[Federal Register Volume 84, Number 65 (Thursday, April 4, 2019)]
[Rules and Regulations]
[Pages 13115-13121]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-06562]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
16 CFR Part 316
[3084-AB38]
Controlling the Assault of Non-Solicited Pornography and
Marketing Rule
AGENCY: Federal Trade Commission.
ACTION: Confirmation of rule.
-----------------------------------------------------------------------
SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') has
completed its regulatory review of its rule implementing the
Controlling the Assault of Non-Solicited Pornography and Marketing Act
(``CAN-SPAM Rule'' or ``Rule'') as part of the agency's periodic review
of all its regulations and guides, and has determined to retain the
Rule in its present form.
DATES: This action is effective as of April 4, 2019.
ADDRESSES: Relevant portions of the record of this proceeding,
including this document, are available at https://www.ftc.gov.
FOR FURTHER INFORMATION CONTACT: Christopher E. Brown, (202) 326-2825,
Bureau of Consumer Protection, Federal Trade Commission, 600
Pennsylvania Ave. NW, CC-8528, Washington, DC 20580.
SUPPLEMENTARY INFORMATION:
I. Introduction
The Commission reviews its rules and guides periodically to seek
information about their costs and benefits, as well as their regulatory
and economic impact. This information assists the Commission in
identifying rules and guides that warrant modification or rescission.
[[Page 13116]]
Pursuant to this process, on June 28, 2017, the Commission
initiated a regulatory rule review by publishing notice in the Federal
Register requesting public comment on the CAN-SPAM Rule (``Comment
Request'').\1\ The Commission sought comment on standard regulatory
review questions such as whether or not the Rule continues to serve a
useful purpose and continues to be needed; the costs and benefits of
the Rule for consumers and businesses; and what effects, if any,
technological or economic changes have had on the Rule. In addition to
generally requesting comment recommending modifications to the Rule,
the Commission also invited comment regarding three specific issues;
namely, whether it should: (1) Expand or contract the categories of
messages that are treated as ``transactional or relationship
messages;'' (2) shorten the time-period for processing opt-out
requests; and (3) specify additional activities or practices that
constitute aggravated violations. After considering the comments and
evidence, the Commission has determined to retain the Rule without
modification.
---------------------------------------------------------------------------
\1\ Federal Trade Commission: Rule Review; request for public
comments, 82 FR 29254 (June 28, 2017).
---------------------------------------------------------------------------
II. Background
Enacted in 2003, and effective since January 1, 2004, the CAN-SPAM
Act regulates the transmission of all commercial electronic mail
(``email'') messages, and authorizes the Commission to issue mandatory
rulemakings and discretionary regulations concerning certain
definitions and provisions of the Act.\2\
---------------------------------------------------------------------------
\2\ 15 U.S.C. 7701-7713.
---------------------------------------------------------------------------
In 2004, pursuant to the Act's directive, the Commission
promulgated the ``Adult Labeling Rule,'' which requires that commercial
emails containing sexually oriented material include the phrase
``SEXUALLY-EXPLICIT:'' as the first 19 characters in the subject
heading and exclude sexually oriented materials from both the subject
heading and content of the email message that is initially viewable
upon opening the message.\3\
---------------------------------------------------------------------------
\3\ Federal Trade Commission: Label for Email Messages
Containing Sexually Oriented Material; Final Rule, 69 FR 21023 (Apr.
19, 2004).
---------------------------------------------------------------------------
In 2005, the Commission issued rule provisions that define the
relevant criteria for determining the ``primary purpose'' of an email
message.\4\ These rule provisions also clarify that the definitions of
certain terms derived from the Act and appearing in the Rule are
prescribed by particular referenced sections of the Act. Finally, these
rule provisions also include a severability provision, so that in the
event a portion of the Rule is stricken, the remainder of the Rule will
stay in effect.
---------------------------------------------------------------------------
\4\ Federal Trade Commission: Definitions and Implementation
Under the CAN-SPAM Act; Final Rule, 70 FR 3110 (Jan. 19, 2005).
---------------------------------------------------------------------------
Pursuant to its discretionary authority, the Commission promulgated
additional CAN-SPAM Rule provisions in 2008.\5\ These rule provisions:
(1) Add a definition of the term ``person'' to clarify that the Act's
obligations are not limited to natural persons; (2) modify the
definition of ``sender'' to make it easier to determine which of
multiple parties advertising in a single email message is responsible
for complying with the Act's opt-out requirements; (3) clarify that a
sender can include an accurately-registered post office box or private
mailbox established under United States Postal Service regulations to
satisfy the Act's requirement that a commercial email display a ``valid
physical postal address;'' and (4) clarify that an email recipient
cannot be required to pay a fee, provide information other than his or
her email address and opt-out preferences, or take any steps other than
sending a reply email message or visiting a single internet web page to
opt out of receiving future email from a sender.
---------------------------------------------------------------------------
\5\ Federal Trade Commission: Definitions and Implementation
Under the CAN-SPAM Act; Final Rule, 79 FR 29654 (May 21, 2008).
---------------------------------------------------------------------------
III. Regulatory Review Comments and Analysis
The Commission considered ninety-two comments in response to its
Comment Request.\6\ Most of these comments were from individual
consumers. Two comments were from consumer groups,\7\ seven comments
were from industry and trade association groups,\8\ one comment was
from an internet service provider,\9\ and two comments were from
providers of email-related services.\10\ This rule review notice
summarizes the comments received and explains the Commission's decision
to retain the Rule. It also explains why the Commission declines to
propose the adoption of commenters' suggested modifications.
