Recently in CAN-SPAM Act Category

Don't Spam My Wall - California Court Rules that CAN-SPAM Act Applies to Social Media Messaging

Posted

By
On March 28, 2011, the U.S. District Court for the Northern District of California held in Facebook, Inc. v. MaxBounty, Inc. that messages sent by Facebook users to their Facebook friends' walls, news feeds or home pages are "electronic mail messages" under the CAN-SPAM Act. The court, in denying MaxBounty's motion to dismiss, rejected the argument that CAN-SPAM applies only to traditional e-mail messages. The ruling is the most expansive judicial interpretation to date of the types of messages falling within the purview of the CAN-SPAM Act. While the court did not address the underlying merits of the CAN-SPAM claims, companies using social media in marketing should verify that they (and any marketing services they engage) comply with CAN-SPAM's requirements for commercial messages sent via social media platforms.

While technically the court's decision means that a message posted by one Facebook user to a friend's wall promoting the poster's home business could potentially be construed as a commercial "electronic mail message" under CAN-SPAM, it seems unlikely that Facebook or other social networking sites would sue their users under CAN-SPAM's private right of action for small numbers of such individual messages (or even large numbers, provided a business was not violating the site's terms of use).

However, the broad interpretation of the applicability of the CAN-SPAM Act could have far-reaching consequences for companies that use social media platforms for marketing. It is unlikely that more mainstream companies would adopt the aggressive tactics allegedly taken by MaxBounty, or that most social media platforms would take action against companies or users who were not abusing the system. Nevertheless, the CAN-SPAM Act requires that all commercial "electronic mail messages" comply with the following:

  1. The header information for the message (including the "From," "To," "Reply-To," and routing information including the originating domain name and email address) must be accurate and identify the person or business who initiated the message;
  2. The subject line must accurately reflect the content of the message;
  3. The message must disclose clearly and conspicuously that it is an advertisement;
  4. The message must include a valid physical postal address for the person or business who  initiated the message;
  5. The message must include a clear and conspicuous explanation of how the recipient can opt out of getting email in the future from the person or business who initiated the message;
  6. Any opt-out mechanism must be able to process opt-out requests for at least 30 days after the message is sent. A recipient's opt-out request must be implemented within 10 business days.

The CAN-SPAM Act makes it clear that companies cannot contract away their legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible for compliance.

The FTC has been aggressive in pursuing violators of the CAN-SPAM Act's requirements, and those who use social media to send what have now been defined as "electronic mail messages" ignore the act's requirements at their peril.

Criminal Liability for Not Reading or Abiding by Terms of Service?

Posted

By
agree.jpg Thumbnail image for gotojail.jpg

Many people routinely click on the Agree button without reading the terms of service. Doing so can be perilous for many reasons. A pending case highlights another potential reason to read and abide by the terms of service - potential criminal liability. Granted, there are some unique facts here as discussed below, but it is to everyone's benefits to read and understand terms of service. For example, for users of a social media site, it is crazy to not understand what personal data is being collected and how it is being used and make an informed decision whether to use that site. For businesses (and investors in businesses) that interact with social media sites, it is critical that you understand and abide by the terms of service to assess whether your business model is "legal" and in compliance with the relevant terms of service. If not, your business (or investment) may be in peril, and in a worst case scenario you may face personal liability. Such was the case for the CEO of MDY when it created a tool that engaged in unauthorized access to Blizzard's World of Warcraft client software in violation of the relevant terms of service and EULA. In addition to the company being found to infringe, the CEO was held personally liable for $6 million in damages.

In a pending case, Facebook v. Power Ventures dba/Power.com, Facebook is relying on its terms of service and the Computer Fraud and Abuse Act and an analogous provision of the California Penal Code to prevent Power.com from using automated tools to populate a portal that aggregates a user's social networking profiles. This is deemed beneficial by many users, but not by Facebook. In its complaint, Facebook alleges that it grants a limited license to create applications that interact with Facebook's proprietary network subject to various terms of use agreements which prohibit, among other things, requesting, soliciting, or otherwise obtaining access to user names, passwords or other authentication credentials.

Facebook alleges that Power.com induces visitors to surrender their Facebook user names and passwords in order to "integrate" their Facebook account into the Power.com website, in violation of the Facebook's terms of service.

After notification from Facebook. Power.com allegedly initially agreed to cease the activity and purge the "ill-gotten data," but apparently later changed its mind and continued its practices. In response, Facebook claims to have implemented technical measures to block access to the site by Power.com but Power.com then allegedly circumvented the technological security measures without authorization in violation of the Computer Fraud and Abuse Act. Facebook also alleged violation of CALIFORNIA PENAL CODE 502(c), the "COMPREHENSIVE COMPUTER DATA ACCESS AND FRAUD ACT" (including Sections 1-4 and 7) and the anti-circumvention provisions of the DMCA, among other claims.

Additionally, Facebook alleges that Power.com used the names to send unsolicited email messages to Facebook users that contained false header information in violation of the CAN-SPAM (CONTROLLING THE ASSAULT OF NON-SOLICITED PORNOGRAPHY AND MARKETING) Act.

Even though this is a civil action the penalties that can flow from a finding of violation of the Computer Fraud and Abuse Act include: (A) a fine or imprisonment for not more than ten years, or both (for a first conviction) and (B) a fine under or imprisonment for not more than twenty years, or both, in the case of a repeat offender. Violation of the relevant sections of the California Penal Code can result in fines and imprisonment up to three years.

The Electronic Frontier Foundation filed an amicus brief in support of Power Ventures; arguing:

Facebook argues that by offering these enhanced services to users, Power violated California's computer crime law. It grounds its claim in the fact that Facebook's terms of service prohibit a user from having automated access to a user's own information and that Power continued to offer the service to Facebook users even after Facebook sent Power a cease and desist letter demanding that it stop. Yet merely providing a technology to assist a user in accessing his or her own data in a novel manner cannot and should not form the basis for criminal liability.

Many commenters have pointed out that taken to an extreme, any online service provider can create ridiculous terms of service and allege that there is a violation. While this may theoretically be true, in reality a court could strike down a frivolous clause if that were the case. However, when a company has a legitimate business interest to protect, and the terms of service relate to that business interest, an argument can be made that such terms should be upheld. Here Facebook appears to be alleging that it has a legitimate right to prevent third party application developers from requesting, soliciting, or otherwise obtaining access to user names, passwords or other authentication credentials. Perhaps this case will shed some light on this issue. Check back as we will provide updates on this case as it progresses.

Facebook Complaint