The Can Spam Act of 2003, signed into law by President Bush on December 16, 2003, establishes the first national standards for the sending of commercial e-mail and requires the Federal Trade Commission (FTC) to enforce its provisions. The bill's full name is an apparently contrived acronym: Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003.

It also requires the FTC to promulgate rules to shield consumers from unwanted mobile service commercial messages.

The bill permits e-mail marketers to send unsolicited commercial e-mail as long as it contains all of the following:

  • an opt-out mechanism;
  • a functioning return e-mail address;
  • a valid subject line indicating it is an advertisement; and
  • the legitimate physical address of the mailer.

The legislation also prohibits the sale or other transfer of an e-mail address obtained through an opt-out request. It criminalizes the use of automated means to register for multiple e-mail accounts from which to send spam. It prohibits sending sexually-oriented spam without clear markings.

It pre-empts existing state anti-spam laws, and makes it a misdemeanor to send spam with falsified header information. It sets out civil penalties for a host of other common spamming practices used to obtain e-mail addresses, including harvesting, dictionary attacks, Internet protocol spoofing, hijacking computers through Trojan horses or worms, or using open mail relays for the purpose of sending spam.

It allows the FTC to introduce a national do-not-spam list similar to the FTC's popular do-not-call registry, or to report back to Congress why the creation of such a list is not currently feasible. This was in response to testimony by the FTC at a Senate hearing that a do-not-spam list raises significant technical, security, and privacy questions. Some have raised concerns that such a list would simply be used by spammers for targeting, particularly if the spammers are not located in the US.

The legislation does not allow e-mail recipients to sue spammers, but does not prohibit the FTC, State Attorneys General, and Internet service providers from doing so. In the past, spammers have been sued under state law.

Senator John McCain is responsible for a last-minute amendment which makes businesses promoted in spam subject to FTC penalties and enforcement remedies, regardless of whether the FTC is able to identify the specific spammer who initiated the e-mail.

Reaction

Anti-spam activists greeted the new law with dismay and disappointment. Internet activists who work to stop spam stated that the Act would not prevent any spam -- in fact, it appeared to give Federal approval to the practice, and it was feared that spam would increase as a result of the law. The Coalition Against Unsolicited Commercial Email stated:

"This legislation fails the most fundamental test of any anti-spam law, in that it neglects to actually tell any marketers not to spam. Instead, it gives each marketer in the United States one free shot at each consumer's e-mail inbox, and will force companies to continue to deploy costly and disruptive anti-spam technologies to block advertising messages from reaching their employees on company time and using company resources. It also fails to learn from the experiences of the states and other countries that have tried "opt-out" legal frameworks, where marketers must be asked to stop, to no avail. In fact, the bill would preempt an opt-in law set to go into effect in California on January 1, 2004, which was passed after an state opt-out law similar to the current federal legislation was found to be a failure." -- CAUCE Press Release, November 25, 2003

The Onion commented on the Act as well: