New Email Laws
Create New Legal Issues
By Eric Goldman and Max P. Ochoa
1. Introduction.
Since 1994, the World Wide Web has been a hotbed for new business activity and
growth. While the Web is a robust tool for publishing content and interacting
with users, the Web is inherently limited by the fact that users affirmatively
must "go" to a website to access its content. In contrast, email
allows Internet businesses to "push" content into the users’
attention space. Thus, recently email has become a medium of choice for many
businesses trying to communicate with users.
Unfortunately, beginning with vigor in the mid-1990s, unscrupulous marketers
have used email to send unsolicited and unwanted communications to users. Users
responded negatively to receiving these messages, commonly called
"spam." In addition, many spammers use technological tricks, such as
forging headers, that negatively impact Internet service providers (ISPs).
Collectively, frustrated consumers and ISPs have caused various state
legislatures to pass laws regulating or prohibiting spam in various forms. At
last count, 14 states have passed a total of 16 anti-spam laws. Nine states
restrict sending unsolicited commercial messages unless the sender has the
recipient’s consent or has an existing relationship with the recipient. A dozen
states also restrict the use of forged headers. Many of the statutes specify
civil statutory damages and, in some cases, criminal sanctions for violations.
In addition to the anti-spam laws, there are a number of legal issues that
can be implicated by email-related activities, including privacy laws, the
Electronic Communications Privacy Act, and the emerging "trespass to
chattels" doctrine. Further, there are a number of technical problems that
can arise with email abuses, including losing ISP connectivity or being
"blacklisted" by the Realtime Blackhole List (RBL).
Thus, the Internet once again has provoked a collision between emerging business
practices and legal and technical consequences—companies want to more
aggressively use email as a commercial venture but must navigate through a
large number of legal regulations and other risks to do so. This article
discusses some of the recent types of email activities in which clients have
wanted to engage and the potential consequences of such behavior.
2. "Tell a Friend" Features.
Many websites now permit users to "tell a friend" about the web
service or the page the user is visiting by use a web-based email utility to
send an email notice to an email address specified by the user. Depending on
the context, these features have many names, such as "tell a friend,"
"refer a friend," or "email this page to a friend."
These utilities can be categorized in one of two ways:
· these tools legitimately help users
communicate with each other, and thus are no different from other email
utilities; or
· these tools induce users to provide the
website with valid email addresses, which the website then uses to send
commercial email messages to people who did not request them.
Under the first paradigm, the tool is mostly legally benign
from the website’s standpoint. The user sending the email might be violating
the anti-spam laws, but such violations should not be imputed back to the
website.
Nevertheless, if the website does not use technical controls or
authentication procedures with the tool, users can easily engage in bad
behavior. For example, with many tools, it is easy to "mail bomb" a
recipient—completely anonymously—merely by pasting a single email address in
the "to" field dozens, hundred or thousands of times. Also, to the
extent that a user is capable of editing the text sent to the recipient, the
user can engage in all sorts of bad communications or, for that matter, use the
tool to send spam using the website’s servers. In any respect, because so few
websites place technological controls on these tools, these tools can form the
basis for a site to be blacklisted by the RBL.
Under the second paradigm, the website is probably sending spam to the
recipients in violation of numerous anti-spam laws. The fact that the
recipients are purportedly "friends" does not cure the violations,
since the anti-spam laws do not contemplate that "friends" will
submit email addresses to mass marketers who will send messages containing
commercial promotions.
It is impossible to tell which of the two paradigms above would prevail if a
website was sued under one of the state anti-spam laws for its tell-a-friend
feature. In part, the website’s implementation of the feature may affect the
court’s willingness to be sympathetic. However, the anti-spam laws were not
written with the precision or foresight to contemplate the use of these
features, and thus many implementations of the features violate the literal
text of some statutes. As a result of the legal uncertainty and technology risk
(i.e., being blacklisted), many clients would be wise to take these features
down.
3. Moving Email Outsourcers.
Many websites offer free web-based email as part of their package of services.
