Ray Everett-Church, Habeas Advisory Services

The final iteration of the CAN-SPAM Act regulations takes effect this week, so this is as good a time as any to review the requirements of the law and to make sure the latest twists given by the Federal Trade Commission (FTC) are baked into your email, web, e-commerce and/or marketing operations.

 

The basics of the CAN-SPAM Act remain the same as they were under the interim regulations:

1. Do not have false or misleading header information or deceptive subject lines. When you send email, the "from," "to," and email routing information must be truthful and accurately describe the entity that is initiating the email. The subject line must also accurately reflect the contents of the email.

2. Identify the message as an advertisement. Every commercial email must include clear and conspicuous notice that the email is an advertisement and that the recipient can opt-out of future messages.

3. Include a valid return email address or other Internet-based method for receiving and processing opt-out requests. You must give recipients a simple means of requesting to be removed from future mailings. This can be done via email, or through a link to a single web page. The mechanism must be functional for at least 30 days after the email is sent and requests must be processed within 10 business days.

4. Include clear identification of the sender's identity, including a valid postal address.

 
What's new under the new rules?

 

There are four main issues addressed, or clarified, under the final regulations issued a few weeks ago:

 

1. The opt-out mechanism must not require recipients to pay any fee, must not require recipients to provide any information other than their email address, and must not require any steps other than sending a reply email or visiting a single web page. In addition, the FTC made clear that if you utilize an opt-out web page, it cannot contain additional advertisements or exhortations not to unsubscribe. This may require some email marketers to change their current unsubscribe practices, particularly if they ask recipients to log in or to navigate through multiple pages to process the request.

2. In the case of emails sent on behalf of multiple advertisers, the FTC provides guidance on creating a "designated sender" in order to simplify the notice, unsubscribe processing, and other compliance obligations. The designated sender will be the entity responsible for ensuring prompt opt-out processing, and ensuring that all of the advertisers receive copies of the opt-out (suppression) list for future mailings.

3. A post office box or private mailbox, if otherwise operated in accordance with postal service regulations, can be considered a valid postal address under the Act.

4. When the Act talks about a "person," that includes natural persons as well as corporations, associations, and non-profit entities.

Finally, if your site includes a "Refer-A-Friend," "Forward to a Friend," or other similar process, the FTC provided some lengthy guidance about how it will look at such emails in terms of compliance with the CAN-SPAM Act. For example, the FTC made clear that any site, product, or service that is advertised in a "refer-a-friend"-type message may be deemed the sender of that message if the person "induces" its transmission.

 

The FTC did not provide a definition of "induce," but they did indicate that a payment or other consideration wasn't a necessary requirement of an inducement. The FTC's discussion on this point is very lengthy and I won't try to summarize it all here. But suffice it to say that if you depend on "refer-a-friend"-type mechanisms, you will need to consult your legal counsel regarding changes you might need to make in order to ensure compliance.

 

While Habeas cannot provide you with legal advice, we certainly can assist you in reviewing your email reputation management and deliverability strategy and practices with various legal and industry best practices in mind. Our advisory services team is happy to help you fortify your online strategy and brands, and stay off email blacklists!


Ray Everett-Church

The Habeas team returned from this year's Authentication and Online Trust Alliance (AOTA) Summit in Seattle, and by most measures it was a roaring success.

As with past AOTA Summits, this year's featured a wide array of top-tier speakers, including Craig Newmark from Craigslist, former cybersecurity czar Howard Schmidt, and Washington State Attorney General Rob McKenna.

Even at a time when travel and conference budgets are being slashed, the turnout for the AOTA Summit was great, with a tremendous mixture of brands, vendors, service providers, and current/former government officials.

There were also a number of excellent sessions covering the latest technologies and best practices in authentication, email security, and deliverability. We're proud to say that Habeas and some of our customers presented in several sessions, including at AOTA's first Email Deliverability and Trust Academy.

In this post are assembled some random thoughts and comments from several members of the Habeas team who participated in the event. Here are some of the most noteworthy observations:

The deployment of email authentication continues to grow, but it remains a daunting task. In January, AOTA reported that over 50% of email is authenticated in some fashion. These figures were confirmed at this month's Summit, and most of the attendees at AOTA are from companies that really understand the urgency and importance of authentication. The problem is not with the companies whose representatives are involved in AOTA or attending these conferences; rather, it's with the thousands of companies who weren't there and who don't yet see authentication as a critical brand protection and reputation protection measure. Thus, some of the most interesting and difficult conversation topics at the summit were around how to grow that number.


There remains a great deal of tension between email senders and receiving ISPs regarding who owns the consumer relationship at the inbox. One attendee made the point that the existence of the "This is Spam" button makes it difficult for a sender to get more useful preference information from their customers. For example, perhaps a recipient really only wants to receive such messages monthly rather than daily or weekly. It's difficult to get a recipient to consider such a choice when the Spam button is glowing in their face.

 
In many of the sessions, we saw continuing evidence that deliverability remains a significant challenge for many major brands, in large part because it can be a very imprecise science. Even when companies employ the very best practices, the difference in how various ISPs assess reputation continues to make reliable deliverability a challenge. For example, SPF records may have a great deal of weight at one ISP, while DKIM signatures have more weight at another. Content filtering may also see a resurgence for ISP-to-ISP email due to some problems with hackers breaking the "CAPTCHA" process and automatically creating accounts for spamming. All of this points, yet again, to the importance of comprehensive and ongoing reputation management.


Adding further confusion to the deliverability landscape is the proliferation of "best practices" documents and recommendations. With recommendations out there from the DMA's EEC, the ESPC, MAAWG, the IAB, and others, it will be increasingly difficult for senders to stay on top of what "state of the art" actually means. If there's good news for Habeas customers, however, it's that we stay on top of these for you. More importantly, we are very involved with these organizations, and others, and continue to work to resolve any discrepancies and contradictions between all of these standards.


We closed the event with a fabulous group dinner at “The Met” including our customers Sal Tripi from Publishers Clearing House and Sean Walker from The PGA -- and were joined by Craig Spiezle from the AOTA board, members of the team and a few industry friends.


The AOTA Summit continues to be the premier event focusing on authentication issues and technologies. But even though the event is over, the challenges being addressed by the members and attendees continue. Habeas is proud to be helping AOTA drive the effort to get everyone to "Authenticate in '08!"


As always, Habeas Advisory Services and our extended team are happy to help you and your organization with email reputation management and inbox deliverability strategy and execution to achieve your business goals.