDA; FNB; Wells Fargo; BOA; Cendant; SIA; SIIA; 
CBA; MPAA; KeySpan; Discover. See also Schnell (emails to effectuate 
or complete a negotiation should be deemed transactional or 
relationship only if the recipient has a reasonable expectation that 
such a negotiation will occur via email).
---------------------------------------------------------------------------

    The Commission declines to alter the definition of ``transactional 
or relationship message'' to address communications for the purpose of 
effectuating or completing a negotiation because of the lack of any 
evidence in the record that such a modification would be necessary to 
accommodate changes in email technology or practices and to further the 
purposes of the Act. However, even without such a modification, the 
Commission continues to believe that, as it stated in the NPRM, to the 
extent that negotiation may be considered a ``commercial transaction'' 
that a recipient has previously agreed to enter into, such messages 
likely would be considered transactional or relationship under section 
7702(17)(A)(i) if they were sent to facilitate or complete the 
negotiation.\129\ The Commission, however, does not interpret the term 
``transactional or relationship message'' to include an initial 
unsolicited message that proposes a transaction and attempts to launch 
a negotiation by offering goods or services. Likewise, after a party 
has terminated a negotiation, an email from the other party seeking to 
restart the negotiations would not be a ``transactional or relationship 
message.''
---------------------------------------------------------------------------

    \129\ NPRM, 70 FR at 25434.
---------------------------------------------------------------------------

g. Messages in the Employment Context

    In the NPRM, the Commission sought comment on the Act's application 
to several types of emails that arise in the employment context. Due to 
the lack of evidence in the record that would satisfy the statutory 
standard for modifying the definition of ``transactional or 
relationship message,'' the Commission does not adopt any provision in 
the final Rule concerning such messages.

(i) Messages Concerning Employee Discounts or Similar Messages

    The NPRM asked whether it is appropriate to classify emails from 
employers offering employee discounts or similar messages as 
communications that ``provide information directly related to an 
employment relationship'' under section 7702(17)(A)(iv).\130\ In 
addition, the Commission asked whether it was relevant whether the 
employee's email address to which the message was sent had been 
assigned to the employee by the employer.\131\ All 20 commenters that 
addressed this issue argued either that such messages should be 
considered ``transactional or relationship messages'' under section 
7702(17)(A)(iv)\132\ or that they are neither ``commercial'' nor 
``transactional or relationship'' messages and thus fall outside the 
scope of the Act.\133\ A consistent theme in the comments was that an 
employer should be free to send whatever information it wants to an 
email address that the employer owns and assigns to an employee.\134\ 
In such circumstances, these commenters argued, the employer is both 
the ``sender'' and the ``recipient'' under the Act.
---------------------------------------------------------------------------

    \130\ Id. at 25436, 25450.
    \131\ Id. at 25450.
    \132\ See Associations; NNA; CBA; NRF; NADA; FNB; MPA; SIIA; 
Coalition; MPAA; KeySpan; Wells Fargo; BOA; ASTA; DoubleClick; 
Nextel.
    \133\ See AeA; Discover; PCIAA; Schnell.
    \134\ See, e.g., CBA (``The conclusion must be that an employer 
can send whatever message it desires to an e-mail account that the 
employer owns and assigns the employee.''); NRF (``[If] the company 
provides the e-mail account to the employee primarily for the 
employer's benefit, [then] the employer should be free to utilize 
its own proprietary network to send information to its 
employees.'').
---------------------------------------------------------------------------

    The comments persuade the Commission that section 7702(17)(A)(iv) 
should be interpreted to encompass messages that offer employee 
discounts from employers to email accounts they have provided to their 
employees. Moreover, there is nothing in the legislative history 
suggesting that such emails were of concern to Congress in enacting 
CAN-SPAM. Further, it seems unlikely that employers would inundate 
their employees' workplace email accounts with offers of employee 
discounts and the like and thereby divert their employees' attention 
from their job responsibilities.\135\ Thus, because the definition of 
``transactional or relationship message'' is broad enough to encompass 
emails from employers to their employees offering discounts, it is 
unnecessary to modify the definition to address such messages.
---------------------------------------------------------------------------

    \135\ The Commission, however, rejects the argument of some 
commenters that employees should not be deemed ``recipients'' under 
the Act of such messages sent by their employers to their employer-
provided email addresses. See, e.g., BOA; CBA; Coalition; 
DoubleClick; DMA; MPA; Wells Fargo. The Act broadly defines the 
``recipient'' as an ``authorized user of the electronic mail address 
to which the message was sent or delivered'' and does not require 
ownership of the email address. 15 U.S.C. 7702(14) (emphasis added). 
Consequently, employees are ``recipients'' of messages delivered to 
their workplace email accounts, whether such emails were sent by 
their employers or another person.
---------------------------------------------------------------------------

(ii) Messages From a Third Party on Behalf of the Recipient's Employer

    In the NPRM, the Commission asked whether an email that 
``provide[s] information directly related to an employment relationship 
or related benefit plan in which the recipient is currently involved'' 
and that would be a ``transactional or relationship message'' under 
section 7702(17)(A)(iv) if it were sent by the recipient's employer 
would retain its transactional or relationship character if sent by a 
third party acting on the employer's behalf. Most of the handful of 
commenters that addressed this

[[Page 29666]]

question agreed with the Commission's view that messages sent by a 
third party on behalf of an employer should be considered transactional 
or relationship in nature.\136\ The Commission reiterates its 
interpretation of section 7702(17)(A)(iv) as being sufficiently broad 
to allow an employer to retain a third party as its agent to send a 
message to its employees that would otherwise fit within the confines 
of a ``transactional or relationship message.''\137\ Thus, because the 
definition of ``transactional or relationship message'' is broad enough 
to include a message sent by the third-party agent of an employer to 
its employees, provided the message would be considered transactional 
or relationship in nature if sent by the employer itself, there is no 
need to modify the definition of ``transactional or relationship 
message'' to address such messages.
---------------------------------------------------------------------------

    \136\ See KeySpan; FNB; MPAA; PCIAA. But see Schnell 
(``commercial messages to employees of a given employer that come 
from third parties should not be considered transactional or 
relationship messages, and should be considered commercial under 
CAN-SPAM'').
    \137\ Nevertheless, the Commission's interpretation does have 
its limits. For example, if a third party were to market to a client 
company's employees the third party's own goods and services on its 
own behalf, rather than on behalf of the client, those messages 
would not be deemed ``transactional or relationship messages'' under 
section 7702(17)(A)(iv).
---------------------------------------------------------------------------

(iii) Messages Sent After an Offer of Employment is Tendered

    In the NPRM, the Commission asked whether, for purposes of section 
7702(17)(A)(iv) of the Act, providing information directly related to 
an employment relationship should include providing information related 
to such a relationship after an offer of employment is tendered, but 
prior to the recipient's acceptance of the job offer.\138\ The several 
commenters that addressed the issue believed that such messages provide 
``information directly related to an employment relationship'' and thus 
are transactional and relationship in nature.\139\ None of the 
commenters argued that prospective employees would be subject to 
unwanted commercial email messages from their prospective employers 
between the time an offer of employment is made and the time it is 
either accepted or rejected.
---------------------------------------------------------------------------

    \138\ NPRM, 70 FR at 25436, 25450.
    \139\ See FNB; KeySpan; Discover; MPAA.
---------------------------------------------------------------------------

    As an initial matter, the Commission notes that, where the primary 
purpose of an email from an employer to a prospective employee is 
something other than the promotion or advertisement of a commercial 
product or service, the message would not be subject to CAN-SPAM's 
requirements for commercial email messages.\140\ Where, for example, a 
message provides only information about a prospective employee's salary 
and job responsibilities and does not advertise or promote a commercial 
product or service, it is not a ``commercial electronic mail message'' 
under the Act. Rather, an email sent to a prospective employee who has 
received a bona fide offer of employment after actively seeking such 
employment would be considered information ``directly related to an 
employment relationship or related benefit plan'' under section 
7702(17)(A)(iv), provided the email concerned only the prospective 
employment relationship.\141\ To the extent, however, that such 
messages included both information about the job offer and an 
advertisement or promotion of a commercial product or service, e.g., an 
effort to induce the job applicant to purchase the employer's goods or 
services, then the message would be analyzed as a dual purpose message 
under the Primary Purpose provisions of the Commission's CAN-SPAM 
Rules.\142\
---------------------------------------------------------------------------

    \140\ 15 U.S.C. 7702(2).
    \141\ One commenter argued that section 7702(17)(A)(iv)'s 
exemption for employment-related emails ``does not go far enough'' 
and that the final Rule should exempt ``e-mails regarding current or 
prospective job openings that are sent to individuals who are not 
currently employed by the sender, and who are not charged any fees 
or other consideration in connection with any current or prospective 
job.'' ASA. As noted above, if such emails do not advertise or 
promote a product or service, they are not commercial email messages 
and thus they fall outside the Act.
    \142\ 16 CFR 316.3.
---------------------------------------------------------------------------

h. Electronic Newsletter Subscriptions and Other Content that a 
Recipient is Entitled to Receive as a Result of a Prior Transaction 
with the Sender

    The NPRM asked ``where a recipient has entered into a transaction 
with the sender that entitles the recipient to receive future 
newsletters or other electronically delivered content, should email 
messages the primary purpose of which is to deliver such products or 
services be deemed transactional or relationship messages?''\143\ The 
commenters that addressed this issue generally believed such emails 
were ``transactional or relationship messages'' under section 
7702(17)(A)(v).\144\ Several commenters thought the Commission's 
``primary purpose'' rule already addressed the issue and supported the 
position that transmission of a periodical delivered via email ``falls 
within one of the `transactional or relationship message' 
categories.''\145\ In addition, three commenters stressed that it is 
irrelevant whether electronic newsletters or other content provided via 
subscription are entirely commercial in nature (e.g., a catalog), so 
long as the content conforms to the consumer's reasonable expectations 
about the material he or she has requested.\146\
---------------------------------------------------------------------------

    \143\ NPRM, 70 FR at 25450.
    \144\ See NADA; NAEDA; Wahmpreneur; ICC; MPAA; KeySpan; PCIAA; 
United; IPPC; Jumpstart; NEPA; TimeWarner; DoubleClick; Mattel. See 
also NFCU (electronic newsletters sent to a sender's members should 
be entirely exempt from CAN-SPAM); Discover (arguing that primary 
purpose of a newsletter delivered by email should be determined on a 
case-by-case basis); Schnell (opining that consumer request for 
electronic newsletter or other content is not determinative under 
CAN-SPAM); Sonnenschein (advocating a distinction between the ``bona 
fide transaction [in which a consumer] sign[s] up for a service or 
subscrib[es] to receive emails, coupons, or electronic newsletters 
and the mere provision of affirmative consent to receive commercial 
emails'').
    \145\ See DoubleClick; MPAA; FNB.
    \146\ See NEPA; ICC; Sonnenschein.
---------------------------------------------------------------------------

    The comments do not establish the statutory prerequisite to 
modifying the definition of ``transactional or relationship message'' 
expressly to address electronic newsletters and other content sent 
pursuant to a subscription. Specifically, there is no showing that such 
a modification is necessary to accommodate changes in email technology 
or practices and to accomplish the goals of the Act. Moreover, the 
Commission believes that the existing definition of ``transactional or 
relationship message'' already adequately addresses such emails. In 
view of the comments received on this issue, the Commission continues 
to believe, as it stated in the Primary Purpose Rulemaking, that when a 
recipient subscribes to a periodical delivered via email, transmission 
of that periodical to that recipient falls within section 
7702(17)(A)(v), which includes ``goods or services . . . that the 
recipient is entitled to receive under the terms of a transaction that 
the recipient has previously agreed to enter into with the sender,'' 
provided the periodical consists exclusively of informational content 
or combines informational and commercial content.\147\ On the other 
hand, when a sender delivers an unsolicited newsletter or other 
periodical via email, and there is no subscription, the situation is 
materially

[[Page 29667]]

different for purposes of CAN-SPAM than when such content is delivered 
with the consent of the recipient. In such a scenario, the emails 
likely would not be ``transactional or relationship messages'' within 
the meaning of the Act.
---------------------------------------------------------------------------

    \147\ See NPRM, 70 FR at 3118. Likewise, the Commission 
continues to believe that, as it explained in the Primary Purpose 
Rulemaking, ``if an email consists exclusively of commercial content 
(such as a catalog or other content that is purely an advertisement 
or promotion), then the email would be a single-purpose commercial 
message. This is because delivery of such advertising or promotional 
content would not constitute the `delivery of goods or services * * 
* that the recipient is entitled to receive under the terms of a 
transaction that the recipient has previously agreed to enter into 
with the sender,' under section 7702(17)(A)(v).'' Id. at 3118 n.91.
---------------------------------------------------------------------------

i. ``Business Relationship'' Messages

    The NPRM asked whether the Commission should expand the Act's 
definition of ``transactional or relationship message'' to include what 
some commenters call ``business relationship messages,'' which are 
individualized messages sent from one employee of a company to an 
individual recipient (or a small number of recipients) at another 
business.\148\ Or, as one commenter described this type of message 
``one-to-one e-mail that is sent by employees in the business-to-
business context.''\149\ The nine commenters who addressed the issue of 
``business relationship'' messages all supported expanding the 
definition of ``transactional or relationship message'' to include this 
type of email. Commenters did not claim that business relationship 
messages are ``commercial electronic mail messages'' under the Act, 
but, rather, opined that if such messages were deemed ``commercial 
electronic messages,'' they would face significant administrative and 
technological burdens, because business email systems are not designed 
to scrub each email sent by each employee against the business's CAN-
SPAM opt-out list.\150\ In addition, commenters argued that such a 
requirement would interfere with legitimate practices that are critical 
to business relationships and operations.\151\ To avoid any such 
potential problems, the commenters urged the Commission to add a new 
category of ``transactional or relationship message'' to cover business 
relationship messages.
---------------------------------------------------------------------------

    \148\ Id. at 25438 n.137, 25450. For the most part, commenters 
described ``business relationship messages'' as arising in the 
context of business-to-business communications, rather than 
communications with individual consumers. See, e.g., BOA (``For 
example, in the first mortgage business, e-mails are sent to brokers 
to inform them up-to-the minute information about current mortgage 
rates.''); CBA (``in the context of the equipment leasing industry, 
it is typical for lenders to e-mail equipment vendors a rate sheet 
that describes the amount of interest a lender would charge on a 
given piece of equipment''); Reed (``For example, our ad sales 
personnel routinely contact current advertisers about upcoming 
issues of publications.''). But see Cendant (interpreting ``business 
relationship messages'' to encompass messages from a business to 
individual consumers with whom the sender has an existing business 
relationship).
    \149\ See CBA.
    \150\ See, e.g., BOA; CBA; Wells Fargo; MPAA.
    \151\ See BOA; CBA; Cendant; ESPC; ICC; KeySpan; MPAA; Reed; 
Wells Fargo.
---------------------------------------------------------------------------

    None of the commenters, however, demonstrated changes in email 
technology or practices that would warrant an express carve-out for 
business relationship messages. For example, there is no evidence that 
the technological burdens that the commenters cite as a basis for 
creating the exemption did not exist when the Act was passed in 2003. 
There is, therefore, an insufficient evidentiary basis to modify the 
definition of ``transactional or relationship message'' under the 
statutory standard. Thus, the Commission declines to add a ``business 
relationship message'' category to the definition of ``transactional or 
relationship.''
    In any event, the commenters' concerns about the impact of the Act 
on the ability of one of their employees to send emails to a small 
number of employees at another company with which they have a 
preexisting relationship may be overblown. For example, to the extent 
an employee at one company provides affirmative consent to receive 
emails from an employee of another company, or from that company in 
general, such consent overrides any prior opt-out request.\152\ 
Consequently, when affirmative consent has been given, there is no need 
to ``scrub'' the email against the business's CAN-SPAM opt-out list. 
Nevertheless, the recipient can always opt out of receiving future 
emails from the sender, notwithstanding his or her prior affirmative 
consent. As the Commission has previously observed, affirmative consent 
to receive commercial emails from a sender does not eliminate the 
sender's obligation to provide a functioning Internet-based mechanism 
to opt out of receiving future emails or any of the sender's other 
obligations under CAN-SPAM.
---------------------------------------------------------------------------

    \152\ 15 U.S.C. 7704(a)(4)(B).
---------------------------------------------------------------------------

j. Messages from an Association to its Membership

    In the NPRM, the Commission stated that it believes that email 
messages from an association or membership entity to its members are 
likely ``transactional or relationship messages'' under section 
7702(17)(A)(v).\153\ The Commission inquired whether messages from such 
senders to lapsed members should also be considered transactional or 
relationship under section 7702(17)(A)(v), and whether messages to 
lapsed members should be considered commercial electronic messages when 
they advertise or promote the membership entity.\154\ The seven 
commenters that addressed this question argued that email messages to 
lapsed members should be considered ``transactional or relationship 
messages,''\155\ but most recommended limiting the amount of time that 
such email messages may be sent to former members.\156\
---------------------------------------------------------------------------

    \153\ NPRM, 70 FR at 25450.
    \154\ Id.
    \155\ See NAEDA; Independent; NAFCU; CUNA; Cendant; PCIAA; SIIA. 
In addition, some commenters, while not responding to the NPRM's 
inquiry about lapsed members, addressed the question of the Act's 
regulation of communications from an association to its current 
members. See, e.g., Metz; SHRM; ABM; ARTBA; NAR; ACA; ASAE. As the 
Commission explained in the NPRM, 70 FR at 25438, and reiterates 
here, messages from an association to its membership are likely 
transactional or relationship in nature. The Commission continues to 
believe, however, that there is no basis to expand the existing 
definition of ``transactional or relationship'' to create an express 
exemption for such communications.
    \156\ See NAEDA (arguing that messages to former members should 
be allowed and considered transactional or relationship messages for 
a specific amount of time e.g., 180 days); Independent (arguing that 
messages to former members are still ``transactional or relationship 
messages'' rather than ``commercial'' messages for 12 months after 
membership lapses); Cendant (membership entity should be able to 
contact members for 18 months after last transaction); CUNA (arguing 
that contact may be made for a reasonable amount of time); PCIAA 
(stating that, consistent with the Do-Not-Call Rules, an email 
message to a lapsed member should be considered a ``transactional or 
relationship message'' for 90 days after the membership has lapsed); 
VFCU (arguing that email messages to lapsed members should still be 
considered transactional or relationship in nature if the purpose is 
related to administrative matters). See also SIIA (arguing against a 
``per se approach'' concerning an association's communications with 
lapsed members).
---------------------------------------------------------------------------

    Under the existing definition of ``transactional or relationship 
message'' the Commission believes that where a recipient is no longer a 
member of an organization, it is unlikely that messages from the 
organization fall within any of the categories of ``transactional or 
relationship messages.''\157\ For example, a message that advertises or 
promotes the sale of a new or renewed membership would be a 
``commercial electronic mail message'' (or a dual purpose message to 
the extent it also includes non-commercial content). However, the 
Commission declines to modify the definition of ``transactional or 
relationship message'' to include such emails. None of the commenters 
offered any evidence that either such modification is necessary to 
accommodate changes in email

[[Page 29668]]

practices or technology or to accomplish the purposes of the Act, and 
thus the statutory standard for amending the definition of 
``transactional or relationship message'' is not satisfied.
---------------------------------------------------------------------------

    \157\ There are, of course, exceptions; for example, an email 
from a membership organization to a lapsed member to obtain payment 
of a debt would be a ``transactional or relationship'' message under 
section 7702(17)(a)(i), just as a debt collection email from non-
membership entity would be transactional and relationship in nature, 
as discussed above. See supra Part II.A.3.b.
---------------------------------------------------------------------------

4. Section 316.2(p) -- Definition of ``Valid Physical Postal Address''

    Proposed Rule 316.2(p) clarified that a sender may comply with 
section 7704(a)(5)(A)(iii) of the Act -- which requires inclusion in 
any commercial email message of the sender's ``valid physical postal 
address'' -- by including in any commercial email message any of the 
following: (1) the sender's current street address; (2) a Post Office 
box the sender has registered with the United States Postal Service; or 
(3) a private mailbox the sender has registered with a commercial mail 
receiving agency (``CMRA'') that is established pursuant to United 
States Postal Service regulations. A substantial majority of commenters 
supported the proposed definition. In consideration of these comments, 
the Commission adopts as a final Rule a modified version of the 
definition proposed in the NPRM. This modified definition allows for 
the use of Post Office or private mailboxes, but clarifies that a 
sender must ``accurately'' register such mailboxes pursuant to postal 
regulations to be considered a ``valid physical postal address'' under 
the Act. Comments addressing the proposed definition are discussed in 
detail below.
    In response to the NPRM, the Commission received 25 comments 
addressing the definition of ``valid physical postal address.'' Of 
these, 18 commenters supported the definition as proposed. 
Specifically, supporters noted that the proposed definition 
appropriately recognized that many legitimate businesses, large and 
small alike, use Post Office boxes or private mailboxes, and that 
allowing commercial email messages to disclose such a P.O. box or 
private mailbox would provide flexibility and security to email 
marketers without compromising law enforcement efforts.\158\ Other 
commenters, including small businesses and independent contractors, 
supported the proposed definition because it recognizes the privacy and 
security concerns of individuals who work from home or are fearful of 
publishing their street address for other reasons.\159\
---------------------------------------------------------------------------

    \158\ See, e.g., ACLI; ACB; DMA; DoubleClick; NNA; SIA.
    \159\ See Discover; Independent; NAR.
---------------------------------------------------------------------------

    Two additional commenters supported the Commission's proposal that 
P.O. boxes and private mailboxes be included under the definition of 
``valid physical postal address,'' but objected to the additional 
requirement that the sender be registered with the United States Postal 
Service (``USPS''). Specifically, HSBC Bank Nevada (``HSBC'') and 
MasterCard suggested that the definition be modified to allow for any 
address to which mail is delivered for a particular sender, whether or 
not that sender is registered with the USPS.\160\ HSBC noted that 
several affiliated companies often will receive mail at the same P.O. 
box, yet not all such companies may be registered to use that box with 
the USPS, as the proposed definition would require.\161\ HSBC and 
MasterCard argued that their proposed modifications would achieve the 
purposes of the Act by providing consumers with a mechanism to contact 
senders other than by email.\162\ The approach suggested by MasterCard 
and HSBC, however, does not take into account the other important 
purpose of the valid physical postal address provision -- that law 
enforcement authorities be able to identify a sender using a given 
address, which would be difficult if not impossible without 
registration of all mailbox users with the USPS.\163\
---------------------------------------------------------------------------

    \160\ See HSBC; MasterCard.
    \161\ See HSBC.
    \162\ See HSBC; MasterCard.
    \163\ Under USPS regulations, federal, state, or local 
government agencies may obtain postal and private mailbox registrant 
information from the USPS upon written certification that such 
information is required to perform the agency's duties. 39 CFR 
265.6(d)(4) & (d)(9). This is one avenue that law enforcement can 
pursue in order to identify a sender that fails to comply with CAN-
SPAM.
---------------------------------------------------------------------------

    Furthermore, USPS regulations require that anyone registering an 
individual P.O. box identify the names of all persons authorized to 
receive mail at such address, and to provide two forms of 
identification for each listed person.\164\ Similarly, with respect to 
``organization'' P.O. boxes or private mailboxes where the applicant is 
a ``firm,'' USPS regulations require any of the organization's members 
or employees who receive mail at such mailbox to be listed on the 
requisite postal form.\165\ Thus, USPS regulations specifically require 
that anyone receiving mail at a given address be registered with the 
USPS.
---------------------------------------------------------------------------

    \164\ See Domestic Mail Manual (``DMM'') 508.4.3.1(b) (other 
adult persons who receive mail in the post office box of an 
individual box customer must be listed on Form 1093 and must present 
two items of valid identification to the post office).
    \165\ See DMM 508.4.3.1(c) (requiring an organization's 
employees or members who receive mail at the organization's postal 
box to be listed on Form 1093; each person must have verifiable 
identification and present this identification to the Postal Service 
upon request) and PS Form 1583 (if applicant is a firm, applicant 
must provide the name of each person whose mail is to be delivered).
---------------------------------------------------------------------------

    Only five commenters opposed the Commission's proposed definition 
of ``valid physical postal address.'' Three of these commenters felt 
that P.O. boxes and private mailboxes should not be included in the 
proposed definition because they are often used in fraud schemes as a 
way to shield their owners from identification.\166\ The Commission 
previously addressed this argument in the NPRM, noting that ```[a]n 
individual or entity seeking to evade identification can just as easily 
use inaccurate street addresses' as hide behind a Post Office box or 
private mailbox.''\167\ No commenters provided any information to 
refute this statement.
---------------------------------------------------------------------------

    \166\ See CUNA; NFCU; Sowell.
    \167\ NPRM, 70 FR at 25439 (quoting SIIA).
---------------------------------------------------------------------------

    One consumer commenter opposing the proposed definition suggested 
that P.O. boxes have proven insufficient as a means of contacting 
senders that fail to honor opt-out requests.\168\ The Commission, 
however, has no evidence to suggest that certain senders are difficult 
to contact because of the fact that those senders have provided P.O. 
boxes or private mailboxes as their contact addresses. It is more 
likely the case that such senders are unscrupulous and have either 
provided a false or nonexistent address as a means of evading 
identification, or simply do not respond to consumer inquiries. In such 
instances, the Commission sees no added benefit to requiring that 
senders provide a street address, which could just as easily be 
falsified or simply disregarded.
---------------------------------------------------------------------------

    \168\ See Kapecki.
---------------------------------------------------------------------------

    Finally, ACUTA suggested that the Commission assess and evaluate 
the relevant postal regulations to ensure that they adequately protect 
the interests of consumers and law enforcement.\169\ Such evaluation, 
however, goes beyond the scope of this rulemaking proceeding -- 
especially when the Commission has no basis upon which to question the 
effectiveness of the USPS regulations.
---------------------------------------------------------------------------

    \169\ See ACUTA.
---------------------------------------------------------------------------

    In consideration of all of these comments, the Commission adopts a 
modified definition of ``valid physical postal address.'' In the final 
Rule, the Commission has modified slightly the definition of ``valid 
physical postal address'' to clarify that a sender must ``accurately'' 
register a P.O. box or private mailbox in compliance with these 
regulations. For example, if a sender provides a P.O. box or private 
mailbox address in its commercial email message and is not accurately 
identified

[[Page 29669]]

on the applicable postal form, fails to provide two forms of valid 
identification if required,\170\ or otherwise fails to comply with 
applicable USPS regulations, such address would not be considered a 
``valid physical postal address'' for purposes of the Act. Accordingly, 
the Commission adopts final Rule 316.2(p), which provides that a 
```valid physical postal address' means the sender's current street 
address, a Post Office box the sender has accurately registered with 
the United States Postal Service, or a private mailbox the sender has 
accurately registered with a commercial mail receiving agency that is 
established pursuant to United States Postal Service regulations.'' 
(Emphasis added.)
---------------------------------------------------------------------------

    \170\ See, e.g., DMM 508.1.9.2(a) (requiring applicants of 
private mailboxes to furnish two forms of valid identification).
---------------------------------------------------------------------------

5. Applicability of the Act to Forward-to-a-``Friend'' Email Marketing 
Campaigns

    In the NPRM, the Commission sought comment on CAN-SPAM's impact on 
forward-to-a-``friend'' email -- a type of commercial email that can 
take a variety of forms. In its most basic form, a person (the 
``forwarder'') receives a commercial email message from a seller and 
forwards the email message to another person (the ``recipient''). Other 
scenarios include those in which a seller's web page enables visitors 
to the seller's website to provide the email address of a person to 
whom the seller should send a commercial email.
    Due to the myriad forms of forward-to-a-``friend'' email, CAN-
SPAM's applicability to such messages is a highly fact specific 
inquiry. As explained below, the central question in this analysis 
often will be whether the seller has ``procured'' the origination or 
transmission of the forwarded message.

a. Background

    In the NPRM, the Commission discussed the interplay of multiple 
definitions in CAN-SPAM and their relevance in analyzing the Act's 
applicability to forward-to-a-``friend'' emails. The Commission began 
its analysis by examining CAN-SPAM's definition of ``sender'' which the 
Act defines to mean ``a person who initiates [a commercial electronic 
mail] message and whose product, service, or Internet web site is 
advertised or promoted by the message.''\171\ Thus, to be a ``sender,'' 
a seller must be both an ``initiator'' of the message and have its 
product, service, or Internet website advertised or promoted by the 
message.
---------------------------------------------------------------------------

    \171\ 15 U.S.C. 7702(16)(A).
---------------------------------------------------------------------------

    A forward-to-a-``friend'' email will ordinarily advertise a 
seller's product, service, or website. Thus, the NPRM focused on 
whether a seller would meet CAN-SPAM's definition of ``initiate.'' The 
Act defines ``initiate'' to mean ``to originate or transmit such 
message or to procure the origination or transmission of such message, 
but shall not include actions that constitute routine conveyance of 
such message.''\172\
---------------------------------------------------------------------------

    \172\ 15 U.S.C. 7702(9).
---------------------------------------------------------------------------

    In the NPRM, the Commission then examined the meaning of the term 
``procure'' and concluded that a seller ``procures'' an email by 
either: (1) providing a forwarder with consideration (such as money, 
coupons, discounts, awards, additional entries in sweepstakes, or the 
like) in exchange for forwarding the message, or (2) intentionally 
inducing the initiation of a commercial email through an affirmative 
act or an explicit statement that is ``designed to urge another to 
forward the message.''\173\ Thus, the Commission opined that CAN-SPAM's 
inclusion of the word ``induce'' in the definition of ``procure,'' 
meant that a seller could ``procure'' the initiation of a message 
without offering to provide a forwarder with any consideration if it 
exhorted visitors to its website to forward a message.\174\
---------------------------------------------------------------------------

    \173\ The NPRM indicated that to ``intentionally induce'' the 
initiation of a commercial email a ``seller must make an explicit 
statement that is designed to urge another to forward the message.'' 
70 FR 25441.
    \174\ For instance, the Commission posited that a seller would 
induce a message (and therefore ``procure'' the initiation of a 
message) if, without offering to provide a forwarder with any 
consideration, its web-based forwarding mechanism urged visitors to 
``Tell-A-Friend--Help spread the word by forwarding this message to 
friends! To share this message with a friend or colleague, click to 
the `Forward E-mail button.''' NPRM, 70 FR at 25441 n.178.
---------------------------------------------------------------------------

    Finally, the Commission concluded by stating that a seller who 
offered a web-based ``click-here-to-forward'' mechanism, but did not 
exhort visitors to forward a message or offer to pay or provide other 
consideration in exchange for forwarding the message, would be engaged 
in the ``routine conveyance'' of the message and therefore not be an 
``initiator'' of the message.\175\
---------------------------------------------------------------------------

    \175\ Id. at 25441-42.
---------------------------------------------------------------------------

b. Comments Received in Response to the NPRM

    The Commission received more than forty comments concerning 
forward-to-a-``friend'' emails. Some of these comments asserted that: 
(1) forward-to-a-``friend'' messages are not ``commercial electronic 
mail messages''; (2) most marketers whose products, services, or 
website are promoted by a forward-to-a-``friend'' message are engaged 
in ``routine conveyance''; (3) the Commission's view of ``routine 
conveyance'' was unduly narrow; (4) forward-to-a-``friend'' emails sent 
through a seller's web-based mechanism should be treated the same as 
emails that the seller sends to a forwarder who then forwards the 
messages to a recipient; (5) making CAN-SPAM's applicability hinge on 
whether a seller offered to pay a forwarder consideration was contrary 
to the language and purpose of the Act; (6) sweeping forward-to-a-
``friend'' messages into CAN-SPAM would impose high compliance burdens 
for sellers. Each cluster of comments is elaborated upon below.
    First, some commenters opined that the most relevant inquiry in a 
forward-to-a-``friend'' scenario is whether the primary purpose of the 
forwarded message is ``commercial.'' If the message's primary purpose 
is not ``commercial'' (and it is not a ``transactional or relationship 
message''), CAN-SPAM does not apply.\176\
---------------------------------------------------------------------------

    \176\ See CBA; DMA; HSBC; Wells Fargo. Section 316.3 of the Rule 
defines the ``primary purpose'' test for commercial email. 16 CFR 
316.3.
---------------------------------------------------------------------------

    Second, a handful of commenters asserted that the key factor in 
determining whether a forward-to-a-``friend'' message is covered by the 
Act should be whether the seller is engaged in ``routine 
conveyance.''\177\ These commenters argued that under section 7702(9) 
of the Act, any person engaged in ``routine conveyance'' is necessarily 
not an ``initiator,'' and thus it is unnecessary to inquire whether it 
``procured'' the message in question.
---------------------------------------------------------------------------

    \177\ See, e.g., Microsoft.
---------------------------------------------------------------------------

    Third, a number of commenters posited that the Commission's 
understanding of what constitutes ``routine conveyance'' was unduly 
narrow.\178\ Many commenters opined that all, or almost all, forward-
to-a-``friend'' mechanisms constitute ``routine conveyance.''\179\ Some 
commenters argued that under the Act's definition of ``initiate,'' 
whether a company pays consideration or otherwise induces a person to 
forward an email is irrelevant to whether the company is engaged in 
``routine

[[Page 29670]]

conveyance.''\180\ The majority of commenters, however, expressed the 
view that a company that offers consideration to a person to send or 
forward an email to another person is not engaged in ``routine 
conveyance'' under the Act.\181\ Within this group, commenters were 
divided as to whether the offer of de minimis consideration, such as 
coupons, sweepstakes entries, or points towards the purchase of a good 
or service, was sufficient to render a company ineligible for the 
``routine conveyance'' exception.\182\
---------------------------------------------------------------------------

    \178\ See, e.g., AeA; Charter; ePrize; ERA; Independent; MPA; 
Masterfoods; Mattel; Microsoft; OPA; PMA.
    \179\ See AeA; ePrize; ERA; MPAA; MPA; Masterfoods; Mattel; 
Microsoft; NCTA; NetCoalition; OPA; PMA; SIIA; Wells Fargo. But see 
Metz (``A company that sends a commercial e-mail and provides a 
website for forwarding that e-mail is not simply engaging in 
`routine conveyance'; the message that it is conveying is its 
own.'').
    \180\ See, e.g., ERA; ePrize; MPA; Microsoft (``a message may be 
induced or procured but still fall within the routine conveyance 
exception to the Act's definition of `initiate'''); NAIFA; PMA; 
SIIA.
    \181\ See ACLI; BOA; Charter; CBA; Discover; MasterCard; MPAA; 
NRF; NetCoalition; OPA; Time Warner.
    \182\ For comments arguing that a company could be engaged in 
routine conveyance notwithstanding its offer of sweepstakes entries, 
coupons, discounts, ``points'' and the like to persons for 
forwarding an email, see, e.g., AeA; ERA; FNB; Mattel; Coalition; 
PMA; RIAA (``[The] legislative history also casts doubt on whether 
Congress intended that the furnishing of merely nominal 
consideration - for instance, `points' to be accumulated toward the 
award of a free CD or music download - would be enough to qualify as 
`procuring' the forwarding of a commercial e-mail. Surely when one 
company `hires' another to carry out a commercial e-mail campaign, 
much more than nominal consideration would be involved.''). For 
comments expressing the view that an offer of sweepstakes entries, 
points, coupons, discounts and the like in exchange for forwarding a 
message would render a company ineligible for the routine conveyance 
exception, see, e.g., Charter; MPAA; NAA; NRF; OPA; Time Warner.
---------------------------------------------------------------------------

    Fourth, many commenters also stated that web-based mechanisms for 
forwarding emails should be treated no differently than the ``forward'' 
button on a typical email program.\183\ In these email programs, the 
``sender'' of the email, according to the commenters, is the person 
forwarding the email.
---------------------------------------------------------------------------

    \183\ See, e.g., Charter; DMA.
---------------------------------------------------------------------------

    Fifth, many of the commenters noted that making the offer of 
consideration the standard for determining whether a forwarder 
``procured'' the origination or transmission of a message or engaged in 
``routine conveyance'' would both be contrary to Congress's intent in 
passing the CAN-SPAM Act,\184\ and unnecessary because there is no 
evidence to suggest that Congress or consumers viewed forward-to-a-
``friend'' messages as spam.\185\
---------------------------------------------------------------------------

    \184\ See AeA; Associations; Charter; CBA; DoubleClick; 
MasterCard; Microsoft; NAIFA; NCTA; NetCoalition; PMA; RIAA; SIIA; 
Wells Fargo.
    \185\ See Masterfoods; Mattel; Visa.
---------------------------------------------------------------------------

    Finally, some commenters noted the compliance burdens that would 
result from the inclusion of forward-to-a-``friend'' emails in CAN-
SPAM's regulatory regime. According to these commenters, once a person 
forwards an email using his or her own email program, the original 
``sender'' loses the ability to control the email message's content and 
whether the message retains its compliance with CAN-SPAM.\186\ 
Commenters also stated that it was very difficult to check the names of 
recipients of forwarded messages against company opt-out lists.\187\ 
Moreover, some commenters who operate websites directed to children 
opined that if they were considered the ``sender'' of certain forwarded 
emails, they would have to honor opt-out requests and maintain opt-out 
lists, which might cause conflicts with the Children's Online Privacy 
Protection Rule.\188\
---------------------------------------------------------------------------

    \186\ See Associations; BOA; Charter; CMOR; DMA; ERA; FNB; 
Jumpstart; MPAA; MPA; Coalition; NRF; NetCoalition; RIAA; 
Wahmpreneur.
    \187\ See AeA; Cendant; ePrize (there are substantial costs in 
building a software platform that would allow scrubbing of names 
before using forwarding mechanism); MPAA (``It is virtually 
impossible to meet the CAN-SPAM requirement that a company not send 
e-mail to someone who has already opted out from its lists for 
Forward to a Friend, because the company will never know the e-mail 
address of the recipient . . . . The company would need to put all 
such e-mail in a queue and then compare the recipient's e-mail 
address with its opt-out list, a complicated and laborious 
process.''); Masterfoods; Mattel; NRF; NetCoalition; Wahmpreneur.
    \188\ The Children's Online Privacy Protection Rule (``COPPA''), 
16 CFR Part 312, establishes rules and guidelines to provide a more 
secure Internet experience for children and to protect them from 
unwanted invasions of privacy. As a result, operators of websites 
directed to children have to follow specific rules on what personal 
information may or may not be gathered from children. Section 312.5 
of COPPA states: ``An operator [of a website] is required to obtain 
verifiable parental consent before any collection, use, and/or 
disclosure of personal information from children . . . .'' Two 
commenters, Masterfoods and Mattel, argued that the Commission's 
proposed application of ``induce'' would likely result in their 
being considered the ``sender'' of emails ``initiated'' through 
their websites. They therefore argued that, under the Commission's 
analysis in the NPRM, they would be required to maintain an opt-out 
list, which would undoubtedly contain personal information of 
children, and could thereby conflict with COPPA.
---------------------------------------------------------------------------

c. Commission Statement on Forward-to-a-``Friend'' Emails

    Whether a seller or forwarder is a ``sender'' or ``initiator'' is a 
highly fact specific inquiry. Nonetheless, the application of the Act 
to a forward-to-a-``friend'' message likely often will turn on whether 
the seller has offered to pay or provide other consideration to the 
forwarder. Below, the Commission expands upon its discussion contained 
in the NPRM by discussing the liability of sellers in two common forms 
of forward-to-a-``friend'' emails: (1) those sent using a web-based 
forwarding mechanism and (2) those forwarded using the forwarder's own 
email program. The Commission then discusses the potential liability 
CAN-SPAM imposes on consumers who send forward-to-a-``friend'' emails.

(i) Seller's Liability in the Context of a Forwarding Mechanism on a 
Seller's Website

    With a web-based mechanism, a seller's website includes a button 
that enables a visitor to the website to send an email advertising the 
seller's product, service, or website. When the visitor clicks on the 
button, the seller requests the recipient's email address and often 
additional information such as the visitor's name and email address. 
The seller may also enable the visitor to add text that will be 
included in the message sent to the recipient. Upon entering the 
information, the visitor must press a ``send'' button for the message 
to be sent. The message will be sent to the recipient via the seller's 
or seller's agent's email server.
    The starting point in analyzing CAN-SPAM's applicability to 
forward-to-a-``friend'' messages is the language of the Act. A seller 
is a ``sender'' if it ``initiates'' the message and its product, 
service, or Internet website is advertised or promoted in the 
message.\189\ Because the message sent using the seller's web-based 
mechanism will ordinarily advertise the seller's product, service, or 
website, the seller will be a ``sender'' if it ``initiates'' the 
message sent to the recipient.
---------------------------------------------------------------------------

    \189\ 15 U.S.C. 7702(16).
---------------------------------------------------------------------------

    CAN-SPAM defines ``initiate'' to mean ``to originate or transmit [a 
commercial email] or to procure the origination or transmission of such 
message, but shall not include actions that constitute routine 
conveyance of such message.''\190\ Thus, where a seller is involved 
solely in ``routine conveyance,'' the seller will be exempt from the 
responsibilities of an ``initiator'' or a ``sender'' under the Act. The 
Act defines ``routine conveyance'' to mean the ``transmission, routing, 
relaying, handling, or storing, through an automatic technical process, 
of an electronic mail message for which another person has identified 
the recipients or provided the recipient addresses.''\191\ The Act's 
legislative history explains that a company engages in ``routine 
conveyance'' when it ``simply plays a technical role in transmitting or 
routing a message and is not involved in coordinating the recipient 
addresses for the marketing appeal.''\192\ Thus, under the web-based

[[Page 29671]]

scenario described above, a seller that transmits a message through an 
automatic technical process to an email address provided by a 
forwarder, absent more, is engaged in ``routine conveyance'' and is 
exempt from liability under the Act.
---------------------------------------------------------------------------

    \190\ 15 U.S.C. 7702(9).
    \191\ 15 U.S.C. 7702(15).
    \192\ S. Rep. 108-102 at 15. The legislative history therefore 
makes clear that, if a seller retains the email address of the 
person to whom the message is being forwarded for a reason other 
than relaying the forwarded message (such as for use in future 
marketing efforts), the seller would not fall within the routine 
conveyance exemption.
---------------------------------------------------------------------------

    However, under the Act, ``routine conveyance'' is narrowly 
circumscribed. Where the seller goes beyond serving as a technical 
intermediary that transmits, routes, relays, handles, or stores the 
email, the seller will be liable as the ``initiator'' and ``sender'' of 
the message forwarded from its website. A seller who ``procures'' the 
origination or transmission of an email goes well beyond the technical 
role of transmitting or routing the message.
    CAN-SPAM defines ``procure'' to mean ``intentionally to pay or 
provide other consideration to, or induce another person to initiate [a 
commercial email] on one's behalf.''\193\ As explained in the NPRM, if 
a seller offers to ``pay or provide other consideration'' to a visitor 
to its website in exchange for forwarding a commercial message, the 
seller will have ``procured'' any such messages forwarded by the 
visitor.\194\ As noted in the NPRM, the term ``consideration'' is not 
defined in the Act, but is generally understood to mean ``something of 
value (such as an act, a forbearance, or a return promise) received by 
a promisor from a promisee.''\195\ This includes things of minimal 
value. Accordingly, a message has been ``procured'' if the seller 
offers money, coupons, discounts, awards, additional entries in a 
sweepstakes, or the like in exchange for forwarding a message.\196\ 
Even the offer to provide de minimis consideration takes the seller 
beyond the mere ``routine conveyance'' of the forwarded message and 
into the ``procurement'' of the forwarded message.
---------------------------------------------------------------------------

    \193\ 15 U.S.C. 7702(12).
    \194\ 70 FR at 25441.
    \195\ Black's Law Dictionary 300 (7th ed. 1999).
    \196\ NPRM, 70 FR at 25441
---------------------------------------------------------------------------

    The definition of ``procure,'' however, does not merely cover those 
scenarios in which a seller offers to pay or provide other 
consideration to a forwarder. A seller who ``induces'' another person 
to initiate a commercial email will also fall within the definition of 
``procure.'' The NPRM explained that ``to induce'' is much broader than 
``to pay consideration.'' While CAN-SPAM does not define the term 
``induce,'' in the NPRM, the Commission applied the word's common 
definition: ``to lead on to; to influence; to prevail on; to move by 
persuasion or influence.''\197\ The Commission then opined that ``to 
induce'' did not require the transfer of something of value.\198\ 
Rather, the Commission explained, ``one must do something that is 
designed to encourage or prompt the initiation of a commercial e-
mail.''\199\ Thus, the Commission stated that, ``in order to 
`intentionally induce' the initiation of a commercial email, the sender 
must affirmatively act or make an explicit statement that is designed 
to urge another to forward the message.''\200\ In addition, the 
Commission stated that whether a seller ``induced'' a person to forward 
a message could hinge on the forcefulness of the language used by the 
seller.\201\
---------------------------------------------------------------------------

    \197\ Id.
    \198\ Id.
    \199\ Id.
    \200\ Id.
    \201\ 70 FR at 25441 n.178.
---------------------------------------------------------------------------

    The Commission believes that this description of ``induce'' in the 
NPRM is unduly narrow and inconsistent with the statute's text and 
purpose. First, ``inducement'' need not take the form of an ``explicit 
statement'' or ``affirmative act'' specifically urging someone to send 
an email. The word ``induce'' in the definition of ``procure'' simply 
makes clear that a seller may ``procure'' the origination or 
transmission of a message even where it does not specifically pay or 
provide other consideration to someone for sending an email. For 
instance, where a seller offers to pay or provide consideration to 
someone in exchange for generating traffic to a website or for any form 
of referrals, and such offer results in the forwarding of the seller's 
email message, the seller will have ``induced,'' and therefore 
``procured,'' the forwarding of the seller's email. Likewise, in an 
affiliate program where the seller does not directly offer to pay a 
sub-affiliate in exchange for generating web traffic or other 
referrals, the seller's offer to pay the affiliate for generating web 
traffic or other referrals will constitute ``inducement'' of emails 
sent by the sub-affiliate that advertise the seller's product, service, 
or website. Under each of these scenarios, the seller will have 
``induced'' the forwarding of an email and will have gone well beyond 
routine conveyance.
    However, CAN-SPAM's applicability should not rest on the 
specificity or forcefulness of the language used by the seller, 
notwithstanding the suggestion to the contrary in the NPRM.\202\ 
Accordingly, a seller's use of language exhorting consumers to forward 
a message does not, absent more, subject the seller to ``sender'' 
liability under the Act.
---------------------------------------------------------------------------

    \202\ Id.
---------------------------------------------------------------------------

    A seller, of course, is not prohibited from offering consideration 
to a visitor to its website in exchange for forwarding a commercial 
message, or otherwise inducing the visitor to do so. If it does, 
however, it will not be engaged in mere ``routine conveyance'' and must 
therefore comply with CAN-SPAM's requirements for a ``sender.'' For 
instance, the seller will need to ensure that it does not forward a 
message to a recipient who has previously made an opt-out request and 
will need to include in the message an opt-out mechanism.

(ii) Seller's Liability for Email Forwarded Using a Consumer's Email 
Program

    In the most basic forward-to-a-``friend'' scenario, a seller sends 
a commercial email to a consumer who then, using his or her own email 
program, forwards the message to a recipient.\203\ Typically, the 
seller will have no liability under CAN-SPAM for the original 
recipient's forwarding of an email. It is only where the seller 
``initiates'' the forwarding of the message that it will be deemed the 
``sender'' of the forwarded message under the Act.\204\ Again, the 
starting point is the language of the Act, which defines ``initiate'' 
as ``to originate or transmit [a commercial email] or to procure the 
origination or transmission of such message, but shall not include 
actions that constitute routine conveyance of such message.''\205\ In 
contrast to the web-based scenario discussed above, the ``routine 
conveyance'' exemption has no applicability when a consumer forwards a 
message using his or her own email program, because the seller would 
not be involved in the transmission, routing, relaying, or storage of 
the forwarded message. Nor is the seller ``originating'' or 
``transmitting'' the message in this scenario. The inquiry thus turns 
on whether the seller has ``procured'' the forwarded message. The 
principles guiding the determination of whether the seller has 
``procured'' the forwarded message are the same here as when the 
forwarding occurs through the seller's website. Accordingly, if the 
seller ``pays or provides other consideration'' to someone in exchange 
for forwarding the commercial message, the seller will have 
``procured'' the forwarding of the

[[Page 29672]]

email.\206\ For the reasons explained above, this is true regardless of 
the amount of the consideration offered; offering de minimis 
consideration in the form of coupons, discounts, sweepstakes entries 
and the like in exchange for forwarding a commercial email constitutes 
``procurement'' of the forwarded message. Likewise, if the seller 
``induces'' the forwarding of the message -- such as by offering 
payment in exchange for generating traffic to a website -- it will be 
an ``initiator,'' and thus also the ``sender,'' of the forwarded 
message. In such a circumstance, the seller will be obligated to comply 
with CAN-SPAM's requirements for a ``sender,'' such as ensuring that 
the forwarded message contains a functioning opt-out mechanism and 
ensuring that email is not forwarded to someone who has already opted 
out of receiving commercial emails from the seller.\207\
---------------------------------------------------------------------------

    \203\ We assume for purposes of this analysis that the email 
promotes or advertises the seller's product, service, or website.
    \204\ 15 U.S.C. 7702(9).
    \205\ Id.
    \206\ 15 U.S.C. 7702(12).
    \207\ As noted above, a number of commenters argued that 
complying with the Act's requirements when a consumer uses his or 
her own email program to forward the seller's email is impracticable 
for the seller. See Associations; BOA; Charter; CMOR; DMA; ERA; FNB; 
Jumpstart; MPAA; MPA; Coalition; NRF; NetCoalition; RIAA; 
Wahmpreneur. However, it is our understanding that marketing 
campaigns in which consideration is offered to consumers in exchange 
for forwarding an email typically rely on the seller's web-based 
forwarding mechanism. In such circumstances, there is no reason the 
seller cannot fully comply with CAN-SPAM.
---------------------------------------------------------------------------

(iii) Liability of a Consumer-Forwarder

    The NPRM did not discuss the potential liability of a consumer who 
forwards a commercial message via a seller's web-based mechanism or 
using his or her own email program. Such a consumer-forwarder would be 
an ``initiator'' under CAN-SPAM regardless of whether the seller 
``procured'' the message because, as explained above, the definition of 
``initiate'' includes the ``origination'' of a message and the 
consumer-forwarder would be the ``originator'' of the message. Thus, 
while a seller who provided a web-based forwarding mechanism (and did 
not ``procure'' the message) would be exempt from ``initiator'' or 
``seller'' liability where it was engaged in ``routine conveyance,'' 
the consumer-forwarder still would be an ``initiator.'' Likewise, a 
consumer who forwarded a message using his or her own email program 
(and the message was not ``procured'' by the seller) would be an 
``initiator'' of the message, while the seller would not be.
    Thus, the Act's terms result in an anomaly: a seller in such 
situations would be exempt from liability under CAN-SPAM, but the 
consumer-forwarder would be required to comply with CAN-SPAM's 
``initiator'' obligations. In other words, as ``initiators,'' ordinary 
consumers who, without being offered any consideration or inducement, 
forward a commercial message using either a seller's web-based 
forwarding mechanism or their own email program, would be required to 
provide recipients with a mechanism for opting out of receiving future 
commercial emails from the ``sender,'' a clear and conspicuous 
disclosure that the message is an advertisement or solicitation, a 
clear and conspicuous notice of the right to opt out of receiving 
commercial emails from the ``sender,'' and a clear and conspicuous 
disclosure of the ``sender's physical address.'' Yet, because the 
seller is not an ``initiator,'' there would be no ``sender'' of the 
message under the Act.
    The Commission believes that Congress did not intend to sweep into 
CAN-SPAM's regulatory scheme consumers who, without being offered any 
consideration or inducement for doing so, use a seller's web-based 
forwarding mechanism or their own email programs to send isolated 
commercial email messages to recipients. Indeed, as the Commission 
recognized in promulgating the Primary Purpose Rule, ``the repeated 
inclusion of the modifying word `commercial' in section 7702(2)(A) is 
not merely tautological, but evidences an intention to ensure that the 
CAN-SPAM regulatory scheme would not reach isolated email messages sent 
by individuals who are not engaged in commerce, but nevertheless seek 
to sell something to a friend, acquaintance, or other personal 
contact.''\208\ Hence, the Commission believes that under these facts, 
such a consumer-forwarder would not be swept into CAN-SPAM's regulatory 
scheme.\209\
---------------------------------------------------------------------------

    \208\ 70 FR at 3113.
    \209\ For the same reason, even where consideration or 
inducement such as coupons, discounts, awards, additional entries in 
sweepstakes is provided to the consumer-forwarder, the consumer-
forwarder is unlikely to be a target of enforcement (though the 
seller offering the consideration or other inducement might be), 
absent indicia that the consumer-forwarder is, in fact, acting akin 
to an affiliate marketer, for example.
---------------------------------------------------------------------------

B. Section 316.4 -- Prohibition Against Failure to Effectuate An Opt-
Out Request Within Ten Business Days of Receipt

    Section 7704(a)(4) of the Act prohibits senders from initiating the 
transmission of a commercial email message to a recipient more than ten 
business days after the senders have received the recipient's opt-out 
request. Section 7704(c)(1) gives the Commission authority to issue 
regulations modifying the ten-business-day period -- what is, in 
effect, a ``grace period'' -- for processing recipients' opt-out 
requests if the Commission determines that a different time frame would 
be more reasonable after taking into account ``(A) the purposes of 
[subsection 7704(a)]; (B) the interests of recipients of commercial 
electronic mail; and (C) the burdens imposed on senders of lawful 
commercial electronic mail.''\210\ Accordingly, in the ANPR, the 
Commission sought comment on the reasonableness of the ten-business-day 
grace period for processing opt-out requests and whether a shorter 
grace period would be more reasonable, in view of the three 
considerations enumerated in the statute and the relative costs and 
benefits.
---------------------------------------------------------------------------

    \210\ 15 U.S.C. 7704(c)(1).
---------------------------------------------------------------------------