---------------------------------------------------------------------------
\6\ All rule review comments are on the public record and
available on the Commission's website at www.ftc.gov/policy/public-comments/2017/06/initiative-704. This rule review notice cites
comments using the last name of the individual commenter or the name
of the organization, followed by the number assigned by the
Commission. The Commission received 100 comments, but some of the
comments were blank or not germane to the Rule Review, and
therefore, removed from consideration. As a result, some of the
comments discussed in this notice bear a comment number higher than
92.
\7\ Electronic Privacy Information Center (``EPIC'') (93); CAUCE
North America (``CAUCE'') (96).
\8\ Lashback, LLC (``Lashback'') (89); Electronic Retailing
Association (``ERA'') (94); Data & Marketing Association (``DMA'')
(95); American Bankers Association (``ABA'') (97); Email Sender and
Provider Coalition (``ESPC)'' (86); MPA-The Association of Magazine
Media (``MPA'') (90); Online Trust Alliance (``OTA'') (85).
\9\ X Mission, L.C. (``X Mission'') (88).
\10\ ValiMail, Inc. (``ValiMail'') (91); L-Soft Sweden AB (``L-
Soft'') (98).
---------------------------------------------------------------------------
The Commission discusses the comments in three sections. In Section
A, the Commission considers the comments that address whether there is
a continuing need for the Rule and the costs and benefits of the Rule
for consumers and businesses. In Section B, the Commission analyzes the
comments that respond to its specific requests for comments regarding
whether the Commission should modify the definition of ``transaction or
relationship messages,'' shorten the time-period for processing opt-out
requests, and specify additional activities or practices that
constitute aggravated violations. In Section C, the Commission
discusses the comments that propose other modifications to or
clarifications of the Rule.
A. Continuing Need for the Rule
Most of the commenters who addressed the issue supported retaining
the Rule; only a few recommended rescinding it. Nineteen commenters
explicitly stated that there is a continuing need for the Rule, citing
benefits to consumers such as the value of having an enforcement tool
for taking action against offenders and a reduction in the volume of
unsolicited commercial emails.\11\ For example, the Electronic Privacy
Information Center (``EPIC''), a consumer advocacy group, asserted
that, ``[w]hile the volume of spam is lower than it was just a few
years ago, the need for the Rule continues.'' \12\ EPIC also asserted
that ``[c]ompanies and individuals still make use of the Rule[,] and
its continued enforcement, including substantial financial judgments
imposed against violators, will serve to dissuade others from sending
spam emails.'' \13\ Similarly, the Online Trust Alliance (``OTA'')
maintained that ``there is a continuing need for the Rule and that it
has been beneficial by setting guidelines that limit the amount of
unwanted or deceptive email reaching consumers.''
[[Page 13117]]
The MPA--The Association of Magazine Media--also encouraged the
Commission to retain the Rule, arguing that it ``strikes an appropriate
balance of protecting consumers while avoiding overly burdensome or
expensive regulatory requirements for businesses.'' \14\ One individual
commenter opined that ``companies would not provide a method of opt-out
. . . if they were not required to and subject to monetary penalties
for noncompliance.'' \15\
---------------------------------------------------------------------------
\11\ Santiago (2); Smith (3); Schenlle (28); Pesterfield (30);
Freedman (33); Bristol (42); Kester (54); Garson (62); Schroeder
(71); Davis (78); Hoofnagle (79); OTA (85); ESPC (86); Lashback
(89); MPA (90); EPIC (93); ERA (94); DMA (95); Butler (100).
\12\ EPIC (93).
\13\ Id.
\14\ MPA (90).
\15\ Schnelle (28).
---------------------------------------------------------------------------
Thirteen commenters indirectly addressed the question of whether
there is a continuing need for the Rule, and impliedly supported its
retention as evidenced by their descriptions of the Rule's benefits to
consumers and/or recommendations for furthering the consumer-friendly
practices required by the Rule.\16\ For example, XMission, L.C., a
small-business internet service provider, explained its desire to more
aggressively prosecute spammers and ``creat[e] a more compliant
commercial email marketing industry.'' \17\ Another commenter wrote:
``[t]he Commission should adjust the Rule to maintain its substantial
consumer benefits while addressing its shortcomings.'' \18\
---------------------------------------------------------------------------
\16\ CAUCE (96); ABA (97); ValiMail (91); XMission (88); Ford
(99); Upton (87); Courchaine (43); Huff (36); McIntosh (26); Dayman
(82); Garrett (81); Francis (67); Cinatl (45).
\17\ XMission (88).
\18\ Ford (99).
---------------------------------------------------------------------------
Forty-two commenters did not respond to the question of whether the
Commission should retain the Rule.\19\ Many of these commenters merely
described their personal experiences with spam emails or offered
observations regarding industry compliance with the Rule, but did not
articulate any recommendations concerning the Rule.\20\
---------------------------------------------------------------------------
\19\ Silverstein (4); Lugo (7); Ohlstein (8); Boyd (9); Simone
(10); Wheeler (11); Boyden (12); Reinoehl (13); Andrews (14);
LaBerge (15); Kellner (16); Barr (17); Barry (18); Spencer (19);
Willis (21); Evans (22); Burke (23); Nguyen (24); Donie (25);
Wroblewski (27); Hildebrand (29); Blatnik (34); Vitale (38); E.
Alterman (39); Menonna (40); T. Bell (41); Schulzrinne (56);
Bothwell (57); Babineaux (59); Searcy (60); Phillips (61); Wippler
(63); Barth (66); Atkinson (68); E. Smith (69); Walton (73); Masters
(74); Shoemaker (75); Rucker (76); Hyde (77).
\20\ See e.g., Simone (10); Barry (18); Spencer (19); Evans
(22); Blatnik (34); Vitale (38).
---------------------------------------------------------------------------
Eleven commenters were very critical of the Rule, expressing
complaints such as the Rule is ``too weak,'' ``ineffectual,'' or ``an
abject failure,'' but none recommended repeal or rescission.\21\ Only
six individual commenters explicitly recommended repeal of the
Rule.\22\ And, while these commenters typically urged the Commission to
replace the Rule with something more effective, they did not suggest
any alternatives. Moreover, none of these commenters identified any
specific costs or burdens associated with complying with the Rule.
---------------------------------------------------------------------------
\21\ L-Soft (98) (``it has failed''); Balsam (31) (``isn't
working''); Nowlin (44) (``abject failure''); Crabtree (53) (``isn't
working''); Bickers (47) (``let the Act expire''); Hofstee (50)
(``effectiveness too low''); S. Smith (70) (``isn't working'');
Przeclawski (65) (``sham''); Augenstein (58) (``does not work'');
Winokur (48) (``ineffectual''); D. Alterman (52) (``too weak'').
\22\ K. Bell (5); Wyckoff (35); Carlson (37); Dawson (49); Roth
(51); St. Peters (64).
---------------------------------------------------------------------------
In light of the comments received, the Commission concludes that a
continuing need exists for the Rule. The comments predominantly
indicate that the Rule benefits consumers and does not impose
significant costs to businesses. Accordingly, the Commission will
retain the Rule.
B. Rule Modifications Regarding Specific Issues
The CAN-SPAM Act expressly authorizes the Commission to issue
discretionary regulations concerning the Act's definition of the term
``transaction or relationship messages,'' its provisions regarding the
time-period for processing opt-out requests, and activities or
practices that constitute aggravated violations.\23\ Accordingly, the
Commission requested public comments regarding whether it should modify
the Rule with respect to the aforementioned definition and provisions
of the Act. As discussed below, several commenters addressed possible
modifications to the Rule concerning these issues.
---------------------------------------------------------------------------
\23\ See 15 U.S.C. 7702(17)(B) (``The Commission by regulation
pursuant to section 7711 of this title may modify the definition in
subparagraph (A) [the term ``transactional or relationship
message''] to expand or contract the categories of messages that are
treated as transactional or relationship messages . . .''); 15
U.S.C. 7704(c).
---------------------------------------------------------------------------
1. Comments Regarding the Definition of ``Transactional or Relationship
Messages''
Six commenters considered whether the Commission should expand or
contract the definition of ``transactional or relationship messages.''
\24\ Three commenters opposed modifying the definition and three
commenters argued for the definition's expansion and/or clarification.
Two individual commenters among the six cautioned the Commission not to
contract the scope of messages defined as ``transactional or
relationship,'' but offered no justification for their position.\25\
Lashback, LLC (``Lashback''), an email compliance service monitoring
company, opposed modification of the definition because it ``do[es] not
believe that this issue is at the crux of the problems in email,'' but
rather, ``the focus should remain on misleading messages that are sent
solely or primarily for marketing purposes.'' \26\
---------------------------------------------------------------------------
\24\ Schnelle (28); Hoofnagle (79); OTA (85); Lashback (89);
American Bankers Association (97); Butler (100).
\25\ Hoofnagle (79); Butler (100).
\26\ Lashback (89).
---------------------------------------------------------------------------
Another commenter urged the Commission to modify the definition of
``transactional or relationship messages'' to ``make clear that a
company/business is allowed to email information to a consumer upon
their request even when the email would otherwise be considered a
commercial email message.'' \27\ The commenter further remarked that it
is common for consumers to ``request[] various pieces of information
through . . . email including product information,'' but companies are
hesitant to respond ``for fear of potentially violating the Rule's
requirements.'' \28\ It appears that the commenter, in essence,
proposes that a subsequent commercial email message from a sender to a
recipient of a commercial product or service purchased from the sender
be deemed a ``transactional or relationship message'' based upon the
prior existing business relationship. This would require modification
of the definition of a ``transactional or relationship message'' as
well as a ``commercial electronic mail message.'' The commenter,
however, offered no evidence that this concern is widespread, or that
the proposed modification would benefit consumers.
---------------------------------------------------------------------------
\27\ Schnelle (28).
\28\ Id.
---------------------------------------------------------------------------
Another commenter, OTA, proposed that so-called ``informational''
messages concerning ``news items, site activity, product updates,
etc.'' should be deemed ``transactional or relationship messages''
because ``they relate directly to the service or product that the
consumer requested and clearly do not contain commercial content.''
\29\ The Commission notes, however, because the Rule already specifies
that the definition of ``transactional or relationship message''
includes email messages whose primary purpose is to provide certain
types of product information (e.g., warranty, recall, safety, security)
and product updates or upgrades, no change is necessary.\30\
---------------------------------------------------------------------------
\29\ OTA (85).
\30\ See 16 CFR 316.2(o) (clarifying that the term ``transaction
or relationship message'' is the same as the definition of that term
in the Act, which includes an electronic mail message the primary
purpose of which is to provide warranty information, product recall
information, or safety or security information with respect to a
commercial product or service used or purchased by the recipient).
---------------------------------------------------------------------------
[[Page 13118]]
Finally, the American Bankers Association recommended that the
Commission clarify that the definition of ``transactional or
relationship message'' includes ``two types of emails that banks and
other businesses frequently send . . . to existing customers:
educational emails and invitations to events.'' \31\ Depending on the
specific facts and subject matter, an invitation to an event or an
educational email may be commercial in nature, might be transactional
or relationship-related, or might be considered to be ``other content
that is not transactional or relationship content'' that is not subject
to the Act's commercial email message requirements.\32\ Given the fact-
specific nature of any determination, no rule modification is
warranted.
---------------------------------------------------------------------------
\31\ ABA (97).
\32\ See 16 CFR 316.3(a)(3) (providing analysis for determining
whether the Act's commercial email requirements apply to an
``electronic mail message [that] contains both the commercial
advertisement or promotion of a commercial product or service as
well as other content that is not transactional or relationship
content'').
---------------------------------------------------------------------------
For each of the reasons stated above, the Commission believes that
the record does not support modification of the Rule on this issue. To
assist with businesses' understanding of these issues, however, the
Commission will review and consider revising its existing Compliance
Guide for Businesses.
2. Comments Regarding Time-Period for Processing Opt-Out Requests
Twelve comments addressed whether the Commission should modify the
Rule to shorten the time-period for processing opt-out requests to less
than ten business days: Six comments opposed shortening the time-
period,\33\ while six comments favored shortening the time-period.\34\
---------------------------------------------------------------------------
\33\ Schnelle (28); OTA (85); ESPC (86); Lashback (89); MPA
(90); ERA (94).
\34\ Huff (36); Bristol (42); Schulzrinne (56); Davis; Upton
(87); CAUCE (96).
---------------------------------------------------------------------------
Industry and trade association groups that opposed shortening the
time-period typically noted the financial and/or operational burdens
that such a modification would impose upon small businesses that often
process opt-out requests manually or without the assistance of
automated processing.\35\ The OTA regarded a shorter time-period as
unnecessary, citing evidence that top retailers already comply ``well
inside the ten-day time period for opt-outs, largely due to the
sophisticated systems employed to manage their email communications to
consumers.'' \36\
---------------------------------------------------------------------------
\35\ ESPC (86); OTA (85); Lashback (89); MPA (90); ERA (94).
\36\ OTA (85).
---------------------------------------------------------------------------
Commenters that favored shortening the time-period, however, viewed
ten business days as unnecessarily lengthy, particularly in light of
available technologies that allow companies to conduct automated
processing of opt-outs.\37\ Some of these commenters urged the
Commission to adopt alternative time-periods as short as one day or one
business day.\38\ However, none of these comments provided the
Commission with evidence showing how or to what extent the current ten
business-day time-period has negatively affected consumers, nor did
they address the concerns noted by other commenters that such a change
may pose substantial burdens on small businesses. For these reasons,
the Commission declines to propose a modification to the Rule that
would shorten the time-period for opting out of commercial email
messages.
---------------------------------------------------------------------------
\37\ Bristol (42); Schulzrinne (56); Davis (78).
\38\ See e.g., Huff (36); Schulzrinne (56); Davis (78).
---------------------------------------------------------------------------
3. Comments Regarding Activities or Practices That Constitute
Aggravated Violations
Four commenters responded to the Commission's request for public
comments regarding whether it should modify the Rule to specify
additional activities or practices that constitute aggravated
violations. Two commenters proposed that the Commission specify as
``aggravated violations'' activities or practices that are already
considered violations of the requirements for commercial messages under
the Act or Rule.\39\ For example, Lashback urged the Commission to
specify as an aggravated violation a sender's failure to identify a
commercial email message as an advertisement ``[i]n order to increase
the visibility and impact of this simple and clear requirement--and
likely drive greater compliance and better disclosures to consumers.''
\40\ An individual commenter recommended that the Commission
``substantially increase fines for entities that do not effectively
provide methods for unsubscribing that require no further information
beyond the email address and the desire to leave.'' \41\ Neither of
these commenters, however, provided evidence indicating that ``those
activities or practices are contributing substantially to the
proliferation of commercial electronic mail messages that are unlawful
under [section 7704(a) of the Act].'' \42\
---------------------------------------------------------------------------
\39\ Lashback (89); Butler (100).
\40\ Lashback (89); cf. 15 U.S.C. 7704(a)(5)(i) (``clear and
conspicuous identification that the message is an advertisement or
solicitation'').
\41\ Butler (100); cf. 16 CFR 316.5.
\42\ 15 U.S.C. 7704(c)(2).
---------------------------------------------------------------------------
The Email Sender and Provider Coalition (``ESPC'') recommended that
the Commission specify the practice known as ``snowshoeing'' as an
aggravated violation, which it described as ``the use of multiple
domains and IP addresses (obtained from different ISPs) . . . [to] keep
the volume of emails sent [per domain or IP address] very low . . .
while permitting large aggregate volumes to be distributed across
hundreds or thousands of IP addresses and domains.'' \43\ According to
the ESPC, snowshoeing can be, and often has been, used to ``send emails
related to phishing, fraud, or identity theft schemes, but current
tools are inadequate to combat the practice because restrictions placed
upon the viewing and screening of email limit the effectiveness of
content-based filters.\44\ The ESPC did not provide, however, any
evidence regarding the prevalence or incidence of snowshoeing.\45\ Nor
did it offer support for its assertion that specifying this practice as
an aggravated violation would have a minimal impact on businesses.
Moreover, depending on the facts, some snowshoeing already is deemed an
aggravated violation under section 7704(b)(2), which proscribes the
automated creation of multiple accounts so that those accounts may be
used to send commercial email.
---------------------------------------------------------------------------
\43\ ESPC (86).
\44\ Id.
\45\ Id.
---------------------------------------------------------------------------
One individual commenter recommended that the Commission consider
whether to specify the use of third-party lookups for email addresses
as an aggravated violation under the Act.\46\ The commenter described,
in particular, how companies regularly exchange ``anonymized'' or ``de-
identified'' email addresses that could ultimately be de-anonymized and
linked to actual consumers, and emphasized that these companies engage
in email marketing. Although not stated explicitly, the commenter's
concern seems to be the potential use of such techniques by spammers to
execute well-informed phishing attacks or identity theft schemes. The
commenter did not provide, however, any evidence of widespread consumer
harm resulting from the use of third-party lookups for email addresses,
nor did the commenter address the potential costs to businesses of
specifying such a practice as an aggravated violation. For all of the
reasons stated above, the Commission
[[Page 13119]]
believes there is insufficient evidence in the record to support
modification of the Rule to specify any additional activities or
practices that constitute aggravated violations.
---------------------------------------------------------------------------
\46\ Hoofnagle (79). The Hoofnagle comment did not expressly
define the term ``third-party lookup.''
---------------------------------------------------------------------------
C. Other Proposed Modifications to or Clarifications of the Rule
Various commenters supporting the Rule suggested additional
modifications to, or clarifications of, the Rule. As discussed in
detail below, while many of the proposed rule changes may describe
effective email procedures that could inform industry best practices,
the record does not justify a rulemaking to consider whether to
incorporate these proposals into the existing Rule.
1. Comments Regarding an Opt-In Approach to Commercial Email Messages
At least 40 commenters expressed concerns or dissatisfaction with
the CAN-SPAM Act's opt-out approach to commercial email messages. Most
of these commenters recommended that the Commission modify the Rule to
require prior consent (opt-in) from recipients before initiating
commercial email messages.\47\ Some even suggested that the Rule adopt
a ``double opt-in'' approach that requires recipients to confirm their
initial request by responding to a link sent to the recipients' email
address.\48\ These commenters cumulatively identified a number of
factors--the greater burden of self-help imposed on consumers, IT
departments, and/or ISPs; privacy concerns; and lack of uniformity with
anti-spam laws in other countries--arguing for the necessity of
modifying the Rule to require an opt-in approach to commercial email
messages.\49\ Modifying the Rule to require prior consent from
recipients of commercial email messages, however, would be beyond the
text and scope of the Act.\50\
---------------------------------------------------------------------------
\47\ See e.g., K. Bell (6); Ohlstein (8); Boyden (12); Barr
(17); Wroblewski (30); Hofstee (50); Schulzrinne (56); Upton (87);
CAUCE (96); L-Soft (98).
\48\ Boyden (12); L-Soft (98).
\49\ See e.g., Boyd (9); Reinoehl (13); Donie (25); Balsam (31);
Bristol (42); Bickers (47); Crabtree (53); Schulzrinne (56); Walton
(73); ESPC (86); CAUCE (96); Butler (100).
\50\ See 15 U.S.C. 7704(c); 15 U.S.C. 7711; CAUCE (96) (``We
realize that the FTC cannot change the text of CAN SPAM, but we note
that an opt-in rule, as in the European Union and Canadian laws,
rather than opt-out, would be far more effective.''); Upton (87)
(same).
---------------------------------------------------------------------------
2. Comments Regarding Modification of Rule To Enhance Opt-Out
Provisions
Several comments proposed modifications to the Rule intended to
better effectuate the Act's provisions related to opt-out requirements
for commercial email messages.\51\ Most of these comments expressly
requested that the Commission clarify the requirement that opt-out
notices be ``clear and conspicuous.'' \52\ A few comments argued that
standardized terminology (e.g., ``unsubscribe,'' ``opt-out,'' or
``remove'') and additional guidance on placement, language, color/
contrast ratio, and text size would benefit consumers without imposing
extra costs on businesses.\53\ In support of this recommendation, the
OTA cited its own ``Email Marketing Best Practices and Unsubscribe
Audit,'' which showed that, from 2015 to 2016, the percentage of top
retailers that had good opt-out practices fell from 96 percent to 88
percent.\54\ The OTA further advocated, as did Lashback, that the Rule
require opt-out links to be text, not images, so they have
longevity.\55\ Another commenter urged the Commission to prohibit opt-
out mechanisms from setting tracking cookies unrelated to the
recipient's decision to opt out.\56\ The Ford comment echoed the
proposals regarding type size and visibility requirements, and further
asked the Commission to require a ``standardized box containing
information on how to unsubscribe, at the bottom of each email, akin to
other standardized labels for food, drugs, and cigarettes.'' \57\ Such
a standardized mechanism, Ford argued, would not only help to remedy
the problem of inconspicuous opt-out instructions, but also simplify
and expedite the opt-out process to the extent that it could ``be
invoked by a user's email client software.'' Similarly, other
commenters suggested that the Commission adopt a standardized opt-out
approach that requires minimal participation by the recipient.\58\
---------------------------------------------------------------------------
\51\ Schulzrinne (56); OTA (85); Ford (99); Hoofnagle (79);
Lashback (89).
\52\ Hoofnagle (79); OTA (85); Lashback (89); Ford (99); see
also 15 U.S.C. 7704(a)(3) (requiring inclusion of a return address
or comparable mechanism in commercial electronic mail that is
``clearly and conspicuously displayed''); 7704(a)(5)(A)(i)
(requiring that notice of recipient's opportunity to decline to
receive further commercial electronic mail messages from the sender
be ``clear and conspicuous'').
\53\ Hoofnagle (79); OTA (85); Lashback (89); Ford (99).
\54\ OTA (85).
\55\ Id.; Lashback (89).
\56\ Hoofnagle (79).
\57\ Ford (99).
\58\ Schulzrinne (56) (advocating for a ``standards-based opt-
out link (URL) that requires no further user input''); Butler (100)
(recommending a ``one-click method'' for opting out).
---------------------------------------------------------------------------
There is no evidence in the record to support the proposed changes
to the opt-out instructions. Additionally, none of the comments
provides the Commission with information about the costs and benefits
of these proposed rule changes. Moreover, standardized opt-out
terminology or mechanisms would need to be consistent with the
authority of the Commission, which is somewhat circumscribed with
respect to any requirement to include specific language or labels in a
commercial email message.\59\ For these reasons, the Commission
declines to propose the adoption of commenters' suggested rule
modifications regarding opt-out requirements.
---------------------------------------------------------------------------
\59\ See 15 U.S.C. 7711(b) (``Subsection (a) [granting the
Commission authority to implement the provisions of the CAN-SPAM
Act] may not be construed to authorize the Commission to establish a
requirement pursuant to section 7704(a)(5)(A) [requiring the
inclusion of advertisement identifier, opt-out notice, and physical
address in commercial electronic mail messages] of this title to
include any specific words, characters, marks, or labels in a
commercial electronic mail message . . .'').
---------------------------------------------------------------------------
3. Comments Regarding Modification of Rule To Account for Changes in
Technology
A few commenters recommended that the Commission modify the Rule to
account for technological developments that have occurred since the
promulgation of the Rule. For example, two comments called attention to
the emergence of technical approaches for mechanically processing opt-
out instructions, and suggested that the Commission encourage or
mandate their use via Rule modification.\60\
---------------------------------------------------------------------------
\60\ Upton (87) and CAUCE (96) (both citing a method for ``one-
click unsubscription'' as defined in the internet Engineering Task
Force (IETF) Request for Comment (RFC) 8058).
---------------------------------------------------------------------------
Other comments emphasized that email authentication standards aimed
at helping email providers verify sender domains and thwart email
spoofing and phishing attacks have been developed and are commonly
employed.\61\ Two comments encouraged the Commission to facilitate the
adoption of authenticated email standards--e.g., DomainKeys Identified
Mail (DKIM), Sender Policy Framework (SPF), and Domain-Based Message
Authentication, Reporting, and Conformance (DMARC)--through the
Rule.\62\
---------------------------------------------------------------------------
\61\ OTA (85); ValiMail (91); Ford (99).
\62\ ValiMail (91); Ford (99).
---------------------------------------------------------------------------
Other commenters pointed to the progress made on email
authentication standards as a basis for the Commission to reconsider
the feasibility of a Do Not Email Registry pursuant to 15 U.S.C.
7708.\63\
---------------------------------------------------------------------------
\63\ Hoofnagle (79); Ford (99); cf. EPIC (93) (advocating for a
domain name based Do Not Email Registry without appealing to
progress made on email authentication standards).
---------------------------------------------------------------------------
The Commission appreciates the information provided by these
comments, but notes that the record is
[[Page 13120]]
silent concerning the increased costs to businesses, if any, that would
result from modifying the Rule to mandate the implementation of these
various technologies. Nor does the record explain why the Commission's
codification of developing technology into the Rule is necessary where
private markets have produced email authentication and opt-out
technologies that are already enjoying widespread use. Moreover, as
some comments have acknowledged, the Commission's Bureau of Consumer
Protection (BCP) has previously addressed the issue of email
authentication in a Staff Perspective issued in March 2017.\64\
Specifically, BCP staff encouraged businesses to help reduce the volume
of phishing email messages and protect their reputations by fully
implementing various low cost, readily available email authentication
solutions.\65\ Although the Commission is familiar with these technical
solutions that can help reduce unsolicited commercial email, it is also
mindful of the potential pitfalls in incorporating technological
standards in regulations. In the absence of any evidence in the record
regarding the costs and benefits of imposing technologically-based rule
changes, the Commission is not persuaded that the proposed
modifications are appropriate at this time. However, the Commission
will continue to monitor this issue and encourage the private market in
its move toward developing and implementing technology that reduces the
volume of spam.
---------------------------------------------------------------------------
\64\ OTA (85) and ValiMail (91) (both citing Businesses Can Help
Stop Phishing and Protect their Brands Using Email Authentication,
Staff Perspective, March 2017, available at https://www.ftc.gov/news-events/blogs/business-blog/2017/03/want-stop-phishers-use-email-authentication).
\65\ Businesses Can Help Stop Phishing and Protect their Brands
Using Email Authentication, Staff Perspective, March 2017, available
at https://www.ftc.gov/news-events/blogs/business-blog/2017/03/want-stop-phishers-use-email-authentication.
---------------------------------------------------------------------------
4. Comments Regarding Modification of Rule To Clarify Definition of
Certain Terms Derived From the Act
It is a violation of the CAN-SPAM Act to initiate the transmission
of a commercial message or a transaction or relationship message that
contains, or is accompanied by, materially false or misleading header
information.\66\ Accordingly, the Act provides that a ```from' line
(the line identifying or purporting to identify a person initiating the
message) that accurately identifies any person who initiated the
message shall not be considered materially false or materially
misleading.'' \67\ As both OTA and ValiMail explain in their comments,
however, in addition to the ``from'' line that is displayed within the
end user's email client, industry practice (via email authentication
standards) permits senders to identify themselves using additional
``from'' lines not visible to the end user, such as the Reply-to or
Return-Path fields.\68\ Consequently, both comments urged the
Commission to specify that the definition of ``from'' refers only to
the ``from'' field displayed in a user's email client, alluding to
concerns about phishing attacks involving scammers who put one address
in Reply-to or Return-Path fields, but another address in the From
field. Neither comment, however, offers any evidence that the absence
of such a clarification impedes the Commission's ability to enforce
CAN-SPAM violations involving false header information or that such a
clarification would enable greater enforcement. Nonetheless, the
Commission staff will continue to monitor this issue and use other
resources available to ensure that marketers understand their
obligations under the Rule.
---------------------------------------------------------------------------
\66\ 15 U.S.C. 7704(a)(1).
\67\ 15 U.S.C. 7704(a)(1)(B) (emphasis added).
\68\ OTA (85); ValiMail (91).
---------------------------------------------------------------------------
The CAN-SPAM Act also authorizes providers of internet access
service to enforce certain provisions of the Act.\69\ Where an internet
access service brings a claim against a sender of email messages, the
statute requires that the person providing consideration or inducing
another person to initiate the electronic mail message has actual or
constructive knowledge that the person initiating the email is
engaging, or will engage, in a pattern or practice violating the
Act.\70\ XMission, L.C. (``XMission''), on behalf of itself and other
small to mid-sized internet service providers (ISPs), advocated that
the Commission eliminate the scienter requirement from the definition
of ``procure'' so that ``bona fide [Plaintiff] internet service
provider[s] . . . [are] held to the same standard as FTC or government
plaintiffs.'' \71\ The scienter requirement, however, is statutory--a
requirement that the Commission likely cannot alter via a rule.
---------------------------------------------------------------------------
\69\ 15 U.S.C. 7706(g)(1).
\70\ 15 U.S.C. 7706(g)(2).
\71\ XMission (88).
---------------------------------------------------------------------------
The CAN-SPAM Act prohibits a person from initiating a commercial
mail message with a subject heading that is ``deceptive,'' which the
Act defines as ``be[ing] likely to mislead a recipient, acting
reasonably under the circumstances, about a material fact regarding the
contents or subject matter of the message.'' \72\ The Lashback comment
urges the Commission to modify the Rule to clarify the definition of
``deceptive'' by adding language that describes examples of deceptive
messages,\73\ but the Act expressly states that the prohibition against
deceptive subject headings is ``consistent with the criteria used in
enforcement of [Section 5 of the FTC Act],'' \74\ and therefore,
already provides clarity concerning the meaning of ``deceptive.'' \75\
Moreover, in the absence of any evidence in the record demonstrating
confusion regarding what constitutes a deceptive subject heading, the
Commission is not persuaded that the proposed modification is
necessary.
---------------------------------------------------------------------------
\72\ 15 U.S.C. 7704(a)(2).
\73\ Lashback (89).
\74\ 15 U.S.C. 7704(a)(2).
\75\ See e.g., FTC Policy Statement on Deception (October 14,
1983), available at https://www.ftc.gov/system/files/documents/public_statements/410531/831014deceptionstmt.pdf.
---------------------------------------------------------------------------
5. Comments Regarding Modification of Rule That Would Be Contrary to
Congressional Intent Under the Act
A number of comments expressed support for modifications to the
Rule that arguably exceed the Commission's authority to issue
regulations implementing the Act.\76\ Such recommendations included:
(1) Requiring that language identifying a commercial email message as
an advertisement be included in the subject line; \77\ (2) extending
opt-out obligations to third-party list providers; \78\ (3) requiring
consumer permission before transferring or selling a consumer's email
address to a third-party; \79\ (4) blocking all unsolicited spam from
servers outside the U.S.; \80\ (5) limiting the frequency at which
emails may be sent to recipients; \81\ (6) minimizing or
[[Page 13121]]
eliminating federal preemption; \82\ (7) requiring companies that
provide access to transmission lines connecting users to the internet
to filter out and report spam to regulatory authorities; \83\ (8)
providing email recipients a private right of action to enforce CAN-
SPAM Act violations; \84\ and (9) permitting class-action lawsuits.\85\
---------------------------------------------------------------------------
\76\ Cf. 15 U.S.C. 7702(17)(B) (granting the Commission
rulemaking authority to modify the definition of the term
``transactional or relationship'' message); 15 U.S.C. 7704(c)
(granting the Commission supplementary rulemaking authority
regarding the time-period for processing opt-out requests and
activities or practices that constitute aggravated violations); 15
U.S.C. 7711 (granting the Commission authority to issue regulations
implementing certain CAN-SPAM Act provisions in accordance with the
Administrative Procedure Act).
\77\ Silverstein (4) (``The FTC should issue a rule requiring
all spam to have the subject line prefixed with ``ADV:''); Bristol
(42) (``require unsolicited commercial emails to include a word or
phrase in the send line that indicates that the email is an
advertisement'').
\78\ EPIC (93).
\79\ Barr (17).
\80\ Davis (78).
\81\ Santiago (2) (``have a Rule that commercial senders could
only send such emails 1-2 times per year absent a specific request
from the consumer that such emails continue more frequently'');
Wippler (63) (``1 marketing email from the company per 32 or 48
hours'').
\82\ Bristol (42); St. Peters (64); Ford (99).
\83\ Davis (78).
\84\ Balsam (31) (``enable the spam recipients to file lawsuits,
not just the AG, FTC, and ISPs''); Wippler (63) (expressly
recommending modification of the CAN-SPAM Act); Walton (73) (``the
rules should allow for recipients of spam to enforce opt-out
requests''); cf. 15 U.S.C. 7706.
\85\ Barth (66); cf. 15 U.S.C. 7706.
---------------------------------------------------------------------------
The first suggestion is unfeasible, because the Act expressly
prohibits the Commission from designating ``any specific words,
characters, marks, or labels'' to satisfy the requirement that
initiators identify a commercial electronic mail message as an
advertisement or solicitation.\86\ The second suggestion also conflicts
with the plain language of certain definitions under both the Act and
Rule. As the Commission has previously stated, ``a list owner must
honor opt-out requests only if it qualifies as the `sender' of a
commercial email (i.e., it is an initiator and its `product, service,
or internet website' are `advertised or promoted' in the email).'' \87\
The Commission also declines to consider the remaining proposed
modifications because each would be inconsistent with the Commission's
circumscribed authority under the Act.
---------------------------------------------------------------------------
\86\ 15 U.S.C. 7711(b).
\87\ 79 FR at 29660.
---------------------------------------------------------------------------
6. Comments Regarding Law Enforcement Priorities and Policies
A number of comments made proposals better understood as
recommendations for how the Commission should implement enforcement
priorities and policies rather than modifications to the Rule. These
proposals included: (1) Allowing consumers to report and/or forward
spam to the FTC; \88\ (2) sending violators a link to CAN-SPAM
regulations and guidance documents; \89\ (3) including willful
violators of CAN-SPAM on a ``blacklist'' for circulation among email
service providers; \90\ (4) working with payment processors and other
intermediaries to shutter accounts belonging to spammers; \91\ and (5)
providing guidance to states regarding the scope of preemption under
the Act.\92\
---------------------------------------------------------------------------
\88\ Pesterfield (30); Francis (67).
\89\ Pesterfield (30).
\90\ Id.
\91\ Ford (99).
\92\ Id.
---------------------------------------------------------------------------
The Commission has already adopted the first recommendation, and
continues to encourage consumers to report illegal spam to
ftccomplaintassistant.gov or forward it directly to [email protected]. Such
complaints from consumers help the Commission to detect patterns of
fraud and abuse, and identify potential investigative targets. The
Commission also appreciates the recommendations provided by the
remaining comments, and will take such information into consideration
as it continues to formulate enforcement priorities that would benefit
consumers and secure industrywide compliance with the CAN-SPAM Rule.
IV. Conclusion
The comments overwhelmingly: (1) Favor retention of the Rule and
assert that there is a continuing need for the Rule; (2) conclude that
the Rule benefits consumers; (3) assert that the Rule does not impose
substantial economic burdens; and (4) conclude that the benefits
outweigh the minimal costs the Rule imposes. The Commission has
analyzed the proposed benefits to consumers of proposed changes to the
Rule, including any evidence provided of those benefits, and balanced
those proposed benefits against the cost of implementing the changes,
the need for the change, and alternative means of providing these
benefits for consumers, such as consumer education materials. Despite
some comments recommending that the Commission adopt modifications to
the Rule, there is insufficient evidence in the record to demonstrate
that such modifications are necessary and would, in fact, help
consumers. Additionally, none of the comments proposing modifications
or clarifications that could potentially burden industry sufficiently
analyzed the associated costs.
The FTC plans to review and consider revising its consumer and
business education materials to address the concerns raised in the
comments submitted pursuant to this Rule Review to ensure that
consumers and businesses more easily understand the Rule's protections
and requirements. Furthermore, the Commission has a variety of
enforcement tools available to help consumers better understand the
Rule's protections and ensure compliance. If, at a later date, the
Commission concludes that the Rule, case law interpreting the Rule, and
the FTC's other enforcement tools do not provide adequate guidance and
protection for consumers in the marketplace, it can then consider,
based on a further record, whether and how to amend the Rule.
Accordingly, the Commission has determined to retain the current Rule
and is terminating this review.
By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2019-06562 Filed 4-3-19; 8:45 am]
BILLING CODE 6750-01-P