January 20, 2011
CA Appeals Court: Claims Under State Spam Statute Not Preempted by CAN-SPAM - Hypertouch v. Valueclick
[Post by Venkat Balasubramani with some comments from Eric]
Hypertouch, Inc. v. Valueclick, Inc., et al., B218603 (Cal. Ct. App.; Jan. 18, 2011)
A California appeals court weighed in on a long-running debate: whether CAN-SPAM preempts California's spam statute. This is a significant decision that covers a lot of ground (I think it mentions just about every major spam case), and it is sure to be appealed.
Background: Two of the seminal anti-anti-spam cases were Mummagraphics and Virtumundo. Mummagraphics said that CAN-SPAM is intended to cover material misstatements in emails and preempted contrary state laws (to the extent they imposed liability for immaterial misstatements). Virtumundo said that only legitimate ISPs that have suffered actual harm can sue under CAN-SPAM. In Virtumundo, the Ninth Circuit also rejected the plaintiff's claims under Washington's email statute. The plaintiff in Virtumundo was pushing the envelope, and it was unclear as to whether the Ninth Circuit's rejection of his state law claims was restricted to the plaintiff's fanciful claims which clearly stretched the scope of Washington's spam statute to the breaking point. Mummagraphics and Virtumundo were from the Fourth and Ninth Circuits respectively, and they left open the question of how other state spam statutes would fare, including California's, which is one of the most expansive (and important). Lower federal courts struggled with applying Virtumundo and Mummagraphics to the preemption question in California, and decisions were all over the place. Some courts held that CAN-SPAM's savings clause only saves state statutes that sound in traditional fraud, and since California's spam statute didn't require proof of reliance and damages, it did not fall into this category and was preempted. (Here's my April 2010 post on Hoang v. Reunion.com, a case that struggled with the preemption question: "Reunion.com Revisited Again: Claims Under CA Spam Law Not Preempted by CAN-SPAM -- Hoang v. Reunion.com.")
Factual Background: Hypertouch brought claims against Valueclick, various Valueclick subsidiaries, and PrimaryAds for violating section 17529.5 (California's spam statute). As the court describes it, Hypertouch is a small provider of email service to about 100 customers. Valueclick provides online marketing services to:
third-party advertisers who promote retail products. . . . Valueclick contracts with these third-party advertisers to place promotional offers on websites that are owned and operated by various Valueclick entities. Consumers, in turn, can visit Valueclick's websites and earn rewards in exchange for participating in the advertised promotional offers.
Valueclick contracts with affiliates who "drive traffic" through methods chosen by the affiliates in their discretion. Valueclick provides the affiliates the creatives for a promotion, and the affiliates promote as they see fit (in many cases hiring sub-affiliates to effect the promotions). Valueclick alleged that it had no "knowledge of, or control over, the email delivery methods or header information used by [affiliates] or their sub-affiliates." [This is a risky admission!] PrimaryAds looks like it's similar to Valueclick - PrimaryAds operates a website which contains third party offers. PrimaryAds contracts with affiliates who download materials from PrimaryAds' website and engage in promotions (which are tracked by PrimaryAds). PrimaryAds requires its affiliates to sign agreements stating that the affiliates will comply with all laws, including anti-spam laws, in carrying out their promotion activities. PrimaryAds also alleged that it had "no control over the email delivery methods used by affiliates."
Hypertouch argued that Valueclick and PrimaryAds were advertised via emails that violated California's spam statute in three ways: (1) the emails contained deceptive header information (because the from and to fields did not accurately reflect the sender or recipient); (2) the subject lines were likely to mislead recipients into thinking they would receive free stuff; and (3) the emails used third party domain names without the third party's permission. The trial court granted defendants' motion for summary judgment. The trial court held that defendants could only be held liable for emails they sent or caused to be sent (which cut out a chunk of the emails in question). The trial court also found that CAN-SPAM preempted state spam statutes which regulated misleading emails, unless the statutes covered "common law fraud or deceit." Since the claims did not cover the elements of common law fraud, they were preempted. Significantly, the court awarded defendants $100,000 in costs.
