October 29, 2008
CAN-Spam-a-Friend?--Hoang v. Reunion.com
Hoang v. Reunion.com sidesteps an eagerly anticipated legal dispute over the legality of commercial address book scraping and 'send-to-a-friend' emails, and also highlights the damage that can cascade when a federal Circuit Court woefully misreads a statute.
By Ethan Ackerman
In July 2008, Violetta Hoang filed a class action lawsuit under California's state anti-spam laws against Reunion.com, a Los Angeles-based social network site. On October 6th, the court ruled for Reunion.com, granting its motion to dismiss, but allowing Hoang leave to re-file an amended complaint. While a less-than-3-months turnaround is admirable, this case stands as an apt reminder that haste makes waste.
What was sent?
A series of May 2008 solicitations from plaintiffs' acquaintances were the origin of this suit. More precisely, the series of emails were sent from Reunion.com mail servers but bore the names (and in some cases, addresses) of plaintiff's acquaintances in the 'From' line of the email. The emails also contained subject lines like "[Acquaintance] Wants to Connect with You." The emails were sent by Reunion.com servers because plaintiffs' acquaintances had registered with Reunion.com and at some point agreed to, or failed to opt out of, Reunion.com's address scraping practices. In the lawsuit, plaintiffs alleged that these emails were sent to plaintiffs not by plaintiff's acquaintances, as the email 'From' line and subject suggested, but by Reunion.com after Reunion.com had scraped the plaintiffs' addresses from acquaintances' address books when acquaintances became Reunion.com members. In short, pursuant to a possibly agreed-to Terms of Service, Reunion.com scraped its members' address books and then sent solicitations to the resulting addresses, but also took several steps to make it appear that the solicitation was from the member.
This email-scraping-and-dodgy-addressing practice sounds consistent with other accounts of Reunion.com's less than desirable (or legal) efforts to expand its member base. The site claims tens of millions of registered members, suggesting these email campaigns seem to work. The frequency of critical coverage over Reunion.com's various advertising and data-gathering methods also seems to suggest the tactics are as commonly objectionable as they are effective.
In February of this year, Eric highlighted a Wired article about address book scraping and other common web gathering processes. It's a very interesting area with a lot of thorny legal questions. This post, however, is just about the resulting spam.
But was it spam?
Claiming a violation of all three portions of California's anti-spam law, plaintiff's brought a claim against Reunion.com. Plaintiffs alleged Reunion.com used a falsified, misrepresented or forged 'From' line. Plaintiffs alleged that the subject lines Reunion.com used were misleading. Plaintiffs also alleged Reunion.com used a 3rd party domain name (yahoo.com) without Yahoo's permission.
[Author's aside: From the complaint, which describes several instances of 'From' line name forging, but only one instance of 'yahoo.com' appearing as part of a 'From' line, it sounds like Reunion.com's address book scraping likely picked up an email address that was stored in the name field of a member's address book, rather than some more nefarious domain name forging.]
Smells like spam, so what does the law say?
Rather than denying these accusations, Reunion.com chose to counter with a preemption defense. Reunion.com claimed that its practices were sanctioned by federal law and thus, even if actionable under California law, the federal CAN-SPAM Act preempted plaintiffs' claims.
The CAN-SPAM Act's preemption clause, 15 USC 7707 (b)1, does broadly preempt most state anti-spam laws - "This chapter supersedes any [State law] that expressly regulates the use of electronic mail to send commercial messages." This first sentence makes Reunion.com's preemption defense sound pretty plausible. But wait, as the late night infomercials say, there's more. The rest of the clause identifies a significant exception that preserves many of these state laws - "except to the extent that any such statute, regulation, or rule prohibits falsity or deception in [an email]."
So state law claims, like the plaintiffs', are preempted, except to the extent that the state law addresses falsity or deception, in which case the claims may proceed. Courts have been handling the preemption and preemption exception clauses of CAN-SPAM now for several years, and have had more or less no problem concluding that compliant state anti-spam laws can survive if they fit in CAN-SPAM's exception.
OK, so that's what CAN-SPAM says. Let's compare that to the California state law at issue. As identified above, the plaintiffs made three claims under the California law: a falsified 'From' line, a deceptive subject line, and the deceptive use of a 3rd party's domain name in an email header. All three claims address falsity and deception in an email's header, the core of CAN-SPAM's preemption exception. While Reunion.com might dispute the facts of each claim (not misleading, not false because authorized, etc.) it seems pretty clear that the claims can survive CAN SPAM's preemption test as written.
So if the law passes the CAN-SPAM test, whose preemption test is it failing?
The court accepts Reunion.com's first source, the prior Mummagraphics case, and doesn't rely on the FTC's policy paper for its holding. As a result, its discussion of the FTC guidance is a very brief discussion at the opinion's end in its discussion over whether to grant leave to amend.
A brief tangent
Before addressing the Mummagraphics precedent, I want to address the FTC rulemaking and policy paper too. Reunion.com asserts that the FTC rulemaking and policy paper permit, as a matter of law, its address book scraping and subsequent emailing. As a threshold matter, there's the fairly complex question of which portions of the FTC's Rulemaking and policy paper on refer-a-friend emails are actual Rulemakings with the force of law and which are policy guidance. Fun APA stuff. But even if the refer-a-friend portions are construed as a rulemaking, a brief read of the guidance reveals that there's, to put this politely, no sane way to conclude that the guidance makes Reunion.com's actions "as a matter of law, exempt from liability under CAN-SPAM." The guidance is page after page of non-exclusive, hedged discussions of what may make a sender liable. The FTC doesn't hand out any 'exemptions from liability' in the rules. Even this otherwise preemption-accepting court is suspicious of this assertion, stating
The FTC did not rule that a commercial entity whose message is the subject of a "forward-to-a-'friend'" email is, as a matter of law, exempt from liability under CAN-SPAM or that such entity could never be held liable, as a matter of federal law, for initiating an email containing false information. Rather, the FTC found that a determination as to whether such entity is exempt from liability under CAN-SPAM would require a "highly fact specific inquiry.
To further beat a dead horse, I'll just focus the issue a bit more. The guidance discusses when a commercially motivated refer-a-friend email is, and very infrequently isn't, subject to CAN-SPAM's provisions. It is page after page addressing when an email will be held to CAN-SPAM's standards, not on when an email will be held to, or preempted from, a state law's standards. While it may be possible that the FTC rules could categorize a given email as "not covered" by CAN-SPAM, that's not the same thing as preempted by CAN-SPAM. Buried deep within a hypothetical set of facts there might be a negative implied preemption argument that could be teased out of the FTC ruling, but Reunion.com isn't making that argument.
Back to the holding, then...
It's not that common in the development of case law that a significant intellectual error can be traced to one particular case, but that's the case here. This case errs because the court was too quick to rely on the erroneous 4th Circuit holding of Omega World v. Mummagraphics to dismiss.
The Mummagraphics court was faced with a similar suit alleging state and CAN-SPAM claims over emails with similar false and misleading subjects and headers, including subject lines falsely suggesting the recipient had requested the email, and "from:" addresses from unaffiliated domains that were not even in the actual transmission path.
A more critical argument against the Mummagraphics opinion could easily be made, but I'll simply opine that Judge Wilkerson of the Fourth Circuit sent spam jurisprudence down the wrong path in several key respects with this holding. While each of the errors will likely cause a lot of damage, several of them (e.g. the re-writing of the statute's 'materiality' standard, concluding that truthful email body text 'cures' header falsity) only have to do with claims under CAN-SPAM, and not on state law preemption. As a result, I'll focus on the error of Mummagraphics that causes so much headache for preemption claims - what constitutes a "falsity or deception" for purposes of determining preemption.
The statute says 'falsity and deception,' but this court thinks it should say fraud instead, so we now hold that it does...
The Mummagraphics court was faced with a claim under an Oklahoma statute that prohibited falsity and deception in email headers. While acknowledging that 'falsity' means just that - "erroneous, wrong," or "untrue", the court proceeded to construe the CAN-SPAM exception as preempting any state law using any standard less than "fraudulent".
This shift is no angels-on-the-head-of-a-pin difference. It's more analogous to the difference between murder and simple assault. Fraud requires misrepresentation and knowledge of falsity and intent to defraud and justifiable reliance and damage. Fraud is a significant enough legal claim that it has its own pleading standards in Federal court. In contrast, falsity or deception are just individual elements of fraud.
