[Federal Register Volume 84, Number 65 (Thursday, April 4, 2019)]
[Rules and Regulations]
[Pages 13115-13121]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-06562]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 316

[3084-AB38]


Controlling the Assault of Non-Solicited Pornography and 
Marketing Rule

AGENCY: Federal Trade Commission.

ACTION: Confirmation of rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') has 
completed its regulatory review of its rule implementing the 
Controlling the Assault of Non-Solicited Pornography and Marketing Act 
(``CAN-SPAM Rule'' or ``Rule'') as part of the agency's periodic review 
of all its regulations and guides, and has determined to retain the 
Rule in its present form.

DATES: This action is effective as of April 4, 2019.

ADDRESSES: Relevant portions of the record of this proceeding, 
including this document, are available at https://www.ftc.gov.

FOR FURTHER INFORMATION CONTACT: Christopher E. Brown, (202) 326-2825, 
Bureau of Consumer Protection, Federal Trade Commission, 600 
Pennsylvania Ave. NW, CC-8528, Washington, DC 20580.

SUPPLEMENTARY INFORMATION: 

I. Introduction

    The Commission reviews its rules and guides periodically to seek 
information about their costs and benefits, as well as their regulatory 
and economic impact. This information assists the Commission in 
identifying rules and guides that warrant modification or rescission.

[[Page 13116]]

    Pursuant to this process, on June 28, 2017, the Commission 
initiated a regulatory rule review by publishing notice in the Federal 
Register requesting public comment on the CAN-SPAM Rule (``Comment 
Request'').\1\ The Commission sought comment on standard regulatory 
review questions such as whether or not the Rule continues to serve a 
useful purpose and continues to be needed; the costs and benefits of 
the Rule for consumers and businesses; and what effects, if any, 
technological or economic changes have had on the Rule. In addition to 
generally requesting comment recommending modifications to the Rule, 
the Commission also invited comment regarding three specific issues; 
namely, whether it should: (1) Expand or contract the categories of 
messages that are treated as ``transactional or relationship 
messages;'' (2) shorten the time-period for processing opt-out 
requests; and (3) specify additional activities or practices that 
constitute aggravated violations. After considering the comments and 
evidence, the Commission has determined to retain the Rule without 
modification.
---------------------------------------------------------------------------

    \1\ Federal Trade Commission: Rule Review; request for public 
comments, 82 FR 29254 (June 28, 2017).
---------------------------------------------------------------------------

II. Background

    Enacted in 2003, and effective since January 1, 2004, the CAN-SPAM 
Act regulates the transmission of all commercial electronic mail 
(``email'') messages, and authorizes the Commission to issue mandatory 
rulemakings and discretionary regulations concerning certain 
definitions and provisions of the Act.\2\
---------------------------------------------------------------------------

    \2\ 15 U.S.C. 7701-7713.
---------------------------------------------------------------------------

    In 2004, pursuant to the Act's directive, the Commission 
promulgated the ``Adult Labeling Rule,'' which requires that commercial 
emails containing sexually oriented material include the phrase 
``SEXUALLY-EXPLICIT:'' as the first 19 characters in the subject 
heading and exclude sexually oriented materials from both the subject 
heading and content of the email message that is initially viewable 
upon opening the message.\3\
---------------------------------------------------------------------------

    \3\ Federal Trade Commission: Label for Email Messages 
Containing Sexually Oriented Material; Final Rule, 69 FR 21023 (Apr. 
19, 2004).
---------------------------------------------------------------------------

    In 2005, the Commission issued rule provisions that define the 
relevant criteria for determining the ``primary purpose'' of an email 
message.\4\ These rule provisions also clarify that the definitions of 
certain terms derived from the Act and appearing in the Rule are 
prescribed by particular referenced sections of the Act. Finally, these 
rule provisions also include a severability provision, so that in the 
event a portion of the Rule is stricken, the remainder of the Rule will 
stay in effect.
---------------------------------------------------------------------------

    \4\ Federal Trade Commission: Definitions and Implementation 
Under the CAN-SPAM Act; Final Rule, 70 FR 3110 (Jan. 19, 2005).
---------------------------------------------------------------------------

    Pursuant to its discretionary authority, the Commission promulgated 
additional CAN-SPAM Rule provisions in 2008.\5\ These rule provisions: 
(1) Add a definition of the term ``person'' to clarify that the Act's 
obligations are not limited to natural persons; (2) modify the 
definition of ``sender'' to make it easier to determine which of 
multiple parties advertising in a single email message is responsible 
for complying with the Act's opt-out requirements; (3) clarify that a 
sender can include an accurately-registered post office box or private 
mailbox established under United States Postal Service regulations to 
satisfy the Act's requirement that a commercial email display a ``valid 
physical postal address;'' and (4) clarify that an email recipient 
cannot be required to pay a fee, provide information other than his or 
her email address and opt-out preferences, or take any steps other than 
sending a reply email message or visiting a single internet web page to 
opt out of receiving future email from a sender.
---------------------------------------------------------------------------

    \5\ Federal Trade Commission: Definitions and Implementation 
Under the CAN-SPAM Act; Final Rule, 79 FR 29654 (May 21, 2008).
---------------------------------------------------------------------------

III. Regulatory Review Comments and Analysis

    The Commission considered ninety-two comments in response to its 
Comment Request.\6\ Most of these comments were from individual 
consumers. Two comments were from consumer groups,\7\ seven comments 
were from industry and trade association groups,\8\ one comment was 
from an internet service provider,\9\ and two comments were from 
providers of email-related services.\10\ This rule review notice 
summarizes the comments received and explains the Commission's decision 
to retain the Rule. It also explains why the Commission declines to 
propose the adoption of commenters' suggested modifications.
---------------------------------------------------------------------------

