Over on the Deliverability blog, Andrew Kordek has posted a piece discussing situations where COI doesn’t make sense. While I agree with Andrew’s basic premise – there are, absolutely, instances where COI, even in one-to-many communications, isn’t needed and may have a negative effect – the examples Andrew has chosen to highlight don’t support his thesis. Let’s dive into them, in reverse order.
The registration process consisted of creating a username and password (with CAPTCHA), filing out a long form with information, followed by another page where I had one pre-checked box for one newsletter and then a choice of 7 unchecked boxes for other email publications (with cadence/frequency info and examples) followed by a “confirmation of choices” page and ending with a welcome email which had all of my email choices dynamically assembled within the email. The permission purists or organizations who claim that COI is the ONLY way to acquire an email address would say that this is not enough.
So… signing up on this website is hard and requires a lot of work, so COI shouldn’t be needed? Those two thoughts are tangential. They don’t cross at all.
As much as we want to believe that people, in general, are good, there are any number of people who will try to put someone else’s email address into a web form for a million reasons. They may be a competitor trying to affect your reputation. They may not want email from you at all, but want access to your site, so they give you an address that they think they’ve made up which just happens to belong to someone else. They may legitimately typo the address – I mistype my own company’s domain name at least once a day, and I’ve been here almost a year and a half. None of the things Andrew called out that this site does will protect that site from any of these things.
There is some good advice in what Andrew wrote; there’s also some bad advice, and some things Andrew didn’t even touch on.
- CAPTCHA – all that does is “prove” the submitter’s not a bot. It doesn’t verify that an address hasn’t been misspelled, and it doesn’t stop determined individuals from putting in addresses that aren’t theirs.
- Pages of publications to choose, with a confirmation page – this is a fabulous idea. Presenting immediate feedback showing what the user has chosen to receive and how often they should receive it is an excellent example of transparency.
- Welcome email – also a fabulous idea. This is an opportunity for the website to remind the recipient to add them to an address book, or perform any other step required to facilitate inboxing, and to make sure they know when they might expect to receive emails.
Where does this advice miss? Well, nothing’s been done to make sure the user hasn’t mistyped (accidentally or purposefully) their email address. Playing that tune may make me a “permission purist” but confirming signups helps prevent typos, and minimizing typos goes a long way towards keeping your IP reputations clean, as Laura over at Word to the Wise has mentioned several times. Andrew also glosses over another great use of that confirmation page / welcome email combination – drive the user back to your website (after checking their spam folder) if they haven’t gotten their welcome mail in a relatively short period of time (say, 2-3 hours) so they can check that they haven’t typoed the address. You may not have to COI, but every step you take to bring typos to the user’s attention is one less possible ding to your reputation.
COI would make sense in a retail POS situation where the clerk is asking for email to send the receipt.
Well, no. If all you’re doing is mailing a single receipt, COI makes no sense. You probably want to take care to minimize Personally Identifiable Information, or anything else sensitive that might appear on the receipt, but you shouldn’t need COI for this. On the other hand, if you’re planning to store that email address in some way to send future receipts without input (for example, when I swipe my credit card to make a purchase at the Apple Store down the block, my receipt is immediately emailed to the email address associated with my App Store ID), then you should probably confirm that address in some way. The deciding factor here is “how many emails am I sending this person?” – if the answer isn’t “just one”, you may want to confirm the address.
To me, this is a wonderful opportunity for the company to send out a really fantastic confirmation email which could highlight the benefits of the program, tell a wonderful story incorporating things such as social proofing, give a discount and ask the recipient to confirm.
Yes, absolutely. Using an emailed receipt to drive folks to your newsletter subscriptions is a great idea. Hey, you’ve already got their address; if they subscribe to your newsletters from a link in a receipt, that’s awesome. You probably don’t need to COI those newsletter subscriptions, either, since the act of clicking the link in the email they’ve already received indicates engagement.
In fact, organizations could probably get away with send [sic] 2 or 3 of these emails, but should stop sending anything after X times (there is no “best practice” here) if the recipient does not confirm.
And, again, no. One transaction, one receipt with accompanying “Hey, do you want to receive other emails from us?” request. If you’re sending more than one email without being sure that you’re sending it to the right person, you run a real risk of typos biting you right in the reputation.
