The Need for New Federal Anti-Spam Legislation
Matthew Sipe | 31 Yale J. on Reg. Online 55 | View .PDF
The CAN-SPAM Act of 2003 was passed in an attempt to stop “the extremely rapid growth in the volume of unsolicited commercial electronic mail” and thereby reduce the costs to recipients and internet service providers of transmitting, accessing, and discarding unwanted email. The Act obligates the senders of commercial email to utilize accurate header information, to “clear[ly] and conspicuous[ly]” identify their emails as “advertisement or solicitation,” and to notify recipients of the opportunity to opt-out of receiving future emails. Once an individual has opted out, that sender is then prohibited from emailing them further. Despite high hopes, the Act has largely been considered a failure for four reasons: 1. It eliminates many pre-existing private causes of action against senders, 2. it does not require senders to receive permission before initiating contact, 3. it relies upon a system of opt-out links that are both distrusted and frequently abused, and 4. it has been under-enforced.
In the absence of comprehensive federal legislation, alternative solutions to the spam problem have proliferated, including state-by-state statutory regimes, decentralized private regulation, and restraints on the acquisition of email addresses itself. This paper examines some of the shortcomings of these alternative approaches, advocating instead for a new, more complete federal statutory regime.
I. State Solutions: Low Compliance, Low Enforcement
Some states have tried statutory approaches to curtailing spam. These regimes vary widely, ranging from completely prohibiting all “unsolicited commercial email,” to permitting unsolicited commercial emails but requiring that they contain certain keywords in the subject line, to merely requiring truthfulness in the sender and subject lines, to seemingly no regulation whatsoever. These broad categories have further differentiation—some states’ laws only apply to email sent to more than a certain number of recipients, for example—so that the result is a substantially heterogeneous patchwork of regulation across the country.
Since email addresses, unlike physical addresses, offer no indication of the location of the recipient, complying with each state’s particular laws becomes all but impossible for senders of commercial email. The result is low voluntary compliance, with weak enforcement mechanisms—low-incentive private causes of action and underfunded state investigators —unable to pick up the slack. Uniform federal legislation against spam that preempts these state regimes, includes greater incentives for bringing private action, and allocates funding for investigations would increase compliance and improve enforcement across the country.
II. Decentralized Private Regulation: Anticompetitive Concerns
Private internet service providers (ISPs) have also stepped in, generating lists of websites that they believe “send or support the sending of spam,” and “blocking transmission” between those websites and the addresses in its own system. This decentralized process of private regulation may be more flexible and adaptive to changing technology, but it creates significant anticompetitive concerns.
The criteria for blacklisting can be quite elastic—despite dedicating significant resources to fighting spam and policing relay use, MIT ran afoul of one such blacklist for simply having “bad email practices” —and could easily allow ISPs to engage in selective enforcement, disproportionately blocking the websites and communications of competitors. Since ISPs are already natural monopolies, with customers in a given location typically having few, if any, alternatives, market forces would do little to restrain capricious blocking activity. Furthermore, ISPs that operate as part of much larger corporations have added potential for abuse by leveraging their blocking power in other markets; AT&T, for example, might use its position as an ISP to block the website and commercial messages of a competing cell phone carrier while allowing its own to go through. In this way, allowing ISPs to maintain blacklists enables them to magnify their already significant market power. Federal legislation against spam can obviate the need for private blacklists, stopping spam without generating anticompetitive forces.
III. Restraints on Email Address Acquisition: No Protection in Many Cases
The Computer Fraud and Abuse Act (CFAA) as well as the common law of contract and trespass have been used to curtail spam indirectly by policing the illegitimate acquisition of email addresses. However, these solutions are incomplete at best. Focusing on the acquisition of email addresses does nothing for individuals whose email addresses are already in the hands of spammers. Additionally, these restraints miss a wide variety of email address acquisition techniques. Lists of email addresses can still be bought, sold, or posted for free by companies that acquired them. Users may unwittingly leave their contact information searchable on social media sites. Many email addresses can even be guessed. Federal legislation addressing the act of spamming directly is needed to close these gaps, and provide recourse once an email address has been acquired.
IV. Conclusion: Crafting Better Federal Spam Regulation
A new federal statutory regime regulating spam is needed to replace CAN-SPAM. State regulations are prohibitively difficult to comply with, and lack proper enforcement mechanisms. Private regulation raises too many anticompetitive concerns. Restrictions on email address acquisition, while beneficial, are an inadequate solution on their own. New federal regulation that directly targets spamming activity, requires opting in rather than opting out, provides sufficient incentives for private parties to file complaints or bring suit, and dedicates resources for investigations would go far in reducing spam below its current level.