Ask Laura: Confused about CAN SPAM



Dear Laura, 
I read your blog post about CAN SPAM earlier this week, and there’s one thing that confuses me. You never mention that harvesting addresses is a violation. I’ve seen many other people, including lawyers, assert that harvesting addresses is a violation of CAN SPAM. Why did you leave that out?
Signed,
Hopeful maker of musubi


Dear Hopeful,
The idea that harvesting is, in and of itself, a violation of CAN SPAM is one of those misconceptions that has become “common knowledge” and that “everyone knows.” But careful reading of the statute and the FTC rulemaking from 2008 makes it clear that harvesting is not a violation.

15 U.S. Code § 7704 Aggravated violations relating to commercial electronic mail
(A) In general It is unlawful for any person to initiate the transmission, to a protected computer, of a commercial electronic mail message that is unlawful under subsection (a), or to assist in the origination of such message through the provision or selection of addresses to which the message will be transmitted, if such person had actual knowledge, or knowledge fairly implied on the basis of objective circumstances, that—
(i) the electronic mail address of the recipient was obtained using an automated means from an Internet website or proprietary online service operated by another person, and such website or online service included, at the time the address was obtained, a notice stating that the operator of such website or online service will not give, sell, or otherwise transfer addresses maintained by such website or online service to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages; or
(ii) the electronic mail address of the recipient was obtained using an automated means that generates possible electronic mail addresses by combining names, letters, or numbers into numerous permutations.
(emphasis added)

That’s pretty clear to me. Harvesting is only an issue if the message is in violation of CAN SPAM. If you harvest an address and send CAN SPAM compliant mail, then there is no problem.
This was further clarified in the FTC Rulemaking from 2008.

[S]ection 7704(b) specifies four “aggravated violations” — practices that compound the available statutory damages when alleged and proven in combination with certain other CAN-SPAM violations. [3]
[3] 15 U.S.C. 7704(b). The four such practices set forth in the statute are: address harvesting; dictionary attacks; automated creation of multiple email accounts; and relaying or retransmitting through unauthorized access to a protected computer or network. The Act’s provisions relating to enforcement by state attorneys general and providers of Internet access service create the possibility of increased statutory damages if a court finds a defendant has engaged in one of the practices specified in section 7704(b) while also violating section 7704(a). Specifically, sections 7706(f)(3)(C) and (g)(3)(C) permit a court to increase a statutory damages award up to three times the amount that would have been granted without the commission of an aggravated violation. Sections 7706(f)(3)(C) and (g)(3)(C) also provide for this heightened statutory damages calculation when a court finds that the defendant’s violations of section 7704(a) were committed “willfully and knowingly.”
(emphasis added)

Translating all of that out of legal government speak, we get to the idea that only the things listed in 7704(a) are violations and there can be enhanced penalties. Also, these enhanced penalties are only available to state Attorneys General or ISPs.
It would be lovely if harvesting were a violation. It would cut out a lot of the “targeted” spam we see. I think my favorite was the time someone contacted us about advertising shovels on the domain samspade.org. Um… just because there is “spade” in the domain name doesn’t mean we’re a good target for your shovel advertising. But harvesting is only a problem if you violate CAN SPAM. That means spammers can send all the mail they want to harvested addresses as long as they include:

  • Functioning opt-out link
  • Physical address
  • Valid headers
  • Clear messaging that this is an advertisement.

Of course, most spammers don’t have functioning opt-out links and unsubscribing doesn’t actually stop spam. Harvesting would be a treble violation for much of the actual spam. But those folks who annoy the daylights out of me by scraping my address off LinkedIn and sending me their newsletter? Most of the time that’s not illegal.

Related Posts

TWSD: Don't honor opt-outs

One of the big arguments various mailers make is that they make it easy for users to opt-out of mail, so it’s not a big deal. Users who don’t want to receive the mail can make it stop. This was one of the guiding principles of CAN SPAM. The sender can make the decision to send mail to any recipient but they have to offer an opt-out.
The problem is there are a lot of major companies out there that don’t honor opt-outs. Since earlier this year I’ve been tracking when I opt-out of mail. Why? Because I kept getting the feeling that I’d opted out of mail before, but kept getting it.
The good(?) news is that it wasn’t my imagination, some of these companies aren’t honoring their opt-outs. The bad news is that major companies are not honoring opt-outs.


Social invading everything

I discovered, inadvertently, that there is a business networking site modeled after a dating site. If you’re selling something you go on the site and register as a seller. If you’re buying something you go on the site and register as a buyer. Buyers can post RFIs and sellers can respond.
Decent enough business model, they’ve even fleshed it out so the site itself acts as an invoicing and billing mechanism.
That’s how I discovered it: one of our very large international telco customers decided they wanted to use this site for billing. Many large telcos expect vendors to use their proprietary site, so I wasn’t that surprised when they asked. And, given they’re international, being able to bill them electronically just means I don’t have to remember to use the international stamps.
At the behest of our customer, I signed up at the website. It’s like most social networking sites, create a profile, categorize yourself, make everything public. The thing is, I don’t want to use this site to find new customers. I am just using it because one of my current customers is expecting it. Don’t get me wrong, Abacus is a great product and our customers are extremely happy with it, but it’s pretty niche. It’s not something that’s going to be searched for on a generic website.
I thought that when I set my profile to private that would be some sort of signal to keep me out of the main directory of the site. This morning I realized that wasn’t true when I got a bunch of emails telling me about all these companies looking for “business software” (the closest category I could find).
Getting a bunch of irrelevant mail was annoying enough. Even worse, there was no unsub link in the email. Eventually, I discovered an entire page of email options that were not made clear to me up front. I also sent mail to support and suggested that they talk to their lawyers to clarify whether their opt-out option was consistent with CAN SPAM. I’m pretty sure it isn’t, but I am not a lawyer.
To the company’s credit, they did have good support and my questions through support were answered in a timely fashion. One of their support reps even called me on the phone to clarify what it was that I wanted to happen and walk me through their email options. She was very upfront about yes, they opted everyone in to all the mail at the very beginning of the process. “We’re like match.com for businesses!”
I’m sure there are some businesses that will find this service to be great. But it’s not what I want or need. Despite the fact that their support was so helpful, I don’t have a great feeling about this company. It seems a bit dishonest that I thought I was signing up for a billing portal, but was actually joining “match.com for businesses.” Why couldn’t they make that clear in the 7 emails in 2 days “inviting” me to sign up?
I know I’m a little more sensitive to bad mailing processes than most people, but this was quite an unpleasant experience from the multiple identical emails and reminders before I signed up to the irrelevant stuff I got afterwards.


Logging in to unsubscribe

I have been talking with a company about their unsubscribe process and their placement of all email preferences behind an account login. In the process, I found a number of extremely useful links about the requirements.
The short version is: under the 2008 FTC rulemaking, senders cannot require any information other than an email address and an email preference to opt-out of mail. That means senders can’t charge a fee, they can’t ask for personal information and they can’t require a password or a login to unsubscribe.
I’ve talked about requiring a login to unsubscribe in the past here on the Word to the Wise blog.

  • Let them go
  • Questions about CAN SPAM
  • One click, two click, red click, blue click
  • How not to handle unsubscribes

I’m not the only person, though, that’s written about this.
The FTC has written about it in the FTC CAN SPAM Compliance Guide for business
