Guest Post: Canada's New Anti-Spam Bill - Is Anyone Listening?

Today's guest post comes to us courtesy of Kevin Huxham, Director of Deliverability at CakeMail, creators of an email marketing application for small and medium-sized businesses, based in Montreal, Canada. Kevin has more than twelve years of experience working in various email-related roles on both the sending and receiving sides of the industry. He has been around since the early days at CakeMail, where he helps clients manage their delivery and fight abuse, and educates them on compliance, reputation and engagement. Prior to this he worked for 6 years at one of the largest ISPs in Canada. Rumour has it he also knows his way around the golf course and has a single digit handicap! Fire away, Kevin!

Transactional Spam: It Happens

US law does not mandate that transactional email notices contain an unsubscribe link. But is it a bad idea to include one anyway? If you don't include an unsubscribe link, you run the risk of sending that mail to the wrong person and leaving them with no way to make that unwanted mail stop. And that is quite validly considered spam by the recipient! The person receiving that message didn't opt in to it, didn't sign up for it, and isn't a registered customer. You shouldn't have sent it to them in the first place, but the very least you can do is give them a way to make it stop.

I've seen transactional notices go both to the wrong people and to spamtrap addresses. And let me tell you, I know from experience that a savvy spam filterer like Cloudmark is not necessarily going to give you a free pass on spamtrap hits just because your messaging is transactional. If you want to remain on the good side of entities like that, you need to make sure you're doing things like validating addresses, respecting bounces and suppressing non-responding addresses. And let's not forget: make sure your support team knows how to handle a "this is the wrong person" email issue.

SMS Spam in the News

SMS (text messaging) spam is frustrating, and blatantly illegal. Sadly, it's not always easily prosecuted, as the bad actors engaging in this practice often hide behind redirectors, falsehoods, and pseudonyms. So it is always a gleeful moment when I read of somebody tracking and filing suit against an SMS spammer. If the allegations are true, Gregorio A. Tejera, Lazaro W. Diaz-Fernandez and Jose Leyva are going to be on the hook for some serious monetary damages.

Aside: It's been years since I've heard somebody talk about the Rodney L. Joffe v. Acacia Mortgage Corporation precedent. I wonder if it will be mentioned in this case.

Defining Persimmon

Are you a persimmon-based email marketer? In case you're wondering, a persimmon is the edible fruit of a number of species of trees in the genus Diospyros.

Change your LinkedIn Password

According to Return Path and Next Web, LinkedIn was hacked today and the bad guys were able to steal passwords for about 4% of their userbase, affecting approximately 6.5 million accounts. Are you one of that 4%? Let's not find out; go change your LinkedIn password as soon as possible. Also, if you used that same password elsewhere, be sure to change your password on those other sites as well.

This perhaps isn't specifically a deliverability-related event, but every professional I know in the email space seems to utilize LinkedIn heavily, so I wanted to help get the word out.

Defining Permission

There's this phrase out there called "permission-based email marketing." Not everybody understands what it means. And certainly, some folks purposely misuse the terminology, in an attempt to hide the fact that their practices may be at odds with true informed consent. (Bad actors regularly misuse terminology; there's currently a Spamhaus-listed "data compiler" who incorrectly seems to think that "data cleansing" means "mailing to a big list of invalid addresses and spamtraps to see what bounces.")

To that end, I wanted to share how I define "permission-based." I believe that permission-based means:
  • Recipients are told at the point of sign up who is going to mail them and how often.
  • The statement regarding who will be mailing you is not buried in a privacy policy, legal agreement or set of terms and conditions.
  • Recipients don't end up on a list accidentally; their email address ends up only on any list(s) that they intended to sign up for.
  • The opt-in process is not "forced" on all visitors to your site -- I'm not sure that it's truly permission-based if you require that somebody sign up for a list, just so they can access your site or download your whitepaper.
  • Email addresses are not appended, bought or sold.
  • The "affirmative consent" standard found in the US Federal "CAN-SPAM" law is met.
These are all important, but allow me to call your attention to the last point. From the perspective of the spam-receiving consumer, CAN-SPAM is an imperfect law. After all, it doesn't prohibit spam. It in fact allows a sender to send unsolicited commercial email (aka "spam"), as long as the sender follows a few simple rules. Regardless of this flaw, there's a very useful bit buried within -- the "affirmative consent" standard. It actually provides a useful definition of what constitutes opt-in. It states:

"The term 'affirmative consent', when used with respect to a commercial electronic mail message, means that- (A) the recipient expressly consented to receive the message, either in response to a clear and conspicuous request for such consent or at the recipient's own initiative; and (B) if the message is from a party other than the party to which the recipient communicated such consent, the recipient was given clear and conspicuous notice at the time the consent was communicated that the recipient's electronic mail address could be transferred to such other party for the purpose of initiating commercial electronic mail messages."

In plain language, this means that the informed consent standard is met if the signup was initiated by the subscriber, consent was requested and given, and the subscriber is told who they are going to receive mail from, if it is not the party to which they provided their email address. (I'm not necessarily excited by the allowance for data transfer, but if it's going to happen, "clear and conspicuous notice" is a pretty good way to do it.) That, to me, is how you define a process as permission-based.

(Want to read more thoughts on permission? Laura Atkins has a round-up here.)