There’s Still (Barely) Time to Get Your CASL in Gear

It’s been five years in the coming, but the new Canadian Anti-Spam Law (CASL) is nearly here at last. The new requirements go into effect July 1st, so if you haven’t made preparations for compliance yet, now’s the time to get started.

The new law applies to anyone who sends mail to recipients in Canada, and requires senders of email to have or to obtain permission from those recipients to send them marketing messages. The problem, of course, is that unless senders have been collecting geographic data about their recipients at the time they gathered permission, it’s hard to know whether any particular recipient is in Canada. Furthermore, the burden rests on the sender to prove that they had consent should any action be brought under the law.

Holiday Fail, Indeed.

You might have thought that a large, e-commerce-centric company like Pro Commerce, Inc. – owners of well-known brands like ProFlowers and Red Envelope – would know better than to send e-mail with deceptive subject lines, a clear and blatant violation of the CAN SPAM Act.

You’d have thought wrong.

I received the solicitation below with the subject line, “Flower Delivery Notice Failure.” I immediately assumed the message was a phish, possibly sent with data obtained in one of the recent ESP breaches. After all, I do have a Pro Flowers account, but I haven’t purchased from them in a few months.

But the message is signed with a valid DKIM signature and is authenticated with SPF, and both point at network assets under Pro Commerce’s control. They are not using an ESP; the mail came from their own servers, hosted in Cogent IP space.

Maybe they should consider using an ESP. They obviously could use a little help. I realize that businesses of every size are under enormous pressure to make their Q4 revenue numbers, but this is not the way to do it.


Assessing ESP Liability Under The Canadian Spam Law

Much analysis and guidance has been written about the new requirements (and significant penalties) imposed on senders of unsolicited e-mail by the Canadian Anti-Spam Law set to go into effect in the fall. What seems less thoroughly addressed to my non-lawyerly eyes is what specific liability is created by violations of CASL upon the ESP used by their clients to transmit the infringing commercial electronic message (CEM).

I put the question to Neil Schwartzman, a long-time colleague and Executive Director of CAUCE North America, one of the very earliest anti-spam advocacy groups and the primary driver of CASL through its storied journey across the Canadian legislative landscape. Neil recently left ReturnPath to start, a firm offering expertise on CASL compliance. He and consulting legal counsel Shaun Brown of nNovation LLP respond:

Street Legal E-mail

In this third set of questions following our recent deliverability webinar, we’ll try to clarify some confusion about the current legal state of affairs where bulk commercial e-mail is concerned. We’re also about to see some big changes go into effect in Canada that may have some impact on your e-mail strategy. We received this question from a webinar participant after the live session (if you haven’t caught it yet, you can still see the recorded version):

My e-mail is CAN SPAM compliant, but it still gets bounced or filtered. It’s not spam if it complies with the law, right?

First, let’s be clear: CAN SPAM does not actually make spam illegal, a common misconception among businesses that are new to e-mail marketing. Here’s a quick, simplified checklist of what the law actually requires of bulk commercial e-mail solicitations:

Don’t lie about the content or the source of the mail: If you’re sending an advertisement for a product or service, it has to be obvious that your mail is a solicitation. For example, senders can’t send mail purporting to contain photos from an uncle’s birthday party, when it really contains a sales flyer.

Provide clear instructions for opting out: Online opt-outs must use a single web page to accomplish the unsubscribe request. Forcing recipients to log into an account before they can opt-out is a no-no. Any opt-out mechanism (like an unsubscribe link) must remain functioning for at least 30 days, and opt-out requests must be honored within 10 business days.

Tell recipients where you are: Senders have to include a valid physical postal address in the body of the e-mail. Your business location or headquarters should appear here. A registered post office box is fine, too, as are any of the mailbox rental firms that are established under Postal Service regulations.

Perhaps what’s most notable about this short list of requirements is what’s missing: a prohibition on sending spam (howsoever one chooses to define the term). So, even if your mail is fully CAN SPAM compliant, that doesn’t necessarily mean to the ISPs or to recipients that your mail must not be spam. In fact, ISPs see millions of unsolicited bulk e-mail messages (a common definition of spam) every day that fulfill each requirement imposed by CAN SPAM, and they devote enormous resources to filtering them.

So, CAN SPAM requirements actually represent the bare minimum for e-mail marketing standards, not the guarantee of delivery to the inbox that most newcomers assume it should be. To answer the question directly, then: mail that is CAN SPAM compliant can still be filtered or bounced by ISPs. In fact, CAN SPAM includes separate language that holds ISPs harmless when they filter mail.

What about the new Canadian spam law? Do senders in the U.S. have to abide by the law if they send to recipients in Canada?

Canada passed the world’s most stringent anti-spam law late last year, covering a broad range of electronic messaging, and it is expected to take effect in September of 2011. The Canadian law does what CAN SPAM never did: it requires senders of e-mail within or into Canada to have or to obtain explicit permission from their intended recipients. For most ISPs and recipient domains, it is a lack of permission that turns ordinary commercial e-mail into spam.

In theory, the Canadian law is enforceable in the U.S., though it wouldn’t be cheap or easy. Canadian plaintiffs would have to obtain a judgement in Canada, then find a court with jurisdiction in the U.S. that’s willing to enforce it. This requires a great deal of time and expense, so enforcement is likely to be rare. But if you’re already CAN SPAM compliant, and have implemented other best common sender practices, you’re likely already in compliance with the Canadian law (once it takes effect). Check my earlier blog post for a more complete analysis of the Canadian law.

