Just who is an Internet access service provider under CAN-SPAM?

Worded to prevent lawsuits by individual email recipients, the federal CAN-SPAM Act limits who can bring suit for a CAN-SPAM violation. In addition to state and federal enforcers, the Act allows suits by “Internet access service providers.” Just who are they, and can individuals find a way back in to court under this provision?

By Ethan Ackerman

One of the most distinct differences between the federal CAN-SPAM Act and state anti-spam laws is the federal law’s restrictions on who may bring suit for a violation. Like many federal laws, it’s vital to consider the environment in which it passed in attempting to understand the scope and intent of its provisions.

After several years of experience with state laws allowing individual email recipients to bring suit under state laws, and both actual and exaggerated instances of ‘professional plaintiffs’ bringing questionable suits against email marketers, many business and marketing lobbyists were eager to limit who could bring suits under a federal spam law. While efforts to expand or limit liability under federal laws are as old as the 1st Congress, 2003 was a notable high-water mark. At the same time as, and in the same Congress as, the CAN-SPAM Act, similar Acts altering liability standards and raising barriers to lawsuits and class actions were being passed under the mantra of “tort reform.” Limitations on environmental and manufacturer liability, extending sovereign immunity to vaccine developers, restrictions on class actions, preemption of state enforcement and consumer protection laws, statutorily-mandated settlements of active court litigation – these were some of the hallmarks of the 108th Congress’ involvement with the judicial branch.

In this environment, it’s not surprising that various provisions in the CAN SPAM Act were negotiated back and forth to expand or contract liability, standing and preemption. This blog has previously covered the preemption back-and-forth, but similar negotiation went into just who could sue, and how, and where, and for how much under the CAN SPAM Act.

The final version of s.877 signed into law in 2003 that became the CAN SPAM Act reflects the compromises on several issues necessary to get sufficiently broad political support. This post will attempt to identify each of those issues in turn.

The final bill allows suits by a broad swath of federal regulatory agencies to enforce the law, including most notably the FTC. The scope of state officials’ enforcement of the federal law, and just who else could sue, was somewhat more disputed. Prior year versions of the bill allowed suits in state as well as federal court. The initial Senate version of s.877 also allowed suit in federal or state court, but the final version negotiated with the more lawsuit-averse House of the 108th Congress restricted suits to only US federal District Courts, and now redundantly also granted the relevant federal agencies additional authority to removes suits filed by States to federal courts.

The issue of caps on damages and attorney’s fees was also near and dear (or anathema) to many in the 108th Congress, and extensive changes exist between various versions of the bill as conditions were horse-traded and various constituencies weighed in. State enforcement statutory damages swung from $20 to $250 over the course of the different Congresses, with treble damages being available, then dropped and replaced with discretionary ‘aggravated’ damages possibilities. State enforcers’ attorneys fees similarly went from mandatory to discretionary between the introduced Senate version and House-approved version. Statutory damages for internet access providers saw similar swings and horse trading, ultimately with certain egregious violations triggering $100 damages and other damages valued at $25, a far mark from a proposed ‘up to $10.’ Damages caps were also a feature, but swung from as little as $500,000 to in some cases $3 million.

Similarly, the political demands of the House resulted in additional, heightened pleading standards for civil suits by anyone other than federal enforcement agencies. These heightened standards, absent in the initial Senate version but added in sections 7(f)9 and 7(g)2 of the final version, raised a scienter pleading requirement for state enforcers and constricted the definition of ‘procure’ for suits brought by Internet access providers.

But back to the big difference

As initially indicated, the biggest difference between most state and the federal anti-spam law is the absence of a private right of action for spam recipients in the federal law. In the 108th Congress, a general private right of action was a non-starter. Even the initial Senate version of the bill restricted suits to enforcement officials and Internet access providers. Contrary to the desires of state enforcers from state with such provisions, and apparently an uncomfortable concession from the minority Democrat sponsors, the absence of a private right of action was a stated minimum.

The final wording of Section 7 of the CAN SPAM Act specifies who can bring suit, listing first federal enforcement, then state enforcement, and finally granting Internet access providers the right to bring some civil suits. So who is an ‘Internet access provider’?

The short answer – the definition written in the ‘definitions’ section of CAN SPAM – is that the “term `Internet access service’ has the meaning given that term in section 231(e)(4) of the Communications Act of 1934 (47 U.S.C. 231(e)(4)).” This somewhat unenlightening reference leads to the actual statutory definition of:

The term “Internet access service” means a service that enables users to access content, information, electronic mail, or other services offered over the Internet, and may also include access to proprietary content, information, and other services as part of a package of services offered to consumers. Such term does not include telecommunications services.

This broad definition originally was passed into law as part of the earlier Child Online Protection Act (not to be confused with the Childrens’ Online Privacy Protection Act). Importantly, CAN SPAM also used other definitions from other prior laws defining similar terms. One example, one short line above the CAN SPAM ‘internet access provider’ definition, is the definition of ‘Internet.’ CAN SPAM defines ‘Internet’ by reference to the earlier passed Internet Tax Freedom Act, 47 USC 151 note. Importantly, CAN SPAM did not adopt the much narrower, more ISP-centric definition of ‘internet access provider’ in that Act. The Internet Tax Freedom Act defines an internet access provider as “a person engaged in the business of providing a computer and communications facility through which a customer may obtain access to the Internet…”

This definitional difference is important because CAN SPAM was written with service providers above and beyond just then-traditional modem-pooling, DNS-providing traditional ISPs in mind. Spam impacts next-generation services like online website hosts, online email providers, online proxies and filtering services, and CAN SPAM was drafted to take into account not just the dial-up AOLs of the world, but also the Rackspaces, the Hotmails, and the TUCOWs.

So courts have uniformly picked up this clear distinction, right?

If they had, what would there be to write about? While CAN SPAM was commonly understood to prevent end-user lawsuits, that portion of the law is implicit, not explicit. CAN SPAM was, however, explicitly written broadly to cover all, even the as-of-yet-uninvented, online service providers that spam negatively impacted. Unfortunately, subsequent court cases addressing the issue of whether it is an ‘internet access provider’ bringing suit have sometimes attempted to reinsert traditional ISP-style definitions into the Act.

A recent case getting the issue correct is Haselton v. Quicken Loans Inc.. Though anti-filtering activist Bennett Haselton, administrator of peacefire.org, sued Quicken in his individual capacity, separately incorporated Peacefire also was a named plaintiff. Defendant Quicken made much of the fact that Haselton was the sole employee of the organization and alleged Haselton was simply an individual end-user filing suit. Haselton countered, and the court agreed, that Peacefire’s filter-circumventing service, even if operated only by Haselton, was clearly an ‘internet access service provider’ within the meaning of the Act.

Unfortunately, other courts, and commenters, have often channeled their skepticism over the litigation intentions of a plaintiff into interpreting this broad definition narrowly. For example, the Gordon v. Virtumundo court’s palpable disagreement with serial plaintiff Gordon’s litigation intentions and strategy led it to reach to hold, contrary to the plain wording of the definition, that Gordon’s multi-user internet email service was not a ” a service that enables users to access …electronic mail… offered over the Internet.” UPDATE

While they may be legitimate concerns over the capacity and legitimacy of serial plaintiffs’ anti-spam suits, courts can address them without resorting to unnecessarily adjusting definitions in the statute. In Hypertouch v. Kennedy-Western University, for example, the court correctly recognized that an email service provider, even though small and providing accounts without charge, was nonetheless a ‘internet access service provider.’ As Eric blogged earlier, this court addressed its, and defendant’s, concern that the plaintiffs allegations were inadequate and more properly addressed towards the actual marketing company in its ruling that plaintiff was an internet access service provider, but its claims were inadequate to survive a motion for summary judgment.

12/08 Update An observant Tri-cities reader gently corrects me, noting that Judge Coughenour ultimately did, contrary to what I suggested, conclude the plaintiff qualified as an Internet access service provider in Gordon v. Virtumundo. After reviewing all the criticisms and interpretation of legisaltive history and analogous cases that suggested Gorden was not intended to qualify, Judge Coughenour did ultimately conclude Gorden qualified “under the statute’s capacious definition.” So, my speedy reading aside, Gordon v. Virtumundo stands as an appropriate example of a court properly addressing questions about the propriety of a suit without narrowing the definition of an Internet access service provider after all.