RSK.IQ Question of the Week 6/8/20

CAN-SPAM Act and Opting Out


The Bank would like clarification as to what is considered as “unsolicited e-mail” under the federal CAN-SPAM Act of 2003 (“CAM-SPAM Act”). Since the Bank uses different campaigns, can it send a recipient who has unsubscribed from one campaign an e-mail from another sender address? In addition, is the Bank obligated to send confirmation to someone who has unsubscribed?

Response Summary

An “unsolicited e-mail” is one that is sent to a recipient without the recipient’s prior consent. If the Bank is the sender, then an opt-out from the recipient pertains to any unsolicited e-mails sent by the Bank to the recipient’s address, even if the Bank sends such e-mails from more than one address. If the sender is an affiliate of the Bank, then an opt-out from the recipient would pertain only to e-mails from the affiliate and does not affect the Bank. If the recipient has more than one e-mail address, then an opt-out pertains only to the address to which the e-mail was sent and has no effect on e-mails sent to another address of the recipient. In this instance, the Bank would not be required to send a confirmation in response to an opt-out.

Response Detail

If the Bank sends commercial electronic marketing messages to the recipient’s e-mail address without the recipient’s prior consent, such communications are considered unsolicited. In such case, the requirements of the CAN-SPAM Act, 15 U.S.C. chapter 103, section 7701 et seq. must be complied with. “Affirmative consent” means that the recipient has expressly consented to receive the message, either in response to a request from the sender or at the recipient’s own initiative. 15 U.S.C. 7702(1)(A).

Under the CAN-SPAM Act with respect to a commercial electronic mail message, the term “sender” means a person who initiates such a message and whose product, service, or Internet website is advertised or promoted by the message. 15 U.S.C. 7702(16)(A).  Even if the Bank uses a third-party service provider to send out these messages, it remains the “sender” for the purposes of the CAN-SPAM Act and is subject to the requirements of the law. FTC, BCP Business Center, “CAN-SPAM Act: A Compliance Guide for Business.”

On the other hand, if the Bank operates through separate lines of business or divisions and holds itself out to the recipient as that particular line of business or division, rather than as the Bank, then the line of business or division is treated as the sender. 15 U.S.C. 7702(16)(B).

The domain name of the Bank must be provided in the header of the message in order to identify the Bank as the sender. However, it does not matter whether the e-mail message is sent from a different domain so long as that domain is also registered in the name of the Bank. 15 U.S.C. 7702(8).

In this case, the question is how the Bank is identified in the e-mail. If the Bank appears in the “from” line as the sender, then it does not matter from what address the message was sent from. If the recipient unsubscribes from the e-mail, then the Bank would not be allowed to send other e-mails to the recipient from other addresses. However, if the e-mail is sent by an affiliate of the Bank, then the request of the recipient to unsubscribe prevents only the affiliate from sending unsolicited e-mails, while the Bank can continue to do so.

The term “recipient” means an authorized user of the electronic mail address to which the message was sent or delivered. If a recipient of a commercial electronic mail message has one or more electronic mail addresses in addition to the address to which the message was sent or delivered, then the recipient shall be treated as a separate recipient with respect to each individual address. 15 U.S.C. 7702(14). 

Therefore, if the Bank sends a commercial electronic mail message to a recipient at one address, and the recipient elects to opt-out, the Bank is permitted to send a subsequent message to the same recipient at another address until the recipient indicates from that address that it wishes to opt-out.

Any opt-out mechanism offered by the Bank must be able to process opt-out requests for at least 30 days after the message is sent, and the Bank must honor a recipient’s opt-out request within 10 business days. However, there is no obligation to send a confirmation to someone who chooses to opt out. FTC, BCP Business Center, “CAN-SPAM Act: A Compliance Guide for Business.

This response is for informational purposes only and is not intended for legal guidance.

This entry was posted on Monday, June 8th, 2020 at 9:44 am.

Leave a Reply

Your email address will not be published. Required fields are marked *