Logging in to unsubscribe

I have been talking with a company about their unsubscribe process and their placement of all email preferences behind an account login. In the process, I found a number of extremely useful links about the requirements.

The short version is: under the 2008 FTC rulemaking senders cannot require any information other than an email address and an email preference to opt-out of mail. That means senders can’t charge a fee, they can’t ask for personal information and they can’t require a password or a login to unsubscribe.

I’ve talked about requiring a login to unsubscribe in the past here on the Word to the Wise blog.

Let them go
Questions about CAN SPAM
One click, two click, red click, blue click
How not to handle unsubscribes

I’m not the only person, though, that’s written about this.

The FTC has written about it in the FTC CAN SPAM Compliance Guide for business

You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request.

Al Iverson at Exacttarget has written about it in his blog post Require a login to opt-out

Senders are not allowed to require recipients to “provide any information other than the recipient’s electronic mail address and opt-out preferences.” That means you can’t require them to login to your website before continuing on to a preference center or other page. The only thing a recipient has to give you is their email address, and the opt-out preference. (i.e. do you want to opt-out from all messages, or would you like to opt-out only from certain specific lists.)

Even the forums at Y combinator have mentioned it.

It is definitely illegal to require a login. CAN-SPAM has many (many) faults, but it is extremely explicit about there being no funny business in the unsubscribe process.
Current FTC rules say that your unsubscribe link must either immediately unsubscribe the user or lead to a page that (at most) asks for only your email address and does not try to confuse or dissuade you.

The underlying goal of the rules is to give recipients the ability to make email stop. Requiring a password is one of the things bad senders do to add friction to the process. Because of the abuse of the login process, and the fact that sometimes the recipient doesn’t have the password (and can’t recover it) the FTC has decided no passwords for an opt-out.

This company is also a good example of how COI doesn’t fix everything. All registrations are fully confirmed. Yet, they still can’t manage to stop sending mail to people who didn’t ask for it or want it.

I’m pretty sure the company that triggered this discussion didn’t mean to violate CAN SPAM. But they did. I also expect that this may be the first time anyone pointed out the problem to them.


  1. Christopher says

    This sounds like linked-in. Thankfully Gmail does a great job of sending them right to the spam folder now.

  2. Aaron says

    It’s a good thing that senders can’t charge a fee or require a password/login to unsubscribe because I lack the mental capacity to remember passwords with so many different accounts and websites to deal with. Unsubscribing will hopefully remain a very simple and convenient process in order to clean up your email mailbox. The FTC is definitely right about this one.

  3. En vrac, l’emailing cette semaine : Spam Traps, Réputation IP, Désinscription, Spam, Arrière plan, Ouverture,… | Badsender - Conseil Emailing & eCRM says

    […] Logging in to unsubscribe – Word to the Wise I have been talking with a company about their unsubscribe process and their placement of all email preferences behind an account login. … 00Share […]


Your email address will not be published. Required fields are marked *

  • OTA joins the ISOC

    The Online Trust Alliance (OTA) announced today they were joining forces with the Internet Society (ISOC). Starting in May, they will operate as an initiative under the ISOC umbrella. “The Internet Society and OTA share the belief that trust is the key issue in defining the future value of the Internet,” said Internet Society President and CEO, Kathryn Brown. “Now is the right time for these two organizations to come together to help build user trust in the Internet. At a time when cyber-attacks and identity theft are on the rise, this partnership will help improve security and data privacy for users,” added Brown.No Comments

  • Friday blogging... or lack of it

    It seems the last few Friday's I've been lax on posting. Some of that is just by Friday I'm frantically trying to complete all my client deliverables before the weekend. The rest of it is by Friday I'm just tired. Today had the added complication of watching the Trumpcare debate and following how (and how soon) it would affect my company if it passed. That's been a bit distracting, along with the other stuff I posted about yesterday. I wish everyone a great weekend.1 Comment

  • Indictments in Yahoo data breach

    Today the US government unsealed an indictment against 2 Russian agents and 2 hackers for breaking into Yahoo's servers and stealing personal information. The information gathered during the hack was used to target government officials, security employees and private individuals. Email is so central to our online identity. Compromise an email account and you can get access to social media, and other accounts. Email is the key to the kingdom.No Comments

Recent Comments