[Senate Report 108-102]
[From the U.S. Government Publishing Office]
Calendar No. 209
108th Congress Report
SENATE
1st Session 108-102
======================================================================
CAN-SPAM ACT OF 2003
__________
R E P O R T
OF THE
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
on
S. 877
July 16, 2003.--Ordered to be printed
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
One Hundred Eighth Congress
First Session
JOHN McCAIN, Arizona, Chairman
TED STEVENS, Alaska              ERNEST F. HOLLINGS, South Carolina
CONRAD BURNS, Montana            DANIEL K. INOUYE, Hawaii
TRENT LOTT, Mississippi          JOHN D. ROCKEFELLER IV, West Virginia
KAY BAILEY HUTCHISON, Texas      JOHN F. KERRY, Massachusetts
OLYMPIA J. SNOWE, Maine          JOHN B. BREAUX, Louisiana
SAM BROWNBACK, Kansas            BYRON L. DORGAN, North Dakota
GORDON SMITH, Oregon             RON WYDEN, Oregon
PETER G. FITZGERALD, Illinois    BARBARA BOXER, California
JOHN ENSIGN, Nevada              BILL NELSON, Florida
GEORGE ALLEN, Virginia           MARIA CANTWELL, Washington
JOHN E. SUNUNU, New Hampshire    FRANK LAUTENBERG, New Jersey
Jeanne Bumpus, Staff Director and General Counsel
Ann Begeman, Deputy Staff Director
Robert W. Chamberlin, Chief Counsel
Kevin D. Kayes, Democratic Staff Director
Gregg Elias, Democratic General Counsel
_______
July 16, 2003.--Ordered to be printed
_______
Mr. McCain, from the Committee on Commerce, Science, and
Transportation, submitted the following
R E P O R T
[To accompany S. 877]
The Committee on Commerce, Science, and Transportation, to
which was referred the bill (S. 877) to regulate interstate
commerce by imposing limitations and penalties on the
transmission of unsolicited commercial electronic mail via the
Internet, having considered the same, reports favorably thereon
with an amendment in the nature of a substitute and recommends
that the bill (as amended) do pass.
Purpose of the Bill
The purposes of this legislation are to: (i) prohibit senders
of electronic mail (e-mail) for primarily commercial
advertisement or promotional purposes from deceiving intended
recipients or Internet service providers as to the source or
subject matter of their e-mail messages; (ii) require such e-
mail senders to give recipients an opportunity to decline to
receive future commercial e-mail from them and to honor such
requests; (iii) require senders of unsolicited commercial e-
mail (UCE) to also include a valid physical address in the e-
mail message and a clear notice that the message is an
advertisement or solicitation; and (iv) prohibit businesses
from knowingly promoting, or permitting the promotion of, their
trade or business through e-mail transmitted with false or
misleading sender or routing information.
Background and Needs
Unsolicited commercial e-mail, commonly known as ``spam'',
has quickly become one of the most pervasive intrusions in the
lives of Americans. \1\
---------------------------------------------------------------------------
\1\ The history of how the word ``spam'' became synonymous with
UCE was printed in Computerworld on April 5, 1999, as follows: ``It all
started in early Internet chat rooms and interactive fantasy games
where someone repeating the same sentence or comment was said to be
making a `spam'. The term referred to a Monty Python's Flying Circus
scene in which actors keep saying `Spam, Spam, Spam, and Spam' when
reading options from a menu.''
---------------------------------------------------------------------------
Approximately 140 million Americans, or nearly half of all
United States citizens, regularly use e-mail, including 63
percent of full-time or part-time workers, according to the Pew
Internet & American Life Project. The ease of obtaining large
lists of these e-mail addresses has made e-mail a popular means
for individuals, organizations, and businesses to market goods
and services to consumers. Unlike direct mail delivered through
the post office to consumers, however, UCE can reach millions
of individuals at little to no cost and almost instantaneously.
Noting its effectiveness, the Direct Marketing Association has
reported that 37 percent of consumers it surveyed have bought
something as a result of receiving unsolicited e-mail from
marketers. However, in addition to legitimate businesses that
wish to use commercial e-mail as another channel for marketing
products or services, spam has become a favored mechanism of
those who seek to defraud consumers and make a living by
preying on unsuspecting e-mail users and those new to the
Internet. As a result, Americans using e-mail, whether new
users or those who have used it for decades, are finding their
e-mail in-boxes deluged with unsolicited, and in most instances
unwanted, promotions and advertisements that increasingly
contain fraudulent and other objectionable content.
In an April 2003 report entitled, False Claims in Spam, the
Federal Trade Commission (FTC) found that 66 percent of all
spam contains some kind of false, fraudulent, or misleading
information, either in the e-mail's routing information, its
subject line, or the body of its message. The FTC also
determined that most spam messages can generally be grouped
into one of several major categories, such as those promoting:
investment or get-rich-quick ``opportunities'' (20 percent);
pornographic websites or adult-oriented material (18 percent);
credit card or financial offers (17 percent); and health
products and services (10 percent).
Rapidly Increasing Volume Of Spam
The volume of spam has been rapidly increasing year after
year and today accounts for over 46 percent of all global e-
mail traffic. Many Internet analysts expect the volume of spam
to exceed 50 percent of all e-mail by the end of 2003, and
possibly sooner. By contrast, in September 2001, spam only
accounted for 8 percent of all e-mail sent worldwide, and just
18 percent of all e-mail as late as April 2002. However, over
the past year, the rate at which spam is increasing has
surpassed most observers' previous expectations and is reaching
critically high levels.
As of May 2003, the largest Internet service provider (ISP),
America Online, was blocking up to 2.4 billion spam messages
each day, or approximately 80 percent of its 3 billion daily
inbound e-mails. This number of blocked messages was up from 1
billion per day only 2 months beforehand, and 500 million per
day in December 2002. Microsoft, the country's second-largest
e-mail provider, also reported this past May that its MSN mail
and Hotmail services combined block up to 2.4 billion spam
messages each day. Earthlink, the third largest ISP in the
United States, reported a 500 percent increase in inbound spam
over the past 18 months. With many more similar reports in
recent months, the sheer volume of spam is threatening to
overwhelm not only the average consumer's in-box, but also the
network systems of ISPs, businesses, universities, and other
organizations. Putting this volume of spam in perspective, USA
Today recently reported that more than 2 trillion spam messages
are expected to be sent over the Internet this year, or 100
times the amount of direct mail advertising pieces delivered by
United States mail last year.
IDC, a leading technology industry analysis firm, recently
reported that Americans bear the brunt of this increased growth
in spam. According to IDC, North America was receiving
approximately 3.9 billion spam messages per day out of the 7.3
billion spam messages sent daily around the globe.
Deceptive Sender Information and Subject Lines
The inconvenience and intrusiveness to consumers of large
volumes of spam are exacerbated by the fact that, in many
instances, the senders of spam purposefully disguise the source
or content of the e-mail by falsifying or including misleading
information in the e-mail's ``from'', ``reply-to'', or
``subject'' lines. Thus, the recipient is left with no
effective ability to manage the constant inflow of spam into an
e-mail in-box because he or she cannot often tell without
opening the individual messages who is sending the messages or
what they contain. Even after opening a message, a consumer
often will not be able to ascertain the true identity of the
sender. Furthermore, once receiving unwanted messages, most
consumers do not have any way to dependably contact the senders
to instruct them to take the recipient off their mailing lists.
