Internet and e-mail policy and practice
including Notes on Internet E-mail



19 May 2008

CAN SPAM and Affiliate Mailer Opt-Out Email

Many online businesses use affiliates to drum up business. The affiliate finds a lead somewhere, passes it to the business, and gets a commission if the lead turns into a sale. Web-based affiliates are relatively uncontroversial, but affiliates who advertise by e-mail are a chronic problem due to their propensity to send spam, both spam as normally defined and as defined by CAN SPAM. Is it possible to do legitimate e-mail affiliate marketing? Maybe.

CAN SPAM makes it pretty clear that a business is responsible for the actions of its agents, which includes ensuring that they follow CAN SPAM and other laws. Most of the CAN SPAM requirements are handled the same way by affiliates as if the business were doing its own mailing--headers must not be misleading, mail must have a physical mailing address, and so forth. By far the trickiest requirement for affiliate ads is the opt-out rule, which says a business must follow a recipient's request not to send any more ads. This means that every time an affiliate mails for a business, the affiliate has to remove all the addresses of people who've told the business not to mail to them. Furthermore, people who send opt-outs in response to the affiliate's mail have to be added to the business' opt-out list. This is a pain in the neck, but as I read CAN SPAM, it's not optional.

What makes it tricky is that affiliate marketing is full of sleazeballs, and both the businesses and the affiliates have good reasons not to trust each other. If the business provides the list of opt-outs to the affiliates, the affiliates are likely to steal it and mail to it. Mailing to it could even be legal under CAN SPAM so long as it wasn't promoting the same business. Although it does seem like a poor idea to mail to a list of people whose common characteristic is that they've gone to the effort to say they don't want mail, I know people who've provided tagged addresses that have gotten spammed from ex-affiliates.

So perhaps the business can provide a listwashing service, where the affiliate sends them the list and they send it back minus the opt-outs. No, that's no good, a sleazy business could steal the list on the way through. The same problem applies to affiliates sending opt-outs back to the business--it's far from unknown for people to resell opt-out lists as verified live leads and the like.

There's no perfect solution. One possibility would be to use a neutral third party to handle the opt-outs. That's what Unsubcentral does with some success, although they're limited both by the fact that they don't do it for free (affiliates hate to spend money on anything that isn't going to turn into revenue) and trust issues of yet another party in the mix.

Another possibility is to use lists of address hashes, one-way scrambled versions of addresses. If you have a list of hashes and a list of addresses, you can make hashes of the addresses on your list and compare to see which of your addresses are in the hash list, but you can't otherwise tell what hashes correspond to what addresses. This means that if a business provides a hashed opt-out list to the affiliates, they can use it to scrub their lists, and they'll know what addresses got scrubbed, but since those were addresses they already had, the opportunity for extra mischief is limited. Going the other way, if the affiliates provide the hashes back to the business, the business can scrub its own lists, and provide the hashes in turn to other affiliates, but at each level, they don't learn about any addresses that they don't already have. (A sufficiently determined bad guy could go get huge lists such as the ones on Millions CDs, then hash and scrub those to see what addresses he recovers. It's not perfect, there's no way to provide information to someone you don't trust and be 100% sure he won't misuse it.)
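The hashed opt-out exchange described above, sketched in both directions. This is an added example, not code from the original post; the choice of SHA-256, the trim-and-lowercase normalization, the function names and the sample addresses are all assumptions made for illustration.

```python
import hashlib

def normalize(addr: str) -> str:
    # Assumption: both parties agree to trim whitespace and lowercase
    # before hashing; without a shared rule the hashes will not match.
    return addr.strip().lower()

def hash_address(addr: str) -> str:
    # One-way scrambled form of an address (SHA-256 is an assumed choice).
    return hashlib.sha256(normalize(addr).encode("utf-8")).hexdigest()

def publish_optouts(optouts):
    """Business side: convert the literal opt-out list to a set of hashes."""
    return {hash_address(a) for a in optouts}

def scrub(mailing_list, hashed_optouts):
    """Affiliate side: split a list into (keep, removed) using only hashes."""
    keep, removed = [], []
    for addr in mailing_list:
        if hash_address(addr) in hashed_optouts:
            removed.append(addr)   # the affiliate already held this address
        else:
            keep.append(addr)
    return keep, removed

def merge_optouts(hashed_optouts, new_optouts):
    """Going the other way: opt-outs received by the affiliate are reported
    back as hashes and merged into the business's published set."""
    return hashed_optouts | {hash_address(a) for a in new_optouts}

# Constructed sample data, not real addresses.
BUSINESS_OPTOUTS = ["alice@example.com", "bob@example.net", "carol@example.org"]
AFFILIATE_LIST = ["Alice@Example.com ", "dave@example.com",
                  "bob@example.net", "erin@example.org"]

if __name__ == "__main__":
    published = publish_optouts(BUSINESS_OPTOUTS)
    keep, removed = scrub(AFFILIATE_LIST, published)
    print("mail to: ", keep)
    print("scrubbed:", removed)
    # carol@example.org is on the opt-out list but not on the affiliate's
    # list, so the affiliate sees only her hash and learns nothing new.
    # erin opts out in response to the affiliate's mailing:
    published = merge_optouts(published, ["erin@example.org"])
    print("next run:", scrub(AFFILIATE_LIST, published)[0])
```

The `removed` list is exactly what the recipient of the hashes learns, which is why the scheme leaks more as the list being scrubbed gets larger.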

Whatever a business does, literal lists, third party, or hashes, they have to do something. I would go so far as to say any affiliate e-mail program that doesn't include opt-out management clearly can't be CAN SPAM compliant.

posted at: 12:14 :: permanent link to this entry :: 3 comments

comments...

This topic is very interesting and largely ignored by the media. Many affiliate email programs do I think address the legitimacy problem by taking the newsletter approach.

So they send out a regular newsletter with original articles etc and promote various merchants through ads / sponsorships within this context. That I think allows them to treat the emails entirely as their own and avoids many of the above issues.

But there are many doing email in the way you imply: effectively sending standalone promos on behalf of a merchant. As an affiliate, I've dealt with a lot of B2C affiliate merchants and they tend to divide into three groups:

1. Those that explicitly ban email marketing as part of their affiliate agreement, thus bypassing any problems (but they lose affiliate email sales, of course).

2. Those that only allow select trusted affiliates to use email to promote their products, and who work closely with these to ensure legal compliancy.

3. Those who don't care or don't know about Can-Spam.

The vast majority are in category 3. Add to that the many affiliates who have no awareness of anti-spam laws and, unfortunately, a less-enlightened attitude to spamming and you have a time bomb.

A side issue that is also ignored by many merchants is that it's not just about law. When you've carefully built a business and brand, you really don't want to then have people with no long-term interest in either blazing away wantonly and carelessly with emails promoting your name/products.

(by Mark Brownlow 19 May 2008 10:53)

John, Mark - good post - thanks for mentioning us, John. Email is an incredibly high ROI channel - when it's done right. More and more brands realize that search and display only get them so far - customer acquisition email motivates people to buy and increases sales. We have solutions that make it easy for everyone to be in compliance and protect their brand and deliverability - without directly sharing email lists. And usually, the advertiser pays - not the affiliate.

(by Peter Simmons 22 May 2008 14:11)

I agree as well. Oddly, we haven't seen many lawsuits which really focus on the unsubscribe issue. Take that off-the-cuff thought for what it's worth.

(by Venkat 29 May 2008 18:49)

© 2005-2020 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.