Controlling the Assault of Non-Solicited Pornography and Marketing Rule, 13115-13121 [2019-06562]

Download as PDF Federal Register / Vol. 84, No. 65 / Thursday, April 4, 2019 / Rules and Regulations Penalty description Department of the Interior and Related Agencies Appropriations Act of 1989, Public Law 101–121, sec. 319. Department of the Interior and Related Agencies Appropriations Act of 1989, Public Law 101–121, sec. 319. Minimum penalty for failure to report certain lobbying transactions. 19,639 20,134 Maximum penalty for failure to report certain lobbying transactions. 196,387 201,340 III. Legal Authority and Effective Date NASA issues this rule under the Federal Civil Penalties Inflation Adjustment Act of 1990,3 as amended by the Debt Collection Improvement Act of 1996,4 and further amended by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015,5 which requires NASA to adjust the civil penalties within its jurisdiction for inflation according to a statutorily prescribed formula. Section 553 of title 5 of the United States Code generally requires an agency to publish a rule at least 30 days before its effective date to allow for advance notice and opportunity for public comments.6 After the initial adjustment for 2016, however, the Civil Penalties Inflation Adjustment Act requires agencies to make subsequent annual adjustments for inflation ‘‘notwithstanding section 553 of title 5, United States Code.’’ Moreover, the 2019 adjustments are made according to a statutory formula that does not provide for agency discretion. Accordingly, a delay in effectiveness of the 2019 adjustments is not required. IV. Regulatory Requirements Regulatory Flexibility Act Because no notice of proposed rulemaking is required, the Regulatory Flexibility Act does not require an initial or final regulatory flexibility analysis.7 Paperwork Reduction Act In accordance with the Paperwork Reduction Act of 1995,8 NASA reviewed this final rule. No collections of information pursuant to the 3 Public jbell on DSK30RV082PROD with RULES Penalty adjusted for 2019 Law This rule codifies these civil penalty amounts by amending parts 1264 and 1271 of title 14 of the CFR. Law 101–410, 104 Stat. 890 (1990). 4 Public Law 104–134, section 31001(s)(1), 110 Stat. 1321, 1321–373 (1996). 5 Public Law 114–74, section 701, 129 Stat. 584, 599 (2015). 6 See 5 U.S.C. 533(d). 7 5 U.S.C. 603(a), 604(a). 8 44 U.S.C. 3506. VerDate Sep<11>2014 16:13 Apr 03, 2019 Jkt 247001 Paperwork Reduction Act are contained in the final rule. List of Subjects in 14 CFR Parts 1264 and 1271 Claims, Lobbying, Penalties. For the reasons stated in the preamble, the National Aeronautics and Space Administration is amending 14 CFR parts 1264 and 1271 as follows: 2018 penalty 13115 b. Remove the two occurrences of the number ‘‘$196,387’’ and add in its place the number ‘‘$201,340’’. ■ Cheryl E. Parker, NASA Federal Register Liaison Officer. [FR Doc. 2019–06555 Filed 4–3–19; 8:45 am] BILLING CODE 7510–13–P FEDERAL TRADE COMMISSION PART 1264—IMPLEMENTATION OF THE PROGRAM FRAUD CIVIL PENALTIES ACT OF 1986 16 CFR Part 316 1. The authority citation for part 1264 continues to read as follows: Controlling the Assault of NonSolicited Pornography and Marketing Rule ■ Authority: 31 U.S.C. 3809, 51 U.S.C. 20113(a). § 1264.102 [3084–AB38] ACTION: [Amended] Federal Trade Commission. Confirmation of rule. AGENCY: ■ The Federal Trade Commission (‘‘FTC’’ or ‘‘Commission’’) has completed its regulatory review of its rule implementing the Controlling the Assault of Non-Solicited Pornography and Marketing Act (‘‘CAN– SPAM Rule’’ or ‘‘Rule’’) as part of the agency’s periodic review of all its regulations and guides, and has determined to retain the Rule in its present form. DATES: This action is effective as of April 4, 2019. ADDRESSES: Relevant portions of the record of this proceeding, including this document, are available at https:// www.ftc.gov. ■ FOR FURTHER INFORMATION CONTACT: 2. In § 1264.102, remove the number ‘‘$11,181’’ and add in its place the number ‘‘$11,463’’ in the statements following paragraphs (a)(1)(iv) and (b)(1)(iii). ■ PART 1271—NEW RESTRICTIONS ON LOBBYING 3. The authority citation for part 1271 continues to read as follows: ■ Authority: Section 319, Pub. L. 101–121 (31 U.S.C. 1352); Pub. L. 97–258 (31 U.S.C. 6301 et seq.). § 1271.400 [Amended] 4. In § 1271.400: a. In paragraphs (a) and (b), remove the words ‘‘not less than $19,639 and not more than $196,387’’ and add in their place the words ‘‘not less than $20,134 and not more than $201,340’’. ■ b. In paragraph (e), remove the two occurrences of ‘‘$19,639’’ and add in their place ‘‘$20,134’’ and remove ‘‘$196,387’’ and add in its place ‘‘$201,340’’. Appendix A to Part 1271 [Amended] 5. In appendix A to part 1271: a. Remove the two occurrences of the number ‘‘$19,639’’ and add in its place the number ‘‘$20,134’’. ■ ■ PO 00000 Frm 00011 Fmt 4700 Sfmt 4700 SUMMARY: Christopher E. Brown, (202) 326–2825, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Ave. NW, CC–8528, Washington, DC 20580. SUPPLEMENTARY INFORMATION: I. Introduction The Commission reviews its rules and guides periodically to seek information about their costs and benefits, as well as their regulatory and economic impact. This information assists the Commission in identifying rules and guides that warrant modification or rescission. E:\FR\FM\04APR1.SGM 04APR1 13116 Federal Register / Vol. 84, No. 65 / Thursday, April 4, 2019 / Rules and Regulations Pursuant to this process, on June 28, 2017, the Commission initiated a regulatory rule review by publishing notice in the Federal Register requesting public comment on the CAN–SPAM Rule (‘‘Comment Request’’).1 The Commission sought comment on standard regulatory review questions such as whether or not the Rule continues to serve a useful purpose and continues to be needed; the costs and benefits of the Rule for consumers and businesses; and what effects, if any, technological or economic changes have had on the Rule. In addition to generally requesting comment recommending modifications to the Rule, the Commission also invited comment regarding three specific issues; namely, whether it should: (1) Expand or contract the categories of messages that are treated as ‘‘transactional or relationship messages;’’ (2) shorten the time-period for processing opt-out requests; and (3) specify additional activities or practices that constitute aggravated violations. After considering the comments and evidence, the Commission has determined to retain the Rule without modification. jbell on DSK30RV082PROD with RULES II. Background Enacted in 2003, and effective since January 1, 2004, the CAN–SPAM Act regulates the transmission of all commercial electronic mail (‘‘email’’) messages, and authorizes the Commission to issue mandatory rulemakings and discretionary regulations concerning certain definitions and provisions of the Act.2 In 2004, pursuant to the Act’s directive, the Commission promulgated the ‘‘Adult Labeling Rule,’’ which requires that commercial emails containing sexually oriented material include the phrase ‘‘SEXUALLY– EXPLICIT:’’ as the first 19 characters in the subject heading and exclude sexually oriented materials from both the subject heading and content of the email message that is initially viewable upon opening the message.3 In 2005, the Commission issued rule provisions that define the relevant criteria for determining the ‘‘primary purpose’’ of an email message.4 These rule provisions also clarify that the definitions of certain terms derived from 1 Federal Trade Commission: Rule Review; request for public comments, 82 FR 29254 (June 28, 2017). 2 15 U.S.C. 7701–7713. 3 Federal Trade Commission: Label for Email Messages Containing Sexually Oriented Material; Final Rule, 69 FR 21023 (Apr. 19, 2004). 4 Federal Trade Commission: Definitions and Implementation Under the CAN–SPAM Act; Final Rule, 70 FR 3110 (Jan. 19, 2005). VerDate Sep<11>2014 16:13 Apr 03, 2019 Jkt 247001 the Act and appearing in the Rule are prescribed by particular referenced sections of the Act. Finally, these rule provisions also include a severability provision, so that in the event a portion of the Rule is stricken, the remainder of the Rule will stay in effect. Pursuant to its discretionary authority, the Commission promulgated additional CAN–SPAM Rule provisions in 2008.5 These rule provisions: (1) Add a definition of the term ‘‘person’’ to clarify that the Act’s obligations are not limited to natural persons; (2) modify the definition of ‘‘sender’’ to make it easier to determine which of multiple parties advertising in a single email message is responsible for complying with the Act’s opt-out requirements; (3) clarify that a sender can include an accurately-registered post office box or private mailbox established under United States Postal Service regulations to satisfy the Act’s requirement that a commercial email display a ‘‘valid physical postal address;’’ and (4) clarify that an email recipient cannot be required to pay a fee, provide information other than his or her email address and opt-out preferences, or take any steps other than sending a reply email message or visiting a single internet web page to opt out of receiving future email from a sender. III. Regulatory Review Comments and Analysis The Commission considered ninetytwo comments in response to its Comment Request.6 Most of these comments were from individual consumers. Two comments were from consumer groups,7 seven comments were from industry and trade association groups,8 one comment was from an internet service provider,9 and two comments were from providers of 5 Federal Trade Commission: Definitions and Implementation Under the CAN–SPAM Act; Final Rule, 79 FR 29654 (May 21, 2008). 6 All rule review comments are on the public record and available on the Commission’s website at www.ftc.gov/policy/public-comments/2017/06/ initiative-704. This rule review notice cites comments using the last name of the individual commenter or the name of the organization, followed by the number assigned by the Commission. The Commission received 100 comments, but some of the comments were blank or not germane to the Rule Review, and therefore, removed from consideration. As a result, some of the comments discussed in this notice bear a comment number higher than 92. 7 Electronic Privacy Information Center (‘‘EPIC’’) (93); CAUCE North America (‘‘CAUCE’’) (96). 8 Lashback, LLC (‘‘Lashback’’) (89); Electronic Retailing Association (‘‘ERA’’) (94); Data & Marketing Association (‘‘DMA’’) (95); American Bankers Association (‘‘ABA’’) (97); Email Sender and Provider Coalition (‘‘ESPC)’’ (86); MPA-The Association of Magazine Media (‘‘MPA’’) (90); Online Trust Alliance (‘‘OTA’’) (85). 9 X Mission, L.C. (‘‘X Mission’’) (88). PO 00000 Frm 00012 Fmt 4700 Sfmt 4700 email-related services.10 This rule review notice summarizes the comments received and explains the Commission’s decision to retain the Rule. It also explains why the Commission declines to propose the adoption of commenters’ suggested modifications. The Commission discusses the comments in three sections. In Section A, the Commission considers the comments that address whether there is a continuing need for the Rule and the costs and benefits of the Rule for consumers and businesses. In Section B, the Commission analyzes the comments that respond to its specific requests for comments regarding whether the Commission should modify the definition of ‘‘transaction or relationship messages,’’ shorten the time-period for processing opt-out requests, and specify additional activities or practices that constitute aggravated violations. In Section C, the Commission discusses the comments that propose other modifications to or clarifications of the Rule. A. Continuing Need for the Rule Most of the commenters who addressed the issue supported retaining the Rule; only a few recommended rescinding it. Nineteen commenters explicitly stated that there is a continuing need for the Rule, citing benefits to consumers such as the value of having an enforcement tool for taking action against offenders and a reduction in the volume of unsolicited commercial emails.11 For example, the Electronic Privacy Information Center (‘‘EPIC’’), a consumer advocacy group, asserted that, ‘‘[w]hile the volume of spam is lower than it was just a few years ago, the need for the Rule continues.’’ 12 EPIC also asserted that ‘‘[c]ompanies and individuals still make use of the Rule[,] and its continued enforcement, including substantial financial judgments imposed against violators, will serve to dissuade others from sending spam emails.’’ 