California Appeals Court Says Emails That Don’t Identify Sender Violate State Spam Statute – Balsam v. Trancos
[Post by Venkat Balasubramani]
Balsam v. Trancos, Inc., 2012 WL 593703 (Ca. Ct. App.; Feb. 24, 2012)
It seemed like most emailers and anti-spam activists have moved on from worrying about spam email to other things, such as social networks, but a few disputes continue to linger. One of them involves Dan Balsam, of danhatesspam.com fame, who is a lawyer and self-proclaimed anti-spam activist.
Balsam sued Trancos in 2008, alleging that he received numerous unsolicited emails from Trancos. After a bench trial, the trial court awarded Balsam $1,000 in liquidated damages for each of seven emails. (Here’s the prior blog post on this case: “Plaintiff Wins $7,000 Following Bench Trial on Claims Under California Anti-Spam Statute — Balsam v. Trancos.”) The trial court also awarded Balsam $81,900 in attorneys’ fees. The trial court rejected Balsam’s claims under California’s Consumer Legal Remedies Act and held that Trancos’ CEO, Brian Nelson, could not be held personally liable. Trancos appealed, alleging that the emails did not violate California’s anti-spam statute (B&P 17529.5(a)(2)). Trancos also argued that Balsam’s claims were preempted by CAN-SPAM. On appeal, the appeals court rejects both of Trancos’ arguments. Balsam cross appealed on the trial court’s resolution of the CLRA issue and rejection of personal liability to Nelson personally. The court also rejects Balsam’s arguments on cross appeal.
Violations of Cal. Code Sec. 17529.5(a)(2)
Section (a)(2) makes it unlawful for anyone to advertise in an email sent from or to a California email address where the email “contains or is accompanied by falsified, misrepresented, or forged header information.”
According to the opinion, Trancos’ company sent out emails from various “nonsense” domain names (e.g., misstepoutcome.com; modalworship.com; moussetogether.com) that were registered to Trancos via a privacy proxy. The emails did not identify Trancos, but mentioned that if recipients wanted to opt-out, they could forward the emails to USAProductsOnline, or click on a link provided in the email. USAProductsOnline was not a separately existing entity, but it had registered a PO Box. Nelson, the CEO of Trancos, testified that he registered the domain using privacy protection services because he and Trancos had been harassed in the past.
The court focuses on whether the California Supreme Court’s decision in Kleffman v. Vonage, which construed section 17529.5(a)(2), lets Trancos off the hook here. (See “Use of Multiple (Even Random or Garbled) Domain Names to Bypass Spam Filter Does not Violate Cal. Spam Statute — Kleffman v. Vonage.”) Kleffman involved emails sent on behalf of Verizon using nonsensical or random domain names that were designed to evade spam filters. Kleffman made a variety of unsuccessful arguments why using garbled or random domain names constituted “misrepresentation.”
The appeals court distinguishes Kleffman, saying that in Kleffman, all of the emails were sent using domain names that were “traceable” to Vonage’s marketing agent. In contrast, in this case, the court says the emails were not traceable to Trancos because Balsam could not determine the identity of the sender using a “publicly available database,” and thus Trancos’ email had misrepresented header information. The emails listed “USAProductsOnline” as the sender and provided a street address for USAProductsOnline, but this turned out to be a PO Box, and Balsam had to subpoena the information provided to the PO Box company to obtain the information provided by USAProductsOnline. The court also distinguishes the Fourth Circuit’s decision in Omega World Travel v. Mummagraphics saying that, in that case, the identity of the sender was readily obvious to the recipient, who had no trouble tracking down the sender.
Preemption Under CAN-SPAM
Trancos also argued that Balsam’s state law claims were preempted by CAN-SPAM. The court notes the split of authority in federal courts regarding whether CAN-SPAM preempts claims which fall short of common law fraud, or whether CAN-SPAM only preempts claims which do not involve “falsity or deception.” Citing to the California Appeals Court’s decision in Hypertouch v. Valueclick, the court says that claims which allege any sort of falsity or deception escape preemption under CAN-SPAM’s preemption clause. Balsam’s claims therefore aren’t preempted.
The thrust of the court’s decision is that emails have to identify some actual person or entity they are sent by or on behalf of, whether in the “from line” or the email body. Emails that do not so identify themselves violate the statute. There are a few problems with this from my perspective.
First, it broadens the definition of “header information” to include not just the from line but also the body of the email. The California statute does not define “header information” but Kleffman looked to CAN-SPAM’s definition, which clearly talks about either the human or computer readable parts of the “from line.” The overall structure of CAN-SPAM lends weight to the view that the header information prong does not deal with information in the actual body of an email.
Second, it injects the element of concealment into the California statute. It’s fair to presume that if the legislature intended the statute to cover not just misrepresentations of facts regarding an email’s origin but also concealment, the legislature would have made that explicit.
Third, the FTC rules interpreting CAN-SPAM allow the use of private mail boxes (that the sender registers with a commercial mail receiving agency established under US Postal Service regulations) to satisfy the requirement of listing the sender’s street address. The FTC announcement of these regulations indicate that the regulation accommodates the two interests of (1) law enforcement being able to track down the sender (ostensibly with a subpoena) and (2) recipients being able to communicate with the senders (by sending paper correspondence). Not only is the issue of identifying the sender comprehensively regulated by CAN-SPAM, CAN-SPAM regs allow the practice Balsam complained about.
The court distinguishes Kleffman. but I wasn’t persuaded by this. Everyone agreed in Kleffman that the emails were fairly traceable to Vonage, but importantly, the emails were traceable not to Vonage directly, but to its “marketing agent.” Because the emails all identified Vonage (who was being advertised in the emails), it’s tough to say for sure, but as far as identifying the actual sender of the email, Kleffman says nothing more than that if the emails can be identified as having been sent by some entity (e.g., Vonage’s “marketing agent”), that’s sufficient. Here, the problem seems to have been that the entities identified in the emails as senders were not actual legal entities.
The court’s decision slams the use of private registration services in the context of email marketing. Balsam previously tried to hold Tucows liable for emails sent via a domain name registered (privately) through Tucows. (See “Domain Name Privacy Protection Services Not Liable for Failure to Disclose Identity of Alleged Spammer — Balsam v. Tucows.”) Balsam was not successful in that case, but the court’s decision here contains plenty of bad juju towards the use of private registration services.
Although the California Supreme Cout may have better things to do with its time, this looks like a good candidate for review so it can clarify the scope of Kleffman v. Vonage.
It’s unclear how much mileage Balsam and company will get out of this ruling. As the court notes, several cases have held that claims such as this one are preempted, and it’s a likely bet that Balsam’s subsequent defendants would remove on the basis of preemption and try to get the claims dismissed on this basis. This is undoubtedly a significant ruling, but it’s unlikely to open the floodgates for judgments against emailers.