BLOG

Confirmed Opt-In: An Old Topic Resurrected

Looking back through my archives it’s been about 4 years or so since I wrote about confirmed opt in. The last post was how COI wasn’t important, but making sure you were reaching the right person was important. Of course, I’ve also written about confirmed opt-in in general and how it was a tool somewhat akin to a sledgehammer. I’m inspired to write about it today because it’s been a topic of discussion on multiple mailing lists today and I’ve already written a bunch about it (cut-n-paste-n-edit blog post! win!).

Confirmed opt-in is the process where you send an email to a recipient and ask them to click on a link to confirm they want the mail. It’s also called double opt-in, although there are some folks who think that’s “spammer” terminology. It’s not, but that’s a story for another day. The question we were discussing was what to do with the addresses that don’t click. Can you email them? Should you email them? Is there still value in them?

We have to treat the addresses as a non-homogenous pool. There are a lot of reasons confirmation links don’t get clicked.

  • Some recipients aren’t going to click because they really don’t want the mail  and the extra step is too much effort. If the mail had just shown up they might read it, might even engage with it, but don’t want to actually have to make an effort to engage with the confirmation.
  • Some recipients aren’t going to click because they’ve already gotten what they want, like access to a website or a white paper or free download.
  • Some recipients aren’t going to click because they aren’t your customer. Someone used their email address to sign up and they sincerely do not want the mail.
  • Some recipients aren’t going to click because they never saw the mail. It may have gone to bulk, they may have not recognized the subject line and just deleted it, it may have ended up dropped on the floor. Whatever happened, it wasn’t seen by the recipient.
  • Some recipients aren’t going to click because there is no recipient. Sure, the mail is accepted by the receiving mail server, but the user never logs in, or it’s a spamtrap.

There is some value in the pool, but statistically, some of that value is negative. Each company needs to do their own risk analysis and determine what best to do with these addresses.

Different subscription techniques are going to generate different subscriber pools. Those different pools are going to have different risk profiles. Some subscription processes will generate more of one type of subscriber than another. That means the risk of mailing users who didn’t click on the link is going to vary depending on the pool.

Lots of “no recipients” on the list means sending followups is high risk. Lots of non-customers on the list, ditto. But if the pool is lots of people who can’t be bothered or missed the email the first time? That’s probably OK to mail once or twice.

Details matter.

Overall, the entire goal here is to get a list of email addresses that are owned by people who want mail from you. There are two parts to that: identity and permission. The identity part is tying the email address to the person who is your customers / subscriber / lottery winner / potential future customer who wants to know what you sell. The permission part is discovering if they want mail from you.

Traditional COI combines the identity and permission piece into one step. Send the person a mail and ask for permission to mail them more email. That covers the identity and the permission – if the person clicks you have both. But there are other ways to prove identity and there are other ways to gauge permission.

 

10 comments

  1. Moliverabililty says

    Hi Laura,

    Regarding “no-recipients” and people who can’t be bothered, how would one differentiate if the emails are successfully accepted? The scenario I propose is no bounces, no opens/clicks/unsubs, nothing to tell you one has engaged with the mail.

    To me, between 1-3 times is risk with it going up the more times you send. I would rather not take a risk full stop in the hope there is some win.

    1. laura says

      There isn’t really a way to distinguish between “no-recipients” and people who can’t be bothered. But they’re different categories of recipients, so it’s relevant to discuss them.

      This kind of risk is really specific to each business. It’s a tool, with benefits and limitations. Understanding those benefits and limitations is a big part of knowing when and how to use that tool.

  2. Darron Wyke says

    “It’s also called double opt-in, although there are some folks who think that’s “spammer” terminology.”
    That’s because it is. You never have to opt-in twice, just once. COI or VOI are both legitimate terms; DOI is not. If you sign up for a mailing list, then confirm or verify your subscription, guess where that leads to…

    >Some recipients aren’t going to click because they really don’t want the mail and the extra step is too much effort.
    That’s a risk you’re going to have to take.

    >Some recipients aren’t going to click because they’ve already gotten what they want
    That’s a risk you’re going to have to take. If you require someone to sign up for a mailing list to get something, like a download, well, it’s a bit scummy IMO, but if they don’t confirm that’s your loss.

    >Some recipients aren’t going to click because they aren’t your customer.
    And this is good, because if you emailed them you *would* be a spammer by nearly all definitions. This is one of the things that COI/VOI works and protects.

    >Some recipients aren’t going to click because they never saw the mail.
    That’s a risk you’re going to have to take. If you’re ending up in spam, you’re either sending out an email that looks like spam (at which point you need to fix that), or you’re sending from a location that has a low reputation — usually due to openly sending spam. Both of which are fixable by you.

    >Some recipients aren’t going to click because there is no recipient.
    And again, that’s a risk you’re going to have to take.

  3. Mickey says

    Ah. “That’s a risk you’re going to have to take.”

    The thing about it, as with most “security vs user experience” issues is that it’s NOT a risk that you’re GOING TO HAVE to take. Rather, it’s a decision that has to be made. Some companies will decide one way and others will decide another after making a risk assessment where one of the factors will absolutely be “how much does this affect the user experience?”

  4. Darron Wyke says

    Except, Mickey, it is a risk you have to take. That risk is that you’re going to give something up and get nothing in return. That’s part of the marketing game.

    If you choose to start spamming because you didn’t want to tarnish user experience, or because the benefits outweighed the risk, it’s no different than a company that figures that paying off lawsuits and claims is cheaper than stopping production. See: Bhopal, India after Union Carbide.

    At that point, you’re taking a position that’s not only morally and ethically bankrupt, but also typically legally bankrupt, in favor of a better hit rate.

  5. Mickey says

    Darron, it’s actually quite a bit different than choosing to pay off lawsuits and claims rather than retool for safety issues. The biggest difference is that no one’s life is at stake (cf. Bhopal).

    There’s always a risk involved in making business decisions. That’s really what Laura’s post is about: Outlining the reasons why someone would choose not to click a confirmation link so that a proper risk assessment could be made.

    What you appear to be saying is “There is no other way but this way.” The honest truth is that for the vast majority of marketers in the world today, that statement rings hollow both in theory and in experience.

    I constantly deal with clients who are using full COI/VOI/DOI-with-a-cherry-on-top who still suffer from spam complaints and who still hit spamtraps with regular traffic (i.e.: not just confirmation requests). I’m absolutely certain that Laura deals with such clients on a far more regular basis than I do.

    There are other ways to verify that the person sitting behind the keyboard is the person who is making the request than COI/VOI. Making the decision as to what works best (both the standpoints of UX and securing-the-mailstream) in a particular circumstance is what the risk analysis is all about.

  6. Darron Wyke says

    Of course there’s more than the way I outlined. There’s the way that violates ethics, morals, and in many juridictions, the law.

    If they’re using full COI/VOI, then the amounts of times they hit spamtraps and more should be miniscule. Either they’re still sending to an email, after getting permission, that’s been repurposed into a spamtrap (in which case, shame on the spamtrap owner for not purging legitimate traffic out), or they’re mailing repeatedly to a spamtrap without verifying the subscriber. A single email with a request to subscribe isn’t spam. If you repeatedly email them informing them of their request to subscribe (nagging), that’s spam.

    The latter can easily be avoided by culling old addresses that haven’t subscribed. If within X days an address hasn’t confirmed, remove them from the list. Periodically asking people to confirm their interest is also good, and putting them in a ‘hold’ list until they do re-confirm their subscription is also a good idea.

    Having proper COI/VOI isn’t going to guarantee that you’re not going to get complaints. You will. But when a complaint comes in from your host, you can provide proof that yes, you did collect consent, and it should include some specific metadata to give credence to your claim — such as IP, time, browser, etc. As a network operator, if I receive a complaint from someone that accuses you of spamming, I will ask for proof of COI/VOI. If your response is simply ‘they confirmed’, I’m going to ask for proof. If you can’t provide proof, I’m killing your access.

  7. Al Iverson says

    Your network, your rules, of course. But an anecdote — i.e. how you do things — is not the same as data — i.e. Mickey’s truth that your way doesn’t match the most common ways.

  8. Darron Wyke says

    If you want to use another means that violates the law, and every common definition of “spam”, then by all means, go ahead. You can enjoy fines and being added to the ROKSO database.

  9. Huey says

    There’s no inherent problem with arguing the case for ideological purity; the problem is that you’re arguing the wrong case.

    The goal of an anti-spam perspective from the sending end should not be “send only confirmed opt-in mail”, it should be “send mail people want, and don’t send mail people don’t want”. And while confirmed opt-in can be a useful part of the latter, it isn’t a guaranteed prevention of the failure mode of the former.

    Examples: LinkedIn has my email address. I’ve also told them on countless occasions to stop sending me email. They still send a couple a day. There’s an industry group that I stopped paying money to more than ten years ago; still can’t figure out how to get them to stop mailing me. A store that I used to patronize changed ownership and started sending piles of email I didn’t want. All of those are confirmed opt-in, and also spam. At scale, address churn is another problem senders need to be aware of.

    Meanwhile: what’s the most useful mail stream I get? The local businesses where I’ve written my email address on a receipt and they’ve started sending me email. Not COI at all, but still email I enjoy getting.

Comment:

Your email address will not be published. Required fields are marked *

  • OTA joins the ISOC

    The Online Trust Alliance (OTA) announced today they were joining forces with the Internet Society (ISOC). Starting in May, they will operate as an initiative under the ISOC umbrella. “The Internet Society and OTA share the belief that trust is the key issue in defining the future value of the Internet,” said Internet Society President and CEO, Kathryn Brown. “Now is the right time for these two organizations to come together to help build user trust in the Internet. At a time when cyber-attacks and identity theft are on the rise, this partnership will help improve security and data privacy for users,” added Brown.No Comments


  • Friday blogging... or lack of it

    It seems the last few Friday's I've been lax on posting. Some of that is just by Friday I'm frantically trying to complete all my client deliverables before the weekend. The rest of it is by Friday I'm just tired. Today had the added complication of watching the Trumpcare debate and following how (and how soon) it would affect my company if it passed. That's been a bit distracting, along with the other stuff I posted about yesterday. I wish everyone a great weekend.1 Comment


  • Indictments in Yahoo data breach

    Today the US government unsealed an indictment against 2 Russian agents and 2 hackers for breaking into Yahoo's servers and stealing personal information. The information gathered during the hack was used to target government officials, security employees and private individuals. Email is so central to our online identity. Compromise an email account and you can get access to social media, and other accounts. Email is the key to the kingdom.No Comments


Archives