In many cases, these websites in turn have outsourced the operation of the
email service to an email service provider.
Problems can arise when the outsourcing website wants to change email service
providers. To do so, almost invariably user emails will need to be transferred
from service provider A to service provider B. This, in turn, is a disclosure
of private communications governed by the Electronic Communication Privacy Act
(ECPA), a statute last substantially revised in the mid-1980s and wholly
unsuited to the Internet era. The ECPA does not contemplate such transfers of
private communications between providers, leaving such transfers in a gray
area. Arguably the outsourcer is acting as an agent of the website and thus can
fit into certain exceptions under the ECPA allowing agents to access private
emails, but if this interpretation is not accepted by the courts, the
outsourcer—and potentially the website—could face serious civil and criminal
sanctions.
Ironically, the gray area is entirely avoidable since the user could consent
in advance to the transfer of emails between service providers in the user
agreement. However, email user agreements almost never say this; usually, if
anything, the user agreement has a privacy policy-like restriction that says
the service provider will NEVER disclose private emails to third parties absent
certain levels of subpoena, warrant or court order. Also, the problem could be
avoided by getting consent individually from each user whose account is being
transferred, but this would require the website to email each user and get
their affirmative response, something that is logistically difficult and rather
unpleasant.
4. Selling Databases of Email Addresses.
Occasionally clients will inquire about "buying" a database of email
addresses. Usually this arises in the context of buying email addresses from a
company going bankrupt or leaving a certain line of business who wants to
unload its list of users who legitimately signed up with the company.
If the email address database seller is also selling other assets, and the
database is integrally associated with these assets, the acquirer’s use of the
database may not violate the anti-spam laws—especially if the acquirer uses the
email address database only to communicate messages related to the line of
business it has acquired. Otherwise, the seller probably cannot transfer the
user’s consent or prior business relationship to the database acquirer, and
thus the acquirer’s use of the database would violate the anti-spam laws.
5. Emailing Co-Registered Users.
Increasingly, a website will allow users registering with it to
"co-register" with other websites by checking (or, in some cases,
failing to uncheck) a box on the registration page. Usually, when the user
completes the registration, their contact information (including email address)
is passed over the co-registered website. The co-registered website may then
send a welcome message to the user or otherwise begin emailing the user.
In some circumstances, the co-registered website’s email could violate the
anti-spam laws. The language on the registration page can operate as
"consent" which is extended to the co-registered website, in which
case the resulting emails are legal. However, the wording of that consent is
crucial—if a user can argue that they did not consent to the email, then the
resulting email could be illegal spam. Thus, the legal advisor on such
transactions should carefully review the registration page from a legal
compliance standpoint.
6. Conclusion.
As much as Internet law remains a relatively untamed frontier, many of the
rules related to new web-based business practices are becoming well-understood
if not actually resolved. In contrast, email remains a truly untamed frontier
which has suffered from the comparative lack of attention paid to it over the
past 5 years. Thus, while many websites are aggressively pursuing new and
innovative efforts on the Web with comparatively little regard for the legal
consequences, it would be a grave mistake for these companies to proceed with
such reckless abandon with respect to email. Companies launching new email
ventures need to tread very advisedly, with due respect for the thicket of
problems that must be negotiated to achieve their objectives.
About
the authors: Eric Goldman (formerly Eric Schlachter) is an attorney
practicing cyberspace law with Cooley Godward LLP, Palo Alto, CA. He also is an
adjunct professor of Cyberspace Law at Santa Clara University School of Law.
Cooley Godward’s web page is located at http://www.cooley.com, and Eric’s
personal home page is located at http://members.theglobe.com/ericgoldman/. Eric
can be reached at egoldman@cooley.com.
Max P. Ochoa is an associate in the Information Technology Group of
Cooley Godward LLP, Palo Alto, CA. He regularly advises clients on compliance
with anti-spam laws and other email legal issues. Max can be reached at
mochoa@cooley.com.
The views in this article reflect the authors’ viewpoints only and do not
necessarily reflect the viewpoints of Cooley Godward or its clients.