13 Similarly, the Online Trust Alliance (‘‘OTA’’) maintained that ‘‘there is a continuing need for the Rule and that it has been beneficial by setting guidelines that limit the amount of unwanted or deceptive email reaching consumers.’’ 10 ValiMail, Inc. (‘‘ValiMail’’) (91); L-Soft Sweden AB (‘‘L-Soft’’) (98). 11 Santiago (2); Smith (3); Schenlle (28); Pesterfield (30); Freedman (33); Bristol (42); Kester (54); Garson (62); Schroeder (71); Davis (78); Hoofnagle (79); OTA (85); ESPC (86); Lashback (89); MPA (90); EPIC (93); ERA (94); DMA (95); Butler (100). 12 EPIC (93). 13 Id. E:\FR\FM\04APR1.SGM 04APR1 Federal Register / Vol. 84, No. 65 / Thursday, April 4, 2019 / Rules and Regulations The MPA—The Association of Magazine Media—also encouraged the Commission to retain the Rule, arguing that it ‘‘strikes an appropriate balance of protecting consumers while avoiding overly burdensome or expensive regulatory requirements for businesses.’’ 14 One individual commenter opined that ‘‘companies would not provide a method of opt-out . . . if they were not required to and subject to monetary penalties for noncompliance.’’ 15 Thirteen commenters indirectly addressed the question of whether there is a continuing need for the Rule, and impliedly supported its retention as evidenced by their descriptions of the Rule’s benefits to consumers and/or recommendations for furthering the consumer-friendly practices required by the Rule.16 For example, XMission, L.C., a small-business internet service provider, explained its desire to more aggressively prosecute spammers and ‘‘creat[e] a more compliant commercial email marketing industry.’’ 17 Another commenter wrote: ‘‘[t]he Commission should adjust the Rule to maintain its substantial consumer benefits while addressing its shortcomings.’’ 18 Forty-two commenters did not respond to the question of whether the Commission should retain the Rule.19 Many of these commenters merely described their personal experiences with spam emails or offered observations regarding industry compliance with the Rule, but did not articulate any recommendations concerning the Rule.20 Eleven commenters were very critical of the Rule, expressing complaints such as the Rule is ‘‘too weak,’’ ‘‘ineffectual,’’ or ‘‘an abject failure,’’ but none recommended repeal or rescission.21 14 MPA (90). (28). 16 CAUCE (96); ABA (97); ValiMail (91); XMission (88); Ford (99); Upton (87); Courchaine (43); Huff (36); McIntosh (26); Dayman (82); Garrett (81); Francis (67); Cinatl (45). 17 XMission (88). 18 Ford (99). 19 Silverstein (4); Lugo (7); Ohlstein (8); Boyd (9); Simone (10); Wheeler (11); Boyden (12); Reinoehl (13); Andrews (14); LaBerge (15); Kellner (16); Barr (17); Barry (18); Spencer (19); Willis (21); Evans (22); Burke (23); Nguyen (24); Donie (25); Wroblewski (27); Hildebrand (29); Blatnik (34); Vitale (38); E. Alterman (39); Menonna (40); T. Bell (41); Schulzrinne (56); Bothwell (57); Babineaux (59); Searcy (60); Phillips (61); Wippler (63); Barth (66); Atkinson (68); E. Smith (69); Walton (73); Masters (74); Shoemaker (75); Rucker (76); Hyde (77). 20 See e.g., Simone (10); Barry (18); Spencer (19); Evans (22); Blatnik (34); Vitale (38). 21 L-Soft (98) (‘‘it has failed’’); Balsam (31) (‘‘isn’t working’’); Nowlin (44) (‘‘abject failure’’); Crabtree (53) (‘‘isn’t working’’); Bickers (47) (‘‘let the Act expire’’); Hofstee (50) (‘‘effectiveness too low’’); S. jbell on DSK30RV082PROD with RULES 15 Schnelle VerDate Sep<11>2014 16:13 Apr 03, 2019 Jkt 247001 Only six individual commenters explicitly recommended repeal of the Rule.22 And, while these commenters typically urged the Commission to replace the Rule with something more effective, they did not suggest any alternatives. Moreover, none of these commenters identified any specific costs or burdens associated with complying with the Rule. In light of the comments received, the Commission concludes that a continuing need exists for the Rule. The comments predominantly indicate that the Rule benefits consumers and does not impose significant costs to businesses. Accordingly, the Commission will retain the Rule. B. Rule Modifications Regarding Specific Issues The CAN–SPAM Act expressly authorizes the Commission to issue discretionary regulations concerning the Act’s definition of the term ‘‘transaction or relationship messages,’’ its provisions regarding the time-period for processing opt-out requests, and activities or practices that constitute aggravated violations.23 Accordingly, the Commission requested public comments regarding whether it should modify the Rule with respect to the aforementioned definition and provisions of the Act. As discussed below, several commenters addressed possible modifications to the Rule concerning these issues. 1. Comments Regarding the Definition of ‘‘Transactional or Relationship Messages’’ Six commenters considered whether the Commission should expand or contract the definition of ‘‘transactional or relationship messages.’’ 24 Three commenters opposed modifying the definition and three commenters argued for the definition’s expansion and/or clarification. Two individual commenters among the six cautioned the Commission not to contract the scope of messages defined as ‘‘transactional or relationship,’’ but offered no justification for their Smith (70) (‘‘isn’t working’’); Przeclawski (65) (‘‘sham’’); Augenstein (58) (‘‘does not work’’); Winokur (48) (‘‘ineffectual’’); D. Alterman (52) (‘‘too weak’’). 22 K. Bell (5); Wyckoff (35); Carlson (37); Dawson (49); Roth (51); St. Peters (64). 23 See 15 U.S.C. 7702(17)(B) (‘‘The Commission by regulation pursuant to section 7711 of this title may modify the definition in subparagraph (A) [the term ‘‘transactional or relationship message’’] to expand or contract the categories of messages that are treated as transactional or relationship messages . . .’’); 15 U.S.C. 7704(c). 24 Schnelle (28); Hoofnagle (79); OTA (85); Lashback (89); American Bankers Association (97); Butler (100). PO 00000 Frm 00013 Fmt 4700 Sfmt 4700 13117 position.25 Lashback, LLC (‘‘Lashback’’), an email compliance service monitoring company, opposed modification of the definition because it ‘‘do[es] not believe that this issue is at the crux of the problems in email,’’ but rather, ‘‘the focus should remain on misleading messages that are sent solely or primarily for marketing purposes.’’ 26 Another commenter urged the Commission to modify the definition of ‘‘transactional or relationship messages’’ to ‘‘make clear that a company/business is allowed to email information to a consumer upon their request even when the email would otherwise be considered a commercial email message.’’ 27 The commenter further remarked that it is common for consumers to ‘‘request[] various pieces of information through . . . email including product information,’’ but companies are hesitant to respond ‘‘for fear of potentially violating the Rule’s requirements.’’ 28 It appears that the commenter, in essence, proposes that a subsequent commercial email message from a sender to a recipient of a commercial product or service purchased from the sender be deemed a ‘‘transactional or relationship message’’ based upon the prior existing business relationship. This would require modification of the definition of a ‘‘transactional or relationship message’’ as well as a ‘‘commercial electronic mail message.’’ The commenter, however, offered no evidence that this concern is widespread, or that the proposed modification would benefit consumers. Another commenter, OTA, proposed that so-called ‘‘informational’’ messages concerning ‘‘news items, site activity, product updates, etc.’’ should be deemed ‘‘transactional or relationship messages’’ because ‘‘they relate directly to the service or product that the consumer requested and clearly do not contain commercial content.’’ 29 The Commission notes, however, because the Rule already specifies that the definition of ‘‘transactional or relationship message’’ includes email messages whose primary purpose is to provide certain types of product information (e.g., warranty, recall, safety, security) and product updates or upgrades, no change is necessary.30 25 Hoofnagle (79); Butler (100). (89). 27 Schnelle (28). 28 Id. 29 OTA (85). 30 See 16 CFR 316.2(o) (clarifying that the term ‘‘transaction or relationship message’’ is the same as the definition of that term in the Act, which includes an electronic mail message the primary purpose of which is to provide warranty 26 Lashback E:\FR\FM\04APR1.SGM Continued 04APR1 13118 Federal Register / Vol. 84, No. 65 / Thursday, April 4, 2019 / Rules and Regulations Finally, the American Bankers Association recommended that the Commission clarify that the definition of ‘‘transactional or relationship message’’ includes ‘‘two types of emails that banks and other businesses frequently send . . . to existing customers: educational emails and invitations to events.’’ 31 Depending on the specific facts and subject matter, an invitation to an event or an educational email may be commercial in nature, might be transactional or relationshiprelated, or might be considered to be ‘‘other content that is not transactional or relationship content’’ that is not subject to the Act’s commercial email message requirements.32 Given the factspecific nature of any determination, no rule modification is warranted. For each of the reasons stated above, the Commission believes that the record does not support modification of the Rule on this issue. To assist with businesses’ understanding of these issues, however, the Commission will review and consider revising its existing Compliance Guide for Businesses. 2. Comments Regarding Time-Period for Processing Opt-Out Requests jbell on DSK30RV082PROD with RULES Twelve comments addressed whether the Commission should modify the Rule to shorten the time-period for processing opt-out requests to less than ten business days: Six comments opposed shortening the time-period,33 while six comments favored shortening the time-period.34 Industry and trade association groups that opposed shortening the time-period typically noted the financial and/or operational burdens that such a modification would impose upon small businesses that often process opt-out requests manually or without the assistance of automated processing.35 The OTA regarded a shorter time-period as unnecessary, citing evidence that top retailers already comply ‘‘well inside the ten-day time period for opt-outs, largely due to the sophisticated systems information, product recall information, or safety or security information with respect to a commercial product or service used or purchased by the recipient). 31 ABA (97). 32 See 16 CFR 316.3(a)(3) (providing analysis for determining whether the Act’s commercial email requirements apply to an ‘‘electronic mail message [that] contains both the commercial advertisement or promotion of a commercial product or service as well as other content that is not transactional or relationship content’’). 33 Schnelle (28); OTA (85); ESPC (86); Lashback (89); MPA (90); ERA (94). 34 Huff (36); Bristol (42); Schulzrinne (56); Davis; Upton (87); CAUCE (96). 35 ESPC (86); OTA (85); Lashback (89); MPA (90); ERA (94). VerDate Sep<11>2014 16:13 Apr 03, 2019 Jkt 247001 employed to manage their email communications to consumers.’’ 36 Commenters that favored shortening the time-period, however, viewed ten business days as unnecessarily lengthy, particularly in light of available technologies that allow companies to conduct automated processing of optouts.37 Some of these commenters urged the Commission to adopt alternative time-periods as short as one day or one business day.38 However, none of these comments provided the Commission with evidence showing how or to what extent the current ten business-day time-period has negatively affected consumers, nor did they address the concerns noted by other commenters that such a change may pose substantial burdens on small businesses. For these reasons, the Commission declines to propose a modification to the Rule that would shorten the time-period for opting out of commercial email messages. 3. Comments Regarding Activities or Practices That Constitute Aggravated Violations Four commenters responded to the Commission’s request for public comments regarding whether it should modify the Rule to specify additional activities or practices that constitute aggravated violations. Two commenters proposed that the Commission specify as ‘‘aggravated violations’’ activities or practices that are already considered violations of the requirements for commercial messages under the Act or Rule.39 For example, Lashback urged the Commission to specify as an aggravated violation a sender’s failure to identify a commercial email message as an advertisement ‘‘[i]n order to increase the visibility and impact of this simple and clear requirement—and likely drive greater compliance and better disclosures to consumers.’’ 