By Karen A. Kidd

Legal observers are watching Virginia’s new antispam legislation, which faces jurisdiction and constitutional questions, but one thing is clear, warned Bill Camp, an e-commerce attorney at Eckert Seamans Cherin & Mellott,“ A spammer should not be located in Virginia.”

Virginia’s legislation, passed in April, is touted as one of the toughest in the United States because it hits spammers hard with civil and criminal penalties. The worst spam (euphemistically referred to as Unsolicited Commercial E-mail or UCE) in Virginia is now a Class C Felony, which means a convicted spammer in that state could spend five years in prison. The state also may seize a spammer’s property and profits.

However, what really has people talking about Virginia’s legislation are the eye-catching (some could say “profitable”) civil penalties. The new legislation gives ISPs broader powers and incentives “to go after their hit list,” Camp said. And one of the ISPs operating in Virginia is the online giant America Online.

Virginia’s law does not require companies to go after spammers. “What it does do is give them the ability to go after them,” Camp said.

So what’s in it for AOL? Plenty. The Virginia law provides for civil penalties of up to $25,000 a day per spamming attempt per spammer. You don’t need a calculator to figure out that a committed spammer routing spam through an ISP could mean big money in civil penalties for that ISP. “Every day, I turn on my computer and I may have two or three (unsolicited) e-mails,” Camp said. “And I’m only one person.”

And one person victimized by spam can effectively claim $10 per spam, under the Virginia legislation. That may not seem like much, but individual victims also can receive attorney fees and other costs, which normally would not be covered. This makes class-action lawsuits very attractive to victims—and their attorneys, Camp said.

Despite those incentives, enforcing the new law is not as easy as it sounds. Virginia’s legislation applies only in Virginia. What that could mean outside the state is very much up in the air, Camp said. “Now we’re talking about jurisdiction,” he said. “Jurisdiction is not an easy thing. Each state would want to have jurisdiction over the person they want to prosecute.”

Other spam legislation
Most states already have antispam legislation on the books. Broken down by state, some of the antispam legislation over the past half-decade looks like this:

July 1997: Nevada becomes the first state in the United States to enact legislation against spam. Nevada enacted a second spam statute in 1999 and, in 2001, amended the statute. In Nevada, UCE is legal only if labeled or clearly identified as an advertisement and includes the sender’s name, street address, and e-mail address. Opt-out instructions are required. Falsified routing information also is illegal.

March 1998: Washington enacts antispam legislation prohibiting UCE that uses a third-party domain name without permission, contains false or missing routing information, or has misleading subject lines.

September 1998: California enacts antispam legislation that requires UCE to include opt-out instructions, contact information, and subject lines that include “ADV” or “ADV:ADLT.”

March 1999: Virginia and West Virginia enact antispam legislation. Virginia’s legislation prohibits UCE that contains falsified routing information. West Virginia’s legislation is more far-reaching. In that state, it is illegal for UCE to use third-party domain names without permission, misrepresent points of origin, use false routing information, or include false or misleading subject lines.

May 1999: Iowa enacts antispam legislation that prohibits UCE with third-party return addresses (unless permission is provided) or false or missing routing information. The legislation requires UCE to include opt-out instructions and contact information and that those opt-out requests be honored.

June 1999: Connecticut, Oklahoma, Tennessee, and North Carolina all enact antispam legislation covering falsified routing information, opt-out options, and subject lines.

July 1999: Delaware enacts antispam legislation dealing with routing information but also prohibiting UCE from outside the state to in-state residents whom the sender has “reasonable possibility” of knowing are Delaware residents.

June 1999: North Carolina enacts legislation that makes UCE with falsified routing information illegal if the UCE is in violation of an ISP’s policies. This legislation covers UCE sent into and within the state.

July 1999: Illinois, Louisiana, and Rhode Island enact antispam legislation that covers UCE using third-party domain names without permission, falsified routing information, and misleading subject lines. Louisiana’s law prohibits UCE with falsified routing information to be sent to more than 1,000 recipients.

April 2000: Idaho enacts antispam legislation requiring UCE to include opt-out requests that must be honored and prohibits the use of third-party return addresses unless the senders have permission. Idaho also requires UCE senders to use accurate routing information.

June 2000: Colorado, Missouri, and Pennsylvania pass antispam legislation that covers UCE with third-party domain names, false routing information, and opt-out requirements. Colorado requires UCE to include a subject line and sender e-mail address. Pennsylvania’s law requires UCE containing “explicit sexual materials” to say so in the subject line.

April 2001: Arkansas passes legislation that prohibits third-party domain names without permission and false point of origin and routing information.

June 2001: Wisconsin enacts legislation requiring subject-line labels on UCE with obscene or sexually explicit content. An additional Wisconsin statute makes it illegal to harass someone via e-mail.

February 2002: South Dakota enacts antispam legislation prohibiting UCE with false return e-mail addresses, routing information, or subject lines.

March 2002: Utah enacts legislation requiring UCE to identify the sender’s name, street address, and accurate point of origin.

May 2002: Kansas, Maryland, and Minnesota pass antispam legislation that covers routing information; third-party domain names and subject lines are prohibited. Minnesota’s legislation took effect last March.

August 2002: Ohio enacts antispam legislation that requires UCE to include the sender’s name, physical address, e-mail address, and opt-out instruction (which must be honored), and prohibits false routing information. However, Ohio does not consider messages based on a “direct referral” to be UCE. An ISP can sue a UCE sender for damages if it can prove the sender knowingly violated its rights.

Spam is curtailed even in states that haven’t yet passed antispam legislation. For instance, neither Florida nor Oregon have antispam legislation but the Florida Bar and Oregon Bar associations require member attorneys who use UCE to include “legal advertisement” and “advertisement,” respectively, in the subject line. A Kentucky Supreme Court ruling requires attorneys in that state to use “this is an advertisement” in UCE subject lines.

Each state can enforce these laws only within their respective borders. Spammers operating outside the United States also enjoy peculiar, if unintentional, protection through treaties and extradition agreements, which effectively puts them beyond the reach of most state statutes. So Virginia’s enactment is tough but the state may find itself waiting in line. “Getting jurisdiction over somebody for work they do over the Internet isn’t as easy as people think,” Camp said. “While this law has very big teeth, it may not have a very big bite.”

The jurisdiction question is not a new one. An example of what antispam legislation could face is online gambling. Gambling is illegal over the Internet in many states. However, jurisdiction issues around Internet gambling have meant those laws are, effectively, not enforceable, Camp said.

Then there are the inevitable constitutional questions, namely free speech issues, which the new Virginia law seems to have covered. Free speech is protected as long as it isn’t fraudulent or misrepresentative. So commercial speech that isn’t trying to rip someone off is covered by constitutional protection but fraudulent claims would not be, Camp said. The only other constitutional question is whether one state would be able to prosecute a spammer operating in another state.

While those questions certainly loom and more legislation is pending (including three Federal antispam bills under consideration and an Oregon house bill), Camp cautioned that spammers in Virginia should make no mistake. “The effect has been to put them on notice that people (spammers) need to check their practices,” he said.

Here are a few other resources on the topic of spam: