Controlling the Assault of Non-Solicited Pornography and Marketing Act

Dear Manager and Board of Directors:

The purpose of this letter is to inform Credit Unions that the sending of information by electronic mail, including marketing information initiated by the credit union or a third party, may trigger compliance requirements recently established by the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM).

Effective January 1, 2004, CAN-SPAM requires unsolicited commercial e-mail messages (“spam”) to be labeled as an advertisement or solicitation and to include opt-out instructions along with the sender's physical and electronic address. CAN-SPAM prohibits the use of deceptive subject lines and false headers in spam. CAN-SPAM also authorizes, but does not require, the Federal Trade Commission (FTC) to establish a "do-not-email" registry. In addition, CAN-SPAM preempts state laws that expressly regulate the use of electronic mail to send commercial messages, except to the extent the state law prohibits falsity and deception.

CAN-SPAM sets forth limitations on spam that include, among other things:

• a prohibition against false or misleading header (source, destination, and routing) information in spam or any transactional or relationship message;
• a prohibition against deceptive subject headings in spam;
• mandatory inclusion in spam of information identifying it as an advertisement or solicitation, notice of the opportunity to decline to receive further spam from the sender, and the sender's physical address;
• mandatory inclusion of a functioning electronic return address or a comparable mechanism in spam; and
• a prohibition against transmission of spam after objection (including transferring or releasing an email address after an objection).

The requirements listed above apply to any credit union that initiates spam. If a credit union does not prepare electronic messages itself, but instead uses a third party to promote its services, it should take all reasonable steps necessary to ensure the third party does not violate the requirements set forth in CAN-SPAM. In addition, a credit union that relays spam initiated by a third party, or assists a third party in initiating or relaying spam, should take reasonable steps to ensure the spam complies with CAN-SPAM.

The full text of CAN-SPAM, can be found via The Library of Congress’ website: https://www.ftc.gov/enforcement/statutes/controlling-assault-non-solicited-pornography-marketing-act-2003-can-spam-act. NCUA encourages credit unions to familiarize themselves with all the CAN-SPAM requirements if they intend to send unsolicited electronic advertisements or solicitations.

Should you have any questions regarding this subject, please do not hesitate to contact your Regional Director or State Supervisory Authority.