40 An individual commenter recommended that the Commission ‘‘substantially increase fines for entities that do not effectively provide methods for unsubscribing that require no further information beyond the email address and the desire to leave.’’ 41 Neither of these commenters, however, provided evidence indicating that ‘‘those activities or practices are contributing substantially to the proliferation of commercial electronic mail messages 36 OTA (85). (42); Schulzrinne (56); Davis (78). 38 See e.g., Huff (36); Schulzrinne (56); Davis (78). 39 Lashback (89); Butler (100). 40 Lashback (89); cf. 15 U.S.C. 7704(a)(5)(i) (‘‘clear and conspicuous identification that the message is an advertisement or solicitation’’). 41 Butler (100); cf. 16 CFR 316.5. that are unlawful under [section 7704(a) of the Act].’’ 42 The Email Sender and Provider Coalition (‘‘ESPC’’) recommended that the Commission specify the practice known as ‘‘snowshoeing’’ as an aggravated violation, which it described as ‘‘the use of multiple domains and IP addresses (obtained from different ISPs) . . . [to] keep the volume of emails sent [per domain or IP address] very low . . . while permitting large aggregate volumes to be distributed across hundreds or thousands of IP addresses and domains.’’ 43 According to the ESPC, snowshoeing can be, and often has been, used to ‘‘send emails related to phishing, fraud, or identity theft schemes, but current tools are inadequate to combat the practice because restrictions placed upon the viewing and screening of email limit the effectiveness of content-based filters.44 The ESPC did not provide, however, any evidence regarding the prevalence or incidence of snowshoeing.45 Nor did it offer support for its assertion that specifying this practice as an aggravated violation would have a minimal impact on businesses. Moreover, depending on the facts, some snowshoeing already is deemed an aggravated violation under section 7704(b)(2), which proscribes the automated creation of multiple accounts so that those accounts may be used to send commercial email. One individual commenter recommended that the Commission consider whether to specify the use of third-party lookups for email addresses as an aggravated violation under the Act.46 The commenter described, in particular, how companies regularly exchange ‘‘anonymized’’ or ‘‘deidentified’’ email addresses that could ultimately be de-anonymized and linked to actual consumers, and emphasized that these companies engage in email marketing. Although not stated explicitly, the commenter’s concern seems to be the potential use of such techniques by spammers to execute well-informed phishing attacks or identity theft schemes. The commenter did not provide, however, any evidence of widespread consumer harm resulting from the use of third-party lookups for email addresses, nor did the commenter address the potential costs to businesses of specifying such a practice as an aggravated violation. For all of the reasons stated above, the Commission 37 Bristol PO 00000 Frm 00014 Fmt 4700 Sfmt 4700 42 15 U.S.C. 7704(c)(2). (86). 43 ESPC 44 Id. 45 Id. 46 Hoofnagle (79). The Hoofnagle comment did not expressly define the term ‘‘third-party lookup.’’ E:\FR\FM\04APR1.SGM 04APR1 Federal Register / Vol. 84, No. 65 / Thursday, April 4, 2019 / Rules and Regulations believes there is insufficient evidence in the record to support modification of the Rule to specify any additional activities or practices that constitute aggravated violations. C. Other Proposed Modifications to or Clarifications of the Rule Various commenters supporting the Rule suggested additional modifications to, or clarifications of, the Rule. As discussed in detail below, while many of the proposed rule changes may describe effective email procedures that could inform industry best practices, the record does not justify a rulemaking to consider whether to incorporate these proposals into the existing Rule. 1. Comments Regarding an Opt-In Approach to Commercial Email Messages At least 40 commenters expressed concerns or dissatisfaction with the CAN–SPAM Act’s opt-out approach to commercial email messages. Most of these commenters recommended that the Commission modify the Rule to require prior consent (opt-in) from recipients before initiating commercial email messages.47 Some even suggested that the Rule adopt a ‘‘double opt-in’’ approach that requires recipients to confirm their initial request by responding to a link sent to the recipients’ email address.48 These commenters cumulatively identified a number of factors—the greater burden of self-help imposed on consumers, IT departments, and/or ISPs; privacy concerns; and lack of uniformity with anti-spam laws in other countries— arguing for the necessity of modifying the Rule to require an opt-in approach to commercial email messages.49 Modifying the Rule to require prior consent from recipients of commercial email messages, however, would be beyond the text and scope of the Act.50 jbell on DSK30RV082PROD with RULES 2. Comments Regarding Modification of Rule To Enhance Opt-Out Provisions Several comments proposed modifications to the Rule intended to better effectuate the Act’s provisions related to opt-out requirements for 47 See e.g., K. Bell (6); Ohlstein (8); Boyden (12); Barr (17); Wroblewski (30); Hofstee (50); Schulzrinne (56); Upton (87); CAUCE (96); L-Soft (98). 48 Boyden (12); L-Soft (98). 49 See e.g., Boyd (9); Reinoehl (13); Donie (25); Balsam (31); Bristol (42); Bickers (47); Crabtree (53); Schulzrinne (56); Walton (73); ESPC (86); CAUCE (96); Butler (100). 50 See 15 U.S.C. 7704(c); 15 U.S.C. 7711; CAUCE (96) (‘‘We realize that the FTC cannot change the text of CAN SPAM, but we note that an opt-in rule, as in the European Union and Canadian laws, rather than opt-out, would be far more effective.’’); Upton (87) (same). VerDate Sep<11>2014 16:13 Apr 03, 2019 Jkt 247001 commercial email messages.51 Most of these comments expressly requested that the Commission clarify the requirement that opt-out notices be ‘‘clear and conspicuous.’’ 52 A few comments argued that standardized terminology (e.g., ‘‘unsubscribe,’’ ‘‘optout,’’ or ‘‘remove’’) and additional guidance on placement, language, color/ contrast ratio, and text size would benefit consumers without imposing extra costs on businesses.53 In support of this recommendation, the OTA cited its own ‘‘Email Marketing Best Practices and Unsubscribe Audit,’’ which showed that, from 2015 to 2016, the percentage of top retailers that had good opt-out practices fell from 96 percent to 88 percent.54 The OTA further advocated, as did Lashback, that the Rule require opt-out links to be text, not images, so they have longevity.55 Another commenter urged the Commission to prohibit opt-out mechanisms from setting tracking cookies unrelated to the recipient’s decision to opt out.56 The Ford comment echoed the proposals regarding type size and visibility requirements, and further asked the Commission to require a ‘‘standardized box containing information on how to unsubscribe, at the bottom of each email, akin to other standardized labels for food, drugs, and cigarettes.’’ 57 Such a standardized mechanism, Ford argued, would not only help to remedy the problem of inconspicuous opt-out instructions, but also simplify and expedite the opt-out process to the extent that it could ‘‘be invoked by a user’s email client software.’’ Similarly, other commenters suggested that the Commission adopt a standardized optout approach that requires minimal participation by the recipient.58 There is no evidence in the record to support the proposed changes to the opt-out instructions. Additionally, none of the comments provides the Commission with information about the 51 Schulzrinne (56); OTA (85); Ford (99); Hoofnagle (79); Lashback (89). 52 Hoofnagle (79); OTA (85); Lashback (89); Ford (99); see also 15 U.S.C. 7704(a)(3) (requiring inclusion of a return address or comparable mechanism in commercial electronic mail that is ‘‘clearly and conspicuously displayed’’); 7704(a)(5)(A)(i) (requiring that notice of recipient’s opportunity to decline to receive further commercial electronic mail messages from the sender be ‘‘clear and conspicuous’’). 53 Hoofnagle (79); OTA (85); Lashback (89); Ford (99). 54 OTA (85). 55 Id.; Lashback (89). 56 Hoofnagle (79). 57 Ford (99). 58 Schulzrinne (56) (advocating for a ‘‘standardsbased opt-out link (URL) that requires no further user input’’); Butler (100) (recommending a ‘‘oneclick method’’ for opting out). PO 00000 Frm 00015 Fmt 4700 Sfmt 4700 13119 costs and benefits of these proposed rule changes. Moreover, standardized optout terminology or mechanisms would need to be consistent with the authority of the Commission, which is somewhat circumscribed with respect to any requirement to include specific language or labels in a commercial email message.59 For these reasons, the Commission declines to propose the adoption of commenters’ suggested rule modifications regarding opt-out requirements. 3. Comments Regarding Modification of Rule To Account for Changes in Technology A few commenters recommended that the Commission modify the Rule to account for technological developments that have occurred since the promulgation of the Rule. For example, two comments called attention to the emergence of technical approaches for mechanically processing opt-out instructions, and suggested that the Commission encourage or mandate their use via Rule modification.60 Other comments emphasized that email authentication standards aimed at helping email providers verify sender domains and thwart email spoofing and phishing attacks have been developed and are commonly employed.61 Two comments encouraged the Commission to facilitate the adoption of authenticated email standards—e.g., DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-Based Message Authentication, Reporting, and Conformance (DMARC)—through the Rule.62 Other commenters pointed to the progress made on email authentication standards as a basis for the Commission to reconsider the feasibility of a Do Not Email Registry pursuant to 15 U.S.C. 7708.63 The Commission appreciates the information provided by these comments, but notes that the record is 59 See 15 U.S.C. 7711(b) (‘‘Subsection (a) [granting the Commission authority to implement the provisions of the CAN–SPAM Act] may not be construed to authorize the Commission to establish a requirement pursuant to section 7704(a)(5)(A) [requiring the inclusion of advertisement identifier, opt-out notice, and physical address in commercial electronic mail messages] of this title to include any specific words, characters, marks, or labels in a commercial electronic mail message . . .’’). 60 Upton (87) and CAUCE (96) (both citing a method for ‘‘one-click unsubscription’’ as defined in the internet Engineering Task Force (IETF) Request for Comment (RFC) 8058). 61 OTA (85); ValiMail (91); Ford (99). 62 ValiMail (91); Ford (99). 63 Hoofnagle (79); Ford (99); cf. EPIC (93) (advocating for a domain name based Do Not Email Registry without appealing to progress made on email authentication standards). E:\FR\FM\04APR1.SGM 04APR1 13120 Federal Register / Vol. 84, No. 65 / Thursday, April 4, 2019 / Rules and Regulations silent concerning the increased costs to businesses, if any, that would result from modifying the Rule to mandate the implementation of these various technologies. Nor does the record explain why the Commission’s codification of developing technology into the Rule is necessary where private markets have produced email authentication and opt-out technologies that are already enjoying widespread use. Moreover, as some comments have acknowledged, the Commission’s Bureau of Consumer Protection (BCP) has previously addressed the issue of email authentication in a Staff Perspective issued in March 2017.64 Specifically, BCP staff encouraged businesses to help reduce the volume of phishing email messages and protect their reputations by fully implementing various low cost, readily available email authentication solutions.65 Although the Commission is familiar with these technical solutions that can help reduce unsolicited commercial email, it is also mindful of the potential pitfalls in incorporating technological standards in regulations. In the absence of any evidence in the record regarding the costs and benefits of imposing technologically-based rule changes, the Commission is not persuaded that the proposed modifications are appropriate at this time. However, the Commission will continue to monitor this issue and encourage the private market in its move toward developing and implementing technology that reduces the volume of spam. jbell on DSK30RV082PROD with RULES 4. Comments Regarding Modification of Rule To Clarify Definition of Certain Terms Derived From the Act It is a violation of the CAN–SPAM Act to initiate the transmission of a commercial message or a transaction or relationship message that contains, or is accompanied by, materially false or misleading header information.66 Accordingly, the Act provides that a ‘‘‘from’ line (the line identifying or purporting to identify a person initiating the message) that accurately identifies any person who initiated the message shall not be considered materially false or materially misleading.’’ 67 As both 64 OTA (85) and ValiMail (91) (both citing Businesses Can Help Stop Phishing and Protect their Brands Using Email Authentication, Staff Perspective, March 2017, available at https:// www.ftc.gov/news-events/blogs/business-blog/2017/ 03/want-stop-phishers-use-email-authentication). 65 Businesses Can Help Stop Phishing and Protect their Brands Using Email Authentication, Staff Perspective, March 2017, available at https:// www.ftc.gov/news-events/blogs/business-blog/2017/ 03/want-stop-phishers-use-email-authentication. 66 15 U.S.C. 7704(a)(1). 67 15 U.S.C. 7704(a)(1)(B) (emphasis added). VerDate Sep<11>2014 16:13 Apr 03, 2019 Jkt 247001 OTA and ValiMail explain in their comments, however, in addition to the ‘‘from’’ line that is displayed within the end user’s email client, industry practice (via email authentication standards) permits senders to identify themselves using additional ‘‘from’’ lines not visible to the end user, such as the Reply-to or Return-Path fields.68 Consequently, both comments urged the Commission to specify that the definition of ‘‘from’’ refers only to the ‘‘from’’ field displayed in a user’s email client, alluding to concerns about phishing attacks involving scammers who put one address in Reply-to or Return-Path fields, but another address in the From field. Neither comment, however, offers any evidence that the absence of such a clarification impedes the Commission’s ability to enforce CAN–SPAM violations involving false header information or that such a clarification would enable greater enforcement. Nonetheless, the Commission staff will continue to monitor this issue and use other resources available to ensure that marketers understand their obligations under the Rule. The CAN–SPAM Act also authorizes providers of internet access service to enforce certain provisions of the Act.69 Where an internet access service brings a claim against a sender of email messages, the statute requires that the person providing consideration or inducing another person to initiate the electronic mail message has actual or constructive knowledge that the person initiating the email is engaging, or will engage, in a pattern or practice violating the Act.70 XMission, L.C. (‘‘XMission’’), on behalf of itself and other small to mid-sized internet service providers (ISPs), advocated that the Commission eliminate the scienter requirement from the definition of ‘‘procure’’ so that ‘‘bona fide [Plaintiff] internet service provider[s] . . . [are] held to the same standard as FTC or government plaintiffs.’’ 71 The scienter requirement, however, is statutory—a requirement that the Commission likely cannot alter via a rule. The CAN–SPAM Act prohibits a person from initiating a commercial mail message with a subject heading that is ‘‘deceptive,’’ which the Act defines as ‘‘be[ing] likely to mislead a recipient, acting reasonably under the circumstances, about a material fact regarding the contents or subject matter 68 OTA (85); ValiMail (91). U.S.C. 7706(g)(1). 70 15 U.S.C. 7706(g)(2). 71 XMission (88). 69 15 PO 00000 Frm 00016 Fmt 4700 Sfmt 4700 of the message.’’ 72 The Lashback comment urges the Commission to modify the Rule to clarify the definition of ‘‘deceptive’’ by adding language that describes examples of deceptive messages,73 but the Act expressly states that the prohibition against deceptive subject headings is ‘‘consistent with the criteria used in enforcement of [Section 5 of the FTC Act],’’ 74 and therefore, already provides clarity concerning the meaning of ‘‘deceptive.’’ 75 Moreover, in the absence of any evidence in the record demonstrating confusion regarding what constitutes a deceptive subject heading, the Commission is not persuaded that the proposed modification is necessary. 5. Comments Regarding Modification of Rule That Would Be Contrary to Congressional Intent Under the Act A number of comments expressed support for modifications to the Rule that arguably exceed the Commission’s authority to issue regulations implementing the Act.76 Such recommendations included: (1) Requiring that language identifying a commercial email message as an advertisement be included in the subject line; 77 (2) extending opt-out obligations to third-party list providers; 78 (3) requiring consumer permission before transferring or selling a consumer’s email address to a third-party; 79 (4) blocking all unsolicited spam from servers outside the U.S.; 80 (5) limiting the frequency at which emails may be sent to recipients; 81 (6) minimizing or 72 15 U.S.C. 7704(a)(2). (89). 74 15 U.S.C. 7704(a)(2). 75 See e.g., FTC Policy Statement on Deception (October 14, 1983), available at https://www.ftc.gov/ system/files/documents/public_statements/410531/ 831014deceptionstmt.pdf. 76 Cf. 15 U.S.C. 7702(17)(B) (granting the Commission rulemaking authority to modify the definition of the term ‘‘transactional or relationship’’ message); 15 U.S.C. 7704(c) (granting the Commission supplementary rulemaking authority regarding the time-period for processing opt-out requests and activities or practices that constitute aggravated violations); 15 U.S.C. 7711 (granting the Commission authority to issue regulations implementing certain CAN–SPAM Act provisions in accordance with the Administrative Procedure Act). 77 Silverstein (4) (‘‘The FTC should issue a rule requiring all spam to have the subject line prefixed with ‘‘ADV:’’); Bristol (42) (‘‘require unsolicited commercial emails to include a word or phrase in the send line that indicates that the email is an advertisement’’). 78 EPIC (93). 79 Barr (17). 80 Davis (78). 81 Santiago (2) (‘‘have a Rule that commercial senders could only send such emails 1–2 times per year absent a specific request from the consumer that such emails continue more frequently’’); Wippler (63) (‘‘1 marketing email from the company per 32 or 48 hours’’). 73 Lashback E:\FR\FM\04APR1.SGM 04APR1 Federal Register / Vol. 84, No. 65 / Thursday, April 4, 2019 / Rules and Regulations eliminating federal preemption; 82 (7) requiring companies that provide access to transmission lines connecting users to the internet to filter out and report spam to regulatory authorities; 83 (8) providing email recipients a private right of action to enforce CAN–SPAM Act violations; 84 and (9) permitting class-action lawsuits.85 The first suggestion is unfeasible, because the Act expressly prohibits the Commission from designating ‘‘any specific words, characters, marks, or labels’’ to satisfy the requirement that initiators identify a commercial electronic mail message as an advertisement or solicitation.86 The second suggestion also conflicts with the plain language of certain definitions under both the Act and Rule. As the Commission has previously stated, ‘‘a list owner must honor opt-out requests only if it qualifies as the ‘sender’ of a commercial email (i.e., it is an initiator and its ‘product, service, or internet website’ are ‘advertised or promoted’ in the email).’’ 87 The Commission also declines to consider the remaining proposed modifications because each would be inconsistent with the Commission’s circumscribed authority under the Act. 6. Comments Regarding Law Enforcement Priorities and Policies A number of comments made proposals better understood as recommendations for how the Commission should implement enforcement priorities and policies rather than modifications to the Rule. These proposals included: (1) Allowing consumers to report and/or forward spam to the FTC; 88 (2) sending violators a link to CAN–SPAM regulations and guidance documents; 89 (3) including willful violators of CAN–SPAM on a ‘‘blacklist’’ for circulation among email service providers; 90 (4) working with payment processors and other intermediaries to shutter accounts belonging to spammers; 91 and (5) providing guidance to states regarding 82 Bristol (42); St. Peters (64); Ford (99). (78). 84 Balsam (31) (‘‘enable the spam recipients to file lawsuits, not just the AG, FTC, and ISPs’’); Wippler (63) (expressly recommending modification of the CAN–SPAM Act); Walton (73) (‘‘the rules should allow for recipients of spam to enforce opt-out requests’’); cf. 15 U.S.C. 7706. 85 Barth (66); cf. 15 U.S.C. 7706. 86 15 U.S.C. 7711(b). 87 79 FR at 29660. 88 Pesterfield (30); Francis (67). 89 Pesterfield (30). 90 Id. 91 Ford (99). jbell on DSK30RV082PROD with RULES 83 Davis VerDate Sep<11>2014 16:13 Apr 03, 2019 Jkt 247001 the scope of preemption under the Act.92 The Commission has already adopted the first recommendation, and continues to encourage consumers to report illegal spam to ftccomplaintassistant.gov or forward it directly to spam@uce.gov. Such complaints from consumers help the Commission to detect patterns of fraud and abuse, and identify potential investigative targets. The Commission also appreciates the recommendations provided by the remaining comments, and will take such information into consideration as it continues to formulate enforcement priorities that would benefit consumers and secure industrywide compliance with the CAN–SPAM Rule. IV. Conclusion The comments overwhelmingly: (1) Favor retention of the Rule and assert that there is a continuing need for the Rule; (2) conclude that the Rule benefits consumers; (3) assert that the Rule does not impose substantial economic burdens; and (4) conclude that the benefits outweigh the minimal costs the Rule imposes. The Commission has analyzed the proposed benefits to consumers of proposed changes to the Rule, including any evidence provided of those benefits, and balanced those proposed benefits against the cost of implementing the changes, the need for the change, and alternative means of providing these benefits for consumers, such as consumer education materials. Despite some comments recommending that the Commission adopt modifications to the Rule, there is insufficient evidence in the record to demonstrate that such modifications are necessary and would, in fact, help consumers. Additionally, none of the comments proposing modifications or clarifications that could potentially burden industry sufficiently analyzed the associated costs. The FTC plans to review and consider revising its consumer and business education materials to address the concerns raised in the comments submitted pursuant to this Rule Review to ensure that consumers and businesses more easily understand the Rule’s protections and requirements. Furthermore, the Commission has a variety of enforcement tools available to help consumers better understand the Rule’s protections and ensure compliance. If, at a later date, the Commission concludes that the Rule, case law interpreting the Rule, and the FTC’s other enforcement tools do not provide adequate guidance and protection for consumers in the marketplace, it can then consider, based on a further record, whether and how to amend the Rule. Accordingly, the Commission has determined to retain the current Rule and is terminating this review. By direction of the Commission. April J. Tabor, Acting Secretary. [FR Doc. 2019–06562 Filed 4–3–19; 8:45 am] BILLING CODE 6750–01–P DEPARTMENT OF THE TREASURY Internal Revenue Service 26 CFR Part 1 [TD 9852] RIN 1545–BL96 Chapter 4 Regulations Relating to Verification and Certification Requirements for Certain Entities and Reporting by Foreign Financial Institutions Correction In rule document 2019–05527 appearing on pages 10976–10989 in the issue of March 25, 2019, make the following corrections: § 1.1471–4 [Corrected] 1. On page 10981, in the third column, in paragraph (j), in the 6th and 10th lines ‘‘March 26, 2019’’ should read ‘‘March 25, 2019’’. ■ § 1.1471–5 [Corrected] 2. On page 10987, in the first column, in paragraph (m), in the 6th and 11th lines ‘‘March 26, 2019’’ should read ‘‘March 25, 2019’’. ■ § 1.1472–1 [Corrected] 3. On page 10989, in the third column, in paragraph (h), in the 5th and 9th lines ‘‘March 26, 2019’’ should read ‘‘March 25, 2019’’. ■ [FR Doc. C1–2019–05527 Filed 4–3–19; 8:45 am] BILLING CODE 1301–00–D 92 Id. PO 00000 Frm 00017 Fmt 4700 Sfmt 9990 13121 E:\FR\FM\04APR1.SGM 04APR1

