April 13, 2006
Advertiser Not Liable for Spam--Hypertouch v. Kennedy-Western University
By Eric Goldman
In this case, Hypertouch claims that emails promoting an online educational institution, Kennedy-Western University, violated a long list of CAN-SPAM provisions. The two principal issues in this case are: (1) does Hypertouch qualify as an "Internet access service" for purposes of having standing to privately enforce CAN-SPAM?, and (2) if Kennedy-Western didn't initiate the emails, did Kennedy-Western have the requisite scienter to be liable for procuring the illegal email services?
Definition of Internet Access Service
The statute defines "Internet access service" as a service that enables users to access content or services over the Internet. There's no question that Hypertouch runs email servers, but there is a factual dispute about exactly what Hypertouch does. Kennedy-Western alleges that Hypertouch has no customers; Hypertouch claims to have 120 email accounts, many of which is provides at no charge.
Still, Hypertouch's allegation seems to leave open a key question: are any of these accounts used by third parties/non-employees? The distinction is critical because if all of Hypertouch's email services are used by employees, then Hypertouch is similarly situated to every company that gives employees email accounts. Under that reading, then, virtually every employer can be a private plaintiff under CAN-SPAM.
The other reading--the one I think Congress meant--is that an IAS provides email or connectivity to third party non-employees. Thus, if a company is in the business of providing email services to the public (even if the number of customers is small, and even if the company provides email accounts for free), then it should have a private right of action under CAN-SPAM. If the company merely provides email accounts to employees, then I think Congress did not intend to create a private right of action under CAN-SPAM. Note that these employers may still have recourse under the CFAA, common law trespass to chattels, any surviving state anti-spam laws, and various state computer crime laws.
The court sidesteps this entire distinction, merely saying that CAN-SPAM's private cause of action exists even if the IAS provides free email accounts and even if the IAS does not provide services other than email. All of this is true but, I think, misses the fundamental question.
Did Kennedy-Western "Procure" the Illegal Emails?
The spams at issue were sent by a variety of email marketers. Kennedy-Western claims that it didn't know these third parties were spamming. Instead, Kennedy-Western presented evidence that it had policies restricting spam and had monitored its marketing agents. On this basis, the court says that Kennedy-Western had sufficiently produced evidence that it lacked the requisite scienter.
Hypertouch could have adduced evidence to defeat the summary judgment motion, but the court says that Hypertouch didn't introduce any concrete evidence of Kennedy-Western's scienter. Instead, Hypertouch only made a conclusory allegation of knowledge, and this was further undercut by Hypertouch's admission in a deposition that Hypertouch had no evidence of Kennedy-Western's knowledge that spam was being sent on its behalf. Accordingly, Kennedy-Western wins summary judgment on knowledge, defeating the CAN-SPAM claim.
This case reaches an outcome consistent with Fenn v. Redmond Venture, a 2004 Utah state court case (under Utah's state anti-spam law) where the defendant defeated the claim simply by showing that it had an anti-spam policy. In that case, the anti-spam policy was dispositive, while in this case the plaintiff might have been able to overcome the policy with sufficient evidence of knowledge from other sources. However, once again this shows the benefit to advertisers of having an anti-spam/anti-illegal-adware provision in their advertising contracts.
Also, this case is another datapoint in the running dialogue about when advertisers are liable for the acts of their media partners. In this respect, anti-spam laws generally (and CAN-SPAM in particular) are a little unusual because they statutorily enact advertiser liability provisions. In contrast, I've yet to find another medium where advertisers are clearly liable for the acts of their media vendors. Yet, with rulings like this and the Fenn case, defendants might be encouraged that courts will carefully evaluate advertiser liability even when there's a statute creating such liability. From a defense standpoint, this is good news.
Brian McWilliams' comments on the Hypertouch case.
Spam that has false or deceptive headers does not currently have a limit to damages, as the law allows for unlimited monetary damages for offenders who send spam with inaccurate or materially misleading header information. Why is this the case, and how is it constitutional to have no limit to the damages that can be received?
Posted by: Pre-law Carrie at July 17, 2006 08:28 AM