    In consideration of the comments received in response to the ANPR, 
the NPRM proposed to shorten the time period for honoring an opt-out 
request from ten to three business days. The Commission also posed a 
number of questions in Part VII of the NPRM about the appropriate time 
to allow for processing an opt-out request, including questions about: 
technical procedures and cost implications associated with opt-out 
processing; the level of risk associated with ``mail bombing'' -- the 
bombardment of an email address with commercial email in the nine 
business days following an opt-out request, aggressive email targeting 
tactics; and the effect of third-party arrangements on the timing of 
opt-out processing. In response to the NPRM, the Commission received 
numerous comments opposing the proposed rule.
    Based on the Commission's analysis of the comments received in 
response to the NPRM, the Commission is persuaded that: (1) reducing 
the opt-out grace period from ten to three business days would not 
necessarily advance the privacy interests of consumers; (2) the time 
period for processing opt-out requests required by legitimate 
commercial emailers varies, and often exceeds three business days 
depending upon a number of factors, including the size of the business, 
the existence of third-party marketing agreements, and the maintenance 
of multiple email databases; and (3) neither the current record nor the 
Commission's experience reflects that email bombing of commercial email 
recipients is a wide-scale tactic deployed by lawful commercial 
emailers. Furthermore, the record does not reflect that shortening the 
opt-out grace period would

[[Page 29673]]

necessarily reduce any potential threat of email bombing. Accordingly, 
the Commission declines to adopt a final Rule that would reduce the 
statutory grace period from ten business days to three business days, 
but will continue to monitor whether commercial emailers are using 
abusive targeting tactics and/or failing to honor opt-out requests in a 
timely manner to determine whether regulatory or other action is 
required in the future. Likewise, as explained below, the Commission 
reaffirms its refusal to impose a limit on the duration of opt-out 
requests at this time.

1. The Appropriate Deadline for Effectuating an Opt-Out Request

    Approximately 100 commenters addressed the issue of whether the 
period for opt-out compliance should be reduced. The vast majority -- 
over 85 percent -- opposed reducing the time frame to less than ten 
business days.\211\ Many of these commenters argued that the need for 
coordination and synchronization of opt-out mechanisms requires a 
minimum of ten days.\212\ Some of these commenters also suggested that 
senders of email messages who are not now complying with the Act would 
not comply with the proposed change, but those who are attempting to 
comply would be burdened, with no gain in protection of consumers's 
privacy interests.\213\
---------------------------------------------------------------------------

    \211\ See, e.g., CMOR; BrightWave; Swent; Footlocker; Intermark; 
Empire; SHRM; FNB; Wells Fargo; VCU; MPAA; ACB; Bigfoot; PMA; BOA; 
NetCoalition; Reed; DoubleClick; DMA; CBA; Time Warner; Coalition; 
NEPA; IAC.; Charter; Jumpstart; HSBC; ASAE; Comerica; Cendant; CUNA; 
KeySpan; MasterCard; Discover; Microsoft; PCIAA; Vertical; BD; 
Exact; ARTBA; ACUTA; Sprint (stating that it would have to devote at 
least 30,000 man hours, or in excess of $2 million, in order to 
modify its systems to accelerate the process of implementing opt-out 
requests); ABM (``Diversified Business Communications has concluded 
that imposition of a three-day opt-out requirement would reduce the 
effectiveness of its marketing and increase its cost by a minimum of 
$20,000 per year.'').
    \212\ See, e.g., ACUTA; BD; Experian.
    \213\ See, e.g., ERA; OPA; ATAA; ARDA; Charter; MPA; PMA.
---------------------------------------------------------------------------

    A number of commenters provided substantive descriptions of the 
time frames that are involved with processing opt-out requests and 
coordinating such efforts with third-party vendors. Commenters 
explained that the time necessary to process opt-out requests varies 
based on a number of factors, such as whether the sender itself 
collects opt-out requests and removes email addresses from its own 
marketing list or uses a third-party vendor for the entire process or 
for certain portions of the process.\214\
---------------------------------------------------------------------------

    \214\ See, e.g., DMA.
---------------------------------------------------------------------------

    According to another commenter, some cable companies rely on third-
party vendors to handle all email marketing, process opt-out requests, 
and manage suppression lists. ``The cable operator may be able to input 
a customer's opt-out request in one to two business days in its own 
internal database, but the third party vendor that provides a variety 
of targeted marketing and advertising services may take up to 8-10 
business days to complete the processing.''\215\
---------------------------------------------------------------------------

    \215\ See NCTA.
---------------------------------------------------------------------------

    A few commenters argued that delays also can result from concerns 
about privacy with respect to negotiating non-disclosure agreements and 
using hard copy media, such as CDs, to transmit their suppression 
files. As one commenter explained:
 We often see other situations that make the three-day period difficult 
at best, including large corporations with legacy databases that must 
plan for their marketing campaigns and use of suppression lists a week 
in advance, use of hard-copy media -- such as CDs -- to transmit the 
files via the postal service, and then the use by small businesses 
which only have access to low bandwidth connections. A three-day 
deadline could cause many advertisers, especially small or 
traditionally offline businesses, to abandon their e-mail acquisition 
efforts altogether in order to comply.\216\
---------------------------------------------------------------------------

    \216\ See Experian.
---------------------------------------------------------------------------

    Finally, a few commenters pointed out that they offer not only 
Internet-based opt-out mechanisms but also opportunities to unsubscribe 
by telephone or other means, which can be very time-consuming.\217\
---------------------------------------------------------------------------

    \217\ See, e.g., Masterfoods; Mattel; Jumpstart. With respect to 
these comments, the Commission notes that section 7704(a)(3)(A)(i) 
of the Act requires that a commercial email message contain a 
functioning return email address or other Internet-based mechanism 
that the recipient may use to submit an opt-out request, but does 
not require requests submitted in other ways to be honored within 
the given time period. See also NPRM, 70 FR at 25443.
---------------------------------------------------------------------------

    In terms of potential benefits to consumers from reducing the grace 
period to three business days, nearly all of the commenters argued that 
bombarding a recipient with email following an opt-out request is not a 
valid concern and that the potential risk of mail bombing would not, in 
any event, be mitigated by shortening the opt-out period to three 
days.\218\
---------------------------------------------------------------------------

    \218\ See, e.g., CMOR; Verizon; LashBack; ACLI; ABM; FNB; ERA; 
ESPC; ARTBA; MPA (arguing that, if a marketer were involved in mail 
bombing, it could still do so under a three-business-day time 
frame); PMA; BOA; SIA; NRF; NetCoalition; Reed; DoubleClick; 
Associations; Time Warner; IAC; ICC; Nextel (asserting that no 
rational marketer would undertake mail bombing); Charter; HSBC; 
MasterCard; Discover; Microsoft; Nissan; Vertical; ExactTarget; 
Sprint. But see iPost (``[I]t has been demonstrated by the use of 
`honeypot' or `spamtrap' emailboxes that submitting opt-out requests 
does lead to targeting for receipt of additional commercial email . 
. . . The length of time that elapses following submission of the 
opt-out request has little bearing on this practice, which no 
responsible marketer would employ in any case.'').
---------------------------------------------------------------------------

    A few commenters argued either in favor of the proposed three-day 
time period,\219\ or recommended time periods of less than three 
days.\220\ These commenters, several of whom are individual consumers, 
generally believe that there are no technical obstacles to automatic or 
near-automatic opt-out processing. Other commenters suggested that five 
to seven days could represent a reasonable period of time to process an 
opt-out request.\221\
---------------------------------------------------------------------------

    \219\ See Unsub; Rushing; Nelson; NAFCU.
    \220\ See Aurelius; Edge; Schaefer; Roberts; Pernetian; Amin.
    \221\ See, e.g., May (``Extending the time period to 5 days, but 
shortening from 7 [sic] days, would encompass 90% of the online 
population and is a reasonable time period to comply with opt-in 
requests.''); Clear (supporting a compromise of five or six days).
---------------------------------------------------------------------------

    Many small businesses, however, opined that compliance with a 
shorter time frame would pose a significant burden due to the technical 
support needed.\222\ For example, some small entities process opt-out 
requests manually or have only part-time staff. Given holidays and 
vacations, those entities do not believe they could process requests 
within three days.\223\ Small membership-based associations such as the 
American Road and Transportation Builders Association and SHRM also 
expressed concern about staffing issues. SHRM argued that it would be 
unreasonable to expect volunteers or even a single paid staff director 
to check for, and handle, opt-out requests several times per week to 
satisfy the proposed three-day rule.
---------------------------------------------------------------------------

    \222\ See, e.g., NADA; BrightWave; Ezines; ARDA; ABM; ASAE; NAMB 
(``NAMB believes that the proposed 3-business day time period has a 
disproportionate economic impact on all small business entities, 
which includes many mortgage brokers.''); MPA; NAR; NAA (indicating 
that a three-business-day period would be challenging for small 
newspapers); ASTA (``Nearly instantaneous processing' may be 
possible for some, but there is no record support for the 
proposition that it is possible for all, or even most, businesses, 
particularly small businesses.'').
    \223\ See, e.g., Sheu; Wiederhoeft; Intermark; ECFCU; SHRM; IS; 
ASAE; Comerica; IPPC; BD; ARTBA.
---------------------------------------------------------------------------

    Finally, a few commenters argued that ten business days is not 
sufficient time for processing opt-out requests and a longer time frame 
would be better.\224\ Some of these commenters pointed out that 
telemarketers have 31 days to process new listings on the National Do

[[Page 29674]]

Not Call Registry\225\ and that commercial email messages directed to 
certain mobile devices are prohibited if the wireless domain name 
referenced in the address has been posted on the Federal Communications 
Commission's (``FCC'') wireless domain list for at least 30 days.\226\ 
These commenters argued that, for consistency, 31 or 30 days should be 
allowed for processing opt-out requests.\227\
---------------------------------------------------------------------------

    \224\ See, e.g., NNA; ACLI; NRF; ICC.
    \225\ 69 FR 16368 (Mar. 29, 2004).
    \226\ The FCC has issued a list of wireless domains to which 
commercial email messages cannot be directed without the addressee's 
express prior authorization or if other conditions are met. 47 CFR 
64.3100(a) & (e). The thirty-day safe harbor does not apply if the 
person or entity initiating the message did so knowing the address 
was to a protected mobile service. 47 CFR 64.3100(a)(4); Rules and 
Regulations Implementing the Controlling the Assault Of Non-
Solicited Pornography and Marketing Act of 2003, CG Docket No. 04-
53, Rules and Regulations Implementing the Telephone Consumer 
Protection Act of 1991, CG Docket No. 02-278, 19 FCC Rcd. 15927, 
15969 (2004).
    \227\ See, e.g., Verizon; Intermark; NAR; SIIA; MCI; IAC.
---------------------------------------------------------------------------

    Having carefully considered the comments concerning the amount of 
time required to process and coordinate opt-out requests, along with 
the Commission's law enforcement experience, the Commission is 
persuaded that it should retain the ten-business-day grace period for 
honoring opt-out requests. The Commission is persuaded that its 
proposal in the NPRM to shorten the period to three business days could 
impose a substantial burden on legitimate commercial email marketers. 
In particular, the Commission is concerned that reducing the opt-out 
period could pose a significant challenge for small entities. In 
addition, the Commission believes that reducing the opt-out period 
would not necessarily advance the privacy interests of consumers. 
Neither the current record nor the Commission's law enforcement 
experience indicates that email bombing of commercial email recipients 
is a wide-scale tactic deployed by lawful commercial emailers, or that 
reducing the opt-out grace period would necessarily reduce any 
potential threat of email bombing.
    At the same time, the Commission rejects the argument that email 
marketers should have more than ten business days to process opt-out 
requests. The Commission finds that, based on the record, senders of 
commercial email are not unduly burdened by the ten-business-day grace 
period for honoring opt-out requests established by Congress.\228\ 
Indeed, in 2005, a Commission study revealed that nearly 90% of the top 
100 etailers honored the ten-business-day opt-out time period,\229\ 
which suggests that, on balance, compliance is feasible for most 
senders of commercial email. Further, the Commission is not persuaded 
that the fact that telemarketers have 31 days to process new listings 
on the National Do Not Call Registry justifies extending the period for 
honoring CAN-SPAM opt-out requests to 31 days, in view of the 
difference in the structure and operation of email suppression lists as 
compared to the National Do Not Call Registry.
---------------------------------------------------------------------------

    \228\ See, e.g., DoubleClick; ACB; Cendant; iPost; Empire. See 
also NCL's comments in the ANPR (stating that ``We are unaware of 
any problems with the ten-business-day time period and would 
strongly oppose lengthening it.'').
    \229\ See ``Top Etailers' Compliance with CAN-SPAM's Opt-Out 
Provisions.'' Staff Report (July 2005), available at http://www.ftc.gov/reports/optout05/050801optoutetailersrpt.pdf. This 
report explained that 89% of the top 100 etailers that sent 
commercial email during the study honored all three of the opt-out 
requests made by FTC staff.
---------------------------------------------------------------------------

    For all these reasons, the Commission declines to adopt proposed 
Rule 316.4, which would have reduced the statutory ten-business-day 
grace period for honoring opt-out requests.\230\ The grace period 
therefore remains ten business days.
---------------------------------------------------------------------------

    \230\ Proposed Rule 316.4(b) would have clarified that law 
enforcement officials are not required to allege or prove a 
defendant's state of mind to obtain a cease and desist order or an 
injunction to enforce compliance with proposed Rule 316.4(a), which 
pertains to the time period for honoring opt-out requests. Because 
the Commission declines to adopt Rule 316.4(a), proposed Rule 
316.4(b) is no longer necessary. Moreover, the language of the Act 
itself is clear on this issue -- whenever a provision of the Act or 
the Commission's Rule contains a state-of-mind component, that 
requirement does not apply when a law enforcement official seeks a 
cease and desist order or an injunction. 15 U.S.C. 7706(e) & (f)(2).