The appeals court's decision: The court reversed and ruled for Hypertouch, with an order that dramatically expands the reach of potential liability for products or companies that are advertised via email (regardless of whether they send the email). It's a blockbuster ruling for the anti-spam community.
Preemption: CAN-SPAM's preemption provision states that it preempts state statutes that regulate the use of commercial email "except to the extent that any such statute prohibits falsity or deception in any portion of a commercial email." The court acknowledges that CAN-SPAM's preemption was intended to accomplish a uniform standard for email regulation (to avoid requiring compliance with a "patchwork" of laws). The court also cites to a Senate Report that says that state laws prohibiting things like "fraudulent or deceptive headers, subject lines, or content" should not be preempted "because they target behavior that a legitimate business trying to comply with relevant laws would not be engaging in anyway."
The court disagrees with the trial court's conclusion on preemption and provides two main reasons, along with a lengthy discussion (and canvassing of the case law): (1) the language of the preemption clause does not support a finding of preemption; (2) allowing state law claims that reach misleading but not fraudulent emails would not undermine a national standard.
Hypertouch's claims survive summary judgment: Defendants argued that Hypertouch failed to put forth evidence that defendants either sent the emails or "knew" they were being sent by an affiliate in a misleading manner. The court responds that:
the plain text of 17529.5 indicates that its application is not limited to entities that 'send' the offending emails nor does it require plaintiff to establish that defendant had knowledge of such emails. Rather, the statute imposes liability on any 'person or entity' that 'advertises' in an email containing any of the forms of deceptive content described in section 17529.5 [(a)(1)-(3)].
Do the Emails Violate the Statute?: Although plaintiffs asserted that the emails at issue violated three different prongs of section 17529.5, the court doesn't discuss the other two prongs, and merely focuses on the subject line prong. Section (a)(3) is the no misleading subject line prong, and the court finds that the following representative subject lines potentially violate the statute:
Get a FREE Golf Retreat to 1 of 10 destinations;
Let us know your opinion and win a free gift card;
Do you think Hillary will win? Participate now for a Visa card
In support of its summary judgment burden, Hypertouch put forth the testimony of its president (?) who says that he clicked on links in these emails and found out that in order to receive anything for free, you had to purchase something. As the court phrases it, the statute requires the subject line to mislead a recipient about a "material fact," and
if a subject line "creates the impression that the content of the email will allow the recipient to obtain a free gift by doing one act (such as opening the email or participating in a simple survey) and the content of the email reveal [sic] that the 'gift' can only be obtained by undertaking more onerous tasks . . . the subject line is misleading about the contents of the email."
1 year statute of limitations on liquidated damages claims: The California statute allows for statutory damages or actual damages. If the statutory damages are considered a penalty, then they are subject to a one year statute of limitations under California law. Hypertouch argued that statutory damages should not be subject to the one year time-bar because they are discretionary, but the court disagrees, holding that although the court has discretion with respect to the amount of damages it awards, it must award some amount of damages. Therefore, the court concludes that Hypertouch may seek actual damages for emails within three years of their receipt, but may only seek statutory damages for emails within one year of their receipt.
This is a big ruling on several levels.
The big practical effect is that it provides an avenue for California spam plaintiffs to seek relief under the California statute. Previous spam cases have backfired on spam plaintiffs due to over-reaching, but I wonder if the preemption argument backfired on defendants due to their over-reaching. Arguing that the preemption clause only saved claims which sounded in actual fraud was a stretch, and both Ethan and I expressed discomfort with rulings that embraced this standard. The court almost has an easy argument to knock down, and it happened to be an aggressive interpretation of the preemption clause that defendants were responsible for pushing.
The even bigger effect of this ruling is the fact that persons or entities who do not themselves send email but who are advertised in non-compliant email can now be held liable, without a showing that they knew or should have known that they were being promoted via non-compliant spam. This is going to throw a big monkey wrench in affiliate programs. Previous cases dealing with affiliate liability in the CAN-SPAM context required plaintiffs to show some sort of knowledge or facts sufficient to impute knowledge. ("Affiliate Spam Liability is Fact Question--US v. Cyberheat"; "Affiliate Liability Extravaganza".)