Agencies

[Federal Register Volume 84, Number 65 (Thursday, April 4, 2019)]
[Rules and Regulations]
[Pages 13115-13121]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-06562]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 316

[3084-AB38]


Controlling the Assault of Non-Solicited Pornography and 
Marketing Rule

AGENCY: Federal Trade Commission.

ACTION: Confirmation of rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') has 
completed its regulatory review of its rule implementing the 
Controlling the Assault of Non-Solicited Pornography and Marketing Act 
(``CAN-SPAM Rule'' or ``Rule'') as part of the agency's periodic review 
of all its regulations and guides, and has determined to retain the 
Rule in its present form.

DATES: This action is effective as of April 4, 2019.

ADDRESSES: Relevant portions of the record of this proceeding, 
including this document, are available at https://www.ftc.gov.

FOR FURTHER INFORMATION CONTACT: Christopher E. Brown, (202) 326-2825, 
Bureau of Consumer Protection, Federal Trade Commission, 600 
Pennsylvania Ave. NW, CC-8528, Washington, DC 20580.

SUPPLEMENTARY INFORMATION: 

I. Introduction

    The Commission reviews its rules and guides periodically to seek 
information about their costs and benefits, as well as their regulatory 
and economic impact. This information assists the Commission in 
identifying rules and guides that warrant modification or rescission.

[[Page 13116]]

    Pursuant to this process, on June 28, 2017, the Commission 
initiated a regulatory rule review by publishing notice in the Federal 
Register requesting public comment on the CAN-SPAM Rule (``Comment 
Request'').\1\ The Commission sought comment on standard regulatory 
review questions such as whether or not the Rule continues to serve a 
useful purpose and continues to be needed; the costs and benefits of 
the Rule for consumers and businesses; and what effects, if any, 
technological or economic changes have had on the Rule. In addition to 
generally requesting comment recommending modifications to the Rule, 
the Commission also invited comment regarding three specific issues; 
namely, whether it should: (1) Expand or contract the categories of 
messages that are treated as ``transactional or relationship 
messages;'' (2) shorten the time-period for processing opt-out 
requests; and (3) specify additional activities or practices that 
constitute aggravated violations. After considering the comments and 
evidence, the Commission has determined to retain the Rule without 
modification.
---------------------------------------------------------------------------

    \1\ Federal Trade Commission: Rule Review; request for public 
comments, 82 FR 29254 (June 28, 2017).
---------------------------------------------------------------------------

II. Background

    Enacted in 2003, and effective since January 1, 2004, the CAN-SPAM 
Act regulates the transmission of all commercial electronic mail 
(``email'') messages, and authorizes the Commission to issue mandatory 
rulemakings and discretionary regulations concerning certain 
definitions and provisions of the Act.\2\
---------------------------------------------------------------------------

    \2\ 15 U.S.C. 7701-7713.
---------------------------------------------------------------------------

    In 2004, pursuant to the Act's directive, the Commission 
promulgated the ``Adult Labeling Rule,'' which requires that commercial 
emails containing sexually oriented material include the phrase 
``SEXUALLY-EXPLICIT:'' as the first 19 characters in the subject 
heading and exclude sexually oriented materials from both the subject 
heading and content of the email message that is initially viewable 
upon opening the message.\3\
---------------------------------------------------------------------------

    \3\ Federal Trade Commission: Label for Email Messages 
Containing Sexually Oriented Material; Final Rule, 69 FR 21023 (Apr. 
19, 2004).
---------------------------------------------------------------------------

    In 2005, the Commission issued rule provisions that define the 
relevant criteria for determining the ``primary purpose'' of an email 
message.\4\ These rule provisions also clarify that the definitions of 
certain terms derived from the Act and appearing in the Rule are 
prescribed by particular referenced sections of the Act. Finally, these 
rule provisions also include a severability provision, so that in the 
event a portion of the Rule is stricken, the remainder of the Rule will 
stay in effect.
---------------------------------------------------------------------------

    \4\ Federal Trade Commission: Definitions and Implementation 
Under the CAN-SPAM Act; Final Rule, 70 FR 3110 (Jan. 19, 2005).
---------------------------------------------------------------------------

    Pursuant to its discretionary authority, the Commission promulgated 
additional CAN-SPAM Rule provisions in 2008.\5\ These rule provisions: 
(1) Add a definition of the term ``person'' to clarify that the Act's 
obligations are not limited to natural persons; (2) modify the 
definition of ``sender'' to make it easier to determine which of 
multiple parties advertising in a single email message is responsible 
for complying with the Act's opt-out requirements; (3) clarify that a 
sender can include an accurately-registered post office box or private 
mailbox established under United States Postal Service regulations to 
satisfy the Act's requirement that a commercial email display a ``valid 
physical postal address;'' and (4) clarify that an email recipient 
cannot be required to pay a fee, provide information other than his or 
her email address and opt-out preferences, or take any steps other than 
sending a reply email message or visiting a single internet web page to 
opt out of receiving future email from a sender.
---------------------------------------------------------------------------

    \5\ Federal Trade Commission: Definitions and Implementation 
Under the CAN-SPAM Act; Final Rule, 79 FR 29654 (May 21, 2008).
---------------------------------------------------------------------------

III. Regulatory Review Comments and Analysis

    The Commission considered ninety-two comments in response to its 
Comment Request.\6\ Most of these comments were from individual 
consumers. Two comments were from consumer groups,\7\ seven comments 
were from industry and trade association groups,\8\ one comment was 
from an internet service provider,\9\ and two comments were from 
providers of email-related services.\10\ This rule review notice 
summarizes the comments received and explains the Commission's decision 
to retain the Rule. It also explains why the Commission declines to 
propose the adoption of commenters' suggested modifications.
---------------------------------------------------------------------------

    \6\ All rule review comments are on the public record and 
available on the Commission's website at www.ftc.gov/policy/public-comments/2017/06/initiative-704. This rule review notice cites 
comments using the last name of the individual commenter or the name 
of the organization, followed by the number assigned by the 
Commission. The Commission received 100 comments, but some of the 
comments were blank or not germane to the Rule Review, and 
therefore, removed from consideration. As a result, some of the 
comments discussed in this notice bear a comment number higher than 
92.
    \7\ Electronic Privacy Information Center (``EPIC'') (93); CAUCE 
North America (``CAUCE'') (96).
    \8\ Lashback, LLC (``Lashback'') (89); Electronic Retailing 
Association (``ERA'') (94); Data & Marketing Association (``DMA'') 
(95); American Bankers Association (``ABA'') (97); Email Sender and 
Provider Coalition (``ESPC)'' (86); MPA-The Association of Magazine 
Media (``MPA'') (90); Online Trust Alliance (``OTA'') (85).
    \9\ X Mission, L.C. (``X Mission'') (88).
    \10\ ValiMail, Inc. (``ValiMail'') (91); L-Soft Sweden AB (``L-
Soft'') (98).
---------------------------------------------------------------------------

    The Commission discusses the comments in three sections. In Section 
A, the Commission considers the comments that address whether there is 
a continuing need for the Rule and the costs and benefits of the Rule 
for consumers and businesses. In Section B, the Commission analyzes the 
comments that respond to its specific requests for comments regarding 
whether the Commission should modify the definition of ``transaction or 
relationship messages,'' shorten the time-period for processing opt-out 
requests, and specify additional activities or practices that 
constitute aggravated violations. In Section C, the Commission 
discusses the comments that propose other modifications to or 
clarifications of the Rule.

A. Continuing Need for the Rule

    Most of the commenters who addressed the issue supported retaining 
the Rule; only a few recommended rescinding it. Nineteen commenters 
explicitly stated that there is a continuing need for the Rule, citing 
benefits to consumers such as the value of having an enforcement tool 
for taking action against offenders and a reduction in the volume of 
unsolicited commercial emails.\11\ For example, the Electronic Privacy 
Information Center (``EPIC''), a consumer advocacy group, asserted 
that, ``[w]hile the volume of spam is lower than it was just a few 
years ago, the need for the Rule continues.'' \12\ EPIC also asserted 
that ``[c]ompanies and individuals still make use of the Rule[,] and 
its continued enforcement, including substantial financial judgments 
imposed against violators, will serve to dissuade others from sending 
spam emails.'' \13\ Similarly, the Online Trust Alliance (``OTA'') 
maintained that ``there is a continuing need for the Rule and that it 
has been beneficial by setting guidelines that limit the amount of 
unwanted or deceptive email reaching consumers.''