---------------------------------------------------------------------------

2. Expiration of Opt-out Requests

    In the NPRM, the Commission declined to propose a time limit for 
how long an opt-out request will remain in effect, but indicated that 
it would consider submissions of information or data that would show 
whether such a time limit would be useful in implementing the 
provisions of the Act. The Commission noted that, in the somewhat 
similar context of the Do Not Call Registry, the Registry administrator 
is able routinely to purge defunct or changed telephone numbers from 
the Registry database, whereas email marketers do not appear to have 
similar capabilities for such purging.\231\ The Commission also stated 
that an email marketer's suppression list is likely to have far fewer 
entries than the then 91 million numbers\232\ on the Do Not Call 
Registry, making the prospect of ``scrubbing'' far less daunting, and 
potentially vitiating the argument that setting an expiration period 
for opt-out requests is required.\233\
---------------------------------------------------------------------------

    \231\ 70 FR at 2544. The NPRM also stated that the duration of a 
person's registration on the Do Not Call Registry is five years or 
until the registrant changes his or her telephone number or takes 
the number off the Registry. Id. Congress has since enacted 
legislation which eliminates the expiration of listings on the 
Registry. See Do-Not-Call Improvement Act of 2007, Pub. L. No. 110-
188 (2008).
    \232\ As of June 2007, the Do Not Call Registry contained more 
than 145 million telephone numbers.
    \233\ 70 FR at 2544.
---------------------------------------------------------------------------

    Several commenters argued that the Commission should limit the 
length of time that requests should remain in effect. These commenters, 
however, were divided on what would be an appropriate time limit.\234\ 
Other commenters argued that the Commission should not impose a time 
limit on a consumer's opt-out request.\235\
---------------------------------------------------------------------------

    \234\ See, e.g. , ARDA; Wells Fargo; BOA; NRF (all arguing for a 
two- to three-year time limit); CMOR; ABM; FNB; ERA; ESPC; ACB; 
Bigfoot; Visa (all arguing for a five-year or longer time limit).
    \235\ For example, DoubleClick argued that it did ``not believe 
that a consumer's choice should have an expiration date. If a 
consumer asks to be removed from a commercial email list and 
subsequently changes her/his mind, s/he can re-subscribe to that 
mailing list.'' Similarly, the Virginia Credit Union argued that it 
also believes that ``the opt-out request should be honored 
indefinitely until such time the consumer contacts the sender and 
requests otherwise.''
---------------------------------------------------------------------------

    Various commenters submitted data to the Commission about the size 
of their suppression lists. That data showed that suppression list size 
varies, and it is not clear whether or in what instances suppression 
lists may exceed the Do Not Call Registry. While many suppression lists 
contain less than 100,000 addresses,\236\ ESPC states that the 
suppression lists of some companies exceed the Do Not Call Registry by 
over 10 million entries. One commenter noted that ``[f]rom a logistical 
perspective, many companies have large suppression lists that can 
exceed a million names.''\237\ Another commenter reported that its 
suppression list will likely have fewer than the number of entries that 
the National Do Not Call Registry contains.\238\
---------------------------------------------------------------------------

    \236\ See ESPC (``The time and cost varies linearly based on the 
size of the lists involved. Both the size of the suppression list 
and the size of the active list affect the processing time and cost. 
Many senders' suppression lists contain less than 100,000 addresses, 
in which case the time and cost are fairly negligible.'').
    \237\ See DoubleClick.
    \238\ See FNB.
---------------------------------------------------------------------------

    In analyzing the data submitted by these commenters, the Commission 
finds that, at this time, there is insufficient evidence to show that 
email suppression list scrubbing is impeded by the lack of a time limit 
on opt-out requests, or that imposing a limit will be

[[Page 29675]]

useful in implementing the provisions of the Act under section 7711(a). 
Notably, Congress chose neither to impose such a time limit nor to 
specifically authorize the Commission to do so at this time. 
Consequently, the Commission declines to impose a time limit on the 
duration of an opt-out request.

C. Proposed Rule 316.5 -- Prohibition on Charging a Fee or Imposing 
Other Requirements on Recipients Who Wish To Opt Out

    In the NPRM, the Commission proposed to prohibit the imposition, as 
a condition for accepting or honoring a recipient's opt-out request, of 
any fee, obligation to provide personally identifying information 
(beyond one's email address), or any other requirement.\239\ Several 
commenters agreed with the Commission's proposal to prohibit senders 
from charging a fee to opt out,\240\ but challenged the portion of the 
rule that would prevent the collection of additional personal 
information or require email recipients to interface with more than one 
Internet Web page to opt out from receiving future commercial email 
messages from the sender. These commenters cumulatively identified a 
host of factors -- the risk of typographical errors, computer security 
issues, online identity theft, and sabotage by competitors -- arguing 
for the necessity of collecting personal information or requiring 
multiple opt-out steps to verify the identity of the recipient.\241\ 
While the Commission recognizes that computer security and identity 
theft are serious problems facing online consumers, the Commission is 
not persuaded that imposing additional requirements on consumers who 
are attempting to opt out would do anything to minimize the risk of 
these problems. To the contrary, the Commission believes that requiring 
consumers to transmit additional personally identifying information 
would increase the risk of that information being intercepted by a 
hacker or rogue third party.
---------------------------------------------------------------------------

    \239\ As proposed and adopted here, Rule 316.5 provides: 
``Neither a sender nor any person acting on behalf of a sender may 
require that any recipient pay any fee, provide any information 
other than the recipient's electronic mail address and opt-out 
preferences, or take any other steps except sending a reply 
electronic message or visiting a single Internet web page, in order 
to: (a) use a return electronic mail address or other Internet-based 
mechanism, required by 15 U.S.C. 7704(a)(3), to submit a request not 
to receive future commercial electronic mail messages from a sender; 
or (b) have such a request honored as required by 15 U.S.C. 
7704(a)(3)(B) and (a)(4).''
    \240\ See, e.g., KeySpan; MasterCard; Metz; Empire; Wells Fargo; 
Coalition; BOA.
    \241\ See, e.g, Wells Fargo; Coalition; Experian; MPAA; AeA; 
Microsoft; Verizon; MasterCard.
---------------------------------------------------------------------------

    Other commenters explained that verifying the identity of a 
recipient would be important because their suppression lists are 
connected to consumer account information rather than consumer email 
addresses. For example, DMA argued that ``tracking by account 
information also makes it easier to honor opt-out requests for 
customers regardless of what they change their email address to.''\242\ 
The Commission does not find this argument persuasive, because, as the 
Commission stated in the NPRM, ``according to CAN-SPAM, opt-out 
requests are specific to a recipient's email address, not his or her 
name,'' and, in this case, certainly not to his or her account 
information.\243\
---------------------------------------------------------------------------

    \242\ See also MPAA; Microsoft (both requesting the Commission 
to clarify that the use of passwords or other authentication 
information is permitted under the rule); ABA (stating that it would 
be beneficial to have ``member-recipients log on the entity's 
Website, edit the member's profile, and thereby directly express the 
member's complete opt-out preferences.'').
    \243\ NPRM, 70 FR at 25445. Similarly, for this reason, the 
Commission is not persuaded by those commenters arguing that senders 
should be able to require their member-recipients to update their 
member profiles in order to opt out from receiving commercial email 
messages. See, e.g., ABA; ATAA.
---------------------------------------------------------------------------

    At least one commenter argued in favor of allowing marketers an 
opportunity to ``display an advertisement or other incentive in order 
to remind the recipient of the value of the list subscription prior to 
their unsubscription.''\244\ The Commission reiterates its position 
stated in the NPRM that subjecting a recipient who wishes to opt out to 
sales pitches before the opt-out request is completed is an 
unacceptable encumbrance on a consumer's ability to opt out of 
receiving unwanted commercial email messages.
---------------------------------------------------------------------------

    \244\ See Experian.
---------------------------------------------------------------------------

    Accordingly, the Commission adopts final Rule 316.5, which 
prohibits the imposition of any fee, any requirement to provide 
personally identifying information (beyond one's email address), or any 
other obligation as a condition for accepting or honoring a recipient's 
opt-out request.

D. Section 7704(c)(2) -- Aggravated Violations Related to Commercial 
Email

    The final Rule does not provide for any additional aggravated 
violations beyond those already specified in the Act. Committing an 
aggravated violation along with a violation of section 7704(a) could 
subject a defendant to triple damages in a CAN-SPAM enforcement action 
by a state attorney general or an ISP.\245\ Section 7704(b) of the Act 
lists four practices which are to be considered ``aggravated 
violations.''\246\ According to a Senate Committee Report on an earlier 
version of the Act, designating specific practices as ``aggravated'' 
violations is intended to ``apply to those who violate the provisions 
of the bill while employing certain problematic techniques used to 
either generate recipient email addresses, or remove or mask the true 
identity of the sender.''\247\
---------------------------------------------------------------------------

    \245\ 15 U.S.C. 7706(f)(3)(C) & (g)(3)(C).
    \246\ The four practices are: (1) automated email address 
harvesting; (2) dictionary attacks; (3) automated creation of 
multiple email accounts; and (4) relay or retransmission of a 
commercial email message through unauthorized access.
    \247\ S. Rep. No. 108-102, at 8 (2003).
---------------------------------------------------------------------------

    Section 7704(c)(2) of the Act authorizes the Commission to specify 
activities or practices -- in addition to the four already enumerated 
in the statute -- as aggravated violations if the Commission determines 
that ``those activities or practices are contributing substantially to 
the proliferation of commercial electronic mail messages that are 
unlawful under [section 7704(a) of the Act].'' (Emphasis added.)
    In response to the Commission's request in the NPRM for comment on 
whether any specific practices were contributing substantially to the 
proliferation of email, the Commission received only five comments. 
Three of the commenters complained about various practices that either 
are already illegal under the Act or that the commenters believed 
should be made illegal, but did not provide any evidence that the 
practices were contributing substantially to the proliferation of 
commercial electronic mail messages that are unlawful under section 
7704(a) of the Act, and, thus, should be deemed aggravated 
violations.\248\
---------------------------------------------------------------------------

    \248\ See Nelson (email spoofing); Rubin (selling email 
addresses after opt-out; single seller using multiple domain names); 
Sowell (commercial email messages should have only one sender; email 
should indicate how the sender obtained the recipient's name or 
email address).
---------------------------------------------------------------------------

    The other two commenters expressed concern that lists of email 
addresses of consumers who have opted out from receiving email (known 
as ``suppression lists'') can be, and in some instances have been, 
misused by third parties to send unwanted email.\249\ Specifically, 
these commenters indicated that, in some cases, third parties have 
obtained unauthorized access to another company's suppression list, 
which the third parties have then used to send emails of their own. The 
record,

[[Page 29676]]

however, lacks evidence that this practice is widespread and is 
``contributing substantially to the proliferation of commercial 
electronic mail messages that are unlawful under [section 7704(a) of 
the Act].\250\ Thus, there is an insufficient evidentiary basis for the 
Commission to designate this practice as an aggravated violation. In 
any event, depending on the facts, some of these practices may violate 
section 7704(a)(4)(A)(iv) of the Act. Under this provision, ``the 
sender or any other person that knows that the recipient has made [an 
opt-out request to the sender]'' may not ``sell, lease, exchange, or 
otherwise transfer or release the electronic mail address of the 
recipient (including through any transaction or other transfer 
involving mailing lists bearing the electronic address of the 
recipient) for any purpose other than compliance with this chapter or 
other provision of law.''
---------------------------------------------------------------------------

    \249\ See LashBack (some companies allow third parties to access 
their suppression lists); Unsub (``many sellers . . . post a text 
version of their opt-out suppression lists on Blind Affiliate 
Networks, allowing easy access for any list owner who is a member'' 
of that network).
    \250\ 15 U.S.C. 7704(c)(2).
---------------------------------------------------------------------------

III. PAPERWORK REDUCTION ACT

    In accordance with the Paperwork Reduction Act of 1995, 44 U.S.C. 
3501-3520 (``PRA''), the Commission reviewed the proposed and final 
Rule. The final Rule does not impose any recordkeeping, reporting, or 
disclosure requirements and, thus, does not constitute a ``collection 
of information'' as defined in the regulations implementing the 
PRA.\251\
---------------------------------------------------------------------------

    \251\ See 5 CFR 1320.3(c).
---------------------------------------------------------------------------

IV. REGULATORY FLEXIBILITY ACT

    The NPRM included an initial regulatory flexibility analysis 
(``IRFA'') under the Regulatory Flexibility Act (``RFA''),\252\ even 
though the Commission did not expect that the proposed Rule would have 
a significant economic impact on a substantial number of small 
entities. In addition, the Commission invited public comment on the 
proposed Rule's effect on small entities to ensure that no significant 
impact would be overlooked.\253\
---------------------------------------------------------------------------

    \252\ 5 U.S.C. 601-612.
    \253\ NPRM, 70 FR at 25447-49.
---------------------------------------------------------------------------

    This Final Regulatory Flexibility Analysis (``FRFA'') incorporates: 
the Commission's initial findings, as set forth in the May 12, 2005 
NPRM; addresses the comments submitted in response to the IRFA notice; 
and describes the steps the Commission has taken in the final Rule to 
minimize its impact on small entities consistent with the objectives of 
the CAN-SPAM Act.

A. Succinct Statement of the Need for, and Objectives of, the Final 
Rule

    The final Rule was created pursuant to the Commission's mandate 
under the CAN-SPAM Act. The Act authorizes the Commission, at its 
discretion and subject to certain conditions, to: promulgate 
regulations expanding or contracting the categories of ``transactional 
or relationship messages'';\254\ modify the ten-business-day period 
proscribed in the Act for effectuating a recipient's opt-out 
request;\255\ and specify additional activities or practices as 
``aggravated violations.''\256\ The Act also authorizes the Commission 
to ``issue regulations to implement the provisions of [the] Act.''\257\ 
The final Rule modifies certain definitions of the Act, such as what 
constitutes a ``sender'' and a ``valid physical postal address''; adds 
a definition of ``person''; and clarifies other relevant provisions of 
the Act.
---------------------------------------------------------------------------

    \254\ 15 U.S.C. 7702(17)(B).
    \255\ 15 U.S.C. 7704(c)(1)(A)-(C).
    \256\ 15 U.S.C. 7704(c)(2).
    \257\ 15 U.S.C. 7711(a).
---------------------------------------------------------------------------

B. Summary of Significant Issues Raised by the Public Comments in 
Response to the IRFA

    In the IRFA, the Commission sought comment regarding the impact of 
the proposed Rule and any alternatives the Commission should consider, 
with a specific focus on the effect of the proposed Rule on small 
entities. The public comments on the proposed Rule are discussed above 
throughout the Statement of Basis and Purpose, as are any changes that 
have been made in the final Rule. After reviewing the comments, 
including those that specifically addressed the impact of the Rule on 
small entities, the Commission does not believe that the final Rule 
will unduly burden entities that send commercial electronic mail 
messages or transactional or relationship mail messages. The majority 
of comments concerning the impact of the proposed Rule on small 
entities addressed the Commission's proposal to shorten the opt-out 
period from ten business days to three. As noted in Part II.B above, 
these commenters argued that a shortened time frame would impose undue 
administrative costs and burdens on small businesses.\258\ The 
Commission agrees that the final Rule must not be unduly burdensome to 
small businesses, and, while the record still lacks specific data 
describing the time and cost involved with processing opt-out requests 
for small businesses, the Commission finds that three business days 
would pose a challenge for some of these entities. In light of the 
concerns raised by the commenters, including small entities, the final 
Rule retains the opt-out period at ten business days.
---------------------------------------------------------------------------

    \258\ See, e.g., ABM; ARDA; BrightWave; Ezines; MPA; NAA; NADA; 
NAMB; NAR.
---------------------------------------------------------------------------

C. Explanation as to Why No Estimate is Available as to the Number of 
Small Entities to Which the Final Rule Will Apply

    Determining a precise estimate of the number of small entities 
subject to the final Rule, or describing those entities, is not readily 
feasible for two reasons. First, there is insufficient publicly 
available data to determine the number and type of small entities 
currently using email in any commercial setting. As noted in the IRFA, 
the final Rule will apply to ```senders' of `commercial electronic mail 
messages,' and, to a lesser extent, to `senders' of `transactional or 
relationship messages.'''\259\ Thus, any company, regardless of 
industry or size, that sends commercial email messages or transactional 
or relationship messages would be subject to the final Rule.
---------------------------------------------------------------------------

    \259\ NPRM, 70 FR at 25448.
---------------------------------------------------------------------------

    In the IRFA, the Commission set forth the few sources of publicly 
available data to approximate the number of entities that send 
commercial email messages or transactional or relationship messages, 
noting that ``[g]iven the paucity of data concerning the number of 
small businesses that send commercial e-mail messages or transactional 
or relationship messages, it is not possible to determine precisely how 
many small businesses would be subject to the proposed Rule.''\260\ 
None of the comments provided information regarding the number of 
entities of any size that will be subject to the final Rule.
---------------------------------------------------------------------------

    \260\ Id.
---------------------------------------------------------------------------

    The second reason that determining a precise estimate of the number 
of small entities subject to the final Rule is not readily feasible is 
that the assessment of whether the primary purpose of an email message 
is ``commercial,'' ``transactional or relationship,'' or ``other'' 
turns on a number of factors that require factual analysis on a case-
by-case basis. Thus, even if the number of entities that use email in 
commercial dealings were known, the extent to which the messages they 
send will be regulated by the final Rule depends upon the primary 
purpose of such messages, a determination which cannot be made absent 
factual analysis.

[[Page 29677]]

D. Description of the Projected Reporting, Recordkeeping, and Other 
Compliance Requirements of the Final Rule, Including an Estimate of the 
Classes of Small Entities that Will Be Subject to the Requirements of 
the Final Rule and the Type of Professional Skills that Will Be 
Necessary to Implement the Final Rule

    The final Rule does not itself impose any reporting, recordkeeping, 
or other disclosure requirements within the meaning of the Paperwork 
Reduction Act. The final Rule primarily: clarifies the scope of certain 
definitions within the CAN-SPAM Act, such as ``sender'' and ``valid 
physical postal address''; defines one new term, ``person''; and 
clarifies that a recipient may not be required to pay a fee, provide 
information other than his or her email address and opt-out 
preferences, or take any other steps other than sending a reply email 
message or visiting a single Internet Web page to submit an opt-out 
request. Any costs attributable to CAN-SPAM are the result of the 
substantive requirements of the Act itself -- such as the requirement 
that commercial email messages include an opt-out mechanism and certain 
disclosures -- not the Commission's interpretive final Rule.

E. Discussion of Significant Alternatives the Commission Considered 
That Would Accomplish the Stated Objectives of the CAN-SPAM Act and 
That Would Minimize Any Significant Economic Impact of the Final Rule 
on Small Entities

    Through both the ANPR and the May 12, 2005 NPRM, the Commission 
sought to gather information regarding the economic impact of CAN-
SPAM's requirements on all businesses, including small entities. The 
Commission requested public comment on whether the proposed Rule would 
unduly burden such entities that use email to send messages defined as 
``commercial'' or ``transactional or relationship'' messages under the 
Act and the FTC's CAN-SPAM Rule; whether this burden is justified by 
offsetting benefits to consumers; what effect the proposed Rule would 
have on small entities that initiate messages the primary purpose of 
which are commercial or transactional or relationship; what costs would 
be incurred by small entities to ``implement and comply'' with the 
proposed Rule; and whether there were ways the proposed Rule could be 
modified to reduce the costs or burdens for small entities while still 
being consistent with the requirements of the Act. The Commission 
requested this information in an attempt to minimize the final Rule's 
burden on all businesses, including small entities.
    In drafting the final Rule, the Commission carefully considered and 
sought to mitigate the burdens placed on email marketers, both large 
and small alike. For example, because a shortened time frame for 
processing opt-out requests might place a significant burden on 
senders, including small businesses, the final Rule retains the 
original ten-business-day period set forth in the Act. Moreover, the 
final Rule's definition of ``valid physical postal address'' provides 
for the use of commercial and postal mailboxes in light of the concerns 
many small entities expressed with respect to disclosing their physical 
addresses in email messages. Finally, to the extent that small entities 
participate in sending multiple marketer messages, the final Rule's 
definition of ``sender'' minimizes the burden placed on such entities 
by permitting the designation of a single ``sender'' to comply with 
CAN-SPAM's disclosure and opt-out requirements.
    As explained earlier in this Statement of Basis and Purpose, the 
Commission has considered the comments and alternatives proposed by 
such commenters, and continues to believe that the final Rule will not 
create a significant economic impact on small entities or others who 
send or initiate commercial email messages or transactional or 
relationship messages.

List of Subjects in 16 CFR Part 316

    Advertising, Business and industry, Computer technology, Consumer 
protection, Labeling.

0
Accordingly, for the reasons set forth in the preamble above, the 
Commission amends title 16, CFR Chapter I by revising Part 316 to read 
as follows:

PART 316--CAN-SPAM RULE

Sec.
316.1 Scope.
316.2 Definitions.
316.3 Primary purpose.
316.4 Requirement to place warning labels on commercial electronic 
mail that contains sexually oriented material.
316.5 Prohibition on charging a fee or imposing other requirements 
on recipients who wish to opt out.
316.6 Severability.

    Authority: 15 U.S.C. 7701-7713.


Sec.  316.1  Scope.

    This part implements the Controlling the Assault of Non-Solicited 
Pornography and Marketing Act of 2003 (``CAN-SPAM Act''), 15 U.S.C. 
7701-7713.


Sec.  316.2  Definitions.

    (a) The definition of the term ``affirmative consent'' is the same 
as the definition of that term in the CAN-SPAM Act, 15 U.S.C. 7702(1).
    (b) ``Character'' means an element of the American Standard Code 
for Information Interchange (``ASCII'') character set.
    (c) The definition of the term ``commercial electronic mail 
message'' is the same as the definition of that term in the CAN-SPAM 
Act, 15 U.S.C. 7702(2).
    (d) The definition of the term ``electronic mail address'' is the 
same as the definition of that term in the CAN-SPAM Act, 15 U.S.C. 
7702(5).
    (e) The definition of the term ``electronic mail message'' is the 
same as the definition of that term in the CAN-SPAM Act, 15 U.S.C. 
7702(6).
    (f) The definition of the term ``initiate'' is the same as the 
definition of that term in the CAN-SPAM Act, 15 U.S.C. 7702(9).
    (g) The definition of the term ``Internet'' is the same as the 
definition of that term in the CAN-SPAM Act, 15 U.S.C. 7702(10).
    (h) ``Person'' means any individual, group, unincorporated 
association, limited or general partnership, corporation, or other 
business entity.
    (i) The definition of the term ``procure'' is the same as the 
definition of that term in the CAN-SPAM Act, 15 U.S.C. 7702(12).
    (j) The definition of the term ``protected computer'' is the same 
as the definition of that term in the CAN-SPAM Act, 15 U.S.C. 7702(13).
    (k) The definition of the term ``recipient'' is the same as the 
definition of that term in the CAN-SPAM Act, 15 U.S.C. 7702(14).
    (l) The definition of the term ``routine conveyance'' is the same 
as the definition of that term in the CAN-SPAM Act, 15 U.S.C. 7702(15).
    (m) The definition of the term ``sender'' is the same as the 
definition of that term in the CAN-SPAM Act, 15 U.S.C. 7702(16), 
provided that, when more than one person's products, services, or 
Internet website are advertised or promoted in a single electronic mail 
message, each such person who is within the Act's definition will be 
deemed to be a ``sender,'' except that, only one person will be deemed 
to be the ``sender'' of that message if such person: (A) is within the 
Act's definition of ``sender''; (B) is identified in the ``from'' line 
as the sole sender of the message; and (C) is in compliance with 15 
U.S.C. 7704(a)(1), 15 U.S.C. 7704(a)(2), 15 U.S.C.

[[Page 29678]]

7704(a)(3)(A)(i), 15 U.S.C. 7704(a)(5)(A), and 16 CFR 316.4.
    (n) The definition of the term ``sexually oriented material'' is 
the same as the definition of that term in the CAN-SPAM Act, 15 U.S.C. 
7704(d)(4).
    (o) The definition of the term ``transactional or relationship 
messages'' is the same as the definition of that term in the CAN-SPAM 
Act, 15 U.S.C. 7702(17).
    (p) ``Valid physical postal address'' means the sender's current 
street address, a Post Office box the sender has accurately registered 
with the United States Postal Service, or a private mailbox the sender 
has accurately registered with a commercial mail receiving agency that 
is established pursuant to United States Postal Service regulations.


Sec.  316.3  Primary purpose.

    (a) In applying the term ``commercial electronic mail message'' 
defined in the CAN-SPAM Act, 15 U.S.C. 7702(2), the ``primary purpose'' 
of an electronic mail message shall be deemed to be commercial based on 
the criteria in paragraphs (a)(1) through (3) and (b) of this 
section:\1\
---------------------------------------------------------------------------

    \1\ The Commission does not intend for these criteria to treat 
as a ``commercial electronic mail message'' anything that is not 
commercial speech.
---------------------------------------------------------------------------

    (1) If an electronic mail message consists exclusively of the 
commercial advertisement or promotion of a commercial product or 
service, then the ``primary purpose'' of the message shall be deemed to 
be commercial.
    (2) If an electronic mail message contains both the commercial 
advertisement or promotion of a commercial product or service as well 
as transactional or relationship content as set forth in paragraph (c) 
of this section, then the ``primary purpose'' of the message shall be 
deemed to be commercial if:
    (i) A recipient reasonably interpreting the subject line of the 
electronic mail message would likely conclude that the message contains 
the commercial advertisement or promotion of a commercial product or 
service; or
    (ii) The electronic mail message's transactional or relationship 
content as set forth in paragraph (c) of this section does not appear, 
in whole or in substantial part, at the beginning of the body of the 
message.
    (3) If an electronic mail message contains both the commercial 
advertisement or promotion of a commercial product or service as well 
as other content that is not transactional or relationship content as 
set forth in paragraph (c) of this section, then the ``primary 
purpose'' of the message shall be deemed to be commercial if:
    (i) A recipient reasonably interpreting the subject line of the 
electronic mail message would likely conclude that the message contains 
the commercial advertisement or promotion of a commercial product or 
service; or
    (ii) A recipient reasonably interpreting the body of the message 
would likely conclude that the primary purpose of the message is the 
commercial advertisement or promotion of a commercial product or 
service. Factors illustrative of those relevant to this interpretation 
include the placement of content that is the commercial advertisement 
or promotion of a commercial product or service, in whole or in 
substantial part, at the beginning of the body of the message; the 
proportion of the message dedicated to such content; and how color, 
graphics, type size, and style are used to highlight commercial 
content.
    (b) In applying the term ``transactional or relationship message'' 
defined in the CAN-SPAM Act, 15 U.S.C. Sec.  7702(17), the ``primary 
purpose'' of an electronic mail message shall be deemed to be 
transactional or relationship if the electronic mail message consists 
exclusively of transactional or relationship content as set forth in 
paragraph (c) of this section.
    (c) Transactional or relationship content of email messages under 
the CAN-SPAM Act is content:
    (1) To facilitate, complete, or confirm a commercial transaction 
that the recipient has previously agreed to enter into with the sender;
    (2) To provide warranty information, product recall information, or 
safety or security information with respect to a commercial product or 
service used or purchased by the recipient;
    (3) With respect to a subscription, membership, account, loan, or 
comparable ongoing commercial relationship involving the ongoing 
purchase or use by the recipient of products or services offered by the 
sender, to provide --
    (i) Notification concerning a change in the terms or features;
    (ii) Notification of a change in the recipient's standing or 
status; or
    (iii) At regular periodic intervals, account balance information or 
other type of account statement;
    (4) To provide information directly related to an employment 
relationship or related benefit plan in which the recipient is 
currently involved, participating, or enrolled; or
    (5) To deliver goods or services, including product updates or 
upgrades, that the recipient is entitled to receive under the terms of 
a transaction that the recipient has previously agreed to enter into 
with the sender.


Sec.  316.4  Requirement to place warning labels on commercial 
electronic mail that contains sexually oriented material.

    (a) Any person who initiates, to a protected computer, the 
transmission of a commercial electronic mail message that includes 
sexually oriented material must:
    (1) Exclude sexually oriented materials from the subject heading 
for the electronic mail message and include in the subject heading the 
phrase ``SEXUALLY-EXPLICIT: '' in capital letters as the first nineteen 
(19) characters at the beginning of the subject line;\2\
---------------------------------------------------------------------------

    \2\ The phrase ``SEXUALLY-EXPLICIT'' comprises 17 characters, 
including the dash between the two words. The colon (:) and the 
space following the phrase are the 18\th\ and 19\th\ characters.
---------------------------------------------------------------------------

    (2) Provide that the content of the message that is initially 
viewable by the recipient, when the message is opened by any recipient 
and absent any further actions by the recipient, include only the 
following information:
    (i) The phrase ``SEXUALLY-EXPLICIT: '' in a clear and conspicuous 
manner;\3\
---------------------------------------------------------------------------

    \3\ This phrase consists of nineteen (19) characters and is 
identical to the phrase required in 316.5(a)(1) of this Rule.
---------------------------------------------------------------------------

    (ii) Clear and conspicuous identification that the message is an 
advertisement or solicitation;
    (iii) Clear and conspicuous notice of the opportunity of a 
recipient to decline to receive further commercial electronic mail 
messages from the sender;
    (iv) A functioning return electronic mail address or other 
Internet-based mechanism, clearly and conspicuously displayed, that
    (A) A recipient may use to submit, in a manner specified in the 
message, a reply electronic mail message or other form of Internet-
based communication requesting not to receive future commercial 
electronic mail messages from that sender at the electronic mail 
address where the message was received; and
    (B) Remains capable of receiving such messages or communications 
for no less than 30 days after the transmission of the original 
message;
    (v) Clear and conspicuous display of a valid physical postal 
address of the sender; and
    (vi) Any needed instructions on how to access, or activate a 
mechanism to access, the sexually oriented material, preceded by a 
clear and conspicuous statement that to avoid viewing the sexually 
oriented material, a recipient

[[Page 29679]]

should delete the email message without following such instructions.
    (b)Prior affirmative consent. Paragraph (a) does not apply to the 
transmission of an electronic mail message if the recipient has given 
prior affirmative consent to receipt of the message.


Sec.  316.5  Prohibition on charging a fee or imposing other 
requirements on recipients who wish to opt out.

    Neither a sender nor any person acting on behalf of a sender may 
require that any recipient pay any fee, provide any information other 
than the recipient's electronic mail address and opt-out preferences, 
or take any other steps except sending a reply electronic mail message 
or visiting a single Internet Web page, in order to:
    (a) Use a return electronic mail address or other Internet-based 
mechanism, required by 15 U.S.C. 7704(a)(3), to submit a request not to 
receive future commercial electronic mail messages from a sender; or
    (b) Have such a request honored as required by 15 U.S.C. 
7704(a)(3)(B) and (a)(4).


Sec.  316.6  Severability.

    The provisions of this Part are separate and severable from one 
another. If any provision is stayed or determined to be invalid, it is 
the Commission's intention that the remaining provisions shall continue 
in effect.
    By direction of the Commission.

Donald S. Clark
Secretary
    Note: The following Appendix will not appear in the Code of Federal 
Regulations

                     List of Commenters and Acronyms
               CAN-SPAM DISCRETIONARY RULEMAKING COMMENTS
------------------------------------------------------------------------
             Acronym                             Commenter
------------------------------------------------------------------------
ABA                               American Bar Association
ABM                               American Business Media
ACA                               ACA International
ACB                               America's Community Bankers
ACLI                              American Council of Life Insurers
ACUTA                             ACUTA, Inc.
Adknowledge                       Adknowledge, Inc.
AeA                               American Electronics Association
Allen                             Bobby Allen
Amin                              J. Amin
aQuantive                         aQuantive, Inc.
ARDA                              American Resort Development
                                   Association
ARTBA                             American Road and Transportation
                                   Builders Association
ASA                               American Staffing Association
ASAE                              American Society of Association
                                   Executives
Associations                      Direct Marketing Association et al. on
                                   behalf of
                                  American Advertising Federation,
                                  American Association of Advertising
                                   Agencies,
                                  American Bankers Association,
                                  American Council of Life Insurers,
                                  American Society of Association
                                   Executives,
                                  American Society of Travel Agents,
                                   Inc. -- Cruise Lines International
                                   Association,
                                  Association of National Advertisers,
                                  Consumer Bankers Association,
                                  Direct Marketing Association, Inc.,
                                  Electronic Retailing Association,
                                  Email Service Provider Coalition,
                                  The Financial Services Roundtable,
                                  Information Technology Association of
                                   America,
                                  Interactive Travel Services
                                   Association,
                                  Internet Alliance,
                                  Internet Commerce Coalition,
                                  Magazine Publishers of America,
                                  National Business Coalition on E-
                                   Commerce and Privacy,
                                  National Retail Federation,
                                  NetCoalition,
                                  Network Advertising Initiative,
                                  Promotion Marketing Association,
                                  U.S. Chamber of Commerce
ASTA                              American Society of Travel Agents,
                                   Inc.
ATAA                              Air Transport Association of America
Ault                              Russell Ault
Aurelius                          Aurelius
Baker                             Baker & Hostetler, LLP
BD                                BD, Inc.
Bigfoot                           Bigfoot Interactive
BOA                               Bank of America Corporation
BrightWave                        BrightWave Marketing, Inc.
Brown                             Brown-Foreman Corporation
BSA                               Business Software Alliance
Buschner                          Arthur Buschner
Cambridge                         Cambridge Electronics Laboratory
Cantor                            Elaine Cantor
CBA                               Consumer Bankers Association
Cendant                           Cendant Cooperation
Cha                               Brian Cha
Charter                           Charter Communications, Inc.
Christensen                       Keith Christensen
Clark                             Patrick Clark
Clear                             Luanne Clear
Click                             Click Tactics, Inc.
CMOR                              The Council for Marketing and Opinion
                                   Research
Coalition                         National Business Coalition on E-
                                   Commerce and Privacy
Comerica                          Comerica Incorporated
CUNA                              Credit Union National Association
Darling                           RWR Darling
Dennis                            David Dennis
Discover                          Discover Financial Services
DMA                               Direct Marketing Association, Inc.
DoubleClick                       DoubleClick, Inc.
Edge                              Ronald D. Edge
Edwards                           Edwards
Ellenburg                         George M. Ellenburg
Empire                            Empire Corporate FCU
EPIC                              Electronic Privacy Information Center
ePrize                            ePrize, LLC
ERA                               Electronic Retailing Association
ESPC                              Email Service Provider Coalition
Exact                             ExactTarget, Inc.
Experian                          Experian Marketing Solutions
Ezines                            The Circle of Ezines
FNB                               First National Bank of Omaha
Footlocker                        Footlocker.com/Eastbay
Goldbar                           Goldbar Enterprises, LLC
Gorman                            Richard Gorman
Gray                              Woodrow Gray
HSBC                              HSBC Bank of Nevada
IAC                               IAC/InterActiveCorp
ICC                               Internet Commerce Coalition
ICOP                              International Council of Online
                                   Professionals
IMN                               iMake News, Inc.
Independent                       Independent Sector
Intermark                         Intermark Media
iPost                             Bart Schaefer on behalf of iPost
IPPC                              International Pharmaceutical Privacy
                                   Consortium
Jarrell                           Lon Jarrell, Jr.
Jumpstart                         Jumpstart Technologies, LLC
Kapecki                           Jon Kapecki
KeySpan                           KeySpan Energy
Landesmann                        Mark Landesmann
Lantow                            Lantow
LashBack                          LashBack, LLC
MasterCard                        MasterCard International
Masterfoods                       Masterfoods USA
Mattel                            Mattel, Inc.
May                               William May
MBNA                              MBNA America Bank, N.A.
MCI                               MCI, Inc.
Metz                              Seymour Metz
Microsoft                         Microsoft Cooperation

[[Page 29680]]

 
Morris                            Ireeta Morris
MPA                               Magazine Publishers of America
MPAA                              Motion Picture Association of America
NAA                               Newspaper Association of America
NADA                              National Automobile Dealers
                                   Association
NAEDA                             North American Equipment Dealers
                                   Association
NAFCU                             National Association of Federal Credit
                                   Unions
NAIFA                             National Association of Insurance and
                                   Financial Advisors
NAMB                              National Association of Mortgage
                                   Brokers
NAR                               National Association of Realtors
NCTA                              National Cable and Telecommunications
                                   Association
Nelson                            Nelson
NEPA                              Newsletter and Electronic Publishers
                                   Association
NetCoalition                      NetCoalition
Nextel                            Nextel Communications, Inc.
NFCU                              Navy Federal Credit Union
Nissan                            Nissan North America, Inc.
NNA                               National Newspaper Association
NRF                               National Retail Federation
OPA                               Online Publishers Association
Oriez                             Charles Oriez
PCIAA                             Property Casualty Insurers Association
                                   of America
Pernetian                         Pernetian
PMA                               Promotion Marketing Association, Inc.
Reed                              Reed Elsevier, Inc.
Return                            Return Path, Inc.
RIAA                              Recording Industry Association of
                                   America
Roberts                           Bart Roberts
Rubin                             Kim Rubin
Rushing                           Rushing
Rushizky                          Paul Rushizky
SAG                               Strategic Advisory Group
Satchell                          Stephen Satchell
Schaefer                          Mark Schaefer
Schnell                           Ron Schnell
Sheu                              Caroline Sheu
Shires                            William Shires
SHRM                              Society for Human Resource Management
SIA                               Securities Industry Association
SIIA                              Software Information Industry
                                   Association
Sing                              Ah Sing-Bombard
Slachetka                         Mike Slachetka
Sonnenschein                      Sonnenschein Nath & Rosenthal, LLP
Sowell                            Sean Sowell
Sprint                            Sprint Corporation
Subscriber                        SubscriberMail, LLC
Swent                             Norm Swent
Tietjens                          Richard Tietjens
Time Warner                       Time Warner, Inc.
Topica                            Topica
Travaglini                        Anne Travaglini
Unsub                             UnsubCentral
UOL                               United Online
VCU                               Virginia Credit Union
VFCU                              Visions Federal Credit Union
Verizon                           Verizon, Inc.
Vertical                          Vertical Response, Inc.
Visa                              Visa U.S.A., Inc.
Wahmpreneur                       Wahmpreneur Publishing, Inc.
Wells Fargo                       Wells Fargo & Company
West                              Hal West
Wiederhoeft                       Phyllis Wiederhoeft
Wyle                              Ed Wyle
------------------------------------------------------------------------

[FR Doc. E8-11394 Filed 5-20-08: 8:45 am]
BILLING CODE 6750-01-S