Remember my 2023 blog post about a CAN-SPAM enforcement action? (No?!?) I noted the rarity of such actions and remarked that the FTC’s action against Experian, involving transactional emails (or, rather, would-be transactional emails) was a major wake-up call, reminding us marketing lawyers that the FTC still cares about CAN-SPAM (formally, the Controlling the Assault of Non-Solicited Pornography and Marketing Act). A more recent action underscores this point in spades.
The action involves California-based Verkada, which sells IP-enabled security cameras and other physical security offerings to its customers. The cameras store customers’ data and archived video footage using Amazon Web Services’ cloud-based storage. They operate from various locations, including sensitive locations like schools and hospitals. In its complaint, the Department of Justice (DOJ), upon notification and referral from the FTC, alleged that, contrary to its promises, Verkada failed to use appropriate information security practices to protect consumers’ personal information. Verkada’s failure allegedly allowed a hacker to access internet-connected security cameras and view patients in psychiatric hospitals and women’s health clinics.
The complaint also alleged that Verkada’s employees and a venture capital investor who invested in the company posted positive ratings and reviews of Verkada without disclosing their material connection to the company. And, as to the headline issue of this post, the complaint also alleged that Verkada violated CAN-SPAM by “flooding prospective customers with a barrage of commercial emails,” failing to include the legally-required unsubscribe option, failing to honor opt-out requests, and failing to include a physical postal address in its emails.
The Stipulated Order, recently signed by the court, requires Verkada to develop and implement a comprehensive security program. Verkada must also pay a whopping $2.95 million monetary penalty to settle the CAN-SPAM charges. The FTC characterizes this as the largest penalty obtained by the FTC for a CAN-SPAM violation. It’s interesting that the CAN-SPAM charges allege pretty classic spamming conduct: too many emails, no effective opt-out and the pretty technical violation of no physical postal address. Even if the security breach was the conduct that really got the FTC’s attention in the first place, the CAN-SPAM charges allowed the FTC to get a sizeable penalty.
How’s your email marketing hygiene? Time to take a look.