I’ve seen a lot of discussion and arguments over the CAN SPAM rule about whether or not an unsubscribe needs to be a One-Click unsubscribe. It’s gotten so common, I have a stock email I use as a template when wading into such discussions. It’s probably useful for a lot of other people, too, so I thought I’d share.
The regs say:
§ 316.5 Prohibition on charging a fee or imposing other requirements on recipients who wish to opt out.
Neither a sender nor any person acting on behalf of a sender may require that any recipient pay any fee, provide any information other than the recipient’s electronic mail address and opt-out preferences, or take any other steps except sending a reply electronic mail message or visiting a single Internet Web page, in order to:
(a) Use a return electronic mail address or other Internet-based mechanism, required by 15 U.S.C. 7704(a)(3), to submit a request not to receive future commercial electronic mail messages from a sender; or
(b) Have such a request honored as required by 15 U.S.C. 7704(a)(3)(B) and (a)(4).
If you shorten that really complex sentence and take out the modifiers / pointers to statutes it says: “No one may require that a recipient take any steps except visiting a single internet web page in order to submit a request to not receive future commercial emails from a sender.”
Under this rule, the sender may ask for the recipient’s electronic email address and their opt-out preferences.
I believe that a “2-click” process, where the first click takes the user to a webpage and the second click confirms the email address and the unsubscribe option, is legal under the FTC rulemaking. What the FTC really wanted to stop was requiring things like passwords for an opt-out, and to counter some of the spammers who were requiring people pay to be unsubscribed.
I do not like green eggs and spam.
I do not like them, Sam I am. (With apologies to Dr. Seuss)
RSS - Posts
Just because it’s legal to require the user to enter an email address to unsubscribe doesn’t make it good practice, though.
There’s a balance to be struck between inconveniencing someone trying to unsubscribe (especially if they have multiple email addresses) and dealing with the potential unsub issues caused by recipients forwarding mails to friends. There’s probably a whole other blog post about that tradeoff.
One additional complication of one-click is there are systems that will click all links in all emails. This will result in accidentally unsubscribes by the software, not the user. I have seen this happen with email systems on state school systems, and very aggressive virus scanners.
Additionally, as these systems click every link in every email, it can result in hundreds of extra gross clicks from just a handful of users.
Only thing worse than a complicated unsub option is the non-existant one. “If you would like to unsubscribe, email us at unsubscribe@website.com“. You have to manually compose an email to stop getting emails you don’t want.
I’ve seen Trend Micro clicking all links in email messages, so yeah, that is a real concern that is out there in the wild. Not sure who else does this — but I rather suspect Trend isn’t the only one.
Most of the antivirus researchers have tools that routinely click all URIs. The problem with Trend’s doing so is that they don’t’ separate their spamtraps from their virus/malware/security traps. If you click all URIs in all email sent to a spamtrap, you’ll probably hit some confirmation URIs in COI confirmation messages. Doing *that* and then treating the subsequent emails as spam is IMHO outright fraud.