The document issued last week by the FTC is 109 pages long, although the rule itself is only six pages of that. The rest of the document is a lengthy (but incredibly informative) discussion of all the feedback they received during the process and an explanation of why they did or did not choose certain approaches.
The rule itself sets out four main issues that will affect all senders of commercial email:
The FTC clarified that when the law uses the term "person," that will include not only individual human beings, but also corporations and non-profit organizations.
An e-mail recipient cannot be required to pay a fee, provide information other than his or her e-mail address and opt-out preferences, or take any steps other than "sending a reply e-mail message or visiting a single Internet Web page" to opt out of receiving future e-mail from a sender.
The definition of "sender" will be modified to include a means of creating a "designated sender" who will be responsible for complying with the Act in those situations where multiple parties may be advertising in a single e-mail message.
The first two points are neither earth shattering nor controversial.
But the same cannot be said of the other two, or of the many issues which the FTC chose to discuss in its notice but on which it ultimately chose to punt rather than issue regulations.
Prohibiting the charging of a fee to be unsubscribed is a no-brainer. But by prohibiting the asking of additional information, which would include usernames and passwords, could mean some changes for how sites handle the unsubscribe process.
Of course, if an unscrupulous marketer is attempting to use the unsubscribe process to create a transactional relationship, they're going to be out of luck. My favorite example of this comes from about six years ago, courtesy of a monstrously large software company located in the Pacific Northwest.
One of their divisions or products would send you unsolicited email and when you clicked to unsubscribe, the web page would ask for your password. Since you didn't opt-in and didn't have the password they were looking for, the site would force you to register, requiring things like your full name, postal address, phone number, etc. It would then email you a confirmation before it would finalize your sign-up, and only then would you get the coveted password that was the reason for all this silliness.
If memory serves, they finally stopped the password registration requirement after finding themselves on several spam blocklists and having to clean up a database full of obscene street names.
Moreover, the discussion makes it quite clear that the FTC will not look kindly upon any process that takes more than one page, or fills that page with other advertising or marketing pitches. A big flashing banner that says "Please don't unsubscribe!" will definitely not be allowed on the unsubscribe page. Whether you could place some kind of appeal on the landing page after the unsubscribe request itself is not clear.
The biggest news in this Final Rule, however, is how the FTC chose to modify the definition of "sender" in response to many inquiries about multi-advertiser messages. They added to the definition of "sender" to clarify that:
"...when more than one persons products, services, or Internet website are advertised or promoted in a single electronic mail message, each such person who is within the Acts definition will be deemed to be a "sender," except that, only one person will be deemed to be the "sender" of that message if such person: (A) is within the Acts definition of "sender"; (B) is identified in the "from" line as the sole sender of the message; and (C) is in compliance with [the Act and the FTC's Final Rule]."
Applying this process to an example, let's say a newsletter publisher "PublishCo" sends an advertisement containing promotions for three companies. Under the originally proposed definition of "sender," all four entities could be considered a sender, and thus all four would be responsible for ensuring CAN-SPAM Act compliance.
But under the Final Rule, the FTC would allow PublishCo to be the "designated sender" to be responsible for all compliance tasks, no matter how many advertisers appear in the body of the message.
To be the designated sender, however, PublishCo would need to be accurately identified in the "from" line, include their physical address in the body of the email message, and provide one of the two designated opt-out mechanisms (e.g., "sending a reply electronic mail message or visiting a single Internet Web page").
The decision about whether to be a designated sender is one that a company like our fictional PublishCo will have to make with its legal counsel. But it might make sense for PublishCo to step up and be the entity identified as the designated sender, placing their address in the "from" line, and their contact information in the message body along with their unsubscribe process.
Taking on this role as the designated sender would also allow PublishCo to offer choices to subscribers about exactly which advertisements they want to receive. While we noted that the FTC expects the unsubscribe process to be simple and unencumbered with additional advertisements or appeals, the law does still permit offering an array of choices.
Simplifying the compliance process by having a "designated sender" may help avoid legal problems, but it can also help email deliverability. Think of our example above with three advertisers and a publisher. If all four entities were considered senders, each with its own boilerplate disclosures and opt-out processes, a consumer receiving such an email might be confused about whether they might need to follow four different unsubscribe processes in order to effectively communicate their desire.
Some less-than-reputable advertisers might rejoice at such a prospect: by making the unsubscribe process cumbersome, some recipients might be dissuaded from doing so or so the theory goes. But in the end, it is really all of the senders who will wind up as the ultimate losers.
When faced with a confusing or cumbersome process, consumers will take the path of least resistance and click the "Report Spam" button or report the senders to email blacklists. Anything that drives consumers to click the spam button is among the most damaging things a sender can do to its email reputation.
At my company, we have long encouraged the customers of our online reputation management services to adhere to prevailing email industry best practices. Foremost among those is compliance with the CAN-SPAM Act, including making sure that the unsubscribe process is clear and simple.
At the end of the day, if a consumer is no longer interested in your email, you want to get them off your list as quickly and from the consumer's perspective, as effortlessly as possible, in order to avoid being labeled as spam and harming your email reputation.
For those familiar with the regulatory process, it's not surprising that this one has produced a set of rules that raises almost as many questions as it answers. We will undoubtedly see a number of additional inquiries to the FTC seeking further advice as companies explore how the Final Rule affects their particular ways of doing business.
The good news from all this is that the new FTC rules will probably not have a significant adverse effect on senders who are already following the industry's best practices recommendations.