Gordon v. Virtumundo (9th Cir. Aug. 6, 2009) concerns whether plaintiff James Gordon, a serial CAN-SPAM Act litigant and “professional plaintiff,” had standing to bring a civil action for damages under the Act. There have been inconsistent rulings on CAN-SPAM standing in the lower courts, several of them involving Gordon. Compare the lower court ruling in this case, Gordon v. Virtumundo, Inc., 2007 U.S. Dist. LEXIS 35544 (W.D. Wash. May 15, 2007), that because Gordon did not experience “substantial actual harm” as a result of unsolicited commercial e-mail sent to its users he lacked standing under the Act with Gordon v. Ascentive, LLC, 2007 U.S. Dist. LEXIS 44207 (E.D. Wash. June 19, 2007), finding that Gordon’s provision of free e-mail accounts to a small number of individuals conferred standing to pursue CAN-SPAM civil claims.

Here, the Ninth Circuit upheld the district court ruling above that dismissed Gordon’s claims for lack of standing. The appeals court also upheld the district court’s conclusion that the Washington anti-spam statute is preempted by CAN-SPAM, and therefore Gordon’s claims under the Washington statute were properly dismissed as well.

In determining the issue of standing, the court construed 5 U.S.C. § 7706(g)(4), which permits a civil action under the Act to be brought by a “provider of Internet access service adversely affected by a violation of” specified sections of Act.

Provider of Internet access service”

The court first addressed whether Gordon qualified as a “provider of Internet access service,” given the nature of his services:


Gordon is a registrant of a domain name, which he, through Omni, hosts on leased server space. He neither has physical control over nor access to the hardware, which GoDaddy owns, houses, maintains, and configures. From our review of the record, Gordon’s service appears to be limited to using his “Plesk” control panel, which he accesses via an ordinary Internet connection through an ISP, to set up e-mail accounts and log-in passwords and to execute other administrative tasks. Verizon enables his online access. GoDaddy provides the service that enables ordinary consumers to create e-mail accounts, register domain names, and build personalized web pages. Gordon has simply utilized that service for himself and on behalf of others. It matters not that he entered the keystrokes or clicked the mouse. Nor is it relevant that he created gordonworks.com e-mail addresses for family and friends, and not merely himself. While Verizon and GoDaddy might have a compelling argument that they are IAS providers within the meaning of the CAN-SPAM Act, Gordon’s claim that he holds such elite status is unconvincing. In addition to his nominal role in providing Internet-related services, we are also troubled by the extent to which Gordon fails to operate as a bona fide e-mail provider. As discussed in greater detail below, Gordon has purposefully avoided taking even minimal efforts to avoid or block spam messages. Instead, Gordon devotes his resources to adding his “clients’ ”e-mail addresses to mailing lists and accumulating spam through a variety of means for the purpose of facilitating litigation.

The court declined to address the limits of the scope of the statutory term “internet access service provider,” but found that Gordon did not meet the definition:

While we agree that statutory standing is not limited to traditional ISPs, we reject any overly broad interpretation of “Internet access service” that ignores congressional intent. Contrary to Gordon’s suggestion, providing e-mail accounts cannot alone be sufficient.

But the opinion does contain a number of comments that seem designed to preserve some wiggle room for the lower courts in separating the sheep from the goats so far as CAN-SPAM plaintiffs are concerned. First, the court commented that while Congress intended to limit the right of action to “bona fide” providers, that term is not limited to “fee for service” providers. The court also had an eye to the proliferation of spam on online services that are not traditional ISPs, and appeared to leave the door open for CAN-SPAM claims by such services:

The marketplace has developed a panoply of related products and services not available when Congress authored the federal legislation. Significantly, no longer are typical Internet users primarily limited to accessing e-mail accounts and searching for content or information. With the rise of social networking sites, blogs, and other user-driven websites, the ability to post content on the Internet or to create forums for others to do so is no longer a privilege reserved for the technologically savvy or the financially elite. The rate of development will only accelerate. As this inevitably occurs and the gateway to the online world further widens for the masses, courts should be mindful that the lines Congress intended to draw when drafting the statutory text might lose clarity.

The court noted several lower court rulings that have held that such services have CAN-SPAM standing, e.g., Facebook,Inc. v. ConnectU LLC, 489 F. Supp. 2d 1087 (N.D. Cal. 2007)and MySpace, Inc. v. The Globe.com, Inc., No. 06-3391, 2007 WL 1686966 (C.D. Cal. Feb. 27, 2007).

Adversely Affected”

The court also found that Gordon failed to establish that he was adversely affected within the meaning of the Act because he failed to suffer any “real harm contemplated” by the Act:

He has not hired additional personnel, nor has he experienced technical concerns or incurred costs that can be necessarily attributed to commercial e-mail. It is also compelling that Gordon purposefully refuses to implement spam filters in a typical manner or otherwise make any attempt to block allegedly unwanted spam or exclude such messages from users’ email inboxes. In fact, Gordon acknowledges that he was able to “blacklist” domain names at the server level, so that the GoDaddy server would reject e-mails from online marketers such as Virtumundo. Still, even without taking even basic precautions, he has not “come close” to using the 500 gigabytes of bandwidth available to him through GoDaddy. He has presented nothing beyond the negligible burdens typically experienced by bona fide IAS providers. As the district court concluded, Gordon has “suffered no harm related to bandwidth, hardware, Internet connectivity, network integrity, overhead costs, fees, staffing, or equipment costs.” Gordon, 2007 WL 1459395, at *8. Indeed, given his heavy dependence on the services and hardware of third parties, it would be difficult, if not impossible, for him to incur many of these harms. Gordon’s claimed harms almost exclusively relate to litigation preparation, not to the operation of a bona fide service.

The court attempted to set a standard for determining adverse effect, although it is stated in somewhat abstract terms:

To give the statutory text meaning there must be, at bare minimum, a demonstrated relationship between purported harms and the type of e-mail practices regulated by the Act—i.e., a showing that the identified concerns are linked in some meaningful way to unwanted spam and, in turn, represent actual harm. The e-mails at issue in a particular case must, at the very least, contribute to a larger, collective spam problem that caused ISP-type harms.


The CAN-SPAM Act preempts state anti-spam statutes, “except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto.” On this issue the appeals court lined up with the ruling of the Fourth Circuit in Omega World Travel, Inc. v. Mummagraphics, Inc., 469 F.3d 348 (4th Cir.

2006), that the phrase “falsity or deception” refers to “fraud or deception,” not mere errors or insignificant inaccuracies. The Washington statute prohibits the sending of an e-mail message that “(a) … misrepresents or obscures any information in identifying the point of origin or the transmission path of a commercial electronic mail message; or (b) Contains false or misleading information in the subject line.” The court concluded that this language extends beyond fraud or deception, and therefore the statute is preempted.

Venkat Balasubramani has posted an analysis of the ruling on his Spam Notes blog.