
Spotify is (Still) Violating CAN-SPAM

Jun 28, 2017 | Tags: rant

Caveat: I’m writing this, sleep deprived, on a delayed train.

I got an email from Spotify about an hour ago:

First of all, I never gave Spotify my location. It looks like they’ve fallen back to guessing based on my IP, incorrectly ascertained from a tunnel. That’s creepy, but whatever.

I could’ve sworn that I disabled all email notifications via their website, but also whatever. Maybe I missed a checkbox.

So, of course, I click on the (tiny) unsubscribe link at the bottom of the email, which brings me to this page:

Well, that’s nice. But what about my other “notification settings”?

Uh oh.

That (obnoxious but seemingly innocuous) login is a CAN-SPAM violation. In particular, it violates guideline 6 of CAN-SPAM:

Honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.

(Emphasis mine.)

In other words, since I am already identified by virtue of the unique unsubscribe URL sent in the email, Spotify is not allowed to force me to visit more than one page on the Internet (World Wide Web?) as part of my unsubscription request. By clicking first on the notification settings URL and then on the login button, I have visited three pages.
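For contrast, here is what a compliant single-page opt-out looks like in code. This is an added example, not Spotify's code: the recipient is authenticated by an HMAC-signed token carried in the unsubscribe URL (the signing key, the subscription store and the user ids are constructed for the example), so every notification category can be switched off on that one page without demanding a login.

```python
import base64, hashlib, hmac, json

# Server-side signing key and subscription store: constructed for this example.
SIGNING_KEY = b"example-signing-key-keep-this-server-side"
SUBSCRIPTIONS = {
    "user-123": {"concert_alerts": True, "new_releases": True, "playlists": True},
}
LINK_LIFETIME = 30 * 86400  # opt-out links must keep working for at least 30 days after sending

def make_unsubscribe_token(user_id, issued_at):
    """Build the per-recipient token embedded in the unsubscribe URL."""
    payload = json.dumps({"u": user_id, "t": issued_at}).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload) + b"." + base64.urlsafe_b64encode(sig)).decode()

def recipient_from_token(token, now):
    """Return the user id the token authenticates, or None if it is forged, damaged or expired."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    data = json.loads(payload)
    if now - data["t"] > LINK_LIFETIME:
        return None
    return data["u"]

def handle_unsubscribe(token, now, categories=None):
    """The single opt-out page: the token already identifies the recipient, so no login is required.
    With categories=None every notification category is switched off in this one step."""
    user_id = recipient_from_token(token, now)
    prefs = SUBSCRIPTIONS.get(user_id) if user_id is not None else None
    if prefs is None:
        return {"status": "invalid_link", "unsubscribed": []}
    targets = list(prefs) if categories is None else [c for c in categories if c in prefs]
    for cat in targets:
        prefs[cat] = False
    return {"status": "ok", "unsubscribed": sorted(targets)}
```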

There is a sense, of course, in which they have followed the letter of the law: my unsubscription request for a single category has been honored. However, this completely violates the spirit of the law: under this loophole, there’s nothing stopping companies from simply claiming that users did not unsubscribe from the (new, constantly updating, &c) list of categories. Oh, and did we mention that every TOS change resets your subscription settings? Whoops, sorry about that.

At the end of the day, Spotify probably won’t care. As I mentioned in a post about two years ago, the FCC’s enforcement of CAN-SPAM is practically nonexistent. Companies know this, and are increasingly willing to stretch their compliance with the law to improve their email retention rates.

That’s pretty much all I have to say. From a user’s perspective, this is terrible behavior on Spotify’s part.