The Mummagraphics court dresses up this statutory re-writing by pointing to instances in CAN-SPAM where a heightened standard beyond 'falsity' is used, and argues that these other instances prove Congress intended a heightened standard. Unfortunately, this argument just proves the opposite. Far from being another instance of the same standard, the other language proves Congress knew how to state the particular standard it wanted. When 'falsity' was intended, as in 15 USC 7707(b)1, 'falsity' was used. When 'fraud' was intended, as in a mere paragraph later in 15 USC 7707(b)2, 'fraud' was used. When 'falsity' wasn't enough, but 'fraud' was too much, as in 15 USC 7701(a)1, 'materially false' was used. When Congress wanted to require actual knowledge, or a specific intent, as in 7704(a)2 and 7702(12), it used the terms "actual knowledge" and "intentionally."
Eh, so Mummagraphics was probably based on an erroneous conclusion, what's the harm?
The Mummagraphics opinion represents a Circuit-level opinion on federal law, so it is wholly binding in state and federal courts in the 4th Circuit and persuasive in all others. Additionally, it construes the scope of federal law, the CAN-SPAM Act, rather than just a particular state's law, so it is, if not controlling, at least pertinent in every case that raises a CAN-SPAM preemption defense. Not surprisingly, the opinion is having an effect. Several courts, even before Reunion.com, have relied on Mummagraphics' impossible to meet preemption standard to summarily dismiss cases raising state law anti-spam claims. State enforcers and legislatures are even starting to take notice and drafting amicus briefs and legislation to circumvent the results of the holding.
Eric's comments: Ethan makes a persuasive case that the statutory language in CAN-SPAM distinguished fraud from falsity. Nevertheless, I still support the Mummagraphics holding because I always thought it was unnecessary and counterproductive for Congress to let any state anti-spam statute survive preemption. From my vantage point, state anti-spam laws have done nothing useful to curb abusive spam. Instead, they have just littered the court system with junk cases, often from serial entrepreneurial litigants trying to punch lottery tickets. So if Mummagraphics provides defendants with a quick way to squelch unnecessary state law claims, I'm all for it.
I think Ethan is right that this case may misread Mummagraphics to extend the preemption even further than the 4th Circuit intended. Given my predisposition towards broad preemption, this is still a good outcome, but I am more troubled. In particular, I think the Reunion.com approach does not comfortably fit in the refer-a-friend bucket, and their efforts to leverage off the implicit social network connections bring to mind the worst aspects of the Facebook Beacon program. In this sense, the line between a true refer-a-friend program and a pretend referral that's just blatant marketing by grabbing email addresses reminds me a little of the first party/third party marketing representation distinction in 47 USC 230 jurisprudence. If the friend asks the site to send the email, it's a referral and not spam. If the friend provides the email address but doesn't endorse the message, it's governable by CAN-SPAM. This distinction is cloudy in 230 jurisprudence too, and it is giving the SEC fits too. Smells like a paper topic here.
On a personal note, mazel tov to Ethan and his wife on the arrival of their daughter Lily!
10/30 UPDATE: Venkat's comments include a link to the plaintiffs' amended complaint. It takes a legally correct, tactically courageous approach. Rather than taking the Court up on its invitation to amend the pleadings to meet the various elements of a fraud standard, the plaintiffs' complaint reiterates its earlier falsity standard pleadings and then attempts to distinguish Mummagraphics, or at least limit the holding. The amended complaint distinguishes and notes that the Mummagraphics holding, for all its strong dicta about fraud and broad preemption, only held that CAN-SPAM would preempt a strict liability statute. The plaintiffs then proceed to show that the California statute is more than a strict liability statute, and even helpfully point to 9th Circuit precedent that distinguishes falsity from fraud for federal law purposes, clearly holding falsity as a lesser standard. I suspect Reunion.com could make the strong counter-argument that the Mummagraphics results matter more than the holding, because the Mummagraphics result, preemption, was of an almost identical statute that wasn't strict liability either. But making such an argument only invites closer scrutiny of Mummagraphics and highlights its error. Not only was Mummagraphics' stated holding (strict liability is preempted) inconsistent with the Mummagraphics result (a 'more-than-strict-liability' statute was preempted) but the holding was legally wrong in attempting to re-write the carefully negotiated preemption standard up from falsity to something higher. Before giving the benefit of the doubt to the Mummagraphics court in its re-writing, consider that the precise wording and standards in the preemption provisions of a federal spam law were one of its most-negotiated provisions. They changed from one Congress to the next, were different between various bills in the 108th congress, and were even switched between the different versions introduced and ultimately passed in the 108th Congress.
TrackBack URL for this entry: