Tell HN: Login to unsubscribe is against Federal Law
This is a non-friendly reminder to all startups and marketing people. If you are sending me an email and it does not have an unsubscribe link that meets the following rule (as of 2008 FTC ruling on CAN-SPAM act of 2003) then you are breaking the law:
to submit a valid opt-out request, a recipient cannot be required to pay a fee, provide information other than his or her email address and opt-out preferences, or take any steps other than sending a reply email message or visiting a single page on an Internet website
source: http://www.ftc.gov/os/2008/05/R411008frn.pdf
Note: if you are not telling me about a financial transaction we made, our email is not transactional and STILL must follow that ruling.
109 comments
[ 4.5 ms ] story [ 173 ms ] threadI think start-up culture tends to be a bit unethical - we favor expedience and results over rules and regulations, and that's generally correct, but also leads us into murky territory.
The most important guideline might be this - build a company where you'd want to have any of the jobs, and where you'd want to be a customer. But specifically:
1) never send someone an email without explicit opt-in (make them check a box, don't start spamming just because they registered).
2) make it easy for a user to delete themselves from your database, entirely
3) make it easy for a user to port data elsewhere
4) don't make up fake email personages, or otherwise overtly lie to your customers
5) don't use misleading numbers for marketing or fundraising
6) give employees warning and/or severance when you plan to fire them
7) don't discriminate based on gender or sexual preference, even though it may be legal for small companies to do so in your locality
8) if you store financial or sensitive data, make security a priority
do you feel like this is a big problem in the startup world?
More on point, our cultural norms are a little funky. I don't feel really that their should be any degree at a university where there are 20x the number of male students than female students. However, in the computer science world, this is probably the case. This isn't from direct discrimination, but as I said, from cultural standards. Perhaps we should try to be more welcoming to women in the technology field in general.
For example, if I've been taking money from a customer, then I am required to keep appropriate records of that, for example for tax purposes. I must not completely delete that user from my database, no matter how much they ask me to or how willing I would be to do so absent the legal/regulatory requirements that I have to meet.
Having said that, I think serious ethical problems start to creep in if we allow genuine obligations like that one to start getting blurred. After all, if I have to keep some personal data on file because of my tax obligations, there's no harm in keeping the rest as well, right? No-one will ever know unless we get hacked, and we're 100% confident in our security so that's never going to happen. Similarly, if users are signing up using an e-mail address as account ID and I send the required legalese documents to them at that address when they sign up, I might as well send them "news" every few days as well since they obviously don't mind hearing from me. And hey, I've got a cookie there to handle someone logging in, so no harm in having another one for analytics, and if we're going to do that, we might as well let advertisers use tracking cookies as well because no-one cares about privacy any more and they're all on Facebook anyway.
I suppose the trouble is that all of those things are probably already illegal, at least in my jurisdiction, and any start-up willing to do them is probably just as willing to sign up to any friendly-sounding "pledge" and then completely ignore it. Put another way, I'd be happy for any business I run to commit to a realistic pledge along the lines you suggested, but then we wouldn't be doing the sorts of shady thing you're trying to highlight anyway, so I'm not sure anyone gains anything from it.
I personally think that startups face enough challenges already and anything that goes beyond legal limitations and restrictions is just reducing the chances for startups to succeed. Startups are there to break the rules, be disruptive, and should get some slack to "fake it until they make it".
Most of these things already come under "legal limitations and restrictions", and if a start-up can't disrupt a market or create a viable competing offer without breaking those rules, then perhaps it deserves to fail.
I complained about Facebook for requiring me to sign in to unsubscribe from group-emails (which I had already turned off twice).
By that logic, It would seem I'm also allowed to make you login to change the settings by which I notify you of these things. While it would be nice of me to provide such functionality to my site, it does not appear I am not obliged to do so under law.
I'd love to see a blog post about best practices when you have a few different options for in your email prefs & you want to avoid people having to log in.
I recommend everyone else do the same and if everyone did I think the fear of being put on gmail's global blacklist for spam would be a far more effective deterrent than the laws alone.
[1] http://gmailblog.blogspot.co.uk/2009/07/unsubscribing-made-e...
Do they support HTTP URLs in the List-Unsubscribe header yet? Last time I checked, the mailto URL was the only one they supported, despite the fact that RFC 2369 clearly includes an HTTP option. It would be so much easier if website developers could simply reuse their existing unsubscribe link, instead of having to monitor a special e-mail account. And yet nobody seems to support the HTTP URL option.
Me too. I use procmail to send it to /dev/null. I've done this for the last 12 years.
For the most part, since it costs real money to send real mail, many of the people behind it are inclined to honor unsubscribe requests.
This happens often to me:
* Get email that I'd like to unsubscribe to
* Look for unsub info -- directed to "reply to this email" or, almost as bad, "enter your email address"
* Follow instructions
* Receive notice saying "Sorry, the email you entered [sent from] is not in our database"
Well thanks. We've gotten nowhere.
So the right way to design this should be a simple unsubscribe link w/ a unique token that executes the request upon clicking.
At worst, you can do what Constant Contact does and require the email address to be entered, but still provide a hint (i.e. "a....c@gmail.com"). This is still somewhat annoying, but I understand why they do it -- it likely reduces net unsubs since there's a second step involved. Pushing it, but thinking as a business owner as well, I get it.
the majority use case here is that they're not malicious, merely spammy with good intentions.
Also, the email address to which the message was sent appears clearly in the "To:" header.
Google's own google-content-api-for-shopping@googlegroups.com mailing list has this as the "To:" field:
google-content-api-for-shopping@googlegroups.com
And at the bottom of the message:
To unsubscribe from this group, send an empty message.
I had to ctrl-u and check the "Delivered-To:" and "X-Forwarded-For:" headers before I could unsubscribe.
(I'd tried to unsubscribe previously but the subscribed email account forwards to my main account so replying with an empty message didn't work. This thread prompted me to dig a little deeper and finally get one less piece of email per day - thanks HN!)
The dots are for you to play around with, but the mail all goes to one account. Or, at least, that's how it works with my account.
http://www.makeuseof.com/tag/1-awesome-gmail-tip-you-dont-kn...
http://support.google.com/mail/bin/answer.py?hl=en&answe...
Either you or your friend is misspelling their address (more common than you might think, I get opt-in mailing-list mail for myaddress@gmail.com, intended for myaddress@ymail.com), or you've encountered a bug.
Two benefits - 1) easier to remember my login per site and 2) if I start getting spammed as a result of my info being shared with third-parties, I can attribute the original offender to the e-mail address.
That + is frequently a cause of contention though, so I use a . (which was done via config when I ran my own mail server days gone by) and also have a catchall on google apps.
My mail server allows -- as an alternative to + so my users can work around braindead address regexes.
(FWIW, I'm all for following laws that already exist, including this one, but frankly this was a stupid law to enact: spam is not a serious problem, and spam from a single specific bothersome recipient--the only kind this law could possibly affect--was never a problem (or at least hasn't been since the invention of the killfile, something that I am pretty sure predates my birth). What needed regulation was real physical mail--the kind that causes nearly infinite paper trash--and yet that seems to largely be ignored.)
Given this, you must realize that >99% of this spam is from random people whom are not actually subject to this law because they aren't at all traceable. If I have heard of the service, then it will be trivial enough to killfile (such as, "reject all messages from this domain; example: *@pcworld.com"), and much easier to do so than even clicking a single link to unsubscribe as you can make that a hotkey in your client.
(Sadly, people believe that they should rely on spam filters for this use case, which is ludicrous as there is no real way to differentiate "I signed up for PCWorld in 1999 and have since decided I no longer care" from "I never signed up for PCWorld, but they decided to start sending me things O hate" from "I like PCWorld and would love to hear about their new articles, so I subscribed" using remotely objective algorithms.)
