What Can We Really Do About Spam?
Spam is one of those daily problems we deal with when communicating via the internet. For the 20-year anniversary of the CAN-SPAM Act, we explore what you can do about spam and what a spam-free future might look like.
It’s been 20 years since the CAN-SPAM Act (2003) passed in the United States. Since that time, similar legislation has passed around the world. While some of these laws focus specifically on data privacy, there is a huge overlap between cybersecurity and data privacy risks related to spam.
Penalties for breaking any of these laws are steep—sometimes in the tens of millions of dollars. So, why are we still drowning in spam? Is there really anything we can do about it?
The Impact of Spam Messages
“A typical spam email emits around 0.03g of CO2 emissions, though longer messages read on a laptop can go all the way up to 26g. Now multiply that by 333 billion—roughly the number of emails that get sent every day in 2022.” — Becca Inglis, How Your Internet Habits Are Increasing Your Carbon Footprint, Reader’s Digest
To prepare for writing this post, I spent a month asking friends, family, and colleagues how much time they spent dealing with spam. I also asked if spam interfered with their work and personal lives.
Everyone said it was a serious problem. Most lamented the 15-20 minutes per day that they spent deleting spam from their inboxes. Some folks who ran businesses with online submissions spent even more time making sure valid business inquiries weren’t lumped in with the endless deluge of promotional and spam messages.
Day to day, spam is annoying. However, when you look at the bigger picture, it’s a significant problem:
- Spread across the global workforce, spam constitutes a considerable amount of lost productivity.
- Spam is a huge security and data privacy risk. In many countries, this is a legal risk as well.
- Plus, machine learning, automation, and other emerging marketing technologies—in addition to streamlining campaign processes—also generate new opportunities for bad actors to ‘scam at scale’.
- Finally, trillions of spam emails are sent every month. Considering the carbon cost of sending a single email, spam represents a sizable source of CO2e emissions that fuel climate change.
During our conversations, I learned that most people felt burnt out, frustrated, and confused by what they could do about the seemingly ever-present spam problem. Few knew what was being done about the issue or even if something could be done. As it turns out, something has been done. It’s just clearly not working.
What’s Been Done: The CAN-SPAM Act
Originally intended only to apply to mobile devices, the CAN-SPAM Act of 2003 protects U.S. consumers from “unwanted mobile service communications.” It was meant as a measured response to guide what appropriate emails looked like without interrupting commerce.
The CAN-SPAM Act includes a set of guidelines that businesses must follow or risk being fined for non-compliance. The most influential of these are:
- Email subject lines must be truthful about email content
- Emails need a clear way for recipients to opt out of further communications
Twenty years later, this modest effort has outperformed its initial mobile-specific intentions. Reputable organizations attempt to comply with CAN-SPAM by using descriptive email subject lines and unsubscribe features in email communications. They follow these guidelines because penalties can be hefty.
The law also benefits consumers who want accurate information and the ability to unsubscribe from email lists they do not wish to be on.
Beyond that, however, its usefulness falls short. In fact, people have been suggesting we “can the CAN-SPAM Act” for years now. Is there more that could or should be done? Absolutely. Will that happen? It’s complicated.
An Evolving Spam Landscape
People hate spam. However, email is an important channel through which legitimate businesses market their products and services. When done well, it works.
This is also why email is equally appealing to bad actors. Solutions to spam problems have to thread the needle between limiting scammers and supporting legitimate communications. Because of this and other reasons, spam legislation tends to be rare and tentative.
In reality, most major anti-spam strides come from private entities, not the public sector. For example, email software providers regularly provide more effective and useful spam filters.
More recently, AI-powered email marketing solutions claim that they can more effectively bypass spam filters at scale with automated, data-driven marketing messages. While this undoubtedly saves time for marketers, it also presents big opportunities for spammers.
Whether we find it distasteful or not, those who send unsolicited and unwanted emails benefit from the practice. Even with clear legal risks, spammers continue to abuse consumers. While the U.S. is the world’s largest spam contributor, billions of spam emails also originate outside the United States.
With that in mind, let’s explore a few ways we might improve the CAN-SPAM Act of 2003.
Four Ways to Upgrade the CAN-SPAM Act
Here are some update ideas for the CAN-SPAM Act that could disincentivize bad actors and help good actors send fewer unwanted emails.
1. Add FATE Requirements
Fair. Accountable. Transparent. Ethical. Legislators could feasibly incorporate the FATE framework that is common in AI circles into spam legislation as well.
Adding this framework to the CAN-SPAM Act could require senders to disclose the use of technologies or practices that misinform, misrepresent, or mislead recipients. It might also require senders to share contact information with recipients and prohibit promotions for illicit or otherwise illegal products or services. Finally, we might consider requiring email providers to share more data about spam on their platforms.
