The CAN-SPAM Act of 2003 can be seen as reflecting broader patterns in the U.S. legal approach to privacy and the use of technology for commercial solicitation. The U.S. constitutional protection for commercial speech under the First Amendment, while comprising a relatively low level of protection, nonetheless also contributes significantly to the U.S. legal context for the CAN-SPAM Act and state anti-spam laws.
I. The U.S. Statutory Approach to Privacy: "Opt-Out" and Context-Specific Legislation
Despite the fact that the initial development of privacy law is often credited to U.S. jurists (Samuel Warren and Louis Brandeis in a famous Harvard Law Review article published in 1890), the U.S. approach to privacy legislation has been cautious. There is no general U.S. Federal privacy statute. Instead, there are a number of different Federal statutes that address privacy in particular legal contexts.
Among the best-known recent U.S. statutes addressing privacy are HIPAA ("Health Insurance Portability and Accountability Act of 1996"), COPPA ("Children's Online Privacy Protection Act of 1998"), and the "Gramm-Leach-Bliley Act of 1999." The Gramm-Leach-Bliley Act eliminated the legal boundaries between investment banking and other types of financial institutions, thus permitting the creation of financial "supermarkets" through extensive mergers and contractual data-sharing. Recognizing the threat this posed to informational privacy, the Gramm-Leach-Bliley Act also prescribed certain privacy-related information-sharing rules for financial institutions.
While HIPAA and COPPA both adopted an "opt-in" approach to privacy - meaning that the default rule is no information-sharing or data collection that isn't explicitly authorized by law, although an individual can consent to information-sharing or data collection if the consent is based on meaningful notice about information-sharing or data-collection practices - Gramm-Leach-Bliley shifted to an "opt-out" approach. Under Gramm-Leach-Bliley's "opt-out" approach to privacy, financial institutions can share personal information as long as they've provided notice about their information-sharing practices, and as long as they've provided customers with an option for "opting-out" of such practices.
The "opt-out" approach to privacy provides default rules that allow commercial actors (e.g. businesses or non-profits) to collect information and share information in ways that they judge to be profitable and/or useful. For this reason, such default rules tend to favor commerce. "Opt-in" approaches to privacy tend to favor individual autonomy, control, and dignity over the freedom of commercial actors.
With Gramm-Leach-Bliley, the U.S. can be seen as affirming an "opt-out" approach to privacy in commercial contexts. HIPAA and COPAA can be seen as signaling a U.S. willingness to shift to an "opt-in" default for certain special classes of persons (children) or sensitive information (health-related information). The CAN-SPAM Act of 2003 is consistent with this pattern in adopting an "opt-out" approach for commercial email. See CAN-SPAM Act of 2003: Core Requirements.
However, the case of unsolicited commercial email is somewhat distinct from cases of unwanted data-sharing and data-collection. If a "right of privacy" protects against receipt of unsolicited commercial email, it would be a right analogous to the right to be left alone in one's home - a right that the U.S. Supreme Court has recognized and upheld in relation to a statutory framework intended to give individuals "opt-out" control over their receipt of unsolicited commercial mail. See Rowan v. U.S. Post Office, 397 U.S. 728 (1970); see also State v. Drahota, 280 Neb. 627, 639-40; 788 N.W.2d 796, 805 (Neb. 2010) (dicta considering the extension of Rowan to private commercial email).
At a U.S. constitutional level, privacy protections have been interpreted as emanating from the Bill of Rights. See Griswold v. Connecticut, 381 U.S. 479 (1965). However, these constitutional privacy protections generally shelter individuals from state action (typically legislation) that can be seen as invading a zone of personal decision-making (e.g. prohibitions of birth control or abortion).
Privacy protections of various kinds may also be found in U.S. state statutes and state common law.
See also LII's Wex Entry: Privacy.
II. The U.S. Statutory Framework for Telephonic Commercial Solicitation: Telemarketing Fraud Prevention, the National Do-Not-Call Registry, and Technology Restrictions
In 1991, Congress enacted the Telephone Consumer Protection Act (Pub. L. 102-243). This Act is now codified at 47 U.S.C. § 227. According to the U.S. Senate Committee on Commerce, Science, and Transportation, the purpose of the Telephone Consumer Protection Act is to "protect the privacy interests of residential telephone subscribers by placing restrictions on unsolicited, automated telephone calls to the home and to facilitate interstate commerce by restricting certain uses of facsimile (fax) machines and automatic dialers." See S. Rep. No. 102-178 (1991). In accordance with these stated purposes, the law restricts the use of automatic dialing technologies, artificial voices and recorders, and the use of fax machines or computers to send unsolicited commercial faxes. See 47 U.S.C. §§ 227(b)(1), 227(d). The restrictions apply to mobile phones and pagers, along with traditional "land line" phones. See id. The Federal Communications Commission ("FCC") was authorized to issue regulations to implement the provisions of the Act; those rules are set forth at 47 C.F.R. § 64.1200. The FCC was also authorized to implement a "do-not-call" database. See 47 U.S.C. § 227(c); 47 C.F.R. § 64.1200(c)(2).
In 1994, Congress enacted the Telemarketing and Consumer Fraud and Abuse Prevention Act (Pub. L. 103-297). This Act is now codified at 15 U.S.C. §§ 6101-6108. This law authorized the Federal Trade Commission ("FTC") to issue regulations prohibiting deceptive telemarketing practices, and created a private right of action to enforce the FTC regulations. See 15 U.S.C §§ 6102, 6103. In 1995, the FTC issued regulations pursuant to this law; those rules are set forth at 16 C.F.R. Part 310.
In 2003, pursuant to its rulemaking powers under the Telemarketing and Consumer Fraud and Abuse Prevention Act, the FTC promulgated regulations to implement a "Do-Not-Call" registry. See 16 C.F.R. 310.4(b)(1)(iii). This approach was sanctioned by Congress later that same year in 15 U.S.C. §§ 6151-6155. In enacting this legislation, Congress ordered the FCC to complete the implementation of a complementary "do-not-call" database under the Telephone Consumer Protection Act. See 15 U.S.C. § 6153; see also FCC Report and Order of July 2003 revising the Telephone Consumer Protection Act to implement the "Do-Not-Call" registry together with the FTC.
The U.S. experience in regulating telemarketing and telephonic commercial solicitation can be seen as providing a pattern that was followed to some extent in dealing with commercial emails and spam in the CAN-SPAM Act of 2003. Furthermore, as can be seen in Canada and the European Union, the international trend is toward integrating anti-spam legislation within a broader framework for telecommunications regulation. For these reasons, it is useful for readers concerned about spam-related laws in the U.S. to have some familiarity with the U.S. framework for regulating other forms of electronic and telephonic commercial solicitation. See also U.S. State Anti-Spam Laws: Introduction and Broader Framework.
III. Constitutional Protections for Commercial Speech: The First Amendment
The U.S. Supreme Court has repeatedly affirmed that the First Amendment protects "commercial speech," along with other types of speech. See Central Hudson Gas & Electric Corporation v. Public Service Commission of New York, 447 U.S. 557 (1980). Commercial speech has been defined by the Supreme Court as "expression related solely to the economic interests of the speaker and its audience." See id. at 561. This protection extends to state regulations through the Fourteenth Amendment. See id.
Beyond protecting the economic interests of the speaker, the First Amendment protection for commercial speech has been premised by the Supreme Court on consumer interests in obtaining commercial information, and "the societal interest in the fullest possible dissemination of information." Central Hudson, 447 U.S. at 561-62.
Because the First Amendment has been held to protect commercial speech, there are limits on the extent to which commercial solicitation can be regulated. However, the constitutional protection for commercial speech under the First Amendment is lower than the protection for other types of speech. See Central Hudson, 447 U.S. at 562-63. This means that regulations can limit commercial speech as long as the regulation is "designed carefully" to achieve a "substantial" state objective. See id. at 564-66. If commercial speech is unlawful or misleading, it won't be protected by the First Amendment. See id. at 566.
These basic principles, articulated as a four-part test in Central Hudson, were applied to the University of Texas at Austin's IT policy pertaining to spam in White Buffalo Ventures v. University of Texas at Austin, 420 F.3d 366, 374-78 (5th Cir. 2005). While the Fifth Circuit was unpersuaded that the IT policy was necessary to preserve the efficiency of UT Austin email servers, it agreed that the policy was no more extensive than necessary to preserve user efficiency. See id. For this reason, the court upheld the constitutionality of UT Austin's IT policy. See id. at 378. However, the court refrained from deciding whether UT Austin servers should be treated as private or public fora for purposes of First Amendment jurisprudence. See id.