    \6\ All rule review comments are on the public record and 
available on the Commission's website at www.ftc.gov/policy/public-comments/2017/06/initiative-704. This rule review notice cites 
comments using the last name of the individual commenter or the name 
of the organization, followed by the number assigned by the 
Commission. The Commission received 100 comments, but some of the 
comments were blank or not germane to the Rule Review, and 
therefore, removed from consideration. As a result, some of the 
comments discussed in this notice bear a comment number higher than 
92.
    \7\ Electronic Privacy Information Center (``EPIC'') (93); CAUCE 
North America (``CAUCE'') (96).
    \8\ Lashback, LLC (``Lashback'') (89); Electronic Retailing 
Association (``ERA'') (94); Data & Marketing Association (``DMA'') 
(95); American Bankers Association (``ABA'') (97); Email Sender and 
Provider Coalition (``ESPC'') (86); MPA-The Association of Magazine 
Media (``MPA'') (90); Online Trust Alliance (``OTA'') (85).
    \9\ XMission, L.C. (``XMission'') (88).
    \10\ ValiMail, Inc. (``ValiMail'') (91); L-Soft Sweden AB (``L-
Soft'') (98).
---------------------------------------------------------------------------

    The Commission discusses the comments in three sections. In Section 
A, the Commission considers the comments that address whether there is 
a continuing need for the Rule and the costs and benefits of the Rule 
for consumers and businesses. In Section B, the Commission analyzes the 
comments that respond to its specific requests for comments regarding 
whether the Commission should modify the definition of ``transactional or 
relationship messages,'' shorten the time-period for processing opt-out 
requests, and specify additional activities or practices that 
constitute aggravated violations. In Section C, the Commission 
discusses the comments that propose other modifications to or 
clarifications of the Rule.

A. Continuing Need for the Rule

    Most of the commenters who addressed the issue supported retaining 
the Rule; only a few recommended rescinding it. Nineteen commenters 
explicitly stated that there is a continuing need for the Rule, citing 
benefits to consumers such as the value of having an enforcement tool 
for taking action against offenders and a reduction in the volume of 
unsolicited commercial emails.\11\ For example, the Electronic Privacy 
Information Center (``EPIC''), a consumer advocacy group, asserted 
that, ``[w]hile the volume of spam is lower than it was just a few 
years ago, the need for the Rule continues.'' \12\ EPIC also asserted 
that ``[c]ompanies and individuals still make use of the Rule[,] and 
its continued enforcement, including substantial financial judgments 
imposed against violators, will serve to dissuade others from sending 
spam emails.'' \13\ Similarly, the Online Trust Alliance (``OTA'') 
maintained that ``there is a continuing need for the Rule and that it 
has been beneficial by setting guidelines that limit the amount of 
unwanted or deceptive email reaching consumers.''

[[Page 13117]]

The MPA--The Association of Magazine Media--also encouraged the 
Commission to retain the Rule, arguing that it ``strikes an appropriate 
balance of protecting consumers while avoiding overly burdensome or 
expensive regulatory requirements for businesses.'' \14\ One individual 
commenter opined that ``companies would not provide a method of opt-out 
. . . if they were not required to and subject to monetary penalties 
for noncompliance.'' \15\
---------------------------------------------------------------------------

    \11\ Santiago (2); Smith (3); Schnelle (28); Pesterfield (30); 
Freedman (33); Bristol (42); Kester (54); Garson (62); Schroeder 
(71); Davis (78); Hoofnagle (79); OTA (85); ESPC (86); Lashback 
(89); MPA (90); EPIC (93); ERA (94); DMA (95); Butler (100).
    \12\ EPIC (93).
    \13\ Id.
    \14\ MPA (90).
    \15\ Schnelle (28).
---------------------------------------------------------------------------

    Thirteen commenters indirectly addressed the question of whether 
there is a continuing need for the Rule, and impliedly supported its 
retention as evidenced by their descriptions of the Rule's benefits to 
consumers and/or recommendations for furthering the consumer-friendly 
practices required by the Rule.\16\ For example, XMission, L.C., a 
small-business internet service provider, explained its desire to more 
aggressively prosecute spammers and ``creat[e] a more compliant 
commercial email marketing industry.'' \17\ Another commenter wrote: 
``[t]he Commission should adjust the Rule to maintain its substantial 
consumer benefits while addressing its shortcomings.'' \18\
---------------------------------------------------------------------------

    \16\ CAUCE (96); ABA (97); ValiMail (91); XMission (88); Ford 
(99); Upton (87); Courchaine (43); Huff (36); McIntosh (26); Dayman 
(82); Garrett (81); Francis (67); Cinatl (45).
    \17\ XMission (88).
    \18\ Ford (99).
---------------------------------------------------------------------------

    Forty-two commenters did not respond to the question of whether the 
Commission should retain the Rule.\19\ Many of these commenters merely 
described their personal experiences with spam emails or offered 
observations regarding industry compliance with the Rule, but did not 
articulate any recommendations concerning the Rule.\20\
---------------------------------------------------------------------------

    \19\ Silverstein (4); Lugo (7); Ohlstein (8); Boyd (9); Simone 
(10); Wheeler (11); Boyden (12); Reinoehl (13); Andrews (14); 
LaBerge (15); Kellner (16); Barr (17); Barry (18); Spencer (19); 
Willis (21); Evans (22); Burke (23); Nguyen (24); Donie (25); 
Wroblewski (27); Hildebrand (29); Blatnik (34); Vitale (38); E. 
Alterman (39); Menonna (40); T. Bell (41); Schulzrinne (56); 
Bothwell (57); Babineaux (59); Searcy (60); Phillips (61); Wippler 
(63); Barth (66); Atkinson (68); E. Smith (69); Walton (73); Masters 
(74); Shoemaker (75); Rucker (76); Hyde (77).
    \20\ See, e.g., Simone (10); Barry (18); Spencer (19); Evans 
(22); Blatnik (34); Vitale (38).
---------------------------------------------------------------------------

    Eleven commenters were very critical of the Rule, expressing 
complaints such as the Rule is ``too weak,'' ``ineffectual,'' or ``an 
abject failure,'' but none recommended repeal or rescission.\21\ Only 
six individual commenters explicitly recommended repeal of the 
Rule.\22\ And, while these commenters typically urged the Commission to 
replace the Rule with something more effective, they did not suggest 
any alternatives. Moreover, none of these commenters identified any 
specific costs or burdens associated with complying with the Rule.
---------------------------------------------------------------------------

    \21\ L-Soft (98) (``it has failed''); Balsam (31) (``isn't 
working''); Nowlin (44) (``abject failure''); Crabtree (53) (``isn't 
working''); Bickers (47) (``let the Act expire''); Hofstee (50) 
(``effectiveness too low''); S. Smith (70) (``isn't working''); 
Przeclawski (65) (``sham''); Augenstein (58) (``does not work''); 
Winokur (48) (``ineffectual''); D. Alterman (52) (``too weak'').
    \22\ K. Bell (5); Wyckoff (35); Carlson (37); Dawson (49); Roth 
(51); St. Peters (64).
---------------------------------------------------------------------------

    In light of the comments received, the Commission concludes that a 
continuing need exists for the Rule. The comments predominantly 
indicate that the Rule benefits consumers and does not impose 
significant costs on businesses. Accordingly, the Commission will 
retain the Rule.

B. Rule Modifications Regarding Specific Issues

    The CAN-SPAM Act expressly authorizes the Commission to issue 
discretionary regulations concerning the Act's definition of the term 
``transactional or relationship messages,'' its provisions regarding the 
time-period for processing opt-out requests, and activities or 
practices that constitute aggravated violations.\23\ Accordingly, the 
Commission requested public comments regarding whether it should modify 
the Rule with respect to the aforementioned definition and provisions 
of the Act. As discussed below, several commenters addressed possible 
modifications to the Rule concerning these issues.
---------------------------------------------------------------------------

    \23\ See 15 U.S.C. 7702(17)(B) (``The Commission by regulation 
pursuant to section 7711 of this title may modify the definition in 
subparagraph (A) [the term ``transactional or relationship 
message''] to expand or contract the categories of messages that are 
treated as transactional or relationship messages . . .''); 15 
U.S.C. 7704(c).
---------------------------------------------------------------------------

1. Comments Regarding the Definition of ``Transactional or Relationship 
Messages''
    Six commenters considered whether the Commission should expand or 
contract the definition of ``transactional or relationship messages.'' 
\24\ Three commenters opposed modifying the definition and three 
commenters argued for the definition's expansion and/or clarification. 
Two individual commenters among the six cautioned the Commission not to 
contract the scope of messages defined as ``transactional or 
relationship,'' but offered no justification for their position.\25\ 
Lashback, LLC (``Lashback''), an email compliance service monitoring 
company, opposed modification of the definition because it ``do[es] not 
believe that this issue is at the crux of the problems in email,'' but 
rather, ``the focus should remain on misleading messages that are sent 
solely or primarily for marketing purposes.'' \26\
---------------------------------------------------------------------------

    \24\ Schnelle (28); Hoofnagle (79); OTA (85); Lashback (89); 
American Bankers Association (97); Butler (100).
    \25\ Hoofnagle (79); Butler (100).
    \26\ Lashback (89).
---------------------------------------------------------------------------

    Another commenter urged the Commission to modify the definition of 
``transactional or relationship messages'' to ``make clear that a 
company/business is allowed to email information to a consumer upon 
their request even when the email would otherwise be considered a 
commercial email message.'' \27\ The commenter further remarked that it 
is common for consumers to ``request[] various pieces of information 
through . . . email including product information,'' but companies are 
hesitant to respond ``for fear of potentially violating the Rule's 
requirements.'' \28\ It appears that the commenter, in essence, 
proposes that a subsequent commercial email message from a sender to a 
recipient of a commercial product or service purchased from the sender 
be deemed a ``transactional or relationship message'' based upon the 
prior existing business relationship. This would require modification 
of the definition of a ``transactional or relationship message'' as 
well as a ``commercial electronic mail message.'' The commenter, 
however, offered no evidence that this concern is widespread, or that 
the proposed modification would benefit consumers.
---------------------------------------------------------------------------

    \27\ Schnelle (28).
    \28\ Id.
---------------------------------------------------------------------------

    Another commenter, OTA, proposed that so-called ``informational'' 
messages concerning ``news items, site activity, product updates, 
etc.'' should be deemed ``transactional or relationship messages'' 
because ``they relate directly to the service or product that the 
consumer requested and clearly do not contain commercial content.'' 
\29\ The Commission notes, however, that no change is necessary 
because the Rule already specifies that the definition of 
``transactional or relationship message'' includes email messages whose 
primary purpose is to provide certain types of product information 
(e.g., warranty, recall, safety, security) and product updates or 
upgrades.\30\
---------------------------------------------------------------------------

    \29\ OTA (85).
    \30\ See 16 CFR 316.2(o) (clarifying that the term ``transactional 
or relationship message'' is the same as the definition of that term 
in the Act, which includes an electronic mail message the primary 
purpose of which is to provide warranty information, product recall 
information, or safety or security information with respect to a 
commercial product or service used or purchased by the recipient).

---------------------------------------------------------------------------

[[Page 13118]]

    Finally, the American Bankers Association recommended that the 
Commission clarify that the definition of ``transactional or 
relationship message'' includes ``two types of emails that banks and 
other businesses frequently send . . . to existing customers: 
educational emails and invitations to events.'' \31\ Depending on the 
specific facts and subject matter, an invitation to an event or an 
educational email may be commercial in nature, might be transactional 
or relationship-related, or might be considered to be ``other content 
that is not transactional or relationship content'' that is not subject 
to the Act's commercial email message requirements.\32\ Given the fact-
specific nature of any determination, no rule modification is 
warranted.
---------------------------------------------------------------------------

    \31\ ABA (97).
    \32\ See 16 CFR 316.3(a)(3) (providing analysis for determining 
whether the Act's commercial email requirements apply to an 
``electronic mail message [that] contains both the commercial 
advertisement or promotion of a commercial product or service as 
well as other content that is not transactional or relationship 
content'').
---------------------------------------------------------------------------

    For each of the reasons stated above, the Commission believes that 
the record does not support modification of the Rule on this issue. To 
assist with businesses' understanding of these issues, however, the 
Commission will review and consider revising its existing Compliance 
Guide for Businesses.
2. Comments Regarding Time-Period for Processing Opt-Out Requests
    Twelve comments addressed whether the Commission should modify the 
Rule to shorten the time-period for processing opt-out requests to less 
than ten business days: Six comments opposed shortening the time-
period,\33\ while six comments favored shortening the time-period.\34\
---------------------------------------------------------------------------

    \33\ Schnelle (28); OTA (85); ESPC (86); Lashback (89); MPA 
(90); ERA (94).
    \34\ Huff (36); Bristol (42); Schulzrinne (56); Davis; Upton 
(87); CAUCE (96).
---------------------------------------------------------------------------

    Industry and trade association groups that opposed shortening the 
time-period typically noted the financial and/or operational burdens 
that such a modification would impose upon small businesses that often 
process opt-out requests manually or without the assistance of 
automated processing.\35\ The OTA regarded a shorter time-period as 
unnecessary, citing evidence that top retailers already comply ``well 
inside the ten-day time period for opt-outs, largely due to the 
sophisticated systems employed to manage their email communications to 
consumers.'' \36\
---------------------------------------------------------------------------

    \35\ ESPC (86); OTA (85); Lashback (89); MPA (90); ERA (94).
    \36\ OTA (85).
---------------------------------------------------------------------------

    Commenters that favored shortening the time-period, however, viewed 
ten business days as unnecessarily lengthy, particularly in light of 
available technologies that allow companies to conduct automated 
processing of opt-outs.\37\ Some of these commenters urged the 
Commission to adopt alternative time-periods as short as one day or one 
business day.\38\ However, none of these comments provided the 
Commission with evidence showing how or to what extent the current ten 
business-day time-period has negatively affected consumers, nor did 
they address the concerns noted by other commenters that such a change 
may pose substantial burdens on small businesses. For these reasons, 
the Commission declines to propose a modification to the Rule that 
would shorten the time-period for opting out of commercial email 
messages.
---------------------------------------------------------------------------

    \37\ Bristol (42); Schulzrinne (56); Davis (78).
    \38\ See, e.g., Huff (36); Schulzrinne (56); Davis (78).
---------------------------------------------------------------------------

3. Comments Regarding Activities or Practices That Constitute 
Aggravated Violations
    Four commenters responded to the Commission's request for public 
comments regarding whether it should modify the Rule to specify 
additional activities or practices that constitute aggravated 
violations. Two commenters proposed that the Commission specify as 
``aggravated violations'' activities or practices that are already 
considered violations of the requirements for commercial messages under 
the Act or Rule.\39\ For example, Lashback urged the Commission to 
specify as an aggravated violation a sender's failure to identify a 
commercial email message as an advertisement ``[i]n order to increase 
the visibility and impact of this simple and clear requirement--and 
likely drive greater compliance and better disclosures to consumers.'' 
\40\ An individual commenter recommended that the Commission 
``substantially increase fines for entities that do not effectively 
provide methods for unsubscribing that require no further information 
beyond the email address and the desire to leave.'' \41\ Neither of 
these commenters, however, provided evidence indicating that ``those 
activities or practices are contributing substantially to the 
proliferation of commercial electronic mail messages that are unlawful 
under [section 7704(a) of the Act].'' \42\
---------------------------------------------------------------------------

    \39\ Lashback (89); Butler (100).
    \40\ Lashback (89); cf. 15 U.S.C. 7704(a)(5)(i) (``clear and 
conspicuous identification that the message is an advertisement or 
solicitation'').
    \41\ Butler (100); cf. 16 CFR 316.5.
    \42\ 15 U.S.C. 7704(c)(2).
---------------------------------------------------------------------------