COI is a tool. Its purpose is to help you insure that the person asking you to send email to an address has the authority to make that request. It doesn’t make sense in every email-sending context – there are lots of cases where it could be intrusive and unnecessary. But if you’re contemplating sending multiple emails to an address, it’s one great way to make sure they’re the recipient you think they are.
In August of 2007, I submitted a resume to Kforce.com as a part of applying for some position or other. Shortly thereafter, I accepted a full-time position elsewhere, never heard back from Kforce, and promptly forgot about them until March of 2008 – that’s when a recruiter contacted me about a new full-time position that was opening. I replied to them, letting them know I wasn’t in the market for a job anymore, and they left me alone… for 3 months, when a second recruiter contacted me about yet another position. *That* email prompted me to unsubscribe, using the link in their email (which, conveniently, generated an outbound email with a time-stamp showing I sent it within minutes of receiving their email). And, that’s the last I heard of them…
Until this week. On June 2, I received a “Welcome to the Team!” email, congratulating me on my new position. This was followed a few hours later by an email with the subject “Email sent in error”, apologizing for the earlier email. At about the same time, they tweeted the following:
Due to system maintenance issues, we may have inadvertently sent an email to you earlier today our sincere apologies, please disregard.
— Kforce (@Kforce) June 2, 2012
Old-school paranoid that I am, this rings much too close to “the dog ate my suppression list” territory. I’ve opted out of their mails – their having emailed me, even by mistake, is a violation of the provisions of CAN-SPAM. Mildly irked that they believe that ‘oops’ is a sufficient explanation, I replied to them:
@Kforce Seriously? I opted out of communication from you *4 years ago*, and you managed to hit me today during this ‘issue’? Not cool.
— David Romerstein (@dromerstein) June 2, 2012
That generated two response tweets:
@dromerstein Our apologies. This email was an error, however we can’t opt your name out of our service as some candidates have the same name
— Kforce (@Kforce) June 4, 2012
@dromerstein Please refer to the email we sent you, there are instructions at the bottom of the page to unsubscribe. Thank you.
— Kforce (@Kforce) June 4, 2012
The first of these is *ludicrous*, for multiple reasons. I didn’t opt out my *name* – I unsubscribed my *email address*. No one else has that email address. Also? My name is pretty unique – I only know of one other person who shares it, and he’s 13. The second, however, is even worse. I’d already unsubscribed. Recommending that I unsubscribe *again*, when your actions have already put your unsubscribe mechanism on shaky ground, is not going to win hearts and minds. I tried to tell them this:
@Kforce Really? Is that the same unsubscribe mechanism I used 4 years ago that left me open to your ‘incident’?
— David Romerstein (@dromerstein) June 4, 2012
But, perhaps my sarcasm was a little too thick, since they didn’t understand:
@dromerstein We were updating our email system to improve communication with our customers. This caused the send error, our apologies.
— Kforce (@Kforce) June 4, 2012
Kforce screwed up, plain and simple. They’ve sent mail to people (yes, people – Kforce’s Twitter feed around June 3rd and 4th shows a number of response to “why did you email me?” questions) who had previously opted-out of communication with them. They’re compounding the error by asking those people to unsubscribe again, and by giving inadequate and ludicrously wrong answers on Twitter. One hopes that others learn from this bad example and think carefully about public responses to PR problems like this.
In 2003, Congress passed CAN-SPAM – the “Controlling the Assault of Non-Solicited Pornography and Marketing Act”. In the intervening 8 years, there have continued to be numerous misconceptions, misunderstandings, and outright fallacies regarding what CAN-SPAM covers or doesn’t cover, says or doesn’t say, and permits or doesn’t permit. Over the next few postings, I plan to address some of the more common questions regarding CAN-SPAM and show what it really does and doesn’t do for senders.
Before we can bust any myths, we need to understand the Act, as it was passed. The full text of the Act is online over at Legal Archiver. You might want to go read it first; I’ll be referring to the actual wording quite frequently. It’s OK – I’ll still be here when you’re done.
Now that everyone’s read it (or at least skimmed it), let’s talk about what it says, by section. Sections 1 and 2, for this discussion, are meaningless; they’re just backstory. The real meat starts in Section 3, the Definitions. As with many things, the email world is filled with its own jargon, and some people interpret words and phrases in different ways (as proof of this, ask any 10 random people to define ‘spam’; likely as not, you’ll get at least 5 distinct answers). The drafters attempt to avoid ambiguity by clearly spelling out what they mean by commercial messages, how those messages differ from transactional emails, what a recipient is, and so on. It’s important to note that the Act only covers those things as defined in the Definition section.
Section 4 lists things that are prohibited as ‘predatory and abusive’. Note the wording of the amended Section 1037a – it’s an ‘OR’ series of prohibited things. Doing any one of them (accessing a protected computer without authorization, or falsifying headers, or…) qualifies your email as being in violation of the Act. The penalties for violating Section 4 are pretty stiff. This section is mostly designed to cover compromised PCs/email accounts, and is less applicable to general commercial email.
Section 5 covers what your commercial email email must include (and, in some cases, must not do) to be legal under the Act. It is the absolute minimum that a commercial sender must do for their email not to leave them liable for fines or imprisonment. Things that must be done include having a working unsubscribe mechanism and including your physical address in all mailings. Things that must not be done include sending mail to people who unsubscribed more than 10 days ago, falsifying any header information, or including a misleading Subject line. Section 5 also includes an ‘Aggravated Violation’ – if your email is already in violation of the Act and it can be shown that you harvested addresses, engaged in a ‘dictionary attack’, or relayed your email through a server for which you were not authorized, extra penalties can be added. Those are not violations in and of themselves, however; they require that you have already violated the Act before they start counting.
Section 6 details who is liable for email sent in violation of the Act. Specifically, if a company knows, or should know, that an advertiser they’ve hired is using email that violates the Act to promote their products, the company can be held liable for that email. Section 7 lays out the process by which action is taken against violators, and defines the various penalties.
Lastly (for this discussion), Section 8 defines how the Act (a Federal law) interacts with state laws, as well as detailing the effect it has on ISPs’ attempts to curtail the inflow of unwanted mail. In general, the Act supplants previous state laws that govern commercial email, and it does not in any way affect (positively or negatively) an ISP’s right to block or reject mail it considers unwanted. Sections 9 through 16, while interesting, don’t impact what the Act does or covers.
That’s a lot for today. But, with a solid understanding of what’s in the Act, we can start debunking some of the myths that ESPs, individual senders, and large companies have regarding CAN-SPAM.
Next up: Myth #1 – “Since my email is CAN-SPAM compliant, you have to let it through.”
I received an interesting email yesterday. Well, no, not really interesting, but it shows that many of the practices that email receivers have been saying, for years, are wrong are still being used by major companies.
First, a screenshot (click to embiggen):
Now, technically, they’re right – I was a PEOPLE subscriber. Not by choice (it’s a long story involving a compromised credit card) but, for a time, I had a subscription to PEOPLE. However, I never gave them an email address, nor permission to email me. No, they went to an ESP (Experian/Cheetahmail), who dug up an old email address that had no connection to my PEOPLE subscription other than my name, and they decided it must actually be me, the PEOPLE subscriber, and I must want them to send me email. The process of determining a user’s email address by matching datapoints in multiple databases is called “email appending” or “e-pending”.
The email address to which this was sent is… special. In 2004, I was working for Bonded Sender, evaluating new applicants to their program. One of the methods I used to test whether an entity was complying with standards was to create a tagged address, at my vanity domain, specific to that applicant and use that tagged address in their sign-up process. Because the address was tagged, I could determine if it had been sold or traded to other email marketers, which would have been a violation of the Bonded Sender standards. This address was used to test an entity that, ultimately, didn’t make it into the program (and who, obviously, have sold or traded their email data to other entities).
In 2004, when this email address was created, I was living in Virginia, I had a different phone number and all different credit card numbers. There’s really nothing tied to the creation of that address that matches any of my current data (as a PEOPLE subscriber, I lived in California). Yet, somehow, between Cheetahmail and PEOPLE, it was decided that this must be someone who wants to receive PEOPLE’s email.
So, once again, we have a large corporation deciding what’s best for consumers (“They will obviously want OUR email, so let’s find a way to get it to them”), and we have an ESP willing to ignore “permission”, “engagement”, and “the desires of the end-users”. This is a bad combination.
MAAWG, the Messaging Anti-Abuse Working Group, just put out a position paper decrying e-pending as a “direct violation of core MAAWG values” and “abusive”. I hope that Cheetahmail/Experian, as a full MAAWG member, will take this to heart and change their practices… but I don’t see that happening anytime soon.
