So you're glad that Congress passed the CAN-SPAM Act. After all, your "in" box is constantly filled with annoying messages; and your own company doesn't send unsolicited junk. Now the villains will get theirs, while you watch.

Think again.

Even if you don't send unsolicited junk e-mail, you can be held liable according to this new law, which took effect Jan. 1. It doesn't matter that you send e-mail messages to only those recipients who already are your customers -- or that they explicitly asked to receive your mailings (so called opt-in).

Under the act, if you send out only "transactional messages," such as completing a sale, or giving warranty updates or customer statements, or changing the terms of your existing relationship, it's easy to comply.

The key is to make sure that you don't mislead the recipient with false information -- in the subject, the body or in the "from" line. That means you cannot misidentify yourself. Nor can you omit your sender information or falsify your sending e-mail address. The reply-to address also must work for 30 days after you send your message.

Most marketing messages, though, are not transactional according to the strict definitions of the CAN-SPAM Act. They are subject to the act's rules for "commercial electronic mail."

Even if you normally send transactional messages to a recipient, your marketing messages to that same recipient need to abide by the rules pertaining to commercial e-mail. Start by conforming to the rules for transactional messages.

Allowing them to unsubscribe

One of the most important aspects of the CAN-SPAM Act is the requirement that you provide a way for recipients to "opt out." The act gives you flexibility to choose the manner in which the recipient requests to be off your list. But it must meet certain parameters.

Unsubscribe instructions must be included in the message.

You must remove the person from your list within 10 days if he opts out.

Once removed at the recipient's request, you may not send another commercial message to that person, or sell or lease his e-mail address to another party.

If you have more than one business unit in your company, and you send your message under the auspices of a particular division, when the recipient opts out, that entire division can no longer send commercial electronic messages.

However, it is implied in the act that if the message doesn't seem to come from a specific division or separate line of business, then you must remove his name from all commercial e-mail lists in your company.

Since many multidivisional companies communicate poorly between business units, I expect to hear about many violations. E-mail users are likely to unsubscribe to a corporate list and find that the corporation has taken them off only the division's list.

I predict arguments between middle managers and e-mail recipients, with the managers claiming that they are not covered by the opt-out request and many of these claims being caused by ignorance of the law.

I have already seen one part of the act ignored or violated numerous times in its first week. You must include a "valid physical postal address of the sender."

Nowhere to hide

Don't try to hide from the law by using an external company to send spam. If the message benefits you, and it violates the law, you may be liable -- even though your staff doesn't directly send the messages.

You're supposed to know and the violation penalties can be up to $250 per infraction up to $2 million.

I have posted the CAN-SPAM Act at my Web site, and will address more issues in my Megabyte Minute Tip Letter.

First Published: January 8, 2004, 5:00 a.m.