If my bot breaks the law… who pays the fines?

The CAN-SPAM Act of 2003 may put business at risk for fines if they let their chat bots use the company's email system.

The quirks of AI may drive the most clicks on news sites today, but the rate at which AI is replacing human-customer interactions is the real headline. Every major tech company is now playing catch-up to ChatGPT by creating bots with surprisingly good results. These AI services promise to help you generate content, curate your customer’s experience, or even name your baby (yes, really). However, if companies allow AI to do their texting[mfn] While the CAN-SPAM act does not specifically identify SMS messages as being within the scope, the FTC did include SMS messages as long as it “includes a reference to the Internet”. 19 FCC Rcd 15927, 15933 [/mfn] or emailing, thanks to the CAN-SPAM Act, they risk civil fines for any “false or misleading” information that might sneak into them. 

The backdrop of the CAN-SPAM Act – A New Frontier 

In 2003, email message technology was still in its early stages of development. The most popular email providers were Yahoo!, Hotmail, and AOL. Gmail was still a year away from upending the market by giving away 1 GB of storage for free. Myspace and Facebook had yet to even enter the ring. 

Early email was a simple affair. Text only, no attachments or images. Email servers were slow, and messages could take literal minutes to arrive. But the potential of email was clear, and unsolicited emails quickly flooded inboxes, ranging from gibberish to explicit content. With no laws or penalties, senders were free to push pyramid schemes, chain letter scams, and even ply the oldest profession with the cost of a click. 

Congress steps in with the CAN-SPAM Act of 2003 

The CAN-SPAM Act of 2003[mfn] CONTROLLING THE ASSAULT OF NON-SOLICITED PORNOGRAPHY AND MARKETING ACT OF 2003; CAN-SPAM ACT OF 2003, 108 P.L. 187, 117 Stat. 2699[/mfn] is a federal law that set rules for commercial email. It provides for civil penalties up to $16,000 per occurrence for recklessly sending any commercial email that contains “false or misleading information.” The statute provides a three-part test [mfn]117 Stat. 2699[/mfn]: 

  1. Business must know, or should have known, the email contained false or misleading information 
  1. Business must have expected to receive economic benefit from the email 
  1. Business takes no reasonable steps to prevent or detect the communication and report it to the commission. 

So what is a “commercial electronic mail message?” 

Congress narrowly and specifically defined an electronic mail message to exactly what you would think it should mean. The FTC expanded that basic interpretation to included internet-to-phone SMS messages so long as it included a reference to the Internet.[mfn]19 FCC Rcd 15927, 15933[/mfn] It further narrowed the scope to “commercial” messages identified by their “primary purpose.” Neither Congress nor the FTC has addressed whether email adjacent communications, such as Facebook Messenger, Signal, WhatsApp, or various other instant message services. All these services function virtually identically to SMS in delivering unwanted commercial messages to a device, with the notable exception that you can uninstall the app to block them. 

How do I know what the primary purpose of an email is? 

Congress left it up to the FTC to define the “relevant criteria” in deciding the “primary purpose” of an email message. The FTC uses several factors to figure out the primary purpose of an email, including the subject line, content, sender, and recipient, as well as whether a reasonable person would consider the email to be commercial.  

Do you trust your bot to tell the truth, the whole truth, and nothing but the truth? 

Besides requiring an ability to opt out (a topic for different post), the CAN-SPAM Act also requires that commercial email senders must not send false, deceptive, or misleading subjects, content, or headers. But let’s face it, even well-designed bots can have a hard time with the truth, and some have been tricked into violating their own guardrails and going on “inappropriate” rants. 

How can you protect yourself from a bad bot? 

 Before you turn your bot loose to message with customers or share any information created by a bot via email or text message, get your polices straight, and make sure your customers read them. 

Your website terms and conditions are one of the most important legal documents you’ll ever have. They protect you from liability, ensure that you have the right to use your content, and define the relationship between you and your visitors.  

But drafting a comprehensive and enforceable terms and conditions agreement is no easy task, and drafting one that is easy enough for your customers to understand is even harder. And even if you have the world’s greatest terms and conditions, enticing your customers to read it is like getting a toddler to choose broccoli over chocolate milk. That’s why it’s so important to work with an experienced attorney who understands the technology, law, and the Internet best practices.

 Once your terms and agreements are ready to go – test, review, disclaim, repeat. 

  1. Before your bot emails or texts, get as many people as you can test it out and try to break it. Ask it every offensive, abusive, and derisive thing you can think of, and then ask everyone you know to do the same thing. The Internet can be a dark place, lousy with irate customers and bored high schoolers, and your bot needs to be ready. 
  1. After you go live, record and review every message your bot sends and keep it in a database. Assign someone to monitor the outputs constantly to ensure you get the desired results. Before you do that, make sure you update your privacy policy to allow you to capture, store, review, and process this information. Also ensure your security is on point to filter or secure sensitive information that may be included (whether or not it is intended). 
  1. Do not oversell what your bot can do and make sure there are properly drafted disclaimers about unintended results. Create human driven pathways that visitors and customers can use to verify information before relying on it. Best yet, have the bot deliver these disclaimers in every conversation. 


WordPress Cookie Plugin by Real Cookie Banner