Ray Everett-Church, Habeas Advisory Services

The final iteration of the CAN-SPAM Act regulations takes effect this week, so this is as good a time as any to review the requirements of the law and to make sure the latest twists given by the Federal Trade Commission (FTC) are baked into your email, web, e-commerce and/or marketing operations.

 

The basics of the CAN-SPAM Act remain the same as they were under the interim regulations:

1. Do not have false or misleading header information or deceptive subject lines.  When you send email, the "from," "to," and email routing information must be truthful and accurately describe the entity who is initiating the email. The subject line must also accurately reflect the contents of the email.

2. Identify the message as an advertisement. Every commercial email must include clear and conspicuous notice that the email is an advertisement and that the recipient can opt-out of future messages.

3. Include a valid return email address or other Internet-based method for receiving and processing opt-out requests. You must give recipients a simple means of requesting to be removed from future mailings. This can be done via email, or through a link to a single web page. The mechanism must be functional for at least 30 days after the email is sent and requests must be processed within 10 business days.

4. Include clear identification of the sender's identity, including a valid postal address.

 
What's new under the new rules?

 

There are four main issues addressed, or clarified, under the final regulations issued a few weeks ago:

 

1. The opt-out mechanism must not require recipients to pay any fee, must not require recipients to provide any information other than their email address, and must not require any steps other than sending a reply email or visiting a single web page. In addition, the FTC made clear that if you utilize an opt-out web page, it cannot contain additional advertisements or exhortations not to unsubscribe. This may require some email marketers to change their current unsubscribe practices, particularly if they ask recipients to log in or to navigate through multiple pages to process the request.

2. In the case of emails sent on behalf of multiple advertisers, the FTC provides guidance on creating a "designated sender" in order to simplify the notice, unsubscribe processing, and other compliance obligations. The designated sender will be the entity responsible for ensuring prompt opt-out processing, and ensuring that all of the advertisers receive copies of the opt-out (suppression) list for future mailings.

3. A post office box or private mailbox, if otherwise operated in accordance with postal service regulations, can be considered a valid postal address under the Act.

4. When the Act talks about a "person," that includes natural persons as well as corporations, associations, and non-profit entities.

Finally, if your site includes a "Refer-A-Friend," "Forward to a Friend," or other similar process, the FTC provided some lengthy guidance about how it will look at such emails in terms of compliance with the CAN-SPAM Act. For example, the FTC made clear that any site, product, or service that is advertised in a "refer-a-friend"-type message may be deemed the sender of that message if the person "induces" its transmission.

 

The FTC did not provide a definition of "induce," but they did indicate that a payment or other consideration wasn't a necessary requirement of an inducement. The FTC's discussion on this point is very lengthy and I won't try to summarize it all here. But suffice it to say that if you depend on "refer-a-friend"-type mechanisms, you will need to consult your legal counsel regarding changes you might need to make in order to ensure compliance.

 

While Habeas cannot provide you with legal advice, we certainly can assist you in reviewing your email reputation management and deliverability strategy and practices with various legal and industry best practices in mind. Our advisory services team is happy to help you fortify your online strategy and brands, and stay off email blacklists!


Ray Everett-Church

The Habeas team returned from this year's Authentication and Online Trust Alliance (AOTA) Summit in Seattle, and by most measures it was a roaring success.

As with past AOTA Summits, this year's featured a wide array of top-tier speakers, including Craig Newmark from Craigslist, former cybersecurity czar Howard Schmidt, and Washington State Attorney General Rob McKenna.

Even at a time when travel and conference budgets are being slashed, the turnout for the AOTA Summit was great, with a tremendous mixture of brands, vendors, service providers, and current/former government officials.

There were also a number of excellent sessions covering the latest technologies and best practices in authentication, email security, and deliverability. We're proud to say that Habeas and some of our customers presented in several sessions, including at AOTA's first Email Deliverability and Trust Academy.

In this post are assembled some random thoughts and comments from several members of the Habeas team who participated in the event. Here are some of the most noteworthy observations:

The deployment of email authentication continues to grow, but it remains a daunting task. In January, AOTA reported that over 50% of email is authenticated in some fashion. These figures were confirmed at this month's Summit, and most of the attendees at AOTA are from companies that really understand the urgency and importance of authentication. The problem is not with the companies whose representatives are involved in AOTA or attending these conferences, rather it's with the thousands of companies who weren't there and who don't yet see authentication as a critical brand protection and reputation protection measure. Thus, some of the most interesting and difficult conversation topics at the summit were around how to grow that number.


There remains a great deal of tension between email senders and receiving ISPs regarding who owns the consumer relationship at the inbox. One attendee made the point that the existence of the "This is Spam" button makes it difficult for a sender to get more useful preference information from their customers. For example, perhaps a recipient really only wants to receive such messages monthly rather than daily or weekly. It's difficult to get a recipient to consider such a choice when the Spam button is glowing in their face.

 
In many of the sessions, we saw continuing evidence that deliverability remains a significant challenge for many major brands, in large part because it can be a very imprecise science. Even when companies employ the very best practices, the difference in how various ISPs assess reputation continues to make reliable deliverability a challenge. For example, SPF records may have a great deal of weight at one ISP, while DKIM signatures have more weight at another. Content filtering may also see a resurgence for ISP to ISP email due to some problems with hackers breaking the "CAPTCHA" process and automatically creating accounts for spamming. All of this points, yet again, to the importance of comprehensive and ongoing reputation management.


Adding further confusion to the deliverability landscape is the proliferation of "best practices" documents and recommendations. With recommendations out there from the DMA's EEC, the ESPC, MAAWG, the IAB, and others, it will be increasingly difficult for senders to stay on top of what "state of the art" actually means. If there's good news for Habeas customers, however, it's that we stay on top of these for you. More importantly, we are very involved with these organizations, and others, and continue to work to resolve any discrepancies and contradictions between all of these standards.


We closed the event with a fabulous group dinner at “The Met” including our customers Sal Tripi from Publishers Clearing House and Sean Walker from The PGA -- and were joined by Craig Spiezle from the AOTA board, members of the team and a few industry friends.


The AOTA Summit continues to be the premier event focusing on authentication issues and technologies. But even though the event is over, the challenges being addressed by the members and attendees continue. Habeas is proud to be helping AOTA drive the effort to get everyone to "Authenticate in '08!"


As always, Habeas Advisory Services and our extended team are happy to help you and your organization with email reputation management and inbox deliverability strategy and execution to achieve your business goals.

Wednesday, May 14, 2008

By: Ray Everett-Church

After four years of drafts and discussions, the Federal Trade Commission has approved the Final Rule - the enforceable implementing regulations - that say how the FTC will be enforcing the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act).
 
The Final Rule was issued by the FTC on Monday, May 12, and will be published in the Federal Register, most likely within the next week or so. It will take effect 45 days after its publication. You can find a copy (http://www.ftc.gov/opa/2008/05/canspam.shtm) in PDF form at the FTC's website.
 
(Obligatory disclaimer: The information contained in this blog posting is not intended to serve as legal advice. If you have any questions about compliance or liability, you are urged to seek appropriate legal counsel.)
 
The entire federal register notice is 109 pages long, although the rule itself is only six pages of that. The rest of the document is a lengthy but incredibly informative discussion of all the feedback they received during the process and an explanation of why they did or did not choose certain approaches.
 
The rule itself sets out four main issues that will affect senders of commercial email:

* The FTC clarified that when the law uses the term "person," that will include not only individual human beings, but also corporations and non-profit organizations.

* To satisfy the Act's requirement that commercial email display a "valid physical postal address," a sender is allowed to use an accurately-registered post office box or private mailbox, so long as it is established under the applicable United States Postal Service regulations for such services.


* An e-mail recipient cannot be required to pay a fee, provide information other than his or her e-mail address and opt-out preferences, or take any steps other than "sending a reply e-mail message or visiting a single Internet Web page" to opt out of receiving future e-mail from a sender.


* The definition of "sender" will be modified to include a means of creating a "designated sender" who will be responsible for complying with the Act in those situations where multiple parties may be advertising in a single e-mail message.


The first two points are neither earth shattering nor controversial. But the same cannot be said of the other two, or of the many issues which the FTC chose to discuss in its notice but on which it ultimately chose to punt rather than issue regulations.
 
Prohibiting the charging of a fee to be unsubscribed is a no-brainer. But prohibiting requests for additional information, which would include usernames and passwords, could mean some changes to how sites handle the unsubscribe process.
 
Moreover, the discussion makes it quite clear that the FTC will not look kindly upon any process that takes more than one page, or fills that page with other advertising or marketing pitches. A big flashing banner that says "Please don't unsubscribe!" will definitely not be allowed on the unsubscribe page. Whether you could place some kind of appeal on the landing page after the unsubscribe request itself has been processed is not clear in the discussion by the FTC.
 
The biggest news in this Final Rule, however, is how the FTC chose to modify the definition of "sender" in response to many inquiries about multi-advertiser messages. They added to the definition of "sender" to clarify that:
 
"...when more than one person's products, services, or Internet website are advertised or promoted in a single electronic mail message, each such person who is within the Act's definition will be deemed to be a "sender," except that, only one person will be deemed to be the "sender" of that message if such person: (A) is within the Act's definition of "sender"; (B) is identified in the "from" line as the sole sender of the message; and (C) is in compliance with [the Act and the FTC's Final Rule]."
 
In creating the concept of a "designated sender," the discussion in the notice indicates that the FTC intends that the "element requiring identification of the person in the "from" line [be] mandatory."
 
Under the Act, the "from" line (the line identifying or purporting to identify a person initiating the message) must accurately identify any person who initiated the message. So when taken in conjunction with this change, the FTC seems to be requiring that there be at least one entity accurately identified in the "from" line, and they're probably going to presume that that entity will be deemed to be the sender.
 
Applying this process to an example, let's say a newsletter publisher "PublishCo" sends an advertisement containing promotions for Company A, Company B, and Company C. Under the originally proposed definition of "sender," all four entities could be considered a sender, and thus all four would be responsible for ensuring CAN-SPAM Act compliance.
 
But under the Final Rule, the FTC would allow PublishCo to be the "designated sender" to be responsible for all compliance tasks, no matter how many advertisers appear in the body of the message.
 
To be the designated sender, however, PublishCo would need to be accurately identified in the "from" line, include their physical address in the body of the email message, and provide one of the two designated opt-out mechanisms (e.g., "sending a reply electronic mail message or visiting a single Internet Web page").
 
It's important to note that the rule does not require that there be a designated sender. The FTC discussion indicates that having an entity identified in the "from" line is "mandatory," but the discussion goes on to indicate that the rule:
 
"does not eliminate the possibility that a message may have more than one "sender." However, marketers can use the criteria set forth in the proviso to establish a single sender and reduce CAN-SPAM's compliance burdens. If marketers fail to structure the message to avoid multiple senders under the sender definition, then each sender is obligated to comply with CAN-SPAM requirements for senders, notably, to provide its physical postal address and to honor any opt-out requests."
 
In other words, if you don't have a designated sender, every advertiser appearing in a message could be deemed a sender and be responsible for processing unsubscribes and sharing suppression lists with all other senders. In a newsletter containing ads for a half-dozen advertisers, this could rapidly turn into a compliance mess, with each and every one of the advertisers liable for ensuring that all the collecting, processing, and trading of unsubscribe lists with all the other advertisers occurs without a hitch.
 
Under our example above, if the email "from" line did not indicate a single designated sender and instead provided something less definitive (e.g., "A_Consortium_of_Fine_Businesses@PublishCo.net"), then all of the advertisers in the message could still be considered "senders" under the Act, and each would be responsible not only for its own compliance but also for the compliance activities of every other "sender" on that message.
 
There's also another twist to this. In order for PublishCo to meet the Act's definition of a sender, it would need to be considered as advertising in the message. This requirement could be met with something as simple as including the words, "For the best in new products and services, come visit PublishCo.net." Without some content that could be clearly considered advertising for itself, however, PublishCo might not fulfill the legal definition of a sender and leave all the other advertisers on the hook.
 
