New Email Laws Create New Legal Issues
By Eric Goldman and Max P. Ochoa
1. Introduction.
Since 1994, the World Wide Web has been a hotbed for new business activity and growth. While the Web is a robust tool for publishing content and interacting with users, the Web is inherently limited by the fact that users affirmatively must “go” to a website to access its content. In contrast, email allows Internet businesses to “push” content into the users’ attention space. Thus, recently email has become a medium of choice for many businesses trying to communicate with users.
Unfortunately, beginning with vigor in the mid-1990s, unscrupulous marketers have used email to send unsolicited and unwanted communications to users. Users responded negatively to receiving these messages, commonly called “spam.” In addition, many spammers use technological tricks, such as forging headers, that negatively impact Internet service providers (ISPs).
Collectively, frustrated consumers and ISPs have caused various state legislatures to pass laws regulating or prohibiting spam in various forms. At last count, 14 states have passed a total of 16 anti-spam laws. Nine states restrict sending unsolicited commercial messages unless the sender has the recipient’s consent or has an existing relationship with the recipient. A dozen states also restrict the use of forged headers. Many of the statutes specify civil statutory damages and, in some cases, criminal sanctions for violations.
In addition to the anti-spam laws, there are a number of legal issues that can be implicated by email-related activities, including privacy laws, the Electronic Communications Privacy Act, and the emerging “trespass to chattels” doctrine. Further, there are a number of technical problems that can arise with email abuses, including losing ISP connectivity or being “blacklisted” by the Realtime Blackhole List (RBL).
Thus, the Internet once again has provoked a collision between emerging business practices and legal and technical consequences—companies want to more aggressively use email as a commercial venture but must navigate through a large number of legal regulations and other risks to do so. This article discusses some of the recent types of email activities in which clients have wanted to engage and the potential consequences of such behavior.
2. “Tell a Friend” Features.
Many websites now permit users to “tell a friend” about the web service or the page the user is visiting by use a web-based email utility to send an email notice to an email address specified by the user. Depending on the context, these features have many names, such as “tell a friend,” “refer a friend,” or “email this page to a friend.”
These utilities can be categorized in one of two ways:
- these tools legitimately help users communicate with each other, and thus are no different from other email utilities; or
- these tools induce users to provide the website with valid email addresses, which the website then uses to send commercial email messages to people who did not request them.
Under the first paradigm, the tool is mostly legally benign from the website’s standpoint. The user sending the email might be violating the anti-spam laws, but such violations should not be imputed back to the website.
Nevertheless, if the website does not use technical controls or authentication procedures with the tool, users can easily engage in bad behavior. For example, with many tools, it is easy to “mail bomb” a recipient—completely anonymously—merely by pasting a single email address in the “to” field dozens, hundred or thousands of times. Also, to the extent that a user is capable of editing the text sent to the recipient, the user can engage in all sorts of bad communications or, for that matter, use the tool to send spam using the website’s servers. In any respect, because so few websites place technological controls on these tools, these tools can form the basis for a site to be blacklisted by the RBL.
Under the second paradigm, the website is probably sending spam to the recipients in violation of numerous anti-spam laws. The fact that the recipients are purportedly “friends” does not cure the violations, since the anti-spam laws do not contemplate that “friends” will submit email addresses to mass marketers who will send messages containing commercial promotions.
It is impossible to tell which of the two paradigms above would prevail if a website was sued under one of the state anti-spam laws for its tell-a-friend feature. In part, the website’s implementation of the feature may affect the court’s willingness to be sympathetic. However, the anti-spam laws were not written with the precision or foresight to contemplate the use of these features, and thus many implementations of the features violate the literal text of some statutes. As a result of the legal uncertainty and technology risk (i.e., being blacklisted), many clients would be wise to take these features down.
3. Moving Email Outsourcers.
Many websites offer free web-based email as part of their package of services. In many cases, these websites in turn have outsourced the operation of the email service to an email service provider.
Problems can arise when the outsourcing website wants to change email service providers. To do so, almost invariably user emails will need to be transferred from service provider A to service provider B. This, in turn, is a disclosure of private communications governed by the Electronic Communication Privacy Act (ECPA), a statute last substantially revised in the mid-1980s and wholly unsuited to the Internet era. The ECPA does not contemplate such transfers of private communications between providers, leaving such transfers in a gray area. Arguably the outsourcer is acting as an agent of the website and thus can fit into certain exceptions under the ECPA allowing agents to access private emails, but if this interpretation is not accepted by the courts, the outsourcer—and potentially the website—could face serious civil and criminal sanctions.
Ironically, the gray area is entirely avoidable since the user could consent in advance to the transfer of emails between service providers in the user agreement. However, email user agreements almost never say this; usually, if anything, the user agreement has a privacy policy-like restriction that says the service provider will NEVER disclose private emails to third parties absent certain levels of subpoena, warrant or court order. Also, the problem could be avoided by getting consent individually from each user whose account is being transferred, but this would require the website to email each user and get their affirmative response, something that is logistically difficult and rather unpleasant.
4. Selling Databases of Email Addresses.
Occasionally clients will inquire about “buying” a database of email addresses. Usually this arises in the context of buying email addresses from a company going bankrupt or leaving a certain line of business who wants to unload its list of users who legitimately signed up with the company.
If the email address database seller is also selling other assets, and the database is integrally associated with these assets, the acquirer’s use of the database may not violate the anti-spam laws—especially if the acquirer uses the email address database only to communicate messages related to the line of business it has acquired. Otherwise, the seller probably cannot transfer the user’s consent or prior business relationship to the database acquirer, and thus the acquirer’s use of the database would violate the anti-spam laws.
5. Emailing Co-Registered Users.
Increasingly, a website will allow users registering with it to “co-register” with other websites by checking (or, in some cases, failing to uncheck) a box on the registration page. Usually, when the user completes the registration, their contact information (including email address) is passed over the co-registered website. The co-registered website may then send a welcome message to the user or otherwise begin emailing the user.
In some circumstances, the co-registered website’s email could violate the anti-spam laws. The language on the registration page can operate as “consent” which is extended to the co-registered website, in which case the resulting emails are legal. However, the wording of that consent is crucial—if a user can argue that they did not consent to the email, then the resulting email could be illegal spam. Thus, the legal advisor on such transactions should carefully review the registration page from a legal compliance standpoint.
6. Conclusion.
As much as Internet law remains a relatively untamed frontier, many of the rules related to new web-based business practices are becoming well-understood if not actually resolved. In contrast, email remains a truly untamed frontier which has suffered from the comparative lack of attention paid to it over the past 5 years. Thus, while many websites are aggressively pursuing new and innovative efforts on the Web with comparatively little regard for the legal consequences, it would be a grave mistake for these companies to proceed with such reckless abandon with respect to email. Companies launching new email ventures need to tread very advisedly, with due respect for the thicket of problems that must be negotiated to achieve their objectives.
About the authors: Eric Goldman (formerly Eric Schlachter) is an attorney practicing cyberspace law with Cooley Godward LLP, Palo Alto, CA. He also is an adjunct professor of Cyberspace Law at Santa Clara University School of Law. Cooley Godward’s web page is located at http://www.cooley.com, and Eric’s personal home page is located at http://members.theglobe.com/ericgoldman/. Eric can be reached at egoldman@cooley.com.
Max P. Ochoa is an associate in the Information Technology Group of Cooley Godward LLP, Palo Alto, CA. He regularly advises clients on compliance with anti-spam laws and other email legal issues. Max can be reached at mochoa@cooley.com.
The views in this article reflect the authors’ viewpoints only and do not necessarily reflect the viewpoints of Cooley Godward or its clients.