Affiliate Spam Liability is Fact Question–US v. Cyberheat

By Eric Goldman

U.S. v. Cyberheat, Inc., 2007 WL 686678 (D. Ariz. March 2, 2007)

This case deals with one of the great unresolved Cyberlaw questions: when is an online advertiser liable for the downstream behavior of its media outlets? This question is so important because advertising fuels the Internet economy, both the good–such as the great social benefits produced by ad-supported search engines–and the bad–such as unwanted spam and pernicious spyware. Accordingly, it is critical that advertiser liability policy be set very carefully. Set correctly, bad spam/spyware could dry up. Set incorrectly, the Internet ecology could be destroyed.

Typically, consumer protection advocates favor strict liability for online advertisers. Thus, regardless of advertiser scienter, advertisers should have absolute liability for running ads via unwanted adware or spam. On the plus side, such a theory would probably have the desired benefit of cutting off the flow of advertising to spam and adware.

On the minus side, strict liability for online advertisers also would reduce online advertising across-the-board. Advertisers don’t want the additional liability, nor would they want to spend the time/money to monitor downstream behavior. Perhaps more importantly, I am not aware of any equivalent liability on the part of offline advertisers, so strict liability for online advertisers would represent a type of cyberspace exceptionalism that would likely direct dollars away from online advertisement back to offline advertising.

Interestingly, we have surprisingly little law involving online advertiser liability for media outlets. Statutorily, advertiser liability was enacted in CAN-SPAM and the Utah/Alaska anti-adware laws, but I’m not aware of other statutes. From a case law standpoint, there is surprisingly little precedent. Two relatively recent spam cases, Fenn and Hypertouch, have implicitly rejected strict liability for advertisers (the Fenn case dealt with Utah’s anti-spam statute, not CAN-SPAM); in both cases, the advertiser’s use of a contract prohibiting advertising by spam was sufficient to cut off liability for downstream behavior. The Cyberheat case pointed to another case I hadn’t caught before, the Fare Deals v. World Choice Travel.com case, 180 F. Supp. 2d 678 (D. Md. 2001), which also rejected advertiser liability (in that case, for ads running on a website that allegedly infringed trademarks). Finally, there was the recently hyped settlement between the NY Attorney Generals’ office and three adware advertisers. However, it’s hard to divine much precedent from a settlement, and the chicken-scratch settlement terms imply that the defendants didn’t settle because they were quaking in their boots over their legal liability.

(There are other cases, and I haven’t done a complete regression to validate this point–but I trust the point is clear that the case law is scrappy and defense-favorable).

The dearth of relevant case law makes the newest case on the topic, US v. Cyberheat, so interesting. The FTC went guns ablazin’ after a porn website for spam sent by its affiliates that allegedly violated CAN-SPAM, arguing under the terms of the statutory advertising liability provision that the advertiser is strictly liable for these spam or should be liable under an implied negligence theory (the case doesn’t use the term “implied negligence,” but the term is designed to characterize the FTC’s theory that the facts so clearly establish negligence that the defendant should be liable without any further showing about its mental state).

This tussle over the appropriate scienter requirement appeared to overwhelm the judge, and we get a pretty garbled opinion in response. However, we get one clear statement here: the judge unambiguously rejects strict liability for the affiliate’s behavior. Instead, after chasing his tail articulating various vicarious liability/respondeat superior/agency theories, the judge concludes that the advertiser is liable for the affiliate spam only if the advertiser had sufficient knowledge of and control over the affiliates’ behavior.

But…how much knowledge and control is sufficient? I have no idea, and frankly, I don’t think the judge does either. However, let’s look at the facts alleged by the FTC that weren’t sufficient to win summary judgment:

* the advertiser didn’t have a significant screening process for retaining affiliates

* the advertiser didn’t ask affiliates if they planned to do email marketing

* the advertiser had an agreement prohibiting spam but terminated affiliates slowly/inconsistently even when the advertiser received consumer complaints about an affiliate’s behavior

* when the advertiser terminated affiliates, it didn’t always terminate multiple accounts held by the same affiliate

* the advertiser provided web hosting, marketing and promotional tools to affiliates, including (I believe) serving up the porn images displayed in the emails when opened

The advertiser’s principal counterarguments were that it had its contract restriction against spam and that the affiliates were independent contractors. (It was unclear to what extent the advertiser disputed the other facts alleged by the FTC).

So this case will go to trial to determine the advertiser’s knowledge/control and whether it acted reasonably under these circumstances. While the FTC might still win this case, this ruling nevertheless must be a sobering wake-up call that the government can’t simply allege that liability follows ad dollars and expect to win.

More commentary on this case: Venkat and Reasonable Basis.