With this blog article, we will introduce a series of small blog articles focusing on aspects of CAN-SPAM compliance with email marketing campaigns. I know that a lot of people discuss CAN-SPAM compliance, but this series is intended to be a small series of articles to discuss the ‘did you know’ aspects of this US federal law to help you remain compliant and improve the results of your campaigns.
What is CAN-SPAM exactly?
CAN-SPAM was enacted by the US federal government to establish a minimum set of requirements when sending out commercial email campaigns. These requirements are designed to ensure that email sent from commercial entities do not deceive, entrap or in any way intentionally falsify sender information. Basically, it is set up so that when you see who the email is from, you know that it is from that entity.
How is this different from authorization systems like SPF or Domain Keys?
Domain Keys and SPF are technical resolutions to the same issue the congress attempted to address legislatively. Effectively, there are two ways to attempt to force compliance:
- Through Law
- Through Technical Measures
Legislative Measures
Basically, congress enacted penalties for companies or individuals who violate the law. Once it’s determined that a company or individual has violated, then the federal government or another individual can file a lawsuit claiming violations.
Setting up law serves to force compliance through penalties (usually in the form of monetary fines). Although, some laws define jail time as the consequence. In the case of CAN-SPAM’s penalties, these penalties can start at $250 per email and go up to $6,000,000 depending on intent, how much was sent and other factors that are left up to the judge.
The bottom line is that these penalties can end up quite stiff, so it’s best to learn how to craft your campaigns to remain fully CAN-SPAM compliant.
Technical Measures
Measures, such as SPF, consist of producing softwares that force compliance by technical means. Effectively, this forces users to maintain compliant email with not only CAN-SPAM requirements, but any more recent requirements that may not have originally been part of CAN-SPAM. Technical measures are usually the most effective because developers are a lot more nimble in getting updates out the door. Law mandates a minimum, but technical measures are able to require the minimum and expand on it.
Getting law through congress can be quite slow. By the time the law is law, it can also be somewhat outdated by newer technical issues.
Email Harvesting
With all of the introductions out of the way, we can get to the meat of CAN-SPAM. Email harvesting will be the first topic of discussion that is a violation of the CAN-SPAM act. What is harvesting?
Harvesting is when a company or individual visits a web site, visually sees an email address, copies it and stores it. Then, later uses that list to send emails. Not only was list harvesting a bad practice long before CAN-SPAM, it is now also a crime to do it.
As a company, you want to ensure that your lists are obtained directly from your customers. You can do this through subscription forms, trade shows, customer interfacing, login preferences and even contests you may host. As long as the person filled out your form of their own volition and then submitted that data to you (along with an opt-in consent check box), this is considered opt-in. Harvesting, however, is when a list is obtained through means without consent by culling email addresses from websites, forums, blogs or in other similar places.
Renting or Purchasing Lists
Note that rented or purchased lists could have been harvested. You simply have no idea where or how that list may have been obtained. One thing for certain with a rented/purchased list, however, is that you didn’t obtain that list yourself through your own collection means. So, with these lists, you risk CAN-SPAM violations by purchasing or renting lists from a third party. Considering the compensatory damages, renting or purchasing a list may ultimately not be worth it.
Ultimately….
Violating the CAN-SPAM act is not worth it. The provisions in the CAN-SPAM act are a completely common sense approach to marketing. You want to market to people who want to see your content. There’s no point in marketing to people who don’t. CAN-SPAM’s provisions are there as voice of reason and set basic guidelines for your best email marketing campaign. Boomerang offers methods to ensure your email campaigns remain CAN-SPAM compliant and also excel in producing returns for you.
The next blog article in this series will discuss CAN-SPAM’s deceptive header provisions… see you then.
8 responses so far ↓
1 Headland Email Marketing // Sep 18, 2008 at 5:54 am
Email marketing is a very effective means of getting your message across to stakeholders. However, any email marketing agency must make sure that it follows the rules and regulations held up internationally as well as locally.
2 Brian Wright // Sep 18, 2008 at 11:47 am
Thanks for the feedback. This specific series of blog articles is intended to focus on the US CAN-SPAM act. I also plan have some follow-up blogs at the end of this focus to discuss California, regional and international compliance issues.
Suffice it to say… because Boomerang is located in California, any marketing agency who uses Boomerang’s services must comply with not only US Laws, but also California laws when sending email inside the US (no matter where the marketing agency may reside) .
Also, the email marketing agency is also responsible for complying with any local laws in their own jurisdiction (inside the US or internationally). In addition to the legal compliance issues, each Boomerang account must also comply with Boomerang’s own Terms of Service. The terms of service agreement is available to view inside your Boomerang account.
3 Laura // Sep 19, 2008 at 12:05 pm
Harvesting is not, in and of itself, a violation of CAN SPAM. If, however, you send mail that violates the provisions of CAN SPAM *and* that mail is sent to a harvested address, there are additional legal penalties.
4 Brian Wright // Sep 19, 2008 at 10:53 pm
Actually, here’s the crux of harvesting. In the CAN-SPAM act’s verbiage, the sentencing guidelines specifically state that judges should consider penalties more harshly for those found to use harvested addresses in their email campaigns than those who do not. Thus, it requires you to send to the addresses in order to violate CAN-SPAM.
Thus, creating harvested address list and then sending email to those harvested addresses violates the CAN-SPAM act. Doing anything else with such a list that doesn’t involve the act of sending an email is not technically illegal under the CAN-SPAM act.
While the act of harvesting itself may not be outright illegal based on CAN-SPAM, the dilemma arises… What can you do with a harvested list of email addresses? Clearly, you cannot use a harvested list to send emails because a) these addresses have not opted in and b) because penalties for using harvested lists are more harsh. As an email marketer, it’s easier and safer to assume that harvesting is considered illegal based on the fact that you cannot use such a harvested list when sending emails.
If you do anything else with such a list that doesn’t involve sending email, that’s really outside the realm of email marketing.
Thanks for your reply.
5 CAN-SPAM compliance (Harvesting) | Boomerang Email Marketing Blog | Email Marketing Tool // Nov 19, 2008 at 8:06 pm
[...] Brian Wright added an interesting post today on CAN-SPAM compliance (Harvesting) | Boomerang Email Marketing BlogHere’s a small readingWhat can you do with a harvested list of email addresses? Clearly, you cannot use a harvested list to send emails because a) these addresses have not opted in and b) because penalties for using harvested lists are more harsh. … [...]
6 CAN-SPAM compliance (Harvesting) | Boomerang Email Marketing Blog // Nov 21, 2008 at 8:04 pm
[...] Brian Wright put an intriguing blog post on CAN-SPAM compliance (Harvesting) | Boomerang Email Marketing BlogHere’s a quick excerptWith this blog article, we will introduce a series of small blog articles focusing on aspects of CAN-SPAM compliance with email marketing campaigns. I know that. [...]
7 Pete // Jan 9, 2009 at 2:32 pm
While it’s not considered best practice, using harvested email addresses to market products and services is NOT illegal under CAN SPAM. CAN SPAM prohibits “aggravated violations” relating to commercial emails such as harvesting and dictionary attacks, meaning if harvested emails are used by one or more organizations, and they violate one or more CAN SPAM requirements, then there are “aggravated violations” which means triple damages, for EVERY oganization upstream (the organization that initially harvested the emails) and downