CAN-SPAM compliance (Harvesting)

With this blog article, we will introduce a series of small blog articles focusing on aspects of CAN-SPAM compliance with email marketing campaigns. I know that a lot of people discuss CAN-SPAM compliance, but this series is intended to be a small series of articles to discuss the ‘did you know’ aspects of this US federal law to help you remain compliant and improve the results of your campaigns.

What is CAN-SPAM exactly?

CAN-SPAM was enacted by the US federal government to establish a minimum set of requirements when sending out commercial email campaigns. These requirements are designed to ensure that email sent from commercial entities does not deceive, entrap or in any way intentionally falsify sender information. Basically, it is set up so that when you see who the email is from, you know that it is from that entity.

How is this different from authorization systems like SPF or DomainKeys?

DomainKeys and SPF are technical solutions to the same issue that Congress attempted to address legislatively. Effectively, there are two ways to attempt to force compliance:

  • Through Law
  • Through Technical Measures

Legislative Measures

Basically, Congress enacted penalties for companies or individuals who violate the law. Once it’s determined that a company or individual has violated the law, the federal government or another individual can file a lawsuit claiming violations.

Setting up law serves to force compliance through penalties (usually in the form of monetary fines), although some laws define jail time as the consequence. In the case of CAN-SPAM, these penalties can start at $250 per email and go up to $6,000,000 depending on intent, how much was sent and other factors that are left up to the judge.

The bottom line is that these penalties can end up quite stiff, so it’s best to learn how to craft your campaigns to remain fully CAN-SPAM compliant.

Technical Measures

Technical measures, such as SPF, consist of producing software that forces compliance by technical means. Effectively, this forces users to keep their email compliant not only with CAN-SPAM requirements, but also with any more recent requirements that may not have originally been part of CAN-SPAM. Technical measures are usually the most effective because developers are a lot more nimble in getting updates out the door. Law mandates a minimum, but technical measures are able to require the minimum and expand on it.

Getting law through Congress can be quite slow. By the time a bill becomes law, it can also be somewhat outdated by newer technical issues.

Email Harvesting

With all of the introductions out of the way, we can get to the meat of CAN-SPAM. Email harvesting will be the first topic of discussion that is a violation of the CAN-SPAM act. What is harvesting?

Harvesting is when a company or individual visits a web site, visually sees an email address, copies it and stores it, then later uses that list to send emails. Not only was list harvesting a bad practice long before CAN-SPAM, it is now also a crime to do it.

As a company, you want to ensure that your lists are obtained directly from your customers. You can do this through subscription forms, trade shows, customer interfacing, login preferences and even contests you may host. As long as the person filled out your form of their own volition and then submitted that data to you (along with an opt-in consent check box), this is considered opt-in. Harvesting, however, is when a list is obtained without consent by culling email addresses from websites, forums, blogs or other similar places.

Renting or Purchasing Lists

Note that rented or purchased lists could have been harvested. You simply have no idea where or how that list may have been obtained. One thing is certain with a rented or purchased list, however: you didn’t obtain that list yourself through your own collection means. So you risk CAN-SPAM violations by purchasing or renting lists from a third party. Considering the compensatory damages, renting or purchasing a list may ultimately not be worth it.

Ultimately….

Violating the CAN-SPAM act is not worth it. The provisions in the CAN-SPAM act are a completely common sense approach to marketing. You want to market to people who want to see your content. There’s no point in marketing to people who don’t. CAN-SPAM’s provisions are there as a voice of reason and set basic guidelines for your best email marketing campaign. Boomerang offers methods to ensure your email campaigns remain CAN-SPAM compliant and also excel in producing returns for you.

The next blog article in this series will discuss CAN-SPAM’s deceptive header provisions… see you then.

10 Responses to “CAN-SPAM compliance (Harvesting)”

  • Headland Email Marketing:

    Email marketing is a very effective means of getting your message across to stakeholders. However, any email marketing agency must make sure that it follows the rules and regulations held up internationally as well as locally.

  • Brian Wright:

    Thanks for the feedback. This specific series of blog articles is intended to focus on the US CAN-SPAM act. I also plan to have some follow-up blogs at the end of this focus to discuss California, regional and international compliance issues.

    Suffice it to say… because Boomerang is located in California, any marketing agency who uses Boomerang’s services must comply with not only US Laws, but also California laws when sending email inside the US (no matter where the marketing agency may reside).

    Also, the email marketing agency is also responsible for complying with any local laws in their own jurisdiction (inside the US or internationally). In addition to the legal compliance issues, each Boomerang account must also comply with Boomerang’s own Terms of Service. The terms of service agreement is available to view inside your Boomerang account.

  • Laura:

    Harvesting is not, in and of itself, a violation of CAN SPAM. If, however, you send mail that violates the provisions of CAN SPAM *and* that mail is sent to a harvested address, there are additional legal penalties.

  • Brian Wright:

    Actually, here’s the crux of harvesting. In the CAN-SPAM act’s verbiage, the sentencing guidelines specifically state that judges should consider penalties more harshly for those found to use harvested addresses in their email campaigns than those who do not. Thus, it requires you to send to the addresses in order to violate CAN-SPAM.

    Thus, creating a harvested address list and then sending email to those harvested addresses violates the CAN-SPAM act. Doing anything else with such a list that doesn’t involve the act of sending an email is not technically illegal under the CAN-SPAM act.

    While the act of harvesting itself may not be outright illegal based on CAN-SPAM, the dilemma arises… What can you do with a harvested list of email addresses? Clearly, you cannot use a harvested list to send emails because a) these addresses have not opted in and b) because penalties for using harvested lists are more harsh. As an email marketer, it’s easier and safer to assume that harvesting is considered illegal based on the fact that you cannot use such a harvested list when sending emails.

    If you do anything else with such a list that doesn’t involve sending email, that’s really outside the realm of email marketing.

    Thanks for your reply.

  • Pete:

    While it’s not considered best practice, using harvested email addresses to market products and services is NOT illegal under CAN SPAM. CAN SPAM prohibits “aggravated violations” relating to commercial emails such as harvesting and dictionary attacks, meaning if harvested emails are used by one or more organizations, and they violate one or more CAN SPAM requirements, then there are “aggravated violations” which means triple damages, for EVERY organization upstream (the organization that initially harvested the emails) and downstream (each organization which receives and/or buys the harvested emails and uses/sells them).

  • Brian Wright:

    Pete,

    The act of harvesting is not illegal under CAN-SPAM as I’ve already said. The use of harvested addresses increases the amount of penalty (if a violation occurs) to the point that, as a business, you must question whether or not using harvested addresses is legally worth it to you. But, there are additional ramifications besides legal ones when using a harvested list.

    Since the CAN-SPAM requirements are easy enough to violate already, adding an aggravated penalty is just not worth it. I mean, why would you want a judge to change your $1 million penalty to $3 million? Either number is enough to bankrupt many small firms. Is it worth it?

    If you, as a marketing agent, firm or department feel that using harvested addresses is worth taking that legal risk to potentially get your company limited new business, that’s your decision. However, here at Boomerang as an ESP, we do not knowingly allow harvested addresses out on our network because such a list WILL hit spamtraps, WILL generate a high amount of abuse complaints and WILL eventually get your ESP’s IPs (and possibly even your company’s IPs) onto RBL lists. As such, while that doesn’t negatively impact you as a business immediately, it does impact your company’s reputation and it does impact your ESP.

    The mere fact that address harvesting is specifically mentioned BY NAME in the CAN-SPAM act as an ‘aggravated violation’ should be enough to tell you that it’s not a wise decision to use a harvested list. Again, it’s not the act of harvesting the addresses that is at issue. It’s what you DO with that list after you’ve harvested. It’s your choice to try and use such a list in an email campaign, but you would be hard pressed to find a reputable ESP who would knowingly allow you to use such a list on their network strictly from the after damage control that will be necessary.

    I should also point out, that using such a list is readily apparent even sending just ONCE through an ESP due strictly to the amount of complaints. So, you shouldn’t think you can ‘pull one over’ on the ESP by using such a list. It will come back to you (if not through a CAN-SPAM violation, then through other means).

    What it comes down to is, if you are a legitimate company with a legitimate customer/prospect base, there is no need to harvest. You already have an address pool from which to email. Further, if you have a compelling product or service, putting a sign-up form on your own web site allows for collection of addresses that is not considered harvesting.

  • Mike Tremblay:

    Hey,

    Hope to shed some light on this topic.

    I’m a lawyer who practices, among other things, intellectual property law.

    Under the plain language of the CAN SPAM Act, harvesting emails is not unlawful.

    Under section 5(b)(A)(i) - (ii) of the Act, “Dictionary Attacks” are prohibited (programs that determine emails through the computation of different characters much like a code cracker) and one cannot send messages to an email address that was obtained using an email harvesting program from a website or online service IF the website or online service provides a notice that third-parties are not to send emails to the addresses.

    Under section 7 of the Act, damages (the fine) can be increased if the emails were obtained through one of the means described above.

    Based on the clear language of Statute, email harvesting is not unlawful.

    Furthermore, we can be certain that Congress specifically decided to not criminalize email harvesting because (1) it mentions email harvesting, and, as a general rule, Congress will not reference a particular activity in a Statute it wishes to criminalize without explicitly criminalizing it. Quite the opposite, actually - if Congress mentions a controversial activity without prohibiting it you can be certain that Congress mulled over it and for whatever reason decided not to ban it. (2) In clear unequivocal terms, Congress prohibited Dictionary Attacks. Thus, if Congress intended to prohibit email harvesting as well it would have done the same.

    You should also note that there has not been a single judgment against a spammer for email harvesting or sending out emails that have been harvested, nor could there be under the Act in its present form. Again, the email harvesting will simply increase punishment under the Act if you have already breached a provision of the Act, or if you use harvested emails from an online service that specifically prohibits such use.

    You can read the sections of the Act I have referenced, or the Statute in its entirety, here: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_public_laws&docid=f:publ187.108.pdf

  • Brian Wright:

    As far as ‘Dictionary Attack’ vs ‘Harvesting’, the issue is in the semantics. Let’s explore. ‘Harvesting’ is pulling existing email data from the web through a web crawling tool. A ‘Dictionary Attack’ is using an ASCII generator to produce random characters and numbers. The problem is, how would you know specifically if the user used a ‘Dictionary Attack’ vs ‘Harvesting’? The answer is, you wouldn’t (and neither would a judge, a jury or trial lawyers). Specifically putting the terminology in there means that even if a lawyer can’t go after you for the act of ‘Harvesting’, they can get you for using a ‘Dictionary Attack’ and for delivering emails to that list. Also, if they can prove that you did harvest at all, they can enhance the fines dramatically for any other infractions they find.

    So, putting a defendant on trial for either of these two issues means that the trial lawyer would choose a ‘Dictionary Attack’ as a harsher legal tactic against a defendant. So, the burden is then on the defendant to prove how the addresses were obtained. If the defendant can’t disprove a ‘Dictionary Attack’, then a suspected case of ‘Harvesting’ could easily turn into ‘Dictionary Attack’ and then be punished as such. Or, if the defendant can prove ‘Harvesting’ to disprove ‘Dictionary Attack’, then that means the judge can increase the fines dramatically if it’s proven that the defendant willfully emailed to those addresses (which is prohibited). And clearly, if someone ended up in court over this at all, it’s pretty likely they’ll have already determined you sent email.

    So, yes, even though the act of harvesting itself isn’t illegal (which I do mention), sending to the harvested addresses is. So, that opens other ways for a trial lawyer to ‘throw the book’ at a defendant in a way that wouldn’t be easy to defend.

    My theory on why harvesting wasn’t criminalized by CAN-SPAM was due to such companies like InfoUSA that sell lists of unknown origin. This means those companies can continue to obtain lists from who-knows-where. As long as they themselves aren’t using the lists to send email, they’re not at risk. Only the unsuspecting dupe who purchases a list from them and then actually sends emails based on that list could be on the hook for legal issues.

    The simplest way to avoid all of this is to use lists where you have personally obtained the information and can prove the source, including time and date of each email entry.
