Registration is not permission

“But we only mail people who registered at our website! How can they say we’re spamming?”
In those cases where website registration includes notice that the recipient will be added to a list, and/or the recipient receives an email informing them of the type of email they have agreed to receive, there is some permission involved. Without any notice, however, there is no permission. Senders must tell the recipient, at the time of registration (or shortly thereafter), that they should expect to receive mail; otherwise there is not even any pretense of opt-in associated with that registration.
Take, for example, a photographer’s website. The photographer took photos at a friend’s wedding and put them up on a website for the friend and guests to see. Guests were able to purchase photos directly from the site, if they so desired. In order to control access, the photographer required users to register on the site, including an email address.
None of this is bad. It’s all standard and reasonably good practice.
Unfortunately, the photographer seems to have fallen into the fallacy that everyone who registers at a website wants to receive mail from the website, as this morning I received mail from “Kate and Al’s Photos <pictage@pictage.example.com>.” It includes this disclaimer on the bottom:

This email was sent by Pictage, Inc. to laura-tagged@mydomain.example.com, a registered user on www.pictage.com or an affiliated partner. If you’d rather not receive future email from Pictage, please click here.

No. No. No. Bad Sender. No Cookie.
I registered because I wanted to see specific photos on your website. Not because I want to receive email from you. I read your privacy policy (http://www.pictage.com/static/about/termsofservice.html) and there was nothing on there about sending mail. You didn’t mail me a welcome message. You didn’t tell me I’d be receiving advertising from you. You simply added me to a mailing list and then, 3 months later, sent me an email. And you didn’t just spam me, but you spammed a bunch of Al’s closest friends (many of whom are also delivery and anti-spam folks and at least one of whom is a Spamhaus volunteer).
This is a very bad way to run a mail campaign. There was no information about email in the privacy policy. There wasn’t an opportunity to opt-out at registration. There was no welcome message alerting me to the chance that I’d receive mail from you in the future.
Registration is not an opt-in request and does not confer permission for the sender to add the receiver to a mailing list.
EDIT: Al’s reaction to his name being used in mail he did not authorize

Related Posts

Subscription practices in the wild

It’s always interesting to look at what other email marketers are doing and how closely their practices align with what I am recommending to clients.
Today’s example is a welcome message I received from Marriott. During my recent trip to visit a client, I gave Marriott my email address. They sent me a welcome message, primarily text that looked good even with images turned off. The text of the email told me why I was receiving the email and what I could expect.

Beware: Phishing and Spam in Social Networks

Trend Micro warns us today about how spam and phishing can hit you even in the closed ecosystem of a social networking system such as Facebook. Malware abounds. And in the social network arena, just like anywhere else, “using your account to send spam” is a common thing for the bad guys to want to do.
In Rik Ferguson’s investigation (which I read about on CNet News), he came across a link to a URL that asked for his Facebook credentials, supposedly necessary to allow installation of a specific Facebook application. Once the credentials were handed over, the app immediately spammed all of his Facebook friends, sending them a bogus notification, attempting to draw them into visiting the phishing/malware URL, with (one assumes) the hope of spreading the infection even wider.
He’s a researcher for Trend Micro, so he knows what he’s doing. But for the rest of us, this highlights how necessary it is to be careful with who you give your usernames and passwords to. In my opinion, it’s never safe to take your username and password from one site and hand it over to another site. Some social networking sites make the problem even worse by blurring the lines between safe and unsafe by asking for usernames and passwords to third party accounts, but you just can never know with 100% certainty which sites are legitimate and which ones aren’t.
— Al Iverson
