Computer and Internet Law

On July 22, 2008, Robert Soloway was sentenced to 47 months in federal prison for violation of the federal CAN-SPAM Act of 2003. [Article] This sentence follows two civil judgments in 2005 against Mr. Soloway related to the sending of spam mail – one in favor of Microsoft for over $7 million dollars, and a second in favor of an Oklahoma internet service provider for over $10 million. [Article]

Mr. Soloway is not the first person to fall afoul to the CAN-SPAM Act, nor will he be the last. Since the CAN-SPAM Act may serve as a basis for both civil and criminal liability, it is important that all business owners advertising via e-mail, either directly or through an ‘affiliate’ program or third-party advertiser, understand its provisions.

The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003, 15 U.S.C. § 7701 et seq.) restricts, but does not prohibit, the sending of unsolicited commercial electronic mail messages. A commercial electronic mail message is defined as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose).” (15 U.S.C. § 7702.) Unsolicited commercial electronic mail messages must comply with certain requirements, including, but not limited to: accurate e-mail header information; non-deceptive subject lines; clear and conspicuous identification of the e-mail as an advertisement or solicitation, or as containing adult materials, if appropriate; provision of a valid unsubscribe or opt-out mechanism; and the inclusion of the sender’s postal address. (15 U.S.C. § 7704.) Furthermore, the sender must comply with opt-out requests within a certain short period of time.

It is also important to note that the CAN-SPAM Act does not only apply to the e-mail sender. Instead, a person or business whose products are being promoted by the e-mails may also be liable under the CAN-SPAM Act if the person or business: knew, or should have known, that the products were being promoted in the e-mails; received, or expected to receive, an economic benefit from the promotion; and took no reasonable action to prevent the transmission, or detect the transmission and report it to the FTC. (15 U.S.C. § 7705.)

Finally, while the CAN-SPAM Act expressly supersedes many state laws that regulate commercial e-mail messages (see 15 U.S.C. § 7707), it permits states to maintain laws governing false or deceptive commercial e-mail messages, laws not specific to e-mail, and laws related to fraud and computer crime. Furthermore, other states have enacted statutes to protect the privacy rights of children, Internet users, etc.

[Note: The FTC occasionally updates the CAN-SPAM Act. Its most recent update (16 C.F.R. § 316, effective July 7, 2008) supplements several definitions and clarifies some ambiguities - and perhaps most importantly, bars an e-mail sender from imposing opt-out fees, and limits the number of steps that the recipient must undertake in order to opt out of future e-mails.]

Over the next few weeks, I will discuss recent, noteworthy legal developments that occurred prior to the launch of this blog. The first development pertains to the Ninth Circuit’s decision in Quon et al. v. Arch Wireless Operating Co. Inc. et al., 529 F.3d 892 (9th Cir. 2008), filed on June 18, 2008. [Decision]

In Quon, the City of Ontario had a Computer Usage, Internet and E-Mail Policy, which Quon acknowledged, and agreed to comply with, as part of his employment. However, the City failed to enforce the policy. In fact, the City acted contrary to the policy by allowing its employees to avoid audits of their cell phone usage so long as they reimbursed the City for overage charges, which Quon did.

When the City subsequently enforced the Policy, the plaintiffs sued the City, wireless provider and other defendants for invasion of privacy. The Court noted that the Policy may have been enforceable if the City had complied with it. However, the Court found that the plaintiffs enjoyed a reasonable expectation of privacy in their cell phone text messages – notwithstanding Quon’s prior agreement to the Computer Usage, Internet and E-Mail Policy – due to the City’s inconsistent and contrary conduct (the “operational reality”) with respect to that Policy.

This decision ultimately serves as a strong reminder that employers may inadvertently undermine their computer, Internet and e-mail policies by acting inconsistently with those policies. Employers should take special care not to do so, and emphasize such care to their supervisors and managers, especially given the importance of computer, Internet and e-mail data in discovering instances of employee misconduct.