[[Page 13117]]

The MPA--The Association of Magazine Media--also encouraged the 
Commission to retain the Rule, arguing that it ``strikes an appropriate 
balance of protecting consumers while avoiding overly burdensome or 
expensive regulatory requirements for businesses.'' \14\ One individual 
commenter opined that ``companies would not provide a method of opt-out 
. . . if they were not required to and subject to monetary penalties 
for noncompliance.'' \15\
---------------------------------------------------------------------------

    \11\ Santiago (2); Smith (3); Schenlle (28); Pesterfield (30); 
Freedman (33); Bristol (42); Kester (54); Garson (62); Schroeder 
(71); Davis (78); Hoofnagle (79); OTA (85); ESPC (86); Lashback 
(89); MPA (90); EPIC (93); ERA (94); DMA (95); Butler (100).
    \12\ EPIC (93).
    \13\ Id.
    \14\ MPA (90).
    \15\ Schnelle (28).
---------------------------------------------------------------------------

    Thirteen commenters indirectly addressed the question of whether 
there is a continuing need for the Rule, and impliedly supported its 
retention as evidenced by their descriptions of the Rule's benefits to 
consumers and/or recommendations for furthering the consumer-friendly 
practices required by the Rule.\16\ For example, XMission, L.C., a 
small-business internet service provider, explained its desire to more 
aggressively prosecute spammers and ``creat[e] a more compliant 
commercial email marketing industry.'' \17\ Another commenter wrote: 
``[t]he Commission should adjust the Rule to maintain its substantial 
consumer benefits while addressing its shortcomings.'' \18\
---------------------------------------------------------------------------

    \16\ CAUCE (96); ABA (97); ValiMail (91); XMission (88); Ford 
(99); Upton (87); Courchaine (43); Huff (36); McIntosh (26); Dayman 
(82); Garrett (81); Francis (67); Cinatl (45).
    \17\ XMission (88).
    \18\ Ford (99).
---------------------------------------------------------------------------

    Forty-two commenters did not respond to the question of whether the 
Commission should retain the Rule.\19\ Many of these commenters merely 
described their personal experiences with spam emails or offered 
observations regarding industry compliance with the Rule, but did not 
articulate any recommendations concerning the Rule.\20\
---------------------------------------------------------------------------

    \19\ Silverstein (4); Lugo (7); Ohlstein (8); Boyd (9); Simone 
(10); Wheeler (11); Boyden (12); Reinoehl (13); Andrews (14); 
LaBerge (15); Kellner (16); Barr (17); Barry (18); Spencer (19); 
Willis (21); Evans (22); Burke (23); Nguyen (24); Donie (25); 
Wroblewski (27); Hildebrand (29); Blatnik (34); Vitale (38); E. 
Alterman (39); Menonna (40); T. Bell (41); Schulzrinne (56); 
Bothwell (57); Babineaux (59); Searcy (60); Phillips (61); Wippler 
(63); Barth (66); Atkinson (68); E. Smith (69); Walton (73); Masters 
(74); Shoemaker (75); Rucker (76); Hyde (77).
    \20\ See e.g., Simone (10); Barry (18); Spencer (19); Evans 
(22); Blatnik (34); Vitale (38).
---------------------------------------------------------------------------

    Eleven commenters were very critical of the Rule, expressing 
complaints such as the Rule is ``too weak,'' ``ineffectual,'' or ``an 
abject failure,'' but none recommended repeal or rescission.\21\ Only 
six individual commenters explicitly recommended repeal of the 
Rule.\22\ And, while these commenters typically urged the Commission to 
replace the Rule with something more effective, they did not suggest 
any alternatives. Moreover, none of these commenters identified any 
specific costs or burdens associated with complying with the Rule.
---------------------------------------------------------------------------

    \21\ L-Soft (98) (``it has failed''); Balsam (31) (``isn't 
working''); Nowlin (44) (``abject failure''); Crabtree (53) (``isn't 
working''); Bickers (47) (``let the Act expire''); Hofstee (50) 
(``effectiveness too low''); S. Smith (70) (``isn't working''); 
Przeclawski (65) (``sham''); Augenstein (58) (``does not work''); 
Winokur (48) (``ineffectual''); D. Alterman (52) (``too weak'').
    \22\ K. Bell (5); Wyckoff (35); Carlson (37); Dawson (49); Roth 
(51); St. Peters (64).
---------------------------------------------------------------------------

    In light of the comments received, the Commission concludes that a 
continuing need exists for the Rule. The comments predominantly 
indicate that the Rule benefits consumers and does not impose 
significant costs to businesses. Accordingly, the Commission will 
retain the Rule.

B. Rule Modifications Regarding Specific Issues

    The CAN-SPAM Act expressly authorizes the Commission to issue 
discretionary regulations concerning the Act's definition of the term 
``transaction or relationship messages,'' its provisions regarding the 
time-period for processing opt-out requests, and activities or 
practices that constitute aggravated violations.\23\ Accordingly, the 
Commission requested public comments regarding whether it should modify 
the Rule with respect to the aforementioned definition and provisions 
of the Act. As discussed below, several commenters addressed possible 
modifications to the Rule concerning these issues.
---------------------------------------------------------------------------

    \23\ See 15 U.S.C. 7702(17)(B) (``The Commission by regulation 
pursuant to section 7711 of this title may modify the definition in 
subparagraph (A) [the term ``transactional or relationship 
message''] to expand or contract the categories of messages that are 
treated as transactional or relationship messages . . .''); 15 
U.S.C. 7704(c).
---------------------------------------------------------------------------

1. Comments Regarding the Definition of ``Transactional or Relationship 
Messages''
    Six commenters considered whether the Commission should expand or 
contract the definition of ``transactional or relationship messages.'' 
\24\ Three commenters opposed modifying the definition and three 
commenters argued for the definition's expansion and/or clarification. 
Two individual commenters among the six cautioned the Commission not to 
contract the scope of messages defined as ``transactional or 
relationship,'' but offered no justification for their position.\25\ 
Lashback, LLC (``Lashback''), an email compliance service monitoring 
company, opposed modification of the definition because it ``do[es] not 
believe that this issue is at the crux of the problems in email,'' but 
rather, ``the focus should remain on misleading messages that are sent 
solely or primarily for marketing purposes.'' \26\
---------------------------------------------------------------------------

    \24\ Schnelle (28); Hoofnagle (79); OTA (85); Lashback (89); 
American Bankers Association (97); Butler (100).
    \25\ Hoofnagle (79); Butler (100).
    \26\ Lashback (89).
---------------------------------------------------------------------------

    Another commenter urged the Commission to modify the definition of 
``transactional or relationship messages'' to ``make clear that a 
company/business is allowed to email information to a consumer upon 
their request even when the email would otherwise be considered a 
commercial email message.'' \27\ The commenter further remarked that it 
is common for consumers to ``request[] various pieces of information 
through . . . email including product information,'' but companies are 
hesitant to respond ``for fear of potentially violating the Rule's 
requirements.'' \28\ It appears that the commenter, in essence, 
proposes that a subsequent commercial email message from a sender to a 
recipient of a commercial product or service purchased from the sender 
be deemed a ``transactional or relationship message'' based upon the 
prior existing business relationship. This would require modification 
of the definition of a ``transactional or relationship message'' as 
well as a ``commercial electronic mail message.'' The commenter, 
however, offered no evidence that this concern is widespread, or that 
the proposed modification would benefit consumers.
---------------------------------------------------------------------------

    \27\ Schnelle (28).
    \28\ Id.
---------------------------------------------------------------------------

    Another commenter, OTA, proposed that so-called ``informational'' 
messages concerning ``news items, site activity, product updates, 
etc.'' should be deemed ``transactional or relationship messages'' 
because ``they relate directly to the service or product that the 
consumer requested and clearly do not contain commercial content.'' 
\29\ The Commission notes, however, because the Rule already specifies 
that the definition of ``transactional or relationship message'' 
includes email messages whose primary purpose is to provide certain 
types of product information (e.g., warranty, recall, safety, security) 
and product updates or upgrades, no change is necessary.\30\
---------------------------------------------------------------------------

    \29\ OTA (85).
    \30\ See 16 CFR 316.2(o) (clarifying that the term ``transaction 
or relationship message'' is the same as the definition of that term 
in the Act, which includes an electronic mail message the primary 
purpose of which is to provide warranty information, product recall 
information, or safety or security information with respect to a 
commercial product or service used or purchased by the recipient).

---------------------------------------------------------------------------

[[Page 13118]]

    Finally, the American Bankers Association recommended that the 
Commission clarify that the definition of ``transactional or 
relationship message'' includes ``two types of emails that banks and 
other businesses frequently send . . . to existing customers: 
educational emails and invitations to events.'' \31\ Depending on the 
specific facts and subject matter, an invitation to an event or an 
educational email may be commercial in nature, might be transactional 
or relationship-related, or might be considered to be ``other content 
that is not transactional or relationship content'' that is not subject 
to the Act's commercial email message requirements.\32\ Given the fact-
specific nature of any determination, no rule modification is 
warranted.
---------------------------------------------------------------------------

    \31\ ABA (97).
    \32\ See 16 CFR 316.3(a)(3) (providing analysis for determining 
whether the Act's commercial email requirements apply to an 
``electronic mail message [that] contains both the commercial 
advertisement or promotion of a commercial product or service as 
well as other content that is not transactional or relationship 
content'').
---------------------------------------------------------------------------

    For each of the reasons stated above, the Commission believes that 
the record does not support modification of the Rule on this issue. To 
assist with businesses' understanding of these issues, however, the 
Commission will review and consider revising its existing Compliance 
Guide for Businesses.
2. Comments Regarding Time-Period for Processing Opt-Out Requests
    Twelve comments addressed whether the Commission should modify the 
Rule to shorten the time-period for processing opt-out requests to less 
than ten business days: Six comments opposed shortening the time-
period,\33\ while six comments favored shortening the time-period.\34\
---------------------------------------------------------------------------

    \33\ Schnelle (28); OTA (85); ESPC (86); Lashback (89); MPA 
(90); ERA (94).
    \34\ Huff (36); Bristol (42); Schulzrinne (56); Davis; Upton 
(87); CAUCE (96).
---------------------------------------------------------------------------

    Industry and trade association groups that opposed shortening the 
time-period typically noted the financial and/or operational burdens 
that such a modification would impose upon small businesses that often 
process opt-out requests manually or without the assistance of 
automated processing.\35\ The OTA regarded a shorter time-period as 
unnecessary, citing evidence that top retailers already comply ``well 
inside the ten-day time period for opt-outs, largely due to the 
sophisticated systems employed to manage their email communications to 
consumers.'' \36\
---------------------------------------------------------------------------

    \35\ ESPC (86); OTA (85); Lashback (89); MPA (90); ERA (94).
    \36\ OTA (85).
---------------------------------------------------------------------------

    Commenters that favored shortening the time-period, however, viewed 
ten business days as unnecessarily lengthy, particularly in light of 
available technologies that allow companies to conduct automated 
processing of opt-outs.\37\ Some of these commenters urged the 
Commission to adopt alternative time-periods as short as one day or one 
business day.\38\ However, none of these comments provided the 
Commission with evidence showing how or to what extent the current ten 
business-day time-period has negatively affected consumers, nor did 
they address the concerns noted by other commenters that such a change 
may pose substantial burdens on small businesses. For these reasons, 
the Commission declines to propose a modification to the Rule that 
would shorten the time-period for opting out of commercial email 
messages.
---------------------------------------------------------------------------

    \37\ Bristol (42); Schulzrinne (56); Davis (78).
    \38\ See e.g., Huff (36); Schulzrinne (56); Davis (78).
---------------------------------------------------------------------------

3. Comments Regarding Activities or Practices That Constitute 
Aggravated Violations
    Four commenters responded to the Commission's request for public 
comments regarding whether it should modify the Rule to specify 
additional activities or practices that constitute aggravated 
violations. Two commenters proposed that the Commission specify as 
``aggravated violations'' activities or practices that are already 
considered violations of the requirements for commercial messages under 
the Act or Rule.\39\ For example, Lashback urged the Commission to 
specify as an aggravated violation a sender's failure to identify a 
commercial email message as an advertisement ``[i]n order to increase 
the visibility and impact of this simple and clear requirement--and 
likely drive greater compliance and better disclosures to consumers.'' 
\40\ An individual commenter recommended that the Commission 
``substantially increase fines for entities that do not effectively 
provide methods for unsubscribing that require no further information 
beyond the email address and the desire to leave.'' \41\ Neither of 
these commenters, however, provided evidence indicating that ``those 
activities or practices are contributing substantially to the 
proliferation of commercial electronic mail messages that are unlawful 
under [section 7704(a) of the Act].'' \42\
---------------------------------------------------------------------------