I had to go digging into my Gmail junk folder today (looking for posts to an anti-spam mailing list that had gone missing), and found something even more interesting. Two emails, sent a couple of days apart at the end of May (and caught by Google’s spam filters), telling me that some randomly-named woman (‘Ashley’ or ‘Jackie’) had ‘sent [me] LivingSocial Deal Bucks’. The emails themselves were fairly standard service invitation emails, and both of them actually came from a guy named Josiah Wartak (whose Twitter and Gmail handles both appear to be “Jawartak”). I don’t think I have any kind of relationship with Josiah – he apparently has something to do with a textbook-brokering website called Fairbooks – but that’s not the kicker.
At the bottom of both of these invitations is the following text: “You are receiving this email because you have an existing relationship with LivingSocial”.
Well. No. No, I do not, actually. I’ve never used LivingSocial. I was completely unimpressed by their early advertising tactics (a guy holding a sign up to the window of the Today Show? Really?), and had no interest in their concept of deals. I’ve searched that Gmail address’s entire corpus of email, and I can’t find anything from or related to LivingSocial, except for those two emails.
So, two problems here. Yet another “invite a friend” feature that allows uploading of random addresses (compounded by the inability to link a LivingSocial username to a real name, for email purposes), and an assumption of relationship on LivingSocial’s part. The first can be easily solved, if LivingSocial wants to prevent abuse. The second is much more insidious, and probably requires a complete change of LivingSocial’s understanding of what a relationship is. I hope that second one can actually come to pass.
At some point in the last few years, I gave Kodak my email address. I suspect that it was probably to access a friend’s photo gallery at kodakgallery.com, but the actual reason is lost to the mists of antiquity. Over that time, they’ve sent me a few emails, which I’ve dutifully ignored. Today, however, the email I received was something different – an extreme example of what not to do to ensure continued delivery.
The email reads, in part:
Welcome to 2011 from the KODAK Gallery. As a valued member, we would like to be sure you have the opportunity to receive important and valuable messages via email about other KODAK consumer products, offers, news, and services. We've made this easy for you. Your permission status has been updated and if you are ok with it, there's nothing else you need to do. If you do not wish to receive those communications, click the "No Thanks" button below. Either way, your Gallery subscription status will not change.
Now, I don’t mind companies with whom I’ve done business asking me for permission to share my personal data. In some instances, I’ve been more than happy to allow it. But to assume that I will allow it, to require me to actively tell them that I do not want this, and to “update” my “permission status” without getting my permission first, is presumptuous in the extreme. In the wake of the Google Buzz fiasco, and the numerous complaints about companies like Ebay and Amazon (in the bad old days) resetting email permissions for folks that hadn’t used the site in a while, I’m shocked that a major company would still believe that it knows, better than its customers, what its customers want.
I’ve been a customer of a major DVD rental company for the last few years. I find the convenience of their rather unusual type of service to be excellent, their stock on new movies has always been good, and the discounts I got for giving them my email address back in the day were handy. Unfortunately, after moving I haven’t used them in a while as their locations just aren’t as convenient to me anymore.
Several weeks ago (just a couple of weeks after their most recent “New releases” email), I got a message from them with a subject of “Confirmation request: Confirm your subscription to [REDACTED]“. Now, I’ve been receiving almost weekly mails from this company since 2007, so I didn’t really think anything about it, and I didn’t confirm. Nothing for a week, and then another, identical message popped up. Slightly confused, I Twittered a message to them: “Hey, [REDACTED]? How about you stop sending ‘confirm your email address’ emails after I’ve obviously made the choice not to respond to the 1st?”. The response I got back was less than encouraging: “Sorry, but we need 2 confirm your subscription. If you choose to not confirm nor unsubscribe, you’ll get few more confirm emails.”
I’m now up to *5*. Once a week, like clockwork. After two “Confirmation requests”, I received a “Response requested” message, and, now, two “Urgent Confirmation Requests”. I’m dismayed, to say the least. At some point, senders need to realize that inaction on the part of a recipient is the functional equivalent of an unsubscribe request. If your recipients are not clicking on those confirmation links, they’re going to start taking further messages from you as intrusions.
Don’t get me wrong – I understand and support reconfirmation campaigns. Attempts to reengage your recipients are good, and can energize what was a lackluster response from long-time subscribers. But there’s a flip side – sometimes, you need to be able to say ‘goodbye’. Understanding that, and being willing to stop sending to recipients who have shown indifference to your reengagement attempts, is an important step.