The decision about whether to be a designated sender is one that a company like our fictional PublishCo will have to make with its legal counsel. But it might make sense for PublishCo to step up and be the entity identified as the designated sender, placing their address in the "from" line, their contact information in the message body along with their unsubscribe process, allowing PublishCo to take on the tasks of providing consumers with the opt-out choices, and in turn providing each advertiser with the suppression list arising from that campaign. For most ESPs or publishers, this could mesh well with the existing value-added services such organizations already provide.
 
Taking on this role as the designated sender would also allow PublishCo to offer choices to subscribers about exactly which advertisements they want to receive. While we noted that the FTC expects the unsubscribe process to be simple and unencumbered with additional advertisements or appeals, the law does still permit offering an array of choices.
 
Simplifying the compliance process by having a "designated sender" may help avoid legal problems, but it can also help email deliverability. Think of our example above with three advertisers and a publisher. If all four entities were considered senders, each with its own boilerplate disclosures and opt-out processes, a consumer receiving such an email might be confused about whether they might need to follow four different unsubscribe processes in order to effectively communicate their desire.
 
Some less-than-reputable advertisers might rejoice at such a prospect: by making the unsubscribe process cumbersome some recipients might be dissuaded from doing so - or so the theory goes. But in the end, it is really all of the senders who will wind up as the ultimate losers.
 
When faced with a confusing or cumbersome process, consumers will take the path of least resistance and click the "Report Spam" button or report the senders to email blacklists. Anything that drives consumers to click the spam button is among the most damaging things a sender can do to its email reputation.
 
At Habeas, we have long encouraged the customers of our online reputation management services to adhere to prevailing email industry best practices. Foremost among those is compliance with the CAN-SPAM Act, including making sure that the unsubscribe process is clear and simple.
 
At the end of the day, if a consumer is no longer interested in your email, you want to get them off your list as quickly - and from the consumer's perspective, as effortlessly - as possible, in order to avoid being labeled as spam and harming your email reputation.
 
Finally, it is worth noting that the FTC decided not to address a number of other thorny issues in the regulations. But the Federal Register notice does include some useful, if lengthy, discussions of many of those topics and provides some insights into how the agency might rule if pressed on those points.
 
Among the other topics discussed are: CAN-SPAM's definition of "transactional or relationship message"; the Commission's decision not to alter the length of time a "sender" of commercial e-mail has to honor an opt-out request; the Commission's determination not to designate additional "aggravated violations" under the Act; and the Commission's views on how CAN-SPAM applies to forward-to-a-"friend" email marketing campaigns.
 
The viral "tell a friend" email model, in which someone either receives a commercial e-mail message and forwards the e-mail to another person, or uses a Web-based mechanism to forward a link to or copy of a Web page to another person, is a hallmark of today's hottest social networking websites. The FTC declined to wade into regulating those kinds of emails, but they took pains to explain that, as a general matter, if the seller offers something of value in exchange for forwarding a commercial message, the seller must comply with the Act's requirements, such as honoring opt-out requests.
 
At the end of the day, for those familiar with the regulatory process, it's not surprising that this one has produced a set of rules that raises almost as many questions as it answers. We will undoubtedly see a number of additional inquiries to the FTC seeking further advice as companies explore how the Final Rule affects their particular ways of doing business.
 
But the good news for senders is that the new FTC rules will probably not have a significant adverse effect on senders who are already following the industry's best practices recommendations.
 
For those Habeas customers who are already utilizing our online reputation management services, our deliverability analysis and auditing process will be updated to reflect the guidance provided by the FTC for CAN-SPAM Act compliance. (Should you have any questions about your compliance practices, your customer service rep can provide you with further information.)
 
In the meantime, all email marketers should assume that the 45-day compliance clock is running and that they will soon be held accountable under the new regulations. For some senders, these new regulations will require changes in how they process unsubscribes or manage multi-sender campaigns.
 
To tackle these and other compliance questions, senders should consider a Compliance Analysis by the Habeas Advisory Services team, in which experts from Habeas review your CAN-SPAM Act compliance practices and make recommendations for reducing your risks. You can contact Ray Everett-Church <ray@habeas.com>, Director at Habeas, for more information.