    \39\ Lashback (89); Butler (100).
    \40\ Lashback (89); cf. 15 U.S.C. 7704(a)(5)(i) (``clear and 
conspicuous identification that the message is an advertisement or 
solicitation'').
    \41\ Butler (100); cf. 16 CFR 316.5.
    \42\ 15 U.S.C. 7704(c)(2).
---------------------------------------------------------------------------

    The Email Sender and Provider Coalition (``ESPC'') recommended that 
the Commission specify the practice known as ``snowshoeing'' as an 
aggravated violation, which it described as ``the use of multiple 
domains and IP addresses (obtained from different ISPs) . . . [to] keep 
the volume of emails sent [per domain or IP address] very low . . . 
while permitting large aggregate volumes to be distributed across 
hundreds or thousands of IP addresses and domains.'' \43\ According to 
the ESPC, snowshoeing can be, and often has been, used to ``send emails 
related to phishing, fraud, or identity theft schemes, but current 
tools are inadequate to combat the practice because restrictions placed 
upon the viewing and screening of email limit the effectiveness of 
content-based filters.\44\ The ESPC did not provide, however, any 
evidence regarding the prevalence or incidence of snowshoeing.\45\ Nor 
did it offer support for its assertion that specifying this practice as 
an aggravated violation would have a minimal impact on businesses. 
Moreover, depending on the facts, some snowshoeing already is deemed an 
aggravated violation under section 7704(b)(2), which proscribes the 
automated creation of multiple accounts so that those accounts may be 
used to send commercial email.
---------------------------------------------------------------------------

    \43\ ESPC (86).
    \44\ Id.
    \45\ Id.
---------------------------------------------------------------------------

    One individual commenter recommended that the Commission consider 
whether to specify the use of third-party lookups for email addresses 
as an aggravated violation under the Act.\46\ The commenter described, 
in particular, how companies regularly exchange ``anonymized'' or ``de-
identified'' email addresses that could ultimately be de-anonymized and 
linked to actual consumers, and emphasized that these companies engage 
in email marketing. Although not stated explicitly, the commenter's 
concern seems to be the potential use of such techniques by spammers to 
execute well-informed phishing attacks or identity theft schemes. The 
commenter did not provide, however, any evidence of widespread consumer 
harm resulting from the use of third-party lookups for email addresses, 
nor did the commenter address the potential costs to businesses of 
specifying such a practice as an aggravated violation. For all of the 
reasons stated above, the Commission

[[Page 13119]]

believes there is insufficient evidence in the record to support 
modification of the Rule to specify any additional activities or 
practices that constitute aggravated violations.
---------------------------------------------------------------------------

    \46\ Hoofnagle (79). The Hoofnagle comment did not expressly 
define the term ``third-party lookup.''
---------------------------------------------------------------------------

C. Other Proposed Modifications to or Clarifications of the Rule

    Various commenters supporting the Rule suggested additional 
modifications to, or clarifications of, the Rule. As discussed in 
detail below, while many of the proposed rule changes may describe 
effective email procedures that could inform industry best practices, 
the record does not justify a rulemaking to consider whether to 
incorporate these proposals into the existing Rule.
1. Comments Regarding an Opt-In Approach to Commercial Email Messages
    At least 40 commenters expressed concerns or dissatisfaction with 
the CAN-SPAM Act's opt-out approach to commercial email messages. Most 
of these commenters recommended that the Commission modify the Rule to 
require prior consent (opt-in) from recipients before initiating 
commercial email messages.\47\ Some even suggested that the Rule adopt 
a ``double opt-in'' approach that requires recipients to confirm their 
initial request by responding to a link sent to the recipients' email 
address.\48\ These commenters cumulatively identified a number of 
factors--the greater burden of self-help imposed on consumers, IT 
departments, and/or ISPs; privacy concerns; and lack of uniformity with 
anti-spam laws in other countries--arguing for the necessity of 
modifying the Rule to require an opt-in approach to commercial email 
messages.\49\ Modifying the Rule to require prior consent from 
recipients of commercial email messages, however, would be beyond the 
text and scope of the Act.\50\
---------------------------------------------------------------------------

    \47\ See e.g., K. Bell (6); Ohlstein (8); Boyden (12); Barr 
(17); Wroblewski (30); Hofstee (50); Schulzrinne (56); Upton (87); 
CAUCE (96); L-Soft (98).
    \48\ Boyden (12); L-Soft (98).
    \49\ See e.g., Boyd (9); Reinoehl (13); Donie (25); Balsam (31); 
Bristol (42); Bickers (47); Crabtree (53); Schulzrinne (56); Walton 
(73); ESPC (86); CAUCE (96); Butler (100).
    \50\ See 15 U.S.C. 7704(c); 15 U.S.C. 7711; CAUCE (96) (``We 
realize that the FTC cannot change the text of CAN SPAM, but we note 
that an opt-in rule, as in the European Union and Canadian laws, 
rather than opt-out, would be far more effective.''); Upton (87) 
(same).
---------------------------------------------------------------------------

2. Comments Regarding Modification of Rule To Enhance Opt-Out 
Provisions
    Several comments proposed modifications to the Rule intended to 
better effectuate the Act's provisions related to opt-out requirements 
for commercial email messages.\51\ Most of these comments expressly 
requested that the Commission clarify the requirement that opt-out 
notices be ``clear and conspicuous.'' \52\ A few comments argued that 
standardized terminology (e.g., ``unsubscribe,'' ``opt-out,'' or 
``remove'') and additional guidance on placement, language, color/
contrast ratio, and text size would benefit consumers without imposing 
extra costs on businesses.\53\ In support of this recommendation, the 
OTA cited its own ``Email Marketing Best Practices and Unsubscribe 
Audit,'' which showed that, from 2015 to 2016, the percentage of top 
retailers that had good opt-out practices fell from 96 percent to 88 
percent.\54\ The OTA further advocated, as did Lashback, that the Rule 
require opt-out links to be text, not images, so they have 
longevity.\55\ Another commenter urged the Commission to prohibit opt-
out mechanisms from setting tracking cookies unrelated to the 
recipient's decision to opt out.\56\ The Ford comment echoed the 
proposals regarding type size and visibility requirements, and further 
asked the Commission to require a ``standardized box containing 
information on how to unsubscribe, at the bottom of each email, akin to 
other standardized labels for food, drugs, and cigarettes.'' \57\ Such 
a standardized mechanism, Ford argued, would not only help to remedy 
the problem of inconspicuous opt-out instructions, but also simplify 
and expedite the opt-out process to the extent that it could ``be 
invoked by a user's email client software.'' Similarly, other 
commenters suggested that the Commission adopt a standardized opt-out 
approach that requires minimal participation by the recipient.\58\
---------------------------------------------------------------------------

    \51\ Schulzrinne (56); OTA (85); Ford (99); Hoofnagle (79); 
Lashback (89).
    \52\ Hoofnagle (79); OTA (85); Lashback (89); Ford (99); see 
also 15 U.S.C. 7704(a)(3) (requiring inclusion of a return address 
or comparable mechanism in commercial electronic mail that is 
``clearly and conspicuously displayed''); 7704(a)(5)(A)(i) 
(requiring that notice of recipient's opportunity to decline to 
receive further commercial electronic mail messages from the sender 
be ``clear and conspicuous'').
    \53\ Hoofnagle (79); OTA (85); Lashback (89); Ford (99).
    \54\ OTA (85).
    \55\ Id.; Lashback (89).
    \56\ Hoofnagle (79).
    \57\ Ford (99).
    \58\ Schulzrinne (56) (advocating for a ``standards-based opt-
out link (URL) that requires no further user input''); Butler (100) 
(recommending a ``one-click method'' for opting out).
---------------------------------------------------------------------------

    There is no evidence in the record to support the proposed changes 
to the opt-out instructions. Additionally, none of the comments 
provides the Commission with information about the costs and benefits 
of these proposed rule changes. Moreover, standardized opt-out 
terminology or mechanisms would need to be consistent with the 
authority of the Commission, which is somewhat circumscribed with 
respect to any requirement to include specific language or labels in a 
commercial email message.\59\ For these reasons, the Commission 
declines to propose the adoption of commenters' suggested rule 
modifications regarding opt-out requirements.
---------------------------------------------------------------------------

    \59\ See 15 U.S.C. 7711(b) (``Subsection (a) [granting the 
Commission authority to implement the provisions of the CAN-SPAM 
Act] may not be construed to authorize the Commission to establish a 
requirement pursuant to section 7704(a)(5)(A) [requiring the 
inclusion of advertisement identifier, opt-out notice, and physical 
address in commercial electronic mail messages] of this title to 
include any specific words, characters, marks, or labels in a 
commercial electronic mail message . . .'').
---------------------------------------------------------------------------

3. Comments Regarding Modification of Rule To Account for Changes in 
Technology
    A few commenters recommended that the Commission modify the Rule to 
account for technological developments that have occurred since the 
promulgation of the Rule. For example, two comments called attention to 
the emergence of technical approaches for mechanically processing opt-
out instructions, and suggested that the Commission encourage or 
mandate their use via Rule modification.\60\
---------------------------------------------------------------------------

    \60\ Upton (87) and CAUCE (96) (both citing a method for ``one-
click unsubscription'' as defined in the internet Engineering Task 
Force (IETF) Request for Comment (RFC) 8058).
---------------------------------------------------------------------------

    Other comments emphasized that email authentication standards aimed 
at helping email providers verify sender domains and thwart email 
spoofing and phishing attacks have been developed and are commonly 
employed.\61\ Two comments encouraged the Commission to facilitate the 
adoption of authenticated email standards--e.g., DomainKeys Identified 
Mail (DKIM), Sender Policy Framework (SPF), and Domain-Based Message 
Authentication, Reporting, and Conformance (DMARC)--through the 
Rule.\62\
---------------------------------------------------------------------------

    \61\ OTA (85); ValiMail (91); Ford (99).
    \62\ ValiMail (91); Ford (99).
---------------------------------------------------------------------------

    Other commenters pointed to the progress made on email 
authentication standards as a basis for the Commission to reconsider 
the feasibility of a Do Not Email Registry pursuant to 15 U.S.C. 
7708.\63\
---------------------------------------------------------------------------

    \63\ Hoofnagle (79); Ford (99); cf. EPIC (93) (advocating for a 
domain name based Do Not Email Registry without appealing to 
progress made on email authentication standards).
---------------------------------------------------------------------------

    The Commission appreciates the information provided by these 
comments, but notes that the record is

[[Page 13120]]

silent concerning the increased costs to businesses, if any, that would 
result from modifying the Rule to mandate the implementation of these 
various technologies. Nor does the record explain why the Commission's 
codification of developing technology into the Rule is necessary where 
private markets have produced email authentication and opt-out 
technologies that are already enjoying widespread use. Moreover, as 
some comments have acknowledged, the Commission's Bureau of Consumer 
Protection (BCP) has previously addressed the issue of email 
authentication in a Staff Perspective issued in March 2017.\64\ 
Specifically, BCP staff encouraged businesses to help reduce the volume 
of phishing email messages and protect their reputations by fully 
implementing various low cost, readily available email authentication 
solutions.\65\ Although the Commission is familiar with these technical 
solutions that can help reduce unsolicited commercial email, it is also 
mindful of the potential pitfalls in incorporating technological 
standards in regulations. In the absence of any evidence in the record 
regarding the costs and benefits of imposing technologically-based rule 
changes, the Commission is not persuaded that the proposed 
modifications are appropriate at this time. However, the Commission 
will continue to monitor this issue and encourage the private market in 
its move toward developing and implementing technology that reduces the 
volume of spam.
---------------------------------------------------------------------------