Of course, this would be hard to enforce outside the U.S., but a global spam task force could help build consensus on best practices between countries. With that being said, they tried a global spam task force in 2004 and, well, here we are. ¯\_(ツ)_/¯
2. Opt-In, Not Opt-Out
If you’ve ever submitted your email address to any online form, you’ve probably seen an innocuous checkbox labeled “sign-up for promotional emails” helpfully pre-checked for you. If you’re like most internet users, you probably forgot to uncheck that box before you hit submit. Or, even if you did, perhaps it was purely decorative. Before you know it, your inbox is filled with spam.
The fix here is obvious—users should opt in to receive emails and never have to opt out of them on sign-up forms or other subscription methods. It shows greater respect for users and it reduces the number of people subscribed to unwanted email lists.
Europe’s primary data privacy legislation, GDPR, requires websites to show ‘informed consent’ before collecting any user data (including email addresses). This should be a requirement in the U.S. and other countries as well.
3. Make Opt-Out Easier
Right now there is no guidance for how easy it should be to unsubscribe from marketing lists. In fact, there is a known dark pattern called a ‘roach motel’ which is all over the internet. Roach motels make it easy for users to subscribe but difficult to unsubscribe. Typically, this is done by adding often confusing or misleading steps to the unsubscribe process.
Each layer of friction in an opt-out process reduces the chance that an unwilling email recipient will successfully unsubscribe, despite their best intentions. A set standard for this process would disincentivize spammers from overcomplicating what should be a very simple process.
4. Stricter Data Brokering Penalties
Online scammers sell data. It’s what they do. If you’re on one list, it won’t be long before your name is on hundreds more. However, stiffer penalties—coupled with stronger enforcement—could curtail some spammers’ efforts.
Stiffer penalties alone won’t solve this problem, especially since current penalties are already pretty severe. Plus, illegal data sharing is already at the heart of existing flagship privacy legislation like Europe’s GDPR and the California Consumer Privacy Act. However, dovetailing higher penalties with stronger enforcement backed up by more resources could potentially make a meaningful difference.
Three Anti-Spam Actions You Can Take Right Now
1. Policy Advocacy
If the last 20 years have been proof of anything, it is that the CAN-SPAM Act is ineffective at combating spam in the United States. Though it has incentivized marketers to include opt-outs in email campaigns, that’s not nearly enough to address the issue in any meaningful way.
It is time we create more robust legislation to address the issue of spam. That push must come from the voters because politicians benefit from inundating constituents with emails and vast networks of email list sharing.
When talking to politicians, clearly understanding the issue you plan to talk about is key to finding shared ground. IAPP’s Privacy Legislation Tracker can help you learn more about which states have pending rules on the books and what those rules entail. Start there.
2. Report Spam When You See It
Most email software makes it easy to report spam while perusing your inbox. Often, it’s as simple as pressing the ‘report spam’ button.
When you see a spam email, make sure to flag it as such. Doing this trains your email software to better identify and filter spam messages. In turn, this should reduce the amount of spam you receive and provide you with a better overall email experience.
3. Ethical Email Marketing
The CAN-SPAM Act should be considered a baseline in the fight against spam. There’s so much more you can do to promote ethical marketing behavior when communicating with customers or other stakeholders.
In addition to the suggestions already mentioned in this post, consider the following:
- Pursue truth always: Make sure all your communications are fact-checked and truthful.
- Provide real value: Pointless emails destroy productivity and elicit more unsubscribes than leads. Make sure that your email marketing is done with purpose and offers real value to recipients.
- Be authoritative & unique: Well-researched content that showcases your expertise will always be more appreciated than a slapdash effort. More importantly, make the extra effort to find a unique angle that’s different from standard content in your subject matter area.
What’s Next: Beyond the CAN-SPAM Act
Spam is a constant hindrance. It makes the workplace less efficient, adds difficulty to our personal lives, and has a huge environmental impact.
What’s more, the CAN-SPAM Act only seeks to address email spam, which represents just a small fraction of the overall spam landscape. Every day, forum and website owners are inundated with comments and messages created by ever more capable bots outmaneuvering their anti-spam measures.
Plus, AI is being used to scrape and process huge amounts of data, identifying targets for spam, helping to dox people, and sometimes worse. As AI becomes more proficient, all of these elements of its potential usage will require a formal response and better policies.
Through a combination of good policy, technological advancement, and improving the enforcement of current and future policies, we can address this issue in a meaningful way.
Ultimately, our fight against spam will require that governments from many countries cooperate to identify spammers, remove their spam, and punish bad behavior. That goal is lofty, and well worth fighting for. However, it won’t come easy. And there are things we can do right now, today.