The FTC found in its recent report that one-third of all spam
contains a fraudulent return e-mail address that is included in
the routing information (known as the ``header'') of the e-mail
message. Early on, spam experts believed that fake return
addresses were used to entice recipients to reply to spam and
ask that their names be removed from the spammers' e-mail
lists. Replying like this was thought to confirm to the spammer
that the e-mail account was active, but the FTC did not find
enough evidence in a previous study to confirm this risk.
Regardless, as discussed further below, spammers have much
quicker and more automated ways to confirm valid e-mail
addresses even before sending out spam. Furthermore, headers
continue to be falsified not only to trick ISPs' increasingly
sophisticated spam filters, but also to lure consumers into
mistakenly opening messages from what appear to be people they
know.
One common method of collecting consumers' addresses, known
as a ``dictionary attack'', involves rapid, short-burst
communications with the target ISP's server (known as
``pinging'' the server) with automatically-generated, recipient
e-mail addresses in alphabetical (or dictionary) order. In this
attack, the spammer's software will record which addresses
cause the server to respond positively that it is ready to
accept e-mail for a tested recipient e-mail address. Each
positive response from the server confirms a valid address at
the target ISP, and the addresses are collected into a list
that is used to send a block of spam to that server at a later
time. Another common method of obtaining consumers' e-mail
addresses is to capture them from websites where users post
their addresses in order to communicate with other users of the
website. This practice, known as e-mail address ``harvesting'',
is often done by automated software robots that scour the
Internet looking for and recording posted e-mail addresses.
Additionally, many spam messages contain ``web bugs'' or
other hidden technological mechanisms to immediately notify a
spammer via the Internet when an unsolicited message has been
opened. Far short of replying to a spam message, a consumer's
mere act of opening a spam message containing a web bug may
eventually cause that consumer to receive more spam as a result
of confirming to the spammer his or her willingness or
susceptibility to open unsolicited e-mail.
In addition to false sender information, spammers often lure
consumers to open their e-mail by adding appealing or
misleading e-mail subject lines. The FTC reported that 42
percent of spam contains misleading subject lines that trick
the recipient into thinking that the e-mail sender has a
personal or business relationship with the recipient. Typical
examples are subject lines such as ``Hi, it's me'' and ``Your
order has been filled''. Moreover, e-mail messages with
deceptive subject lines may still lead unsuspecting consumers
to websites promoting completely unrelated products or even
scams, such as pornography or get-rich-quick pyramid schemes.
Pornographic spam is more likely than other spam to contain
fraudulent or misleading subject lines. In its recent report,
the FTC found that more than 40 percent of all pornographic
spam either did not alert recipients to images contained in the
message or contained false subject lines, thus ``making it more
likely that recipients would open the messages without knowing
that pornographic images will appear.'' Unsuspecting children
who simply open e-mails with seemingly benign subject lines may
be either affronted with pornographic images in the e-mail
message itself, or automatically and instantly taken--without
requiring any further action on their part (like clicking on a
link)--to an adult web page exhibiting sexually explicit
images.
Compounding these problems is the fact that nearly all spam
being sent today is considered untraceable back to its original
source without extensive and costly investigation. Although
many ISPs try to locate spammers in order to shut down their
operations, spammers can rather easily disguise their
whereabouts, quickly move to other ISPs, or set up websites at
new domains in order to avoid being caught. In addition, FTC
Chairman Muris and Commissioners Swindle and Thompson each
testified in hearings before the Committee this past spring to
the FTC's tremendous difficulty in tracking and finding
spammers who send out spam with fraudulent transmission
information. In response to members who questioned the FTC's
effectiveness in reducing the volume of spam, Chairman Muris
testified that their investigations are more effective when
``following the money'' through the business promoted in the e-
mail message to the spammer.
Testimony provided to the Committee by Brightmail Inc., a
leading company in anti-spam technology and services for ISPs
and corporations, supported the FTC's findings by concluding
that nearly 90 percent of all of the spam sent worldwide is
``untraceable'' to its actual source. Of the spam that does
``claim'' (in its header information) to come from a certain
region of the world, the overwhelming majority of it is sent
through computer e-mail servers in countries outside of North
America.\2\ According to the routing information of the spam
Brightmail has analyzed, approximately 60 percent comes from
Internet protocol (IP) addresses assigned to Europe (including
10-12 percent alone from Russia), and 16 percent originates in
Asia (with China leading that region). Although North America
receives over half of all spam sent each day, only 11 percent
of spam claims to emanate from North America.
---------------------------------------------------------------------------
\2\ Brightmail analyzes data it collects from its ``probe
network'', more than a million continually monitored e-mail addresses
seeded in ISPs around the world. These e-mail addresses never send out
e-mail and have never been used in e-commerce, but still attract 300-
350 million e-mail messages per month, 100 percent of which can be
classified as ``unsolicited''.
---------------------------------------------------------------------------
Some observers suspect that spammers located in North America
account for more of the global spam traffic. These observers
argue that data showing a small percentage of spam emanating
from North America is merely indicative of sophisticated North
American spammers' known practice of sending their messages
overseas first to ``bounce'' them off of misconfigured e-mail
servers known as ``open relays''--a process that masks the true
origin of the message. When successfully used, open relays pass
on the e-mail message to intended destinations in the United
States while deleting or over-writing the original source
information that would give away the spammer's true location.
However, because 90 percent of all spam is not easily traceable
back to its originating address, consumers, ISPs, government
investigators, and spam experts alike are left with only
theories about the countries truly responsible as the greatest
sources of spam.
Fraudulent Schemes, Privacy Risks, and Objectionable Content
The FTC has consistently reported that many unsolicited e-
mail messages contain fraudulent, misleading, or objectionable
content. Common types of fraudulent spam promote chain letters,
pyramid schemes, stock and investment scams, and solicitations
for bogus charitable causes, all of which may place consumers'
privacy and financial assets at significant risk. Also common
is spam with pornographic content or links to websites with
pornographic content, which many recipients find offensive and
which places additional burdens on parents to constantly
monitor their children's e-mail (even when they are already
using an ISP's ``parental controls'').
Consumers who buy products offered through spam face numerous
risks, including the exposure and sharing of sensitive personal
information over the Internet, and credit card or identity
theft. In a recent example, the FTC filed a complaint against
30 Minute Mortgage Inc., which it claimed used an array of
deceptions to lure consumers into sharing their personal
financial data. According to the FTC, the company advertised
itself as a national mortgage lender and used spam to urge
potential customers to complete detailed online loan
applications. The applications required consumers to supply
sensitive personal information, such as their names, addresses,
phone numbers, Social Security numbers, employment information,
income, first and second mortgage payments, and asset account
types and balances. The company assured consumers that when
they submitted the loan applications, their sensitive
information would be protected. Instead, the FTC alleges the
company and its principals sold or offered to sell thousands of
completed applications to nonaffiliated third parties.
Spam also is used to lure unwary users to websites that
contain viruses, spyware, or other malicious computer code.
Late last year, for instance, an Internet adult entertainment
company created a ``Trojan horse'' program that was downloaded
to unsuspecting users' computers. Users were tricked into
accepting the program through a spam message that promised to
deliver an electronic greeting card. The downloaded program,
however, instead routed users to the company's pornography
websites.
