Whose physical address do we use for Can-Spam compliance?
April 30, 2015 7:06 AM Subscribe
We send emails on behalf of other clients. Who physical address do we need to use for CAN-SPAM compliance? Us (the agency) or the organization we are doing work for? Or both?
May matter:
1) Some clients also use our email software to send some of their own "newsletter" type emails vs. our more marketing emails that we send.
2) Other clients have no access to the email system and anything that is sent for them we send.
If you have an answer pointing to an "official" source would be very helpful.
My guess is only the clients info need be present, but no one seems to believe me (and I may be wrong).
May matter:
1) Some clients also use our email software to send some of their own "newsletter" type emails vs. our more marketing emails that we send.
2) Other clients have no access to the email system and anything that is sent for them we send.
If you have an answer pointing to an "official" source would be very helpful.
My guess is only the clients info need be present, but no one seems to believe me (and I may be wrong).
Response by poster: My understanding is that both organizations hold the bag so to speak…
posted by IzzeYum at 7:20 AM on April 30, 2015
posted by IzzeYum at 7:20 AM on April 30, 2015
IANAL, but I have some familiarity with CAN-SPAM from doing banking compliance work. Usual "get a lawyer to be sure" advice applies.
15 USC 7704(5)(a)(5)(iii) says that commercial mail messages must provide "a valid physical postal address of the sender" as part of the required notifications and disclosures (that the message is an advertisement or solicitation, that the recipient has a right to decline to receive further messages, etc.) under CAN-SPAM. Depending on the nature of the "software" you're providing, this could mean multiple things, as you have noted. Generally, when you sell or license a software product for a customer's private, independent use, you include in the license a clause absolving yourself or your company of responsibility for what they do with it - in such a case, (check your terms to be sure,) you would have no duty to ensure their CAN-SPAM compliance. (After all, if you're selling a product like Outlook, you don't have access to their email system, so you can't very well control what they're sending.) On the other hand, if you're sending messages as a service on behalf of customers, MailChimp-style, you are arguably the "sender" for the purpose of CAN-SPAM, and do need to ensure that you have a contact person.
As a matter of compliance safety, this is definitely a situation where you should get outside counsel or retain an internal compliance department. Indeed, I'd be somewhat surprised if you don't already have somebody in-house to handle this kind of thing, since companies with any kind of web presence and/or marketing focus have fairly significant affirmative compliance duties. (COPPA, TCPA, etc.) Plus, that in-house compliance person could also serve as your CAN-SPAM contact.
tl;dr: get a lawyer, and start a compliance program. In the meantime, I'd be strongly considering putting both your address and the address of the business being advertised in the mailing, and establishing procedures to ensure that opt-out requests and other legal contacts are properly handled.
posted by fifthrider at 7:39 AM on April 30, 2015
15 USC 7704(5)(a)(5)(iii) says that commercial mail messages must provide "a valid physical postal address of the sender" as part of the required notifications and disclosures (that the message is an advertisement or solicitation, that the recipient has a right to decline to receive further messages, etc.) under CAN-SPAM. Depending on the nature of the "software" you're providing, this could mean multiple things, as you have noted. Generally, when you sell or license a software product for a customer's private, independent use, you include in the license a clause absolving yourself or your company of responsibility for what they do with it - in such a case, (check your terms to be sure,) you would have no duty to ensure their CAN-SPAM compliance. (After all, if you're selling a product like Outlook, you don't have access to their email system, so you can't very well control what they're sending.) On the other hand, if you're sending messages as a service on behalf of customers, MailChimp-style, you are arguably the "sender" for the purpose of CAN-SPAM, and do need to ensure that you have a contact person.
As a matter of compliance safety, this is definitely a situation where you should get outside counsel or retain an internal compliance department. Indeed, I'd be somewhat surprised if you don't already have somebody in-house to handle this kind of thing, since companies with any kind of web presence and/or marketing focus have fairly significant affirmative compliance duties. (COPPA, TCPA, etc.) Plus, that in-house compliance person could also serve as your CAN-SPAM contact.
tl;dr: get a lawyer, and start a compliance program. In the meantime, I'd be strongly considering putting both your address and the address of the business being advertised in the mailing, and establishing procedures to ensure that opt-out requests and other legal contacts are properly handled.
posted by fifthrider at 7:39 AM on April 30, 2015
Purely speaking as a risk manager, I'd have my org's address on it simply to make sure that a lack of action by the client didn't put me at risk.
posted by bfranklin at 7:41 AM on April 30, 2015
posted by bfranklin at 7:41 AM on April 30, 2015
« Older Recommend me a camping trip near Columbus Ohio | We created a household budget! Now how do we keep... Newer »
This thread is closed to new comments.
posted by bfranklin at 7:17 AM on April 30, 2015