That wraps up our brief look at spam laws in the U.S. and Canada. In our next installment of the deliverability webinar questions series, we’ll look at various types of content filtering, and what senders can do to test their content for optimal deliverability.

Canada Passes the Ten Million Dollar Spam Law

Earlier this fall, I penned a summary of what senders and deliverability professionals need to know about Canada’s proposed electronic messaging abuse law, FISA or C-28. Comes word this morning that the bill has been adopted into law, largely without amendment.

Canada is the last G-8 country to pass anti-spam legislation, but they’ve passed the most stringent national law to date. Find out now how these new requirements will impact your e-mail program.

Reply-All: Lumber Cartel (TINLC) Edition

Back in the day, a spammer who found himself on the wrong side of an e-mail block list publicly asserted in all seriousness that anti-spam activities are funded in secret by a shadowy cartel of lumber producers who were seeing their margins from paper production erode as marketers made the shift from postal junk mail to e-mail. It became a sort of running joke in the usenet newsgroup One of the straw arguments frequently mounted by spammers to justify their business model was the environmental friendliness of e-mail. We now have a credible estimate of the carbon footprint of e-mail: about 135kg per user, annually – or the equivalent of a 200-mile drive in a car. Turns out e-mail isn’t all that green.

Facebook this week announced three more spam-related lawsuits, and among the defendants they’ve named is a guy named Steven Richter. A bunch of blogs and media outlets assumed this is the same Steve Richter, who is the father of spammer Scott Richter and president of his son’s company Media Breakaway, LLC. The company was quick to respond with a press release, pointing out that the named defendant is actually a different Steve Richter.

ISPs who use SORBS blocklist data for e-mail filtering woke up one morning two weeks ago to discover that they were unintentionally blocking mail from great swathes of the Intarwebs, including Yahoo!, Apple, and Google Groups. SORBS operator Michelle Sullivan at first claimed they were the target of a massive DDOS attack, but later disclosed that they had inadvertently placed a bunch of historical block list entries in their current listings database during a server migration. Oy.

Just in time for Halloween, notorious spammer (and unintentional comedian) Bill Waggoner has risen from the grave with the launch of (you may want to mute audio before you click through). His new site solicits contributions to be used (somehow) against Steve Linford of Spamhaus and SpamCop founder Julian Haight (never mind that Haight hasn’t had a thing to do with SpamCop for years).

The Ten Million Dollar Spam Law

Our neighbors to the north may be the last of the G8 countries to adopt an anti-spam law, but when it’s enacted later this year (as most analysts agree it will), Canada’s new law will be among the very strictest, creating penalties of up to 10-million Canadian dollars (or just under 9.87-million U.S. dollars) for businesses who send spam into or within Canada.

Bill C-28, dubbed the “Fighting Internet and Wireless Spam” Act (or “FISA”, for short) imposes new requirements on senders of just about every type of electronic messaging, including mandates that stretch well past the minimal requirements for e-mail under the U.S. CAN SPAM Act of 2003.

Under CAN SPAM, senders are required to abide by a series of labelling requirements, provide a working unsubscribe mechanism, and honor unsubscribe requests within ten business days. CAN SPAM, however, has never required that senders obtain prior consent from recipients. FISA requires either explicit permission, or implicit permission in the form of an existing business relationship or a conspicuous publication of the recipient e-mail address. If the publication of the address is accompanied by an instruction not to send unsolicited e-mail, it doesn’t count as implicit permission. FISA creates a two-year window from the date an address was collected with implicit permission to try and convert it to explicit permission. If after two years explicit permission is not obtained, the sender must suppress the address. Both CAN SPAM and FISA explicitly preclude sending to addresses that have been automatically “harvested” from web sites.

CAN SPAM grants enforcement powers to the FTC, and gives ISPs the right to bring action against infringing senders themselves. FISA, in contrast, provides no criminal penalties, but allows both ISPs and individual recipients of spam to pursue civil action against senders.

The requirements seem to create significant new hurdles for senders, but authors of the Canadian law insist that the legislation is aimed squarely at only the worst of the worst offenders. FISA includes a “due diligence defense”, in which senders should not be held liable for violations if they can show they were making reasonable efforts to abide by the law when the offense was committed. Honest mistakes won’t count against senders.

Should U.S. senders be worried about the new Canadian law? Obviously, the law doesn’t apply if you’re not sending to recipients in Canada, but senders may not always know where (geopolitically speaking) the owner of a particular address receives their mail. However, if you’re already abiding by CAN SPAM and best common practices, you’re likely already in compliance.

The short answer is that (in theory at least) FISA is enforceable in the US, though the process is neither simple nor cheap. It takes about as much time and money to obtain a judgement in Canada as it does in the U.S., so enforcement action is likely to be as rare, and therefore reserved only for the most egregious of offenders. Canadian plaintiffs would also have to find a U.S. court willing to enforce the judgement, which is by no means a given. However, there is an open pledge between the U.S. and Canadian governments to support law enforcement efforts across borders. Earlier this month, a Canadian court was willing to enforce a judgement obtained by Facebook in a California court against a Canadian spammer who racked up $873-million in fines for CAN SPAM violations. It will be instructive to see whether U.S. courts will be willing to reciprocate once FISA is enacted.

Within the e-mail community, the new law is regarded as further evidence of a trend in which legal requirements and best practices appear to be converging, albeit at a glacial pace. The take-away for senders, then, should sound familiar: adhere to CAN SPAM and best sender practices. Send to those who have granted permission, and try to engage with and obtain permission from any segments for whom you do not have it.