The document issued last week by the FTC is 109 pages long, although the rule itself is only six pages of that. The rest of the document is a lengthy (but incredibly informative) discussion of all the feedback they received during the process and an explanation of why they did or did not choose certain approaches.
The rule itself sets out four main issues that will affect all senders of commercial email:
The FTC clarified that when the law uses the term "person," that will include not only individual human beings, but also corporations and non-profit organizations.
To satisfy the Acts requirement that commercial email display a "valid physical postal address," a sender is allowed to use an accurately-registered post office box or private mailbox, so long as it is established under the applicable United States Postal Service regulations for such services.
An e-mail recipient cannot be required to pay a fee, provide information other than his or her e-mail address and opt-out preferences, or take any steps other than "sending a reply e-mail message or visiting a single Internet Web page" to opt out of receiving future e-mail from a sender.
The definition of "sender" will be modified to include a means of creating a "designated sender" who will be responsible for complying with the Act in those situations where multiple parties may be advertising in a single e-mail message.
The first two points are neither earth shattering nor controversial.
But the same cannot be said of the other two, or of the many issues which the FTC chose to discuss in its notice but on which it ultimately chose to punt rather than issue regulations.
Prohibiting the charging of a fee to be unsubscribed is a no-brainer. But by prohibiting the asking of additional information, which would include usernames and passwords, could mean some changes for how sites handle the unsubscribe process.
Of course, if an unscrupulous marketer is attempting to use the unsubscribe process to create a transactional relationship, they're going to be out of luck. My favorite example of this comes from about six years ago, courtesy of a monstrously large software company located in the Pacific Northwest.
One of their divisions or products would send you unsolicited email and when you clicked to unsubscribe, the web page would ask for your password. Since you didn't opt-in and didn't have the password they were looking for, the site would force you to register, requiring things like your full name, postal address, phone number, etc. It would then email you a confirmation before it would finalize your sign-up, and only then would you get the coveted password that was the reason for all this silliness.
If memory serves, they finally stopped the password registration requirement after finding themselves on several spam blocklists and having to clean up a database full of obscene street names.
Moreover, the discussion makes it quite clear that the FTC will not look kindly upon any process that takes more than one page, or fills that page with other advertising or marketing pitches. A big flashing banner that says "Please don't unsubscribe!" will definitely not be allowed on the unsubscribe page. Whether you could place some kind of appeal on the landing page after the unsubscribe request itself is not clear.
The biggest news in this Final Rule, however, is how the FTC chose to modify the definition of "sender" in response to many inquiries about multi-advertiser messages. They added to the definition of "sender" to clarify that:
"...when more than one persons products, services, or Internet website are advertised or promoted in a single electronic mail message, each such person who is within the Acts definition will be deemed to be a "sender," except that, only one person will be deemed to be the "sender" of that message if such person: (A) is within the Acts definition of "sender"; (B) is identified in the "from" line as the sole sender of the message; and (C) is in compliance with [the Act and the FTC's Final Rule]."