Written by Shaun Waterman
Two coalitions of online and email marketing companies are calling for the Federal Trade Commission to tighten some restrictions on commercial email, including broader use of message authentication protocols like DMARC, more user-friendly opt-out and unsubscribe options and prohibitions on the use of technologies designed to defeat spam filters and other anti-spam techniques.
The calls come in public comments the FTC is soliciting as it prepares to review rules it imposed in 2005, implementing the Controlling the Assault of Non-Solicited Pornography and Marketing, or CAN-SPAM, Act of 2003. The comment period — which closes this week — is designed to inform the agency’s regular review of its rules and will not necessarily result in any changes to the regulations.
The Email Sender and Provider Coalition — an industry group for bulk-mail senders — and the Online Trust Alliance, a nonprofit that’s part of the Internet Society, have both submitted comments. OTA submissions are endorsed by a half dozen interactive marketers and other e-commerce companies.
Although the comments differ in their perspectives and the ground they cover, there are certain commonalities. Both support the law and oppose shortening the 10-day grace period senders have to execute consumers’ opt-out requests.
“The ESPC believes the rule has resulted in … the creation of a national standard for commercial email” that has benefited businesses where a proliferation of state laws would have been unmanageable, the coalition says in its comments, adding that “a strong history of enforcement … has … helped to foster a healthy marketplace for legitimate email senders.”
“The law is working,” said Craig Spiezle, founder and chairman emeritus of the OTA, “legitimate senders understand you need a trust relationship with consumers.”
The arguments against CAN-SPAM never amounted to much, he said.
“It was going to impose unsustainable costs, it was going to stifle innovation … None of that happened,” Spiezle said.
He added that “the FTC needs to be more proscriptive about ensuring that the unsubscribe process is readable and accessible to consumers … That’s what our comments are focused on.”
Individual members of the public have also submitted comments — about 90 all told — including University of California, Berkeley professor Chris Hoofnagle, and Dennis Dayman, the chief privacy and security officer for email marketers Return Path.
Hoofnagle’s comments — and an appendix full of screen-shotted examples — underline Spiezle’s point about the need for tighter regulation of opt-out and unsubscribe options.
“Think of it this way,” he writes, “companies with no business relationship whatsoever can send spam under CAN–SPAM. These companies can then require recipients to run code from it or from third parties … This code could be malicious. It could cause code injections (XSS), steal cookies, track user keyboard use, and install various web trackers, including device fingerprinting.”
The OTA comments note that, although the vast majority of large retailers go further than the law and FTC’s rules require, “many opt-out links were buried in paragraphs and were hardly distinguishable from surrounding text.” They also recommend enforcing a uniform terminology, to avoid companies “blurring” the requirement for opt-out by describing it as “preference management” or some other obfuscatory language. “Providing additional guidance or examples [to companies] in this area would benefit consumers,” OTA concludes.
Hoofnagle argues that senders have “incentives to burden recipients in recipients’ attempts to opt out. Senders act opportunistically to reduce opt outs by imposing non-economic costs on recipients. In aggregate, these costs are substantial.”
He urges the FTC to take account of the amount of time consumers have to spend unsubscribing from unwanted spam and ensure that this is added — alongside the expense of spam filtering personnel and technology — to the externalized costs spammers impose on the ecommerce ecosystem.
Spiezle, a long-time online security advocate who interrupted a cross-continental bike ride to speak to CyberScoop, added that the agency should also be looking at how it could broaden the adoption of email authentication technologies like DMARC — Domain-based Message Authentication, Reporting and Conformance.
When the law was passed in 2003, “email authentication was at most a concept … now it is universally available and widely used,” and the FTC should look into requiring it for commercial email senders. “Validating [commercial] email would be a very positive step,” he said.
Ultimately, Spiezle said, the position of the U.S. as the only Western democracy not to require opt-in for commercial email would become untenable. “At the end of the day, wise marketers will focus on the conditions imposed in Canada and the EU,” he said.
Perhaps surprisingly, Dayman, a career email marketer, agrees.
His comments urge “that commercial email permissions be amended to an opt-in framework,” not because it will stop those (mainly based outside the U.S.) who already flout the law, but because “that simple change will make it easier for our regulators, ISPs, attorneys general, and consumers to differentiate ‘good’ [i.e. legitimate commercial] mail from ‘bad’ mail. It will also bring our electronic policies more in line with other leading nations.”