EPIC logo

June 27, 2005

Federal Trade Commission
Office of the Secretary
Room H-159
600 Pennsylvania Avenue, NW.,
Washington, DC 20580

Re:      CAN-SPAM Act Rulemaking, Project No. R411008[1]

To Whom It May Concern:

The Electronic Privacy Information Center offers the following comment in the above-captioned rulemaking:

1    c. Should opt-out obligations be extended to third-party list providers who do nothing more than provide a list of names to whom others send commercial e-mails?

At its signing, the CAN-SPAM Act was described by the White House as a "pro-consumer law that allows consumers to choose to stop further unsolicited spam ...."[2] Nonetheless, U. S. consumers continue to be plagued by the unsolicited email of spammers in larger numbers.[3] By law, the consumer may opt out of receiving future email advertisements by notifying the offending company. However, the sheer number of companies using email spam marketing makes it nearly impossible for the consumer to be free of undesired email.

It would be more efficient for the consumer to be able to opt out of inclusion in the databases of the of third-party list providers. These list providers, known as "list brokers," regularly buy, rent, and sell lists of consumer email addresses. Although thousands of companies are involved in the trade of consumer email addresses, most of the business is concentrated within about 100 companies.  Over 8,000 e-mail lists are advertised by list brokers on Direct Magazine's web site.[4]  These companies are responsible for selling the information that results in spam.

The consumer could more easily opt-out from major list brokers than the entire universe of websites eligible to send spam under CAN-SPAM.

We can draw a useful analogy to the Commission's highly successful Do-Not-Call Registry.[5] The purpose behind that program was to give customers the right to choose the communications they wanted to hear and protect customers from an unmanageable onslaught of calls.  It used to be the case that individuals had to opt out of telemarketing calls on a per-company basis, as is the case with spam messages today.  But practical experience showed that telemarketing operations were so efficient in initiating calls that company-specific opt out didn't work.  Individuals were deluged with calls in the hopes that just 1% of recipients would fall for the solicitation.  Some companies ignored opt out requests, or otherwise frustrated individuals' attempts to opt out.  Centralizing the opt-out with a national Registry controlled by the Commission was a common sense step to giving individuals control over telemarketing. 

A similar, intermediate step can be taken with the list brokers.  Individuals should be able to opt out of having their personal information sold by these companies.  Neither the market, nor self-regulatory initiatives are likely to produce this right, and so we think the Commission should establish it on behalf of consumers.

This right would be significantly less burdensome than the telemarketing Registry—this right would not require the creation of a new government collection of information, it would not require fees to be collected from industry, nor would it require a complicated technology infrastructure. 

There are, admittedly, substantial differences between the problems of telemarketing and spam, but the message is the same: strike at the root of the problem, rather than plucking at the leaves. Customers can quickly and easily curb the flow of spam by opting out of the list brokers' lists; or they can undertake the long, arduous, and unending task of opting out of every single individual marketer's list. One must believe that the Commission, acting in the interest of consumers, would allow those consumers the first of those options.

If so, how could this be accomplished, given the statutory language which defines "sender" in terms of an entity that both initiates a message and advertises its product, service, or Internet web site in the message?

The Commission could accomplish this effective step towards ending spam by in several ways.  First, with respect to companies that both sells lists through brokers and proclaim that information is only shared with "trusted partners," the Commission could bring an enforcement action under the agency's deception authority. 

EPIC has observed numerous websites that ensure that customers' addresses will only be given to "trusted partners.''  In fact, some of these same companies use list brokers, and the e-mail addresses apparently are available to anyone (not just "trusted partners") online.  1-800-Patches sells transdermal patches over the Internet to help consumers who wish to stop smoking, lose weight, or achieve other health-related goals. The company's privacy policy states that customer information may be shared "with partners who may provide products of interest to you."[6] However, in a recent issue of Direct Magazines' online newsletter, 1-800 Patches' customer list, over 50,000 consumers, was available to anyone for $5,000.[7] The privacy policy at lux-cruise.com states that it will only share consumer information with third parties who have been "carefully prescreened by TTK. [lux-cruise's parent company]"[8] Yet, there was no mention of prescreening in lux-cruise's advertisement of 24,000 mailing addresses and 54,000 email addresses for almost $8,000.[9] 

Second, the Commission could pursue list brokers under the agency's unfairness authority, since the trafficking in data promoted by these companies is unavoidable by consumers, causes them harm, and its benefits are outweighed by costs imposed on individuals and Internet Service Providers. 

Third, the Commission could establish an opt-out right at listbrokers by rulemaking. 

Finally, the Commission could seek specific authority from Congress to protect consumers in this fashion.

Respectfully Submitted,

Chris Jay Hoofnagle
Director, EPIC West Coast Office
944 Market St. #709
San Francisco, CA 94102

Charles Duan
EPIC IPIOP Clerk

Rakeim Hadley
EPIC IPIOP Clerk


[1] Definitions, Implementation, and Reporting Requirements Under the CAN-SPAM Act; Proposed Rule, 70 Fed. Reg. 25425 (May 12, 2005).

[2] "Fact Sheet: President Bush Signs Anti-Spam Law," Office of the Press Secretary, December 13, 2003, available at <http://www.whitehouse.gov/news/releases/2003/12/20031216-4.html>.

[3] Grant Gross, "Is the CAN-SPAM Law Working?," IDG News Service, December 28, 2004, available at < http://www.pcworld.com/news/article/0,aid,119058,00.asp>.

[4] See http://listfinder.directmag.com/market.

[5] "Do Not Call Registry is Working Well," Harris Interactive Poll, February 13, 2004, available at <http://www.harrisinteractive.com/harris_poll/index.asp?PID=439>.

[6] "Privacy Policy," 1-800 Patches.com, available at <http://1800patches.com/privacy_policy.html>.

[7] "Listlines e-Newsletter," Direct Magazine online, June 15, 2005, available at <http://directmag.com/listline/listline-06-15-05/>.

[8] "Privacy Policy - TTK Publications, Web sites and Databases," lux-cruise.com, available at <http://www.statetourismboard.com/privacy.html>.

[9] "Listlines e-Newsletter," Direct Magazine online, June 21, 2005, available at <http://directmag.com/listline/listline-06-21-05/>.


EPIC Privacy Page | EPIC Home Page

Last Updated: June 27, 2005
Page URL: http://www.epic.org/privacy/junk_mail/spam/canspamcomment6.27.05.html