In fact, the court expressly embraces a strict liability standard for affiliate liability. This is going to lead to some wacky results - for example, think of the case where a company located outside California is being promoted via email but does not know that its affiliates are emailing to California residents (the affiliates themselves may not know). All of a sudden, they find themselves subject to liability in California for violations of the California spam statute? (Does this present a section 230 issue, since neither of the defendants created the copy which allegedly violated the statute?)
The court's assessment of the substantive violations of the statute is cursory. The court tackles the subject line violations, but where's the court's assessment of the violations of subsections (a)(1) (the domain name prong) and (a)(2) (misleading or forged header information prong)? Setting aside the fact that the court's interpretation of the subject line prong is charitable (and aimed at protecting people who take at face value a claim via email that the recipient is getting something for free), there's no discussion from the court on how the emails violate the prong which prohibits the use of third party domain names without permission. The court similarly doesn't deal with the misleading header information prong, but Hypertouch's claims sound similar to the claims the Ninth Circuit rejected in Virtumundo ("there is . . . nothing inherently deceptive in Virtumundo's use of fanciful domain names").
Interestingly, the California Supreme Court has weighed in on its spam statute just once. In a ruling last year in Kleffman v. Vonage, the court held that use of random and multiple domain names, even if they were intended to bypass spam filters, does not violate California's spam statute. ("Use of Multiple (Even Random or Garbled) Domain Names to Bypass Spam Filter Does not Violate Cal. Spam Statute -- Kleffman v. Vonage.")
Additional coverage: "C.A. Revives Action Charging Advertiser Under Anti-Spam Law" (Metropolitan News-Enterprise)
Comments by Eric:
This is an incredibly noteworthy opinion for several reasons.
First, published opinions on Internet law from California appeals courts are becoming rarer than a hen's tooth, so this is likely to be one of the few citable opinions by a California state court on spam issues for the foreseeable future (unless the Supreme Court takes it on appeal). As a practical matter, then, this opinion not only sets California law, but all federal courts interpreting federal law will also have to acknowledge this opinion. I anticipate this will be a heavily cited opinion in the future.
Second, the court's imposition of strict liability for advertisers promoted by spam is breathtaking. The court says "imposing strict liability on the advertisers who benefit from (and are the ultimate cause of) deceptive e-mails, forces those entities to take a more active role in supervising the complex web of affiliates who are promoting their products." Well, that's true in theory, but it's completely divorced from reality. Because of strict liability, even advertisers who undertake substantial efforts to police their affiliate network ARE STILL LIABLE FOR ANY PROBLEMS CREATED BY AFFILIATES. Maybe the court got confused about what it meant to impose STRICT LIABILITY. In reality, many advertisers won't rely on affiliates at all if they are strictly liable for what they do. I bet this court would view that as a perfectly fine outcome, but it's disingenuous to say that strict liability will ratchet up the policing effort. A negligence standard might have done that; strict liability squashes the endeavor altogether.
For that reason, the strict liability standard for advertisers is the #1 thing (of a pretty long list) that needs to get fixed on appeal.
Venkat raised the issue of 47 USC 230's role here. I haven't had a chance to see if the issue was raised by the litigants, but my initial instinct is that an advertiser's 230 defense for ad copy written by a third party sounds pretty meritorious.
Overall, rulings like this reinforce to me how desperately we need to get states out of the business of trying to regulate the Internet. First, Congress built a structure to hold advertisers liable for spam violations in CAN-SPAM (a narrow liability scope, although I question the wisdom of even that). If California can impose a supplemental and much more expansive advertiser liability doctrine, Congress clearly did a crummy job with its preemption clause (so what else is new?). Second, this liability rule, if it sticks, is terrible policy destined to generate lots more wasteful profit-seeking litigation. Third, it's unclear how California's policy would affect interstate advertising campaigns--a question we shouldn't even have to ask when dealing with Internet activities. We really, desperately, need to rethink our governance scheme that puts states in the business of regulating the Internet. IT DOESN'T WORK, and we lose a lot in the process.
Finally, a gossipy note. This is an unusual spam opinion in that it had big firm lawyers on both sides (Steptoe on the plaintiff side; Gibson Dunn on Valueclick's defense). I wonder if the court's decision to write a lengthy, detailed, footnoted and published opinion is the result of that.