    The Email Sender and Provider Coalition (``ESPC'') recommended that 
the Commission specify the practice known as ``snowshoeing'' as an 
aggravated violation, which it described as ``the use of multiple 
domains and IP addresses (obtained from different ISPs) . . . [to] keep 
the volume of emails sent [per domain or IP address] very low . . . 
while permitting large aggregate volumes to be distributed across 
hundreds or thousands of IP addresses and domains.'' \43\ According to 
the ESPC, snowshoeing can be, and often has been, used to ``send emails 
related to phishing, fraud, or identity theft schemes, but current 
tools are inadequate to combat the practice because restrictions placed 
upon the viewing and screening of email limit the effectiveness of 
content-based filters.\44\ The ESPC did not provide, however, any 
evidence regarding the prevalence or incidence of snowshoeing.\45\ Nor 
did it offer support for its assertion that specifying this practice as 
an aggravated violation would have a minimal impact on businesses. 
Moreover, depending on the facts, some snowshoeing already is deemed an 
aggravated violation under section 7704(b)(2), which proscribes the 
automated creation of multiple accounts so that those accounts may be 
used to send commercial email.
---------------------------------------------------------------------------

    \43\ ESPC (86).
    \44\ Id.
    \45\ Id.
---------------------------------------------------------------------------

    One individual commenter recommended that the Commission consider 
whether to specify the use of third-party lookups for email addresses 
as an aggravated violation under the Act.\46\ The commenter described, 
in particular, how companies regularly exchange ``anonymized'' or ``de-
identified'' email addresses that could ultimately be de-anonymized and 
linked to actual consumers, and emphasized that these companies engage 
in email marketing. Although not stated explicitly, the commenter's 
concern seems to be the potential use of such techniques by spammers to 
execute well-informed phishing attacks or identity theft schemes. The 
commenter did not provide, however, any evidence of widespread consumer 
harm resulting from the use of third-party lookups for email addresses, 
nor did the commenter address the potential costs to businesses of 
specifying such a practice as an aggravated violation. For all of the 
reasons stated above, the Commission

[[Page 13119]]

believes there is insufficient evidence in the record to support 
modification of the Rule to specify any additional activities or 
practices that constitute aggravated violations.
---------------------------------------------------------------------------

    \46\ Hoofnagle (79). The Hoofnagle comment did not expressly 
define the term ``third-party lookup.''
---------------------------------------------------------------------------

C. Other Proposed Modifications to or Clarifications of the Rule

    Various commenters supporting the Rule suggested additional 
modifications to, or clarifications of, the Rule. As discussed in 
detail below, while many of the proposed rule changes may describe 
effective email procedures that could inform industry best practices, 
the record does not justify a rulemaking to consider whether to 
incorporate these proposals into the existing Rule.
1. Comments Regarding an Opt-In Approach to Commercial Email Messages
    At least 40 commenters expressed concerns or dissatisfaction with 
the CAN-SPAM Act's opt-out approach to commercial email messages. Most 
of these commenters recommended that the Commission modify the Rule to 
require prior consent (opt-in) from recipients before initiating 
commercial email messages.\47\ Some even suggested that the Rule adopt 
a ``double opt-in'' approach that requires recipients to confirm their 
initial request by responding to a link sent to the recipients' email 
address.\48\ These commenters cumulatively identified a number of 
factors--the greater burden of self-help imposed on consumers, IT 
departments, and/or ISPs; privacy concerns; and lack of uniformity with 
anti-spam laws in other countries--arguing for the necessity of 
modifying the Rule to require an opt-in approach to commercial email 
messages.\49\ Modifying the Rule to require prior consent from 
recipients of commercial email messages, however, would be beyond the 
text and scope of the Act.\50\
---------------------------------------------------------------------------

    \47\ See, e.g., K. Bell (6); Ohlstein (8); Boyden (12); Barr 
(17); Wroblewski (30); Hofstee (50); Schulzrinne (56); Upton (87); 
CAUCE (96); L-Soft (98).
    \48\ Boyden (12); L-Soft (98).
    \49\ See, e.g., Boyd (9); Reinoehl (13); Donie (25); Balsam (31); 
Bristol (42); Bickers (47); Crabtree (53); Schulzrinne (56); Walton 
(73); ESPC (86); CAUCE (96); Butler (100).
    \50\ See 15 U.S.C. 7704(c); 15 U.S.C. 7711; CAUCE (96) (``We 
realize that the FTC cannot change the text of CAN SPAM, but we note 
that an opt-in rule, as in the European Union and Canadian laws, 
rather than opt-out, would be far more effective.''); Upton (87) 
(same).
---------------------------------------------------------------------------

2. Comments Regarding Modification of Rule To Enhance Opt-Out 
Provisions
    Several comments proposed modifications to the Rule intended to 
better effectuate the Act's provisions related to opt-out requirements 
for commercial email messages.\51\ Most of these comments expressly 
requested that the Commission clarify the requirement that opt-out 
notices be ``clear and conspicuous.'' \52\ A few comments argued that 
standardized terminology (e.g., ``unsubscribe,'' ``opt-out,'' or 
``remove'') and additional guidance on placement, language, color/
contrast ratio, and text size would benefit consumers without imposing 
extra costs on businesses.\53\ In support of this recommendation, the 
OTA cited its own ``Email Marketing Best Practices and Unsubscribe 
Audit,'' which showed that, from 2015 to 2016, the percentage of top 
retailers that had good opt-out practices fell from 96 percent to 88 
percent.\54\ The OTA further advocated, as did Lashback, that the Rule 
require opt-out links to be text, not images, so they have 
longevity.\55\ Another commenter urged the Commission to prohibit opt-
out mechanisms from setting tracking cookies unrelated to the 
recipient's decision to opt out.\56\ The Ford comment echoed the 
proposals regarding type size and visibility requirements, and further 
asked the Commission to require a ``standardized box containing 
information on how to unsubscribe, at the bottom of each email, akin to 
other standardized labels for food, drugs, and cigarettes.'' \57\ Such 
a standardized mechanism, Ford argued, would not only help to remedy 
the problem of inconspicuous opt-out instructions, but also simplify 
and expedite the opt-out process to the extent that it could ``be 
invoked by a user's email client software.'' Similarly, other 
commenters suggested that the Commission adopt a standardized opt-out 
approach that requires minimal participation by the recipient.\58\
---------------------------------------------------------------------------