(Even a human is going to get it wrong half the time, especially of they're as spam-touchy as the people on this thread reporting services I might personally use and like to Google as "spam" when they can and should either killfile the sender or take the extra 30 seconds to unsubscribe; people who do this just damage the effectiveness of spam filters by messing up the training sets with data that isn't truly indicative of the spam we need machine learning to filter.)
In essence, this law spends a bunch of time figuring out how to regulate people who were either never the problem in the first place, or we're the problem only because they decided to hand your email address to a third party they maybe shouldn't have (although the idea that you will combat spam by keeping your email secret is already a losing battle). Meanwhile, the people who cause the >150k spam messages I receieve per year to saurik@saurik.com just get to keep on spamming.
I'm gently worried about the spam vs ham problem. Some people must not ever have a false positive.
In theory this law encourages good companies to stay good companies and to not outsource to dodgy spam outfits.
It is weird that in 2012 we're still making up stuff about the best practice for sending email.
You might claim Gmail is worrying about the bandwidth, but again: this kind of spam is a tiny tiny fraction of the spam problem. These people are already capable of using buttons that say "spam": a killfile is just another single-click button.
Finally, and again: the spam vs. ham problem is mostly complex because people are misdefining spam as "mail I don't want" as opposed to "mail I couldn't possibly have wanted" (and thereby use the spam button to punish people whose policies they dislike, which both mistrains filters and relies on machine learning to solve a straightforward problem that could be exactly solve by rules).
The spam in the latter category must be machine filtered, as this law, nor any other possible reasonable law, doesn't make even a small ding in it, while the remaining spam in the former category can be handled with one-button killfiles.
This unsubscribe requirement is fundamentally, and frankly quite obviously, not superior to a killlist from the perspective of a normal user for the companies that the law could possibly apply to: it is unnecessary and does not solve a problem we actually have. Your comments about how this stops anyone, anywhere, from sending "massive amounts of spam", therefore, need to be defended, as otherwise they seem off-topic.
Their emails still arrive and get filtered to my trash. They're still in violation with no simple way to unsubscribe.
Not only illegal, it is downright rude to establish gatekeepers like a login box to avoid getting me off that important newsletter.
Given any mail with this characteristic I will gladly report it as spam in the hope that the next guy won't have to deal with it.
LinkedIn and GetGlue both require logins to unsubscribe, so I mark their emails as spam and filter directly to trash. It works, but philosophically it still pisses me off...
http://nz.linkedin.com/pub/matt-gascoigne/17/a25/9b6
You can give a custom email to every website. Then if they spam you or sell you address, you'll know and it's one click to turn them off.
Another nice trick is to change your email at a spammy vendor to a leemail and then turn it off.
The answer to that question might be enlightening.
1) They see communication preferences as part of your account details and therefore just lump it in with the rest of them behind the username and password. I think where this is the case they're naive or stupid rather than malicious.
2) In some cases (I think relatively rare but they exist, they actively want to make it harder for you to stop the mailings and know every extra click and keystroke does this. In this case I think they're naive and stupid as well as malicious.
This is prevented if unsubscribe links in the emails sent out have tokens specific to the user which are validated in lieu of a login. But that's fancy technology that most senders don't have.
More people need to do this.
In most cases, if an email isn't commercial in nature, it's excluded from the CAN-SPAM requirements. Now, whether or not it annoys your users is another discussion...
One relevant excerpt:
"These requirements do not prohibit transmission of “transactional or relationship” content. Even if a recipient opts out of receiving messages with a commercial primary purpose from a particular sender, that sender may continue to transmit other types of messages. Therefore, recipients who invoke their rights under the opt-out mechanism required by CAN-SPAM will continue to receive valuable “transactional or relationship” messages. This is important because transactional or relationship messages are communications that Congress has determined to be per se valuable to recipients."
How are we, for example, feeling about Linked In these days?