California’s Anti-Spam Laws May Provide a Potent Weapon for Private Parties to Wield Against Spammers (Eventually)

Private parties frustrated by spam often face significant legal hurdles to bringing suit against the spammer. Businesses and individuals, except for internet service providers, cannot sue under the main Federal anti-spam statute — CAN-SPAM. 15 U.S.C. § 7706. Some state anti-spam laws do permit email businesses and individuals to bring suit. For example, California’s anti-spam laws permit any email recipient to sue. Cal Bus. & Prof. Code § 17529.8. However, CAN-SPAM also unfortunately provides that all state laws regulating commercial emails are preempted (can’t be enforced), except to the extent that such laws prohibit “falsity or deception.” 15 U.S.C. § 7707(b)(1). This rule has often meant that businesses and consumers seeking to sue spammers under state laws are out of luck.
The reason for their ill-luck is that courts have generally interpreted the terms “falsity and deception” in CAN-SPAM to refer to common-law fraud. This means that the state law is invalid except to the extent that it merely prohibits common-law fraud. So to bring suit under a state anti-spam statute that prohibited falsity or deception, the plaintiff would have to prove that the spammer intentionally made a misrepresentation of material fact, on which the plaintiff actually relied and which caused him actual damages. See, e.g., Omega World Travel, Inc., 469 F.3d 348, 353 (4th Cir. 2006).
To penetrate anti-spam defenses, many spam emails contain false “header” information — in which a “friendly” email address, from an organization that the email recipient will not block — is substituted for that of the actual sender (the spammer). Sometime the “from” box in a spam email will contain a variant of the recipient’s email address, an email address of another person at the recipient’s firm, an email address of another legitimate business, or a misspelled email address from any of the foregoing.
Spam emails also often contain deceptive information in the reference line, such as “A free gift for you”, or “You have been selected for a cruise”, etc. This material convinces the recipient to open and read the file.
While this header information may be false, it may be difficult for the recipient to argue that this false header information gives rise to the common-law tort of fraud. The false information may have permitted the spammer to get around the recipient’s anti-spam software, or the recipient may have been induced by a false reference line to open the spam email. However, the recipient may have never relied on this false information to enter into a transaction in which he lost money. There lies the rub: if there was no actual reliance and no damages caused by the reliance — then there is no cause of action for common-law fraud. This eliminates most private suits against spammers.
However, some recent decisions regarding California’s anti-spam laws have begun to question the standard interpretation of “falsity and deception.”

Six Years After CAN-SPAM: Effective Spam Control Can Require Both Technical and Litigation Solutions

CAN-SPAM (15 U.S.C. § 7701-7713) was enacted in 2003 in response to a national hue and cry over spam. At the time, unsolicited commercial email was estimated to account for half of all electronic mail traffic. According to the Congressional “findings” in the preamble to the Act, the sheer quantity of spam was doing real damage to the internet, creating costs for storage, accessing, reviewing and discarding unwanted emails, and reducing the reliability and usefulness of electronic mail to the recipient. The findings further stated that “The growth in unsolicited commercial mail imposes significant monetary costs on providers of Internet access services, businesses and educational and nonprofit institutions that carry and receive such mail, as there is a finite volume of mail that such providers, businesses, and institutions can handle without further investment in infrastructure.” 15 U.S.C. § 7701(a).
Given these findings, one would think that CAN-SPAM would impose onerous penalties on spammers. Au contraire, mon frere! Instead of “canning” spam, the act became known as the “Yes, You CAN SPAM Act.” In fact, the Act does nothing to outlaw the sending of unsolicited emails per se.
Rather, the sending of unsolicited emails is permitted as long as a few basic rules are followed. In general: (i) the “from” and “subject matter” lines in the header must be accurate, relevant to the subject matter of the email and not misleading. A commercial advertiser must also provide its physical address, and a label must also be present if the email contains adult content; (ii) the email must contain an “opt-out” mechanism, that must be honored within 10 days; and (iii) the email must not be not sent to an email address obtained through “address harvesting” or a “dictionary attack” and must not be sent via automatically created email accounts or a computer network to which the sender has gained access without authorization.
Another important element of CAN-SPAM is that it provides that “any statute, regulation, or rule of a State . . . that expressly regulates the use of electronic mail to send commercial messages” is “superseded” — i.e., preempted. This means that states cannot enact laws that are expressly directed at preventing the sending of unsolicited email messages or at reducing the quantity of email messages that can be sent by a single person. In other words, CAN-SPAM means that the federal government has refused to prevent spamming per se and has declared that the states can’t do it either (unless the spam is accompanied by “falsity or deception”). The effect is that much of the job of preventing spam per se is in private hands.