    \64\ OTA (85) and ValiMail (91) (both citing Businesses Can Help 
Stop Phishing and Protect their Brands Using Email Authentication, 
Staff Perspective, March 2017, available at https://www.ftc.gov/news-events/blogs/business-blog/2017/03/want-stop-phishers-use-email-authentication).
    \65\ Businesses Can Help Stop Phishing and Protect their Brands 
Using Email Authentication, Staff Perspective, March 2017, available 
at https://www.ftc.gov/news-events/blogs/business-blog/2017/03/want-stop-phishers-use-email-authentication.
---------------------------------------------------------------------------

4. Comments Regarding Modification of Rule To Clarify Definition of 
Certain Terms Derived From the Act
    It is a violation of the CAN-SPAM Act to initiate the transmission 
of a commercial message or a transaction or relationship message that 
contains, or is accompanied by, materially false or misleading header 
information.\66\ Accordingly, the Act provides that a ```from' line 
(the line identifying or purporting to identify a person initiating the 
message) that accurately identifies any person who initiated the 
message shall not be considered materially false or materially 
misleading.'' \67\ As both OTA and ValiMail explain in their comments, 
however, in addition to the ``from'' line that is displayed within the 
end user's email client, industry practice (via email authentication 
standards) permits senders to identify themselves using additional 
``from'' lines not visible to the end user, such as the Reply-to or 
Return-Path fields.\68\ Consequently, both comments urged the 
Commission to specify that the definition of ``from'' refers only to 
the ``from'' field displayed in a user's email client, alluding to 
concerns about phishing attacks involving scammers who put one address 
in Reply-to or Return-Path fields, but another address in the From 
field. Neither comment, however, offers any evidence that the absence 
of such a clarification impedes the Commission's ability to enforce 
CAN-SPAM violations involving false header information or that such a 
clarification would enable greater enforcement. Nonetheless, the 
Commission staff will continue to monitor this issue and use other 
resources available to ensure that marketers understand their 
obligations under the Rule.
---------------------------------------------------------------------------

    \66\ 15 U.S.C. 7704(a)(1).
    \67\ 15 U.S.C. 7704(a)(1)(B) (emphasis added).
    \68\ OTA (85); ValiMail (91).
---------------------------------------------------------------------------

    The CAN-SPAM Act also authorizes providers of internet access 
service to enforce certain provisions of the Act.\69\ Where an internet 
access service brings a claim against a sender of email messages, the 
statute requires that the person providing consideration or inducing 
another person to initiate the electronic mail message has actual or 
constructive knowledge that the person initiating the email is 
engaging, or will engage, in a pattern or practice violating the 
Act.\70\ XMission, L.C. (``XMission''), on behalf of itself and other 
small to mid-sized internet service providers (ISPs), advocated that 
the Commission eliminate the scienter requirement from the definition 
of ``procure'' so that ``bona fide [Plaintiff] internet service 
provider[s] . . . [are] held to the same standard as FTC or government 
plaintiffs.'' \71\ The scienter requirement, however, is statutory--a 
requirement that the Commission likely cannot alter via a rule.
---------------------------------------------------------------------------

    \69\ 15 U.S.C. 7706(g)(1).
    \70\ 15 U.S.C. 7706(g)(2).
    \71\ XMission (88).
---------------------------------------------------------------------------

    The CAN-SPAM Act prohibits a person from initiating a commercial 
mail message with a subject heading that is ``deceptive,'' which the 
Act defines as ``be[ing] likely to mislead a recipient, acting 
reasonably under the circumstances, about a material fact regarding the 
contents or subject matter of the message.'' \72\ The Lashback comment 
urges the Commission to modify the Rule to clarify the definition of 
``deceptive'' by adding language that describes examples of deceptive 
messages,\73\ but the Act expressly states that the prohibition against 
deceptive subject headings is ``consistent with the criteria used in 
enforcement of [Section 5 of the FTC Act],'' \74\ and therefore, 
already provides clarity concerning the meaning of ``deceptive.'' \75\ 
Moreover, in the absence of any evidence in the record demonstrating 
confusion regarding what constitutes a deceptive subject heading, the 
Commission is not persuaded that the proposed modification is 
necessary.
---------------------------------------------------------------------------

    \72\ 15 U.S.C. 7704(a)(2).
    \73\ Lashback (89).
    \74\ 15 U.S.C. 7704(a)(2).
    \75\ See e.g., FTC Policy Statement on Deception (October 14, 
1983), available at https://www.ftc.gov/system/files/documents/public_statements/410531/831014deceptionstmt.pdf.
---------------------------------------------------------------------------

5. Comments Regarding Modification of Rule That Would Be Contrary to 
Congressional Intent Under the Act
    A number of comments expressed support for modifications to the 
Rule that arguably exceed the Commission's authority to issue 
regulations implementing the Act.\76\ Such recommendations included: 
(1) Requiring that language identifying a commercial email message as 
an advertisement be included in the subject line; \77\ (2) extending 
opt-out obligations to third-party list providers; \78\ (3) requiring 
consumer permission before transferring or selling a consumer's email 
address to a third-party; \79\ (4) blocking all unsolicited spam from 
servers outside the U.S.; \80\ (5) limiting the frequency at which 
emails may be sent to recipients; \81\ (6) minimizing or

[[Page 13121]]

eliminating federal preemption; \82\ (7) requiring companies that 
provide access to transmission lines connecting users to the internet 
to filter out and report spam to regulatory authorities; \83\ (8) 
providing email recipients a private right of action to enforce CAN-
SPAM Act violations; \84\ and (9) permitting class-action lawsuits.\85\
---------------------------------------------------------------------------

    \76\ Cf. 15 U.S.C. 7702(17)(B) (granting the Commission 
rulemaking authority to modify the definition of the term 
``transactional or relationship'' message); 15 U.S.C. 7704(c) 
(granting the Commission supplementary rulemaking authority 
regarding the time-period for processing opt-out requests and 
activities or practices that constitute aggravated violations); 15 
U.S.C. 7711 (granting the Commission authority to issue regulations 
implementing certain CAN-SPAM Act provisions in accordance with the 
Administrative Procedure Act).
    \77\ Silverstein (4) (``The FTC should issue a rule requiring 
all spam to have the subject line prefixed with ``ADV:''); Bristol 
(42) (``require unsolicited commercial emails to include a word or 
phrase in the send line that indicates that the email is an 
advertisement'').
    \78\ EPIC (93).
    \79\ Barr (17).
    \80\ Davis (78).
    \81\ Santiago (2) (``have a Rule that commercial senders could 
only send such emails 1-2 times per year absent a specific request 
from the consumer that such emails continue more frequently''); 
Wippler (63) (``1 marketing email from the company per 32 or 48 
hours'').
    \82\ Bristol (42); St. Peters (64); Ford (99).
    \83\ Davis (78).
    \84\ Balsam (31) (``enable the spam recipients to file lawsuits, 
not just the AG, FTC, and ISPs''); Wippler (63) (expressly 
recommending modification of the CAN-SPAM Act); Walton (73) (``the 
rules should allow for recipients of spam to enforce opt-out 
requests''); cf. 15 U.S.C. 7706.
    \85\ Barth (66); cf. 15 U.S.C. 7706.
---------------------------------------------------------------------------

    The first suggestion is unfeasible, because the Act expressly 
prohibits the Commission from designating ``any specific words, 
characters, marks, or labels'' to satisfy the requirement that 
initiators identify a commercial electronic mail message as an 
advertisement or solicitation.\86\ The second suggestion also conflicts 
with the plain language of certain definitions under both the Act and 
Rule. As the Commission has previously stated, ``a list owner must 
honor opt-out requests only if it qualifies as the `sender' of a 
commercial email (i.e., it is an initiator and its `product, service, 
or internet website' are `advertised or promoted' in the email).'' \87\ 
The Commission also declines to consider the remaining proposed 
modifications because each would be inconsistent with the Commission's 
circumscribed authority under the Act.
---------------------------------------------------------------------------

    \86\ 15 U.S.C. 7711(b).
    \87\ 79 FR at 29660.
---------------------------------------------------------------------------

6. Comments Regarding Law Enforcement Priorities and Policies
    A number of comments made proposals better understood as 
recommendations for how the Commission should implement enforcement 
priorities and policies rather than modifications to the Rule. These 
proposals included: (1) Allowing consumers to report and/or forward 
spam to the FTC; \88\ (2) sending violators a link to CAN-SPAM 
regulations and guidance documents; \89\ (3) including willful 
violators of CAN-SPAM on a ``blacklist'' for circulation among email 
service providers; \90\ (4) working with payment processors and other 
intermediaries to shutter accounts belonging to spammers; \91\ and (5) 
providing guidance to states regarding the scope of preemption under 
the Act.\92\
---------------------------------------------------------------------------

    \88\ Pesterfield (30); Francis (67).
    \89\ Pesterfield (30).
    \90\ Id.
    \91\ Ford (99).
    \92\ Id.
---------------------------------------------------------------------------

    The Commission has already adopted the first recommendation, and 
continues to encourage consumers to report illegal spam to 
ftccomplaintassistant.gov or forward it directly to [email protected]. Such 
complaints from consumers help the Commission to detect patterns of 
fraud and abuse, and identify potential investigative targets. The 
Commission also appreciates the recommendations provided by the 
remaining comments, and will take such information into consideration 
as it continues to formulate enforcement priorities that would benefit 
consumers and secure industrywide compliance with the CAN-SPAM Rule.

IV. Conclusion

    The comments overwhelmingly: (1) Favor retention of the Rule and 
assert that there is a continuing need for the Rule; (2) conclude that 
the Rule benefits consumers; (3) assert that the Rule does not impose 
substantial economic burdens; and (4) conclude that the benefits 
outweigh the minimal costs the Rule imposes. The Commission has 
analyzed the proposed benefits to consumers of proposed changes to the 
Rule, including any evidence provided of those benefits, and balanced 
those proposed benefits against the cost of implementing the changes, 
the need for the change, and alternative means of providing these 
benefits for consumers, such as consumer education materials. Despite 
some comments recommending that the Commission adopt modifications to 
the Rule, there is insufficient evidence in the record to demonstrate 
that such modifications are necessary and would, in fact, help 
consumers. Additionally, none of the comments proposing modifications 
or clarifications that could potentially burden industry sufficiently 
analyzed the associated costs.
    The FTC plans to review and consider revising its consumer and 
business education materials to address the concerns raised in the 
comments submitted pursuant to this Rule Review to ensure that 
consumers and businesses more easily understand the Rule's protections 
and requirements. Furthermore, the Commission has a variety of 
enforcement tools available to help consumers better understand the 
Rule's protections and ensure compliance. If, at a later date, the 
Commission concludes that the Rule, case law interpreting the Rule, and 
the FTC's other enforcement tools do not provide adequate guidance and 
protection for consumers in the marketplace, it can then consider, 
based on a further record, whether and how to amend the Rule. 
Accordingly, the Commission has determined to retain the current Rule 
and is terminating this review.

    By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2019-06562 Filed 4-3-19; 8:45 am]
 BILLING CODE 6750-01-P