
CAN-SPAM Compliance is Important

Jul 2, 2015     Tags: programming, rant    


Administrivia: I’m still working on Part 2 of Decoding the Metrocard, my apologies to anybody waiting on it. It’ll be done soon, I promise!

CAN-SPAM is a mixed bag. Unlike the 1986 Computer Fraud and Abuse Act, CAN-SPAM’s goal is fundamentally good: reduce the amount of email spam consumers receive from companies, advertisers, and marketers. Unfortunately, in my experience, it’s also on the verge of being unenforced.

Although companies have done a good job of putting little links on the bottoms of their emails offering to unsubscribe you from their announcements, a growing number have taken to violating CAN-SPAM’s deadline for action or, more insidiously, taking no action whatsoever. This is a dangerous lapse in the FTC’s already shaky enforcement of online consumer protection laws, and is a source of annoyance and dissatisfaction for customers like me.

By posting this, I hope to encourage other consumers to take action against CAN-SPAM violations, and perhaps even to get the attention of the FTC or the offending companies.

The important bits of CAN-SPAM

Taken from the FTC’s CAN-SPAM Compliance Guide:

My interpretations are in italics.

This one is especially important. The full text (emphasis added):

Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.

In summary, the FTC’s CAN-SPAM guidelines are fairly straightforward. Companies cannot misrepresent the origins or intentions of their messages, must facilitate opt-out requests, are responsible for messages sent by contracted services, and must honor opt-out requests within 10 business days of receipt.

The offenders

Based on the unsolicited spam I’ve received, let’s name some names:

Spotify was the worst of all, sending 16 unsolicited messages (the 17th was a password reset request) over a period of approximately two months despite an initial opt-out request, multiple subsequent requests, an FTC complaint, and a chat with a representative:

Spotify emails

In addition, I was told that the “unsubscribe process can take up two (2) weeks …to take effect”, a clear violation of the 10-business-day action mandate imposed by CAN-SPAM.

PayPal was also fairly bad, sending 7 unsolicited messages over a 5 month period:

PayPal emails

More interestingly, PayPal’s unsubscription page forgot my previous request on each visit, conveniently re-checking the ‘News and Promotions’ option:

PayPal request page

(Dis)honorable mentions go to Dropbox (4 unsolicited messages) and Ticketmaster (for requiring a login constituting “personally identifying information beyond an email address” to change subscription preferences):

Ticketmaster login page

What needs to be done

For one, companies need to take CAN-SPAM more seriously. No large company can feign ignorance of its mandates (not that ignorance is an excuse), and all should be aware that failing to obey the law both hurts consumer perceptions and leaves them vulnerable to legal action and substantial fines.

The FTC also needs to take its role in combating spam more seriously. Although it has pursued legal action against CAN-SPAM violators, the frequency of those actions has diminished significantly over the years. In order to prevent lapses in enforcement (which are all too common in consumer protection jurisprudence), the FTC needs to investigate more CAN-SPAM complaints and increase public awareness of its duty to enforce CAN-SPAM and similar laws.

Finally, email users need to be made more aware of the protections afforded to them by CAN-SPAM. Virtually everybody knows about the little ‘unsubscribe from future messages’ links at the bottom of marketing emails, but few know about the 10-business-day action deadline or the rule that a company may not demand personally identifying information beyond an email address as a condition of opting out. Once more users are informed about their rights with respect to unsolicited mail, more valid complaints can be registered with the FTC.

- William