CAN-SPAM Act Violations: How to Avoid Costly Penalties and Protect Your Business

The FTC's recent settlement with Verkada Inc. underscores the severe CAN-SPAM penalties businesses face for non-compliance. Verkada's $2.95 million fine highlights the importance of adhering to email marketing regulations and maintaining transparent practices.

CAN-SPAM Act violations can lead to significant financial penalties and damage to your business's reputation. Staying compliant with the law is crucial to avoid these costly mistakes. By understanding the requirements of the CAN-SPAM Act, including proper opt-out procedures and accurate sender information, you can protect your brand from legal risks and maintain customer trust. Don’t let your business fall victim to common compliance pitfalls; stay proactive and informed to safeguard your operations against CAN-SPAM Act violations.

In light of the FTC’s recent focus on website dark patterns and scam robocalls, it is easy to overlook the fact that its broad mission also encompasses enforcement of the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act. As written in the body of the statute (15 U.S.C. § 7706(a)), a CAN-SPAM violation is treated as a violation of a rule promulgated under the FTC Act regarding unfair or deceptive acts or practices.

At least one company that may have forgotten this mandate was reminded of it on August 30, 2024, when the FTC announced a proposed order settling a federal Complaint filed against Verkada Inc. that included allegations of CAN-SPAM violations.

FTC v. Verkada, Inc.

California-based Verkada manufactures, markets, and sells IP-enabled video security systems to a wide variety of businesses, including hospitals and health clinics. The crux of the FTC’s Complaint concerned Verkada’s alleged failure to utilize appropriate information security practices to protect its customers’ personal information, a failure that facilitated a hacker’s successful attempt to access the company’s internet-connected security cameras to view patients in psychiatric hospitals and women’s health clinics.

Stemming from the initial investigation into the hack, the Complaint also alleged that company employees, officers, and at least one investor posted positive ratings and reviews of Verkada and its products without disclosing their association with the company, in direct violation of Section 5(a) of the FTC Act.

In addition to misrepresentations concerning its privacy and data security practices, the FTC’s investigation revealed that Verkada allegedly violated the CAN-SPAM Act by flooding prospective customer inboxes with 30 million commercial emails over a three-year period that violated CAN-SPAM in the following ways:

o Failing to include in each email a clear and conspicuous notice of the opportunity to unsubscribe/opt-out of future emails.

o Failing to include a physical postal address in each email.

o Disregarding email opt-out requests sent by email recipients.

CAN-SPAM Act Requirements

Effective since January 1, 2004, the CAN-SPAM Act makes it unlawful for any person to send commercial electronic mail messages to protected computers unless those messages meet specific requirements. According to 15 U.S.C. § 7704(a)(5)(A), these requirements include providing a clear and conspicuous notice of the opportunity to opt out of receiving further commercial emails and including a valid physical postal address of the sender.

The law also mandates that if a recipient requests not to receive certain commercial emails, the sender must cease sending messages within 10 business days of the request. Continuing to send emails after this period constitutes a violation, as outlined in 15 U.S.C. § 7704(a)(4)(A). These provisions are designed to enforce compliance and protect consumers from unwanted email communications.

The Settlement

Under the terms of a proposed order settling the Complaint, Verkada will be required to pay a $2.95 million monetary penalty to settle the CAN-SPAM allegations, which represents the largest penalty obtained by the FTC for a CAN-SPAM Act violation.

In addition to the monetary penalty, the proposed order also prohibits the company from further CAN-SPAM violations, as well as making misrepresentations about Verkada’s privacy and data security practices. The order also requires the company to implement a comprehensive information security program with third-party audits.

If nothing else, this case should highlight the FTC’s role in enforcing CAN-SPAM, which, for various reasons (including the lack of a private right of action), many businesses tend to disregard. CAN-SPAM nevertheless includes hefty penalties for non-compliance, including fines that can be as high as $51,000 per violation, as Verkada learned to its detriment.
