CAN-SPAM preemption didn't stop Utah, Maryland, and Florida from passing their own spam laws
in 2004, after CAN-SPAM went into effect. So how far does this pre-emption reach? What kind
of state laws will follow CAN-SPAM?continued...
Preemption Scale
By design, CAN-SPAM preempts a good deal of state spam law. This was designed to prevent an
environment in which compliance is impossible--7 different state labeling requirements, for
example.
(1) In general
This chapter supersedes any statute, regulation, or rule of a
State or political subdivision of a State that expressly regulates the use of electronic mail
to send commercial messages, except to the extent that any such statute, regulation, or rule
prohibits falsity or deception in any portion of a commercial electronic mail message or
information attached thereto.
(2) State law not specific to electronic mail
This chapter shall not be construed to preempt the applicability of--
(A) State laws that are not specific to electronic mail, including State trespass, contract,
or tort law; or
(B) other State laws to the extent that those laws relate to acts of fraud or
computer crime.
15 USCA ยง 7707 (West Supp. 2003). This means a state cannot, say, implement an opt-in
policy, require its own labels, or make content restrictions, such as a phone number in
addition to the CAN-SPAM physical address requirement. This is good news for those trying to
comply with spam regulations and not so devestating to states. All fraud claims are still
viable in state court. This incorporates virtually all of the state laws which actually led
to judgments before CAN-SPAM: trademark, hacking, false advertising, and far more creative
strategies.
The state laws which were preempted--labeling, opt-outs, harvesting--were much less used, if
at all. Many state spam laws, including the recently upheld Washington state fraud laws, are
still valid. Virginia is still pursuing spammers vigorously using its falsification of
headers and routing prohibitions. Washington keeps its individual cause of action even
though CAN-SPAM doesn't make one, and Virginia outpaces the FTC in criminal charges, with a
head start, of course.
This article looks at three pieces of law passed after CAN-SPAM to see if they are
within its bounds. Obviously, there is much more spam law on the books with varying levels
of validity, but these lawmakers lacked the benefit of foresight and can hardly be expected
to draft a law that would not later be preempted.
Florida
Florida has long been a spam haven. Its gaping lack of spam laws made CAN-SPAM even more
critical. Dumbstruck by federal legislation, Florida became "one of the last states in the
universe" to enact spam law, when it joined the crowd this year.
S2574
is well-crafted, parallel to similar law elsewhere. It prohibits false headers, routing,
domains, subject lines, and content. It has a civil enforcement scheme with administrative
enforcement for actual damages or $500 per violating message.
Florida's new law is entirely within CAN-SPAM. Though it regulates commercial electronic
mail, it only prohibits false information.
Maryland
House Bill 1320 is a nod
to Virginia's strong criminal spam laws. Maryland regulates bouncing, falsifying headers,
sending messages from unauthorized computers or IPs, and, interestingly, registering for two
or more domains or fifteen or more e-mail address with false information and subsequently
sending commercial e-mail. This law is a strong criminal statute with an array of felonies,
but it also contains civil provisions, enforced by the attorney general.
Though somewhat troubling to think of anonymous speech as fraudulent, Maryland's law also
only regulates fraud or computer crime
Utah
Utah has long regulated spam heavily. Its private right of action under previous law
generated 33,000 suits.
Utah spam law now has several regulations; the newest was passed this year, H.B. 165, the Child Protection
Registry. This law, passed shortly before the FTC rejected the Do-Not-Email registry,
establishes a list of e-mail addresses (and other data) that belong to Utah minors.
It is illegal to send a message which
(a) advertises a product or service that a
minor is prohibited by law from purchasing; or
(b) contains or advertises material that is harmful to minors, as defined in Section
76-10-1201.
This law is running awfully close to the pre-emption. It has nothing to do with fraud or
computer crime (except the felony for using the list inappropriatly). Instead, it comes
awfully close, but just misses pre-emption, at least the letter if not the spirit of
CAN-SPAM.
As written, the registry applies to all senders; that is all senders who might send e-mails harmful to minors must pay the fee to use Utah's system (which has not been implemented yet). However, the advertisements are clearly a limitation on commercial speech, but this law also (in letter at least) applies to fax and phone and well, so it isn't exactly limited to commercial e-mail.
What gets struck in this pre-emption battle? Could CAN-SPAM really create a result in which a court might strike the commercial provisions and not the general ones--i.e. strike the advertising ban but not the harmful content, which arguably includes the advertising. Better yet, a court might strike the registry as applied to commercial senders, allowing non-commercial senders (entirely outside the scope of CAN-SPAM) to continue.
Utah, of course, is hoping nothing gets struck by throwing in other forms of communication and senders--that is making an unneccesarily broad law. Is this the outcome we want? To ban cigarette ads to minors, Utah has to ban all cigarette ads everywhere? Or just those by some media including--but not exclusivly--e-mail. No cigarette ads via e-mail. Or fax. Oh, and no e-mails or telemarketing without opt-in. There. Utah-style CAN-SPAM complaint law!