Pornographers, long on the cutting edge of technology, have
taken to employing increasingly brazen techniques to sell their
products and services. As mentioned above, the FTC estimates
that 18 percent of all spam is pornographic or ``adult-
oriented'' material. While not all of such spam contains
images, spammers often do send graphic sexual images embedded
in the body of spam so that simply upon opening the e-mail
message, a user is assaulted with explicit photographs or video
images. More frequently, though, spam contains HTML code and a
JavaScript applet that together automatically load a
pornographic web page as soon as the spam message is either
opened or, in some cases, simply ``previewed'' in certain
e-mail programs' preview panes.
Costs to ISPs, Consumers, and Businesses
Spam imposes significant economic burdens on ISPs, consumers,
and businesses. Left unchecked at its present rate of increase,
spam may soon undermine the usefulness and efficiency of e-mail
as a communications tool. Massive volumes of spam can clog a
computer network, slowing Internet service for those who share
that network. ISPs must respond to rising volumes of spam by
investing in new equipment to increase capacity and customer
service personnel to deal with increased subscriber complaints.
ISPs also face high costs maintaining e-mail filtering systems
and other anti-spam technology on their networks to reduce the
deluge of spam. Increasingly, ISPs are also undertaking
extensive investigative and legal efforts to track down and
prosecute those who send the most spam, in some cases spending
over a million dollars to find and sue a single, heavy-volume
spammer.
Though major service providers tend to disagree about the
overall monetary impact spam has had on their respective
networks, anti-spam initiatives cost providers time and money,
and those expenses typically have been passed on as increased
charges to consumers. A 2001 European Union study found that
spam cost Internet subscribers worldwide $9.4 billion each
year, and USA Today reported in April that research
organizations estimate that fighting spam adds an average of $2
per month to an individual's Internet bill. Additionally, some
observers expect that free e-mail services (often used by
students and employees who obtain free Internet access) will be
downsized as the costs of spam increase, which may result in
consumers facing significant ``switching costs'' as they are
forced to migrate to subscription-based services. As reported
by the Boston Globe, industry analysts are concerned that this
trend could influence millions of consumers to abandon the use
of e-mail messaging as a viable means of communication.
Spam presents other real costs to consumers who live in
remote areas or travel on business when they are forced to
spend time sorting through crowded e-mail in-boxes and deleting
unwanted messages. Although Internet access through broadband
connections is steadily growing, a dial-up modem continues to
be the method by which a vast majority of Americans access the
Internet and their e-mail accounts. In rural areas, however,
dial-up customers may pay per-minute access charges while
online or, in some cases, long distance charges for their
Internet connection. In addition, business travelers who sign
onto e-mail services from remote locations must either pay
long-distance fees or elevated per-minute surcharges in hotel
rooms. In these cases, deleting spam is more than just a loss
of time or productivity; it is actually an additional charge to
the consumer or business traveler.
In addition to the costs to ISPs and consumers, recent
industry research has focused on the impact of spam's growth on
businesses and e-commerce. Ferris Research currently estimates
that costs to United States businesses from spam in lost
productivity, network system upgrades, unrecoverable data, and
increased personnel costs, combined, will top $10 billion in
2003. Of that total, Ferris estimates that employee
productivity losses from sifting through and deleting spam
account for nearly $4 billion alone. Recent press reports also
indicate that large companies with corporate networks typically
spend between $1 and $2 per user each month to prevent spam,
which is currently estimated to make up 24 percent of such
corporations' inbound e-mail. At current growth rates, however,
spam could account for nearly 50 percent of all inbound e-mail
to large corporations by 2004. Ferris reports that corporate
costs of fighting spam today represent a 300 percent increase
from 2 years ago, and the Yankee Group estimates that costs to
corporations could reach $12 billion globally within the next
18 months. Based on current spam growth rates, the Radicati
Group estimates that, on a worldwide basis, spam could cost
corporations over $113 billion by 2007.
Summary of Provisions
The CAN-SPAM Act, S. 877, aims to address the problem of spam
by creating a Federal statutory regime that would give
consumers the right to demand that a spammer cease sending them
messages, while creating civil and criminal sanctions for the
sending of spam meant to deceive recipients as to its source or
content. Under the legislation, enforcement would be undertaken
by the FTC and, in some cases, industry-specific regulatory
authorities. In addition, the bill would enable State attorneys
general and ISPs to bring actions against violators.
If enacted, S. 877 would require senders of all commercial e-
mail to include a valid return e-mail address and other header
information with the message that accurately identifies the
sender and Internet location from which the message has been
sent. Except for transactional or relationship e-mail messages
(as defined therein), the legislation would also require
senders of commercial e-mail to provide an Internet-based
system for consumers to opt out of receiving further messages
from that sender. Moreover, a sender of UCE would be required
additionally to include in the e-mail message itself a valid
physical address of the sender as well as clear and conspicuous
notice that both the message is an advertisement or
solicitation and that the recipient may opt out of further UCE
from the sender.
S. 877 would also require businesses to ensure that they are
not promoted in e-mail sent with false or misleading
transmission information. The bill would hold the promoted
businesses responsible if they: (i) know or should know about
such deceptive promotion; (ii) are receiving or expect to
receive an economic benefit from it; and (iii) are taking no
reasonable precautions to prevent such promotion or to detect
and report it to the FTC.
S. 877 would permit criminal sanctions to be imposed on
senders of e-mail who intentionally disguise the source of
their messages by falsifying header information. Civil
sanctions would also be available for this violation as well as
all other violations of the bill. Additionally, aggravated
violations would apply to those who violate the provisions of
the bill while employing certain problematic techniques used to
either generate recipient e-mail addresses, or remove or mask
the true identity of the sender.
Legislative History
Senator Burns, the chairman of the Communications
Subcommittee, introduced S. 877 on April 10, 2003, with Senator
Wyden as an original cosponsor. The bill is also cosponsored by
Senators Breaux, Carper, Chambliss, Dodd, Edwards, Gregg,
Johnson, Landrieu, Lautenberg, Lieberman, Murkowski, Nelson of
Florida, Schumer, Snowe, Stevens, Talent, and Thomas.
S. 877 is based on legislation (S. 630) that was approved and
reported out of the Committee during the 107th Congress. In
addition to S. 877, 4 other bills relating to spam have been
introduced and referred to the Committee during the 108th
Congress. The bills are: S. 563, introduced by Senator Dayton;
S. 1052, introduced by Senator Nelson of Florida and
cosponsored by Senator Pryor; S. 1231, introduced by Senator
Schumer and cosponsored by Senator Graham of South Carolina;
and S. 1237, introduced by Senator Corzine.
On May 21, 2003, the Committee held a full committee hearing
chaired by Senator McCain on the proliferation of spam and
options for addressing the threat it poses to consumers,
business, ISPs, and the very medium of e-mail. Witnesses at the
hearing included two FTC commissioners and a diverse group of
companies, associations, and private parties interested in
spam. Additionally, several other individuals and organizations
provided written testimony for the record.
On June 19, 2003, the Committee held an executive session
chaired by Senator McCain at which S. 877 was considered. The
bill was approved unanimously by voice vote and was ordered
reported with an amendment in the nature of a substitute.
Amendments were offered by Senator Burns, to make substantive
modifications to the bill as introduced, and also by Senator
McCain to make businesses knowingly promoted through e-mail
with false or misleading transmission information subject to
FTC Act penalties and enforcement.
Estimated Costs
In accordance with paragraph 11(a) of rule XXVI of the
Standing Rules of the Senate and section 403 of the
Congressional Budget Act of 1974, the Committee provides the
following cost estimate, prepared by the Congressional Budget
Office:
U.S. Congress,
Congressional Budget Office,
Washington, DC, July 14, 2003.
Hon. John McCain,
Chairman, Committee on Commerce, Science, and Transportation,
U.S. Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 877, the Controlling
the Assault of Non-Solicited Pornography and Marketing Act of
2003.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contacts are Melissa E.
Zimmerman (for federal spending), Annabelle Bartsch (for
revenues), Victoria Heid Hall (for the state and local impact),
and Paige Piper/Bach (for the impact on the private sector).
Sincerely,
Douglas Holtz-Eakin,
Director.
Enclosure.
S. 877--Controlling the Assault of Non-Solicited Pornography and
Marketing Act of 2003
Summary: S. 877 would impose new restrictions on the
transmission of unsolicited commercial electronic mail (UCE),
often referred to as ``spam.'' The bill would require all
senders of UCE to identify the messages as UCE, provide
accurate header information, include a functioning return email
address, and stop sending messages to recipients who opt not to
receive them. In addition, the bill would create criminal
penalties for knowingly sending UCE that contains false
information on the email's header line.
The provisions of S. 877 would be enforced primarily by the
Federal Trade Commission (FTC) under the authorities provided
in the Federal Trade Commission Act, which includes assessments
of civil penalties for violations of the act. However, agencies
such as the Office of the Comptroller of the Currency (OCC),
the Board of Governors of the Federal Reserve System, the
Federal Deposit Insurance Corporation (FDIC), the Office of
Thrift Supervision (OTS), the National Credit Union
Administration (NCUA), the Securities and Exchange Commission
(SEC), and the Secretary of Transportation would enforce the
bill as it applies to businesses within the agencies'
respective jurisdictions. Those agencies would punish
violations of the bill's provisions with civil and criminal
penalties.
CBO estimates that implementing S. 877 would cost about $1
million in 2004 and about $2 million a year in 2005 and
thereafter, assuming appropriation of the necessary amounts.
CBO estimates that civil penalties collected as a result of
enacting this bill would increase governmental receipts
(revenues) by about $3 million a year when fully implemented
(by 2005). The bill also would have additional effects on
revenues and direct spending by imposing costs on banking
regulators and by creating new penalties. However, CBO
estimates that those additional effects would be negligible.
S. 877 would preempt certain state or local laws that
regulate the use of electronic mail to send commercial
messages. Such a preemption is a mandate as defined in the
Unfunded Mandates Reform Act (UMRA), but CBO estimates that the
budgetary impact of the mandate would be minimal and would not
exceed the threshold established in UMRA ($59 million in 2003,
adjusted for inflation).
S. 877 would impose private-sector mandates as defined in
UMRA by requiring that senders of commercial electronic mail
include certain information within their messages. Based on
information provided by government and industry sources, CBO
expects that the direct costs of complying with those mandates
would fall below the annual threshold established by UMRA ($117
million in 2003, adjusted annually for inflation).
Estimated Cost to the Federal Government: The estimated
budgetary impact of S. 877 is shown in the following table. The
costs of this legislation fall within budget function 370
(commerce and housing credit).
------------------------------------------------------------------------
                                  By fiscal year, in millions of dollars
                                  2004    2005    2006    2007    2008
------------------------------------------------------------------------
CHANGES IN FTC SPENDING SUBJECT TO APPROPRIATION \1\
Estimated Authorization Level \2\    1       2       2       2       2
Estimated Outlays                    1       2       2       2       2
CHANGES IN REVENUE
Estimated Revenues                   1       3       3       3       3
------------------------------------------------------------------------
\1\ S. 877 also would increase direct spending by less than $500,000 a
year.
\2\ The FTC received a gross 2003 appropriation of $177 million. This
amount will be offset by an estimated $95 million in fees the FTC
collects for merger reviews and administering a national ``do-not-call''
registry.
Basis of estimate: S. 877 would require the FTC to enforce
the provisions of the bill under the Federal Trade Commission
Act. Based on information from the FTC, CBO expects that the
agency would need to upgrade its database of UCE complaints,
hire additional staff to investigate possible violations, and
assist companies attempting to comply with the bill's
provisions. CBO estimates that those activities would cost $1
million in 2004 and $2 million a year in subsequent years,
assuming appropriation of the necessary amounts.
S. 877 would create a variety of new civil and criminal
penalties, which are classified in the budget as governmental
receipts (revenues). The FTC would enforce the bill with civil
penalties using its authority under the Federal Trade
Commission Act. Based on information from the FTC, CBO
estimates that those enforcement efforts would cause revenues
to rise by $3 million a year under the bill. The bill also
would create new criminal penalties and authorize other
agencies, including the SEC and the Department of
Transportation, to enforce the bill's provisions on industries
within their jurisdictions using both civil and criminal
penalties. However, CBO estimates that the effect of those
additional provisions on revenues would not be significant in
any year.
Collections of criminal fines are deposited in the Crime
Victims Fund and spent in subsequent years. Because any
increase in direct spending would equal the amount of fines
collected (with a lag of one year or more), the additional
direct spending also would be negligible.
The OCC, NCUA, OTS, FDIC, and the Board of Governors of the
Federal Reserve System would enforce the provisions of S. 877
as they apply to financial institutions. The OCC, NCUA, and OTS
charge fees to the institutions they regulate to cover all of
their administrative costs; therefore, any additional spending
by these agencies to implement the bill would have no net
budgetary effect. That is not the case with the FDIC, however,
which uses insurance premiums paid by all banks to cover the
expenses it incurs to supervise state-chartered banks. The
bill's requirement that the FDIC enforce the bill's
restrictions on UCE sent by these banks would cause a small
increase in FDIC spending but would not affect its premium
income. In total, CBO estimates that S. 877 would increase net
direct spending of the OCC, NCUA, OTS, and FDIC by less than
$500,000 a year.
Budgetary effects on the Federal Reserve are recorded as
changes in revenues (governmental receipts). Based on
information from the Federal Reserve, CBO estimates that
enacting S. 877 would reduce such revenues by less than
$500,000 a year.
Estimated impact on state, local, and tribal governments:
S. 877 would establish new federal prohibitions on certain
types of commercial electronic mail. While the Federal Trade
Commission and other federal agencies would generally enforce
these prohibitions, in the case of any person engaged in
providing insurance, the prohibitions would be enforced under
state insurance laws. However, any such state enforcement would
be voluntary.
S. 877 would preempt certain state or local laws that
regulate the use of electronic mail to send commercial
messages. Such a preemption is a mandate under UMRA. CBO
estimates that the mandate would have little budgetary impact
on state and local governments and would not, therefore, exceed
the threshold established in UMRA ($59 million in 2003,
adjusted for inflation).
Estimated impact on the private sector: S. 877 would impose
private-sector mandates as defined in the UMRA by requiring
that senders of commercial electronic mail include certain
information within their messages. The bill would require that
all senders of commercial electronic mail include a valid
return electronic-mail address and an accurate subject heading
within their message. Senders of unsolicited commercial
electronic mail would further be required to include a valid
physical postal address and to identify their messages as UCE
within their messages. The bill would require that the
electronic-mail address of the UCE sender must remain
functioning for at least 30 days after transmission of UCE.
In addition, S. 877 would require persons who send UCE to
provide the recipients of their messages with an option to
discontinue receiving UCE from the sender and to notify
recipients of that option to discontinue in each UCE message.
If a recipient makes a request to a sender not to receive some
or any UCE messages from such sender, then the sender, or
anyone acting on the sender's behalf, would be prohibited from
initiating the transmission to the recipient starting 10
business days after the receipt of such request. Based on
information from government and industry sources, CBO estimates
that the direct costs of complying with the mandates contained
in the bill would fall below the annual threshold established
by UMRA for private-sector mandates ($117 million in 2003,
adjusted annually for inflation).
Estimate prepared by: Federal Spending: Melissa E.
Zimmerman; Federal Revenues: Annabelle Bartsch; Impact on
State, Local, and Tribal Governments: Victoria Heid Hall; and
Impact on the Private Sector: Paige Piper/Bach.
Estimate approved by: Peter H. Fontaine, Deputy Assistant
Director for Budget Analysis.
Regulatory Impact Statement
In accordance with paragraph 11(b) of rule XXVI of the
Standing Rules of the Senate, the Committee provides the
following evaluation of the regulatory impact of the
legislation, as reported:
NUMBER OF PERSONS COVERED
S. 877 would provide all individuals using e-mail certain
protections from fraudulent or misleading behavior by senders
of commercial e-mail, and an opportunity to elect whether or
not to receive UCE. Additionally, the legislation would mandate
that all persons who send commercial e-mail meet certain
requirements, including proper identification and providing an
Internet-based reply system for recipients so they may opt out
of future UCE sent by that sender. Therefore, S. 877 would
cover all consumers who receive e-mail, and all senders of
commercial e-mail.
ECONOMIC IMPACT
The legislation would result in new or incremental costs for
senders of commercial e-mail to comply with the legislation's
requirements, to the extent that those senders have not already
made provisions to prevent fraudulent or misleading headers or
subject headings, ensure proper identification of the sender,
and provide Internet-based reply mechanisms that allow
recipients to choose whether to receive future messages.
Certain reports have noted the fairly low cost borne by senders
of commercial e-mail and the increased costs that ISPs and
their customers pay to handle increasing commercial e-mail
traffic. The Committee notes that many direct marketing groups
and companies that use commercial e-mail have already
implemented Internet-based response systems for recipients.
Therefore, many of the costs that would be expected to be
incurred from S. 877 have already been absorbed by the
marketing and sales industries that send commercial e-mail.
However, certain industries with extensive marketing affiliates
claim that the costs of integrating opt-out systems
network-wide may be significant.
PRIVACY
S. 877 would increase the personal privacy of all users of
e-mail by providing them with the ability to decline to receive
future UCE from the same sender. S. 877 also would require
senders of UCE to identify themselves to the recipients by
truthful header information and a mailing address where a
recipient can contact the sender, thereby better informing the
recipient of the identity of the sender. S. 877 would
furthermore prohibit the unauthorized use of a consumer's
e-mail account (also known as ``hijacking'') for the purposes of
sending out spam. S. 877 also would increase the privacy
protection of consumers' e-mail addresses and accounts by
outlawing the use of e-mail address collection methods, such as
e-mail harvesting and dictionary attacks, when used in
connection with the sending of commercial e-mail in violation
of S. 877.
PAPERWORK
S. 877 would require the FTC to make recommendations to
Congress for a workable plan to create a nationwide marketing
Do-Not-E-mail list within 6 months of completing implementation
of its national telemarketing Do-Not-Call list. S. 877 would
also require the FTC to perform a study and submit a report to
the Congress within 24 months after the date of enactment of
the legislation. The legislation is expected to generate
similar amounts of administrative paperwork as other
legislation requiring multiple agency enforcement,
recommendations for implementing a program, and a report to
Congress.
Section-by-Section Analysis
Section 1. Short title
This section would provide that the legislation may be cited
as the ``Controlling the Assault of Non-Solicited Pornography
and Marketing Act of 2003'' or as the ``CAN-SPAM Act of 2003''.
Section 2. Congressional findings and policy
This section describes the rising volume of UCE, the threat
it poses to e-mail's popularity and utility, the costs it
imposes, and a number of practices that spammers commonly use
to frustrate recipients' ability to identify and control the
flow of UCE. This section also notes that State statutes have
not been effective in managing the problem to date, and that
Federal legislation will need to be coupled with technological
approaches and international cooperation. Based on these
findings, this section would, if enacted, express the policy
determination that there is a substantial government interest
in regulating commercial e-mail on a Federal basis to prevent
commercial e-mail that misleads recipients as to the source or
content of the message and to ensure that recipients have a way
to tell a sender of commercial e-mail to stop.
Section 3. Definitions
This section would define 19 terms used throughout the bill,
some of which have a specific contextual meaning in the
statutory regime created by the legislation. The following
definitions included in S. 877 are of particular importance:
Affirmative Consent.--The term ``affirmative
consent'' means that the message is being sent with the
express consent of the recipient. Pursuant to this
definition, affirmative consent is intended to require
some kind of active choice or selection by the
recipient; merely remaining passive, as in the case
where a consumer fails to modify a default setting
expressing consent, is not a sufficient basis for
affirmative consent. If the recipient's consent was
prompted by a request for such consent, as opposed to
consent expressed at the recipient's own initiation (as
in the case where a consumer wants a product catalogue
and e-mails the company to ask for it), then such
request must be clear and conspicuous or affirmative
consent will not be deemed present. This definition
does not require consent on an individual,
sender-by-sender basis. A recipient could affirmatively consent
to messages from one particular company, but could also
consent to receive either messages on a particular
subject matter (e.g., gardening products) without
regard to the identity of the sender, or messages from
unnamed marketing partners of a particular company. The
only limitation on such third-party affirmative consent
is that the person granting such consent must have been
provided clear and conspicuous notice, at the time such
consent is granted, that the person's e-mail address
may be transferred to such third parties. The purpose
of this limitation is to ensure that consumers are
fully informed of the scope of any third-party consent
they may grant.
Commercial Electronic Mail Message.--The term
``commercial electronic mail message'' means any
electronic mail message where the primary purpose is
the commercial advertisement or promotion of a product
or service. This definition is intended to cover
marketing e-mails. Advertisements for content on an
Internet website operated for a commercial purpose are
included within the definition because an e-mail urging
the recipient to visit a particular commercial website
is just as much a marketing message as an e-mail urging
the purchase of a specific product or service. However,
the definition is not intended to cover an e-mail that
has a primary purpose other than marketing, even if it
mentions or contains a link to the website of a
commercial company or contains an ancillary marketing
pitch.
Electronic Mail Message.--The term ``electronic mail
message'' means a message sent to a unique electronic
mail address. The definition is intended to apply to
the message in the form that it is sent, regardless of
whether or in what form it is received. For example, an
electronic mail message may be blocked by filtering
software, or truncated or altered by some other type of
software installed by the recipient or the recipient's
Internet service provider. Such downstream effects have
no impact on what constitutes the underlying electronic
mail message for purposes of this Act.
Header Information.--The term ``header information''
means the source, destination, and routing information
attached to the beginning of an e-mail message,
including the originating domain name and originating
e-mail address, and any other information that appears
in the line purporting to identify the person
initiating the message (commonly referred to as the
``from'' line).
Implied Consent.--The term ``implied consent'', in
reference to a commercial e-mail message, means that
two requirements are met. First, a business
transaction, between the sender and recipient, must
have occurred within a 3-year period ending upon
receipt of the message. A business transaction may
include a transaction involving the provision, free of
charge, of information, goods, or services requested by
the recipient. However, merely visiting a free website
and browsing its content does not constitute a
``transaction'' for purposes of this definition.
Second, the recipient of the message must have been
given clear and conspicuous notice of an opportunity
not to receive UCE from the sender and has not
exercised that opportunity. Unlike affirmative consent,
implied consent does not require an active choice or
request by the recipient, so long as the recipient has
been given the ability via conspicuous notice to
decline receiving additional messages from the sender.
The definition also clarifies that a recipient's
implied consent may apply only to a particular division
or line of business within a particular corporation,
rather than the entire corporation, if the corporation
represented itself as a particular division or line of
business in its dealings with the recipient. The
rationale for this is that it would be unfair to read
the recipient's implied consent more broadly, when the
recipient may not have been aware of the identity of
the broader corporation.
Initiate.--The term ``initiate'', in reference to a
commercial e-mail message, means to originate or
transmit, or procure the origination or transmission
of, such an e-mail message. More than one person may be
considered to have initiated a message. Thus, if one
company hires another to handle the tasks of composing,
addressing, and coordinating the sending of a marketing
appeal, both companies could be considered to have
initiated the message--one for procuring the
origination of the message; the other for actually
originating it. However, the definition specifies that
a company that merely engages in routine conveyance,
such as an ISP that simply plays a technical role in
transmitting or routing a message and is not involved
in coordinating the recipient addresses for the
marketing appeal, shall not be considered to have
initiated the message.
Procure.--The term ``procure'', when used with
respect to the initiation of a commercial electronic
mail message, means intentionally to pay or induce
another person to initiate the message on one's behalf,
while knowingly or consciously avoiding knowing the
extent to which that person intends to comply with this
Act. The intent of this definition is to make a company
responsible for e-mail messages that it hires a third
party to send, unless that third party engages in
renegade behavior that the hiring company did not know
about. However, the hiring company cannot avoid
responsibility by purposefully remaining ignorant of
the third party's practices. The ``consciously avoids
knowing'' portion of this definition is meant to impose
a responsibility on a company hiring an e-mail marketer
to inquire and confirm that the marketer intends to
comply with the requirements of this Act.
Recipient.--The term ``recipient'' means an
authorized user of the e-mail address to which an
e-mail message was sent or delivered. If such a user has
other e-mail addresses in addition to the address to
which the message was sent, each of those addresses
will be treated as an independent recipient for
purposes of this legislation. For example, a person may
have an e-mail address provided by his ISP and also
subscribe to a second, free e-mail service. Under the
legislation, each of these addresses is considered
independent, although they are both owned by the same
person. Therefore, if an unsolicited commercial message
is sent by the same sender to each of the recipient's
e-mail addresses and the recipient does not wish to
receive future messages, the recipient must opt out for
each address. However, if an e-mail address is
reassigned to a new user, as may happen after one user
gives up an e-mail address in connection with a change
in ISP or a change in employer, the new user shall not
be treated as a recipient of any commercial e-mail
message sent or delivered to that address before it was
reassigned.
Sender.--The term ``sender'' means a person who
initiates a commercial e-mail and whose product,
service, or Internet web site is advertised or promoted
by the message. Thus, if one company hires another to
coordinate an e-mail marketing campaign on its behalf,
only the first company is the sender, because the
second company's product is not advertised by the
message. If the second company in this example,
however, originates or transmits e-mail on behalf of
the first company, then, under the definitions in
section 3 of the bill, both companies would be
considered to have ``initiated'' the e-mail, even
though only the first company is considered to be the
``sender''.
Transactional or Relationship Message.--The term
``transactional or relationship message'' means an
electronic mail message the primary purpose of which is
to: facilitate, complete, or confirm a transaction;
provide specified types of information with respect to
a product or service used or purchased by the
recipient; provide information directly related to a
current employment relationship or benefit plan; or
deliver goods or services that are included under the
terms of a previous transaction. This definition is
intended to cover messages directly related to a
commercial transaction or relationship that the
recipient has already agreed to enter into, such as
receipts, monthly account statements, or product recall
notices. Such messages could also include some
promotional information about other products or
services, but only if the promotional material is truly
ancillary to a primary purpose listed in this
definition.
Unsolicited Commercial Electronic Mail Message.--The
term ``unsolicited commercial electronic mail message''
means any commercial electronic message that is not a
transactional or relationship message and is sent to a
recipient without the recipient's prior affirmative or
implied consent.
Section 4. Criminal penalty for commercial electronic mail containing
fraudulent routing information
This section would provide misdemeanor criminal liability for
intentionally sending commercial electronic mail with falsified
information concerning the transmission or source of the
message. The section would amend chapter 63 of title 18, United
States Code, to require that a person who sends commercial
e-mail, with knowledge and intent that the message contains or is
accompanied by header information that is materially false or
materially misleading, shall be fined or imprisoned for up to 1
year, or both. This section further states that header
information that is technically correct but includes an
originating e-mail address, the access to which was obtained by
means of false or fraudulent pretense or representations, would
be considered materially misleading. This provision is intended
to address the situation where a spammer hacks into, or upon
false pretenses obtains access to, an innocent party's e-mail
account and uses it to send out spam.
Section 5. Other protections for users of commercial electronic mail
This section contains the bill's principal requirements for
persons initiating commercial e-mail and UCE, violations of
which would not be criminal but would be unfair or deceptive
acts or practices enforced by the FTC and other Federal
agencies.
Section 5(a)(1) would prohibit falsified transmission
information. Specifically, it would be unlawful to initiate a
commercial e-mail message that contains or is accompanied by
header information (source, destination and routing
information, ``from'' line) that is false or misleading. As in
section 4, if the e-mail includes an originating e-mail address
in the header the access to which was obtained fraudulently,
the commercial e-mail would be considered materially
misleading. The intent of this subsection is to eliminate the
use of inaccurate originating e-mail addresses that disguise
the identities of the senders.
Section 5(a)(2) would prohibit the knowing use of deceptive
subject headings in commercial e-mail messages. The test is
whether the person initiating the message knows that the
subject heading would be likely to mislead a reasonable
recipient about a material fact regarding the content or
subject matter of the message. Thus, minor typographical errors
or truly accidental mislabeling should not give rise to
liability under this section.
Section 5(a)(3) would require that a commercial e-mail
message must have a functioning return e-mail address or other
Internet-based reply mechanism (such as a link to a web page at
which a user can ``click'' to select e-mail options) through
which a recipient can opt out of future messages. The return
address, or other Internet-based reply mechanism, must remain
capable of receiving communications from recipients for at
least 30 days from the date of the original e-mail. The
temporary inability of a return address to accept e-mails due
to a technical or capacity problem would not be a violation of
the law if the problem was not foreseeable in light of the
potential volume of response messages and if the problem is
corrected within a reasonable time period. It is recognized
that computer systems are fallible on occasion, and this
exception is intended to protect persons who act in good faith
to receive opt-out messages but are unable to do so because of
these occasional and accidental system failures. However, the
exception is not available to a person who sends out a large
volume of commercial e-mail but sets up a reply mechanism with
very limited capacity. In such a case, the failure of the
system is foreseeable. The exception is also not available to a
person who fails to make repairs in a reasonable time. The
intent of this exception is to protect against truly accidental
outages, not to protect parties who have not made a reasonable
and good faith effort to ensure a working opt-out mechanism.
Subparagraph (B) is intended to make clear that the opt-out
mechanism required by the subsection would not need to be an
``all or nothing'' proposition. A recipient must have the
option of declining to receive all further messages, but a
sender could also give the recipient the option of receiving
some types of messages but not others.
Section 5(a)(4) would require that once a sender receives a
request from a recipient to not send any more UCE, the sender
must cease the transmission of UCE to that recipient within 10
business days after receiving the recipient's request. This 10
business-day window also applies to any person acting on behalf
of the sender to initiate the transmission of the UCE, or any
person who provides or selects e-mail addresses for the sender,
so long as those persons know that a request to cease the
messages was made by the recipient. Those persons cannot avoid
liability under this section by consciously avoiding knowing
that a recipient requested to opt out of receiving unsolicited
commercial messages. The intent of this requirement is to
ensure that persons providing e-mail marketing services will be
responsible for making a good faith inquiry of their clients
(the senders, under the definitions of this bill) to determine
whether there are recipients who should not be e-mailed because
they have previously requested not to receive e-mails from that
sender. E-mail marketers who willfully remain unaware of prior
recipient opt-outs would not be excused from liability under
this legislation. In addition, subparagraph (D) prohibits the
sale or other transfer of the e-mail address of a recipient
submitting an opt-out request. This is intended to prevent a
sender or other person from treating an opt-out request as a
confirmation of a ``live'' e-mail address, and selling that
information to other would-be spammers.
Section 5(a)(5) would require UCE to contain clear and
conspicuous identification that the e-mail is an advertisement
or solicitation. The section would also require clear and
conspicuous notice of the opportunity to decline receiving
further UCE, and would require the inclusion of a valid
physical postal address for the sender.
Section 5(b) addresses several techniques frequently employed
by the most problematic spammers. These techniques would be
classified as aggravated violations, and parties that use them
would be subject to sharply increased liability.
Paragraph (1)(A)(i) deals with ``address harvesting''.
Specifically, it would make it an aggravated violation to send
unlawful UCE to a recipient whose address was obtained using an
automatic address gathering program or process from a website
or proprietary online service that has a policy of not sharing
its users' e-mails for purposes of sending spam. Paragraph
(1)(A)(ii) would do the same thing with respect to unlawful UCE
sent to addresses generated through ``dictionary attacks'', in
which a spammer sends messages to a succession of automatically
generated e-mail addresses (such as [email protected],
[email protected], [email protected]) in the expectation that some of
them will turn out to be the addresses of real people. The
paragraph contains a disclaimer to clarify that these
provisions should not be read as establishing ``ownership'' of
e-mail addresses by a person operating a website or proprietary
online service from which those addresses are harvested, or by
any other person.
Paragraph (2) would make it an aggravated violation for ISP
or other e-mail service subscribers to use an automated means
to register for multiple e-mail accounts from which to send
unlawful UCE. This is a technique spammers use to cycle rapidly
through different originating addresses, making the spammers
hard to track down and the UCE they send more difficult for
ISPs and other e-mail service providers to filter. Finally,
paragraph (3) is intended to make it an aggravated violation to
hijack computers or open relays for the purpose of sending
unlawful spam.
Section 5(c) would provide an opportunity for a defendant in
an action alleging a violation of this bill (other than a
violation involving falsified header information) to escape
liability by showing that it had adopted reasonable practices
and procedures to prevent violations and has made good faith
efforts to maintain compliance with the provisions of the bill.
This defense is intended to protect those persons who have
preventive practices in place but through unforeseen
circumstances find themselves in violation. It is expected that
persons who regularly fail to comply with the bill's provisions
would not meet the requirements of reasonable practices or
procedures, nor be able to make a clear showing of good faith
efforts to be compliant.
Section 6. Businesses knowingly promoted by electronic mail with false
or misleading transmission information
Section 6, which was offered as an amendment by Senator
McCain at the Committee's executive session, would make
businesses knowingly promoted in an e-mail with false or
misleading transmission information subject to FTC Act
penalties and enforcement remedies. Unlike other violations of
the bill, enforcing violations of this section would not be
dependent upon finding the person who ``initiated'' the e-mail
(as defined in section 3). Instead, this section would hold
businesses that use deliberately falsified spam as a means to
promote themselves liable to FTC enforcement, regardless of
whether the FTC is able to identify the spammer who initiated
the e-mail.
The purpose of this section would be to give the FTC a tool
to more effectively ``follow the money'' and enforce the law
against businesses that hire spammers to send e-mail to
consumers in large volumes with deliberately falsified header
information. These businesses might otherwise escape liability
under section 5 of the bill because that section would require
the FTC to prove that a business ``procured'' a spammer to send
the e-mail on its behalf. This section would therefore set a
different standard for the FTC to meet when enforcing the law
against online or offline businesses that promote themselves
through spam messages with deliberately falsified sender and
routing information. Additionally, this section is limited in
important ways that focus FTC enforcement on the deliberately
falsified header spam used by high-volume spammers, minimizing
the risk to legitimate retailers who do not disguise their
identity in e-mail marketing.
Section 6(a) would prohibit any person from promoting, or
knowingly permitting the promotion of, that person's trade or
business in a commercial e-mail message that is in violation of
section 5(a)(1). Section 6(a) would therefore apply only to
e-mail that contains false sender or routing information, the key
element of the criminal provisions under section 4 as well as a
violation of section 5. Testimony from the Committee's hearings
indicated that the use of falsified identity information is
something that legitimate marketers and retailers will never
do; however, it is exactly what volume spammers will continue
to do in order to get their e-mails past ISP filters. As such,
the use of false headers for commercial e-mail is a
bright-line, objective standard that all parties can agree identifies
a message as ``spam''.
Section 6(a) would hold a promoted business subject to
enforcement only when it: (1) knows or should know it is being
promoted by falsified spam, (2) is receiving or expects to
receive an economic benefit from such promotion, and (3) is
taking no reasonable precautions to prevent such spam, or to
detect and report it to the FTC. The latter provision is an
important safeguard to give legitimate companies an opportunity
to proactively avoid mistaken FTC action if they have been
victimized by ``spoofed sender'' spam--unauthorized messages
sent using their corporate name or one of their employees'
e-mail addresses as the purported sender. This is increasingly
becoming a preferred tactic of spammers who include a
legitimate company's information in the e-mail's ``from'' line
(or other parts of the header information) in order to either
bypass ISP filters, trick consumers into opening the message,
or sell counterfeit goods of that company.
Section 6(b) would prevent the extension of liability under
section 6(a) to website hosts, landlords, equipment lessors and
other third parties that may provide goods or services
unwittingly to a falsely promoted business. These businesses
would be protected against FTC enforcement action unless they
own or control the falsely promoted business, or actually know
about the falsified spam and financially benefit from it.
Section 6(c) would limit enforcement of this section to the
FTC. This section, however, would not in any way revise,
remove, or diminish any other FTC, State attorney general, or
ISP enforcement provisions set forth elsewhere in S. 877.
Section 7. Enforcement by the Federal Trade Commission
Sections 7(a) and 7(d) prescribe that section 5 would be
enforced by the FTC under section 18 of the FTC Act (15 U.S.C.
41 et seq.) as if the violation were an unfair or deceptive act
or practice. The Commission would be required to prevent
persons from violating this legislation in the same manner, by
the same means, and with the same jurisdiction, powers, and
duties as though all applicable terms and provisions of the FTC
Act were incorporated and made a part of this legislation.
Therefore, all the jurisdictional, remedial, and civil
enforcement provisions of the FTC Act would be applicable to
commercial e-mail under the provisions of this legislation.
Sections 7(b) and 7(c) would provide for enforcement by other
agencies for entities subject to their jurisdiction due to the
jurisdictional limitations of the FTC. These agencies include
the Office of the Comptroller of the Currency, the Federal
Reserve Board, the Federal Deposit Insurance Corporation, the
Office of Thrift Supervision, the Department of Transportation,
the Department of Agriculture, the Farm Credit Administration,
the Securities and Exchange Commission, and the Federal
Communications Commission, for those entities subject to their
jurisdiction. Under section 7(c), these agencies and the others
set forth in section 7(b), may exercise authority provided by
their own statutory grants to enforce the substantive
provisions of this legislation.
Section 7(e) would grant State attorneys general the right to
bring a civil action for violations of section 5. A State may
bring an action in parens patriae for aggrieved citizens of the
State in Federal district court or other court of competent
jurisdiction to obtain injunctive relief or recover actual or
statutory damages, whichever is greater. Statutory damages
under this section are (i) up to $100 per message with
falsified header information; or (ii) $25 per message that is
otherwise unlawful under this legislation, up to a cap of
$1,000,000. If the court finds violations of section 5 were
committed willfully or knowingly, or if the defendant's
unlawful activity included one or more of the aggravated
violations set forth in section 5(b), the statutory damage
amount could be tripled. Reasonable attorneys' fees would be
awarded to the State for a successful action.
Section 7(f) would allow a provider of Internet access
service adversely affected by a violation of section 5 to bring
a civil action in Federal district court or other court of
competent jurisdiction. This could include a service provider
who carried unlawful spam over its facilities, or who operated
a website or online service from which recipient e-mail
addresses were harvested in connection with a violation of
section 5(b)(1)(A)(i). The provider may obtain injunctive
relief or actual or statutory damages calculated in the same
manner as section 7(e). The court would be permitted to assess
the costs of such an action, including reasonable attorneys'
fees, against any party.
Section 8. Effect on other laws
Section 8(a) would limit the effect the legislation would
have on current Federal statutes. It clarifies that nothing in
the legislation should be construed to interfere with the
enforcement of the provisions of the Communications Act of 1934
relating to obscenity, or sexual exploitation of children, or
of the FTC Act for materially false or deceptive
representations or unfair practices in commercial e-mail
messages.
Section 8(b)(1) sets forth the general rule concerning the
preemption of State law by the legislation. The legislation
would supersede State and local statutes, regulations, and
rules that expressly regulate the use of e-mail to send
commercial messages except for statutes, regulations, or rules
that target fraud or deception in such e-mail. Thus, a State
law requiring some or all commercial e-mail to carry specific
types of labels, or to follow a certain format or contain
specified content, would be preempted. By contrast, a State law
prohibiting fraudulent or deceptive headers, subject lines, or
content in commercial e-mail would not be preempted. Given the
inherently interstate nature of e-mail communications, the
Committee believes that this bill's creation of one national
standard is a proper exercise of the Congress's power to
regulate interstate commerce that is essential to resolving the
significant harms from spam faced by American consumers,
organizations, and businesses throughout the United States.
This is particularly true because, in contrast to telephone
numbers, e-mail addresses do not reveal the State where the
holder is located. As a result, a sender of e-mail has no easy
way to determine with which State law to comply. Statutes that
prohibit fraud and deception in e-mail do not raise the same
concern, because they target behavior that a legitimate
business trying to comply with relevant laws would not be
engaging in anyway. Section 8(b)(2) of the legislation
clarifies that there would be no preemption of State laws that
do not expressly regulate e-mail, such as State common law,
general anti-fraud law, and computer crime law.
Section 8(c) would clarify that this legislation would have
no impact on the lawfulness of ISPs' efforts to filter or block
e-mails traversing their systems.
Section 9. Recommendations concerning Do-Not-E-mail Registry
This section would require the FTC, within 6 months of
implementing its national telemarketing Do-Not-Call list, to
come up with a plan for creating a Do-Not-E-mail list or else
explain to Congress why the creation of such a list is not
feasible at such time. The FTC is currently in the process of
implementing the Do-Not-Call list, and the timing of this
provision is intended to permit the FTC to analyze its
experience with Do-Not-Call before turning to the question of
Do-Not-E-mail. The Committee therefore intends that the 6-month
deadline established by this section would be measured from the
date that the Do-Not-Call list is fully enforceable against
telemarketers, not from the date when consumers may first sign
up for the list. The Committee also notes that a Do-Not-E-mail
list appears to raise significant technical, security, and
privacy questions that would need to be resolved before such a
list could be implemented, and this provision gives the FTC
time to consider such issues and their impact on the efficacy
of creating such a list.
Section 10. Study of effects of unsolicited commercial electronic mail
This section would require the FTC, in consultation with the
Department of Justice and other appropriate agencies, to submit
a report to Congress, within 24 months after enactment of this
legislation, on the effectiveness and enforcement of the
provisions of this legislation and any modifications to the
legislation which may be considered appropriate. The FTC would
also be required to include in the report: an analysis of the
extent to which technological and marketplace developments may
affect the practicality and effectiveness of the legislation;
an analysis of ways to address the international aspects of the
spam problem; and an analysis of what could be done to protect
consumers, especially children, from pornographic UCE.
Section 11. Separability
This section states that if any provision or application of a
provision of the legislation is held invalid, the remainder of
the legislation and application of its provisions would not be
affected.
Section 12. Effective date
This section provides that the provisions of this legislation
would take effect 120 days after the date of enactment.
Changes in Existing Law
In compliance with paragraph 12 of rule XXVI of the Standing
Rules of the Senate, changes in existing law made by the bill,
as reported, are shown as follows (existing law proposed to be
omitted is enclosed in black brackets, new material is printed
in italic, existing law in which no change is proposed is shown
in roman):
TITLE 18, UNITED STATES CODE
CHAPTER 63. MAIL FRAUD
Sec. 1351. Commercial electronic mail containing fraudulent
transmission information
(a) In General.--Any person who initiates the transmission,
to a protected computer in the United States, of a commercial
electronic mail message, with knowledge and intent that the
message contains or is accompanied by header information that
is materially false or materially misleading shall be fined or
imprisoned for not more than 1 year, or both, under this title.
For purposes of this subsection, header information that is
technically accurate but includes an originating electronic
mail address the access to which for purposes of initiating the
message was obtained by means of false or fraudulent pretense
or representations, shall be considered materially misleading.
(b) Definitions.--Any term used in subsection (a) that is
defined in section 3 of the CAN-SPAM Act of 2003 has the
meaning given it in that section.