    \51\ Schulzrinne (56); OTA (85); Ford (99); Hoofnagle (79); 
Lashback (89).
    \52\ Hoofnagle (79); OTA (85); Lashback (89); Ford (99); see 
also 15 U.S.C. 7704(a)(3) (requiring inclusion of a return address 
or comparable mechanism in commercial electronic mail that is 
``clearly and conspicuously displayed''); 7704(a)(5)(A)(i) 
(requiring that notice of recipient's opportunity to decline to 
receive further commercial electronic mail messages from the sender 
be ``clear and conspicuous'').
    \53\ Hoofnagle (79); OTA (85); Lashback (89); Ford (99).
    \54\ OTA (85).
    \55\ Id.; Lashback (89).
    \56\ Hoofnagle (79).
    \57\ Ford (99).
    \58\ Schulzrinne (56) (advocating for a ``standards-based opt-
out link (URL) that requires no further user input''); Butler (100) 
(recommending a ``one-click method'' for opting out).
---------------------------------------------------------------------------

    There is no evidence in the record to support the proposed changes 
to the opt-out instructions. Additionally, none of the comments 
provides the Commission with information about the costs and benefits 
of these proposed rule changes. Moreover, standardized opt-out 
terminology or mechanisms would need to be consistent with the 
authority of the Commission, which is somewhat circumscribed with 
respect to any requirement to include specific language or labels in a 
commercial email message.\59\ For these reasons, the Commission 
declines to propose the adoption of commenters' suggested rule 
modifications regarding opt-out requirements.
---------------------------------------------------------------------------

    \59\ See 15 U.S.C. 7711(b) (``Subsection (a) [granting the 
Commission authority to implement the provisions of the CAN-SPAM 
Act] may not be construed to authorize the Commission to establish a 
requirement pursuant to section 7704(a)(5)(A) [requiring the 
inclusion of advertisement identifier, opt-out notice, and physical 
address in commercial electronic mail messages] of this title to 
include any specific words, characters, marks, or labels in a 
commercial electronic mail message . . .'').
---------------------------------------------------------------------------

3. Comments Regarding Modification of Rule To Account for Changes in 
Technology
    A few commenters recommended that the Commission modify the Rule to 
account for technological developments that have occurred since the 
promulgation of the Rule. For example, two comments called attention to 
the emergence of technical approaches for mechanically processing opt-
out instructions, and suggested that the Commission encourage or 
mandate their use via Rule modification.\60\
---------------------------------------------------------------------------

    \60\ Upton (87) and CAUCE (96) (both citing a method for ``one-
click unsubscription'' as defined in the Internet Engineering Task 
Force (IETF) Request for Comments (RFC) 8058).
---------------------------------------------------------------------------

    Other comments emphasized that email authentication standards aimed 
at helping email providers verify sender domains and thwart email 
spoofing and phishing attacks have been developed and are commonly 
employed.\61\ Two comments encouraged the Commission to facilitate the 
adoption of authenticated email standards--e.g., DomainKeys Identified 
Mail (DKIM), Sender Policy Framework (SPF), and Domain-Based Message 
Authentication, Reporting, and Conformance (DMARC)--through the 
Rule.\62\
---------------------------------------------------------------------------

    \61\ OTA (85); ValiMail (91); Ford (99).
    \62\ ValiMail (91); Ford (99).
---------------------------------------------------------------------------

    Other commenters pointed to the progress made on email 
authentication standards as a basis for the Commission to reconsider 
the feasibility of a Do Not Email Registry pursuant to 15 U.S.C. 
7708.\63\
---------------------------------------------------------------------------

    \63\ Hoofnagle (79); Ford (99); cf. EPIC (93) (advocating for a 
domain name based Do Not Email Registry without appealing to 
progress made on email authentication standards).
---------------------------------------------------------------------------

    The Commission appreciates the information provided by these 
comments, but notes that the record is

[[Page 13120]]

silent concerning the increased costs to businesses, if any, that would 
result from modifying the Rule to mandate the implementation of these 
various technologies. Nor does the record explain why the Commission's 
codification of developing technology into the Rule is necessary where 
private markets have produced email authentication and opt-out 
technologies that are already enjoying widespread use. Moreover, as 
some comments have acknowledged, the Commission's Bureau of Consumer 
Protection (BCP) has previously addressed the issue of email 
authentication in a Staff Perspective issued in March 2017.\64\ 
Specifically, BCP staff encouraged businesses to help reduce the volume 
of phishing email messages and protect their reputations by fully 
implementing various low cost, readily available email authentication 
solutions.\65\ Although the Commission is familiar with these technical 
solutions that can help reduce unsolicited commercial email, it is also 
mindful of the potential pitfalls in incorporating technological 
standards in regulations. In the absence of any evidence in the record 
regarding the costs and benefits of imposing technologically-based rule 
changes, the Commission is not persuaded that the proposed 
modifications are appropriate at this time. However, the Commission 
will continue to monitor this issue and encourage the private market in 
its move toward developing and implementing technology that reduces the 
volume of spam.
---------------------------------------------------------------------------

