Logging in to unsubscribe

I have been talking with a company about their unsubscribe process and their placement of all email preferences behind an account login. In the process, I found a number of extremely useful links about the requirements.
The short version is: under the 2008 FTC rulemaking, senders cannot require any information other than an email address and an email preference to opt out of mail. That means senders can’t charge a fee, they can’t ask for personal information, and they can’t require a password or a login to unsubscribe.
I’ve talked about requiring a login to unsubscribe in the past here on the Word to the Wise blog:
Let them go
Questions about CAN SPAM
One click, two click, red click, blue click
How not to handle unsubscribes
I’m not the only person, though, that’s written about this.
The FTC has written about it in the FTC CAN SPAM Compliance Guide for business:

You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request.

Al Iverson at ExactTarget has written about it in his blog post Require a login to opt-out:

Senders are not allowed to require recipients to “provide any information other than the recipient’s electronic mail address and opt-out preferences.” That means you can’t require them to login to your website before continuing on to a preference center or other page. The only thing a recipient has to give you is their email address, and the opt-out preference. (i.e. do you want to opt-out from all messages, or would you like to opt-out only from certain specific lists.)

Even the forums at Y Combinator have mentioned it:

It is definitely illegal to require a login. CAN-SPAM has many (many) faults, but it is extremely explicit about there being no funny business in the unsubscribe process.
Current FTC rules say that your unsubscribe link must either immediately unsubscribe the user or lead to a page that (at most) asks for only your email address and does not try to confuse or dissuade you.

The underlying goal of the rules is to give recipients the ability to make email stop. Requiring a password is one of the things bad senders do to add friction to the process. Because of the abuse of the login process, and the fact that sometimes the recipient doesn’t have the password (and can’t recover it), the FTC has decided no passwords for an opt-out.
This company is also a good example of how COI doesn’t fix everything. All registrations are fully confirmed. Yet, they still can’t manage to stop sending mail to people who didn’t ask for it or want it.
I’m pretty sure the company that triggered this discussion didn’t mean to violate CAN SPAM. But they did. I also expect that this may be the first time anyone pointed out the problem to them.

Related Posts

Social invading everything

I discovered, inadvertently, that there is a business networking site modeled after a dating site. If you’re selling something you go on the site and register as a seller. If you’re buying something you go on the site and register as a buyer. Buyers can post RFIs and sellers can respond.
Decent enough business model, they’ve even fleshed it out so the site itself acts as an invoicing and billing mechanism.
That’s how I discovered it: one of our very large international telco customers decided they wanted to use this site for billing. Many large telcos expect vendors to use their proprietary site, so I wasn’t that surprised when they asked. And, given they’re international, being able to bill them electronically just means I don’t have to remember to use the international stamps.
At the behest of our customer, I signed up at the website. It’s like most social networking sites, create a profile, categorize yourself, make everything public. The thing is, I don’t want to use this site to find new customers. I am just using it because one of my current customers is expecting it. Don’t get me wrong, Abacus is a great product and our customers are extremely happy with it, but it’s pretty niche. It’s not something that’s going to be searched for on a generic website.
I thought that when I set my profile to private that would be some sort of signal to keep me out of the main directory of the site. This morning I realized that wasn’t true when I got a bunch of emails telling me about all these companies looking for “business software” (the closest category I could find).
Getting a bunch of irrelevant mail was annoying enough. Even worse, there was no unsub link in the email. Eventually, I discovered an entire page of email options that were not made clear to me up front. I also sent mail to support and suggested that they talk to their lawyers to clarify whether their opt-out option was consistent with CAN SPAM. I’m pretty sure it isn’t, but I am not a lawyer.
To the company’s credit, they did have good support and my questions through support were answered in a timely fashion. One of their support reps even called me on the phone to clarify what it was that I wanted to happen and walk me through their email options. She was very upfront about yes, they opted everyone in to all the mail at the very beginning of the process. “We’re like match.com for businesses!”
I’m sure there are some businesses that will find this service to be great. But it’s not what I want or need. Despite the fact that their support was so helpful, I don’t have a great feeling about this company. It seems a bit dishonest that I thought I was signing up for a billing portal, but was actually joining “match.com for businesses.” Why couldn’t they make that clear in the 7 emails in 2 days “inviting” me to sign up?
I know I’m a little more sensitive to bad mailing processes than most people, but this was quite an unpleasant experience from the multiple identical emails and reminders before I signed up to the irrelevant stuff I got afterwards.


Expectations

One of the themes I harp on with clients is setting recipient expectations. Senders that give recipients the information they need to make an informed subscription decision have much higher inbox and response rates than senders that try to mislead their recipients.
Despite the evidence that correctly setting expectations results in better delivery and higher ROI on lists, some senders go out of their way to hide terms from recipients. I’ve heard many of those types of comments over the years.


One Click, Two Click, Red Click, Blue Click

I’ve seen a lot of discussion and arguments over the CAN SPAM rule about whether or not an unsubscribe needs to be a One-Click unsubscribe. It’s gotten so common, I have a stock email I use as a template when wading into such discussions. It’s probably useful for a lot of other people, too, so I thought I’d share.
The regs say:
