The CAN-SPAM act took effect in January 2004, and bad actors seemed to immediately begin using the law as their playbook.
For instance, CAN-SPAM forbids the use of false header information to hide the identity of the sender in the From, Reply-To and Subject lines. Even back then, cyber felons used software that helped them falsify header information, and they are now reputedly utilizing generative AI to do the same.
In addition, CAN-SPAM disallows the sending of mass emails to people who do not want them.
No problem: The wiseguys employed several fraudulent means to send out as much spam as they could without providing the means to opt out -- so much so that the law was deemed a failure by many observers.
And botnets -- networks of computers infected with malicious software that lets an attacker control them all at once? Obviously, they are prohibited.
All that said, legitimate companies might need a refresher on how to comply with the almost 20-year-old law.
Take the matter of giving consumers a chance to opt out of commercial emails. It depends on how you define “commercial,” according to an update issued last week by JD Supra.
The opt-out requirement doesn’t apply to “transactional” messages that “generally facilitate an already agreed-upon transaction or update a customer about an ongoing transaction,” JD Supra writes.
But what about messages that seem to have both forms of content? This is where it gets tricky.
The answer is that if “a message contains more than one type of content, the ‘primary purpose’ of the email is the deciding factor,” according to JD Supra.
Case in point: Experian, the mainstream credit bureau and data company, recently agreed to pay $650,000 in a settlement with the Federal Trade Commission.
What was the problem?
“Some of the company’s emails told recipients that ‘this email was sent because it contains important information about your account’ and others reassured them that ‘this is not a marketing email – you’re receiving this message to notify you of a recent change to your account,’” JD Supra continues. “Despite these statements, the FTC alleged that the emails were primarily designed to pitch new products or services – making the messages commercial – and that the emails did not include an unsubscribe link.”
These days, most reputable companies require a double opt-in before they send commercial emails -- that's the best practice. A tweak to CAN-SPAM -- or an entirely new law -- might require it. But with rare exceptions, it would have to be applied mostly to scam artists and hackers.