    \64\ OTA (85) and ValiMail (91) (both citing Businesses Can Help 
Stop Phishing and Protect their Brands Using Email Authentication, 
Staff Perspective, March 2017, available at https://www.ftc.gov/news-events/blogs/business-blog/2017/03/want-stop-phishers-use-email-authentication).
    \65\ Businesses Can Help Stop Phishing and Protect their Brands 
Using Email Authentication, Staff Perspective, March 2017, available 
at https://www.ftc.gov/news-events/blogs/business-blog/2017/03/want-stop-phishers-use-email-authentication.
---------------------------------------------------------------------------

4. Comments Regarding Modification of Rule To Clarify Definition of 
Certain Terms Derived From the Act
    It is a violation of the CAN-SPAM Act to initiate the transmission 
of a commercial message or a transaction or relationship message that 
contains, or is accompanied by, materially false or misleading header 
information.\66\ Accordingly, the Act provides that a ```from' line 
(the line identifying or purporting to identify a person initiating the 
message) that accurately identifies any person who initiated the 
message shall not be considered materially false or materially 
misleading.'' \67\ As both OTA and ValiMail explain in their comments, 
however, in addition to the ``from'' line that is displayed within the 
end user's email client, industry practice (via email authentication 
standards) permits senders to identify themselves using additional 
``from'' lines not visible to the end user, such as the Reply-to or 
Return-Path fields.\68\ Consequently, both comments urged the 
Commission to specify that the definition of ``from'' refers only to 
the ``from'' field displayed in a user's email client, alluding to 
concerns about phishing attacks involving scammers who put one address 
in Reply-to or Return-Path fields, but another address in the From 
field. Neither comment, however, offers any evidence that the absence 
of such a clarification impedes the Commission's ability to enforce 
CAN-SPAM violations involving false header information or that such a 
clarification would enable greater enforcement. Nonetheless, the 
Commission staff will continue to monitor this issue and use other 
resources available to ensure that marketers understand their 
obligations under the Rule.
---------------------------------------------------------------------------

    \66\ 15 U.S.C. 7704(a)(1).
    \67\ 15 U.S.C. 7704(a)(1)(B) (emphasis added).
    \68\ OTA (85); ValiMail (91).
---------------------------------------------------------------------------

    The CAN-SPAM Act also authorizes providers of internet access 
service to enforce certain provisions of the Act.\69\ Where an internet 
access service brings a claim against a sender of email messages, the 
statute requires that the person providing consideration or inducing 
another person to initiate the electronic mail message has actual or 
constructive knowledge that the person initiating the email is 
engaging, or will engage, in a pattern or practice violating the 
Act.\70\ XMission, L.C. (``XMission''), on behalf of itself and other 
small to mid-sized internet service providers (ISPs), advocated that 
the Commission eliminate the scienter requirement from the definition 
of ``procure'' so that ``bona fide [Plaintiff] internet service 
provider[s] . . . [are] held to the same standard as FTC or government 
plaintiffs.'' \71\ The scienter requirement, however, is statutory--a 
requirement that the Commission likely cannot alter via a rule.
---------------------------------------------------------------------------

    \69\ 15 U.S.C. 7706(g)(1).
    \70\ 15 U.S.C. 7706(g)(2).
    \71\ XMission (88).
---------------------------------------------------------------------------

    The CAN-SPAM Act prohibits a person from initiating a commercial 
mail message with a subject heading that is ``deceptive,'' which the 
Act defines as ``be[ing] likely to mislead a recipient, acting 
reasonably under the circumstances, about a material fact regarding the 
contents or subject matter of the message.'' \72\ The Lashback comment 
urges the Commission to modify the Rule to clarify the definition of 
``deceptive'' by adding language that describes examples of deceptive 
messages,\73\ but the Act expressly states that the prohibition against 
deceptive subject headings is ``consistent with the criteria used in 
enforcement of [Section 5 of the FTC Act],'' \74\ and therefore, 
already provides clarity concerning the meaning of ``deceptive.'' \75\ 
Moreover, in the absence of any evidence in the record demonstrating 
confusion regarding what constitutes a deceptive subject heading, the 
Commission is not persuaded that the proposed modification is 
necessary.
---------------------------------------------------------------------------

    \72\ 15 U.S.C. 7704(a)(2).
    \73\ Lashback (89).
    \74\ 15 U.S.C. 7704(a)(2).
    \75\ See e.g., FTC Policy Statement on Deception (October 14, 
1983), available at https://www.ftc.gov/system/files/documents/public_statements/410531/831014deceptionstmt.pdf.
---------------------------------------------------------------------------

5. Comments Regarding Modification of Rule That Would Be Contrary to 
Congressional Intent Under the Act
    A number of comments expressed support for modifications to the 
Rule that arguably exceed the Commission's authority to issue 
regulations implementing the Act.\76\ Such recommendations included: 
(1) Requiring that language identifying a commercial email message as 
an advertisement be included in the subject line; \77\ (2) extending 
opt-out obligations to third-party list providers; \78\ (3) requiring 
consumer permission before transferring or selling a consumer's email 
address to a third-party; \79\ (4) blocking all unsolicited spam from 
servers outside the U.S.; \80\ (5) limiting the frequency at which 
emails may be sent to recipients; \81\ (6) minimizing or

[[Page 13121]]

eliminating federal preemption; \82\ (7) requiring companies that 
provide access to transmission lines connecting users to the internet 
to filter out and report spam to regulatory authorities; \83\ (8) 
providing email recipients a private right of action to enforce CAN-
SPAM Act violations; \84\ and (9) permitting class-action lawsuits.\85\
---------------------------------------------------------------------------

    \76\ Cf. 15 U.S.C. 7702(17)(B) (granting the Commission 
rulemaking authority to modify the definition of the term 
``transactional or relationship'' message); 15 U.S.C. 7704(c) 
(granting the Commission supplementary rulemaking authority 
regarding the time-period for processing opt-out requests and 
activities or practices that constitute aggravated violations); 15 
U.S.C. 7711 (granting the Commission authority to issue regulations 
implementing certain CAN-SPAM Act provisions in accordance with the 
Administrative Procedure Act).
    \77\ Silverstein (4) (``The FTC should issue a rule requiring 
all spam to have the subject line prefixed with `ADV:' ''); Bristol 
(42) (``require unsolicited commercial emails to include a word or 
phrase in the send line that indicates that the email is an 
advertisement'').
    \78\ EPIC (93).
    \79\ Barr (17).
    \80\ Davis (78).
    \81\ Santiago (2) (``have a Rule that commercial senders could 
only send such emails 1-2 times per year absent a specific request 
from the consumer that such emails continue more frequently''); 
Wippler (63) (``1 marketing email from the company per 32 or 48 
hours'').
    \82\ Bristol (42); St. Peters (64); Ford (99).
    \83\ Davis (78).
    \84\ Balsam (31) (``enable the spam recipients to file lawsuits, 
not just the AG, FTC, and ISPs''); Wippler (63) (expressly 
recommending modification of the CAN-SPAM Act); Walton (73) (``the 
rules should allow for recipients of spam to enforce opt-out 
requests''); cf. 15 U.S.C. 7706.
    \85\ Barth (66); cf. 15 U.S.C. 7706.
---------------------------------------------------------------------------

    The first suggestion is unfeasible, because the Act expressly 
prohibits the Commission from designating ``any specific words, 
characters, marks, or labels'' to satisfy the requirement that 
initiators identify a commercial electronic mail message as an 
advertisement or solicitation.\86\ The second suggestion also conflicts 
with the plain language of certain definitions under both the Act and 
Rule. As the Commission has previously stated, ``a list owner must 
honor opt-out requests only if it qualifies as the `sender' of a 
commercial email (i.e., it is an initiator and its `product, service, 
or internet website' are `advertised or promoted' in the email).'' \87\ 
The Commission also declines to consider the remaining proposed 
modifications because each would be inconsistent with the Commission's 
circumscribed authority under the Act.
---------------------------------------------------------------------------

    \86\ 15 U.S.C. 7711(b).
    \87\ 79 FR at 29660.
---------------------------------------------------------------------------

6. Comments Regarding Law Enforcement Priorities and Policies
    A number of comments made proposals better understood as 
recommendations for how the Commission should implement enforcement 
priorities and policies rather than modifications to the Rule. These 
proposals included: (1) Allowing consumers to report and/or forward 
spam to the FTC; \88\ (2) sending violators a link to CAN-SPAM 
regulations and guidance documents; \89\ (3) including willful 
violators of CAN-SPAM on a ``blacklist'' for circulation among email 
service providers; \90\ (4) working with payment processors and other 
intermediaries to shutter accounts belonging to spammers; \91\ and (5) 
providing guidance to states regarding the scope of preemption under 
the Act.\92\
---------------------------------------------------------------------------

    \88\ Pesterfield (30); Francis (67).
    \89\ Pesterfield (30).
    \90\ Id.
    \91\ Ford (99).
    \92\ Id.
---------------------------------------------------------------------------

    The Commission has already adopted the first recommendation, and 
continues to encourage consumers to report illegal spam to 
ftccomplaintassistant.gov or forward it directly to [email protected]. Such 
complaints from consumers help the Commission to detect patterns of 
fraud and abuse, and identify potential investigative targets. The 
Commission also appreciates the recommendations provided by the 
remaining comments, and will take such information into consideration 
as it continues to formulate enforcement priorities that would benefit 
consumers and secure industrywide compliance with the CAN-SPAM Rule.

IV. Conclusion

    The comments overwhelmingly: (1) Favor retention of the Rule and 
assert that there is a continuing need for the Rule; (2) conclude that 
the Rule benefits consumers; (3) assert that the Rule does not impose 
substantial economic burdens; and (4) conclude that the benefits 
outweigh the minimal costs the Rule imposes. The Commission has 
analyzed the proposed benefits to consumers of proposed changes to the 
Rule, including any evidence provided of those benefits, and balanced 
those proposed benefits against the cost of implementing the changes, 
the need for the change, and alternative means of providing these 
benefits for consumers, such as consumer education materials. Despite 
some comments recommending that the Commission adopt modifications to 
the Rule, there is insufficient evidence in the record to demonstrate 
that such modifications are necessary and would, in fact, help 
consumers. Additionally, none of the comments proposing modifications 
or clarifications that could potentially burden industry sufficiently 
analyzed the associated costs.
    The FTC plans to review and consider revising its consumer and 
business education materials to address the concerns raised in the 
comments submitted pursuant to this Rule Review to ensure that 
consumers and businesses more easily understand the Rule's protections 
and requirements. Furthermore, the Commission has a variety of 
enforcement tools available to help consumers better understand the 
Rule's protections and ensure compliance. If, at a later date, the 
Commission concludes that the Rule, case law interpreting the Rule, and 
the FTC's other enforcement tools do not provide adequate guidance and 
protection for consumers in the marketplace, it can then consider, 
based on a further record, whether and how to amend the Rule. 
Accordingly, the Commission has determined to retain the current Rule 
and is terminating this review.

    By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2019-06562 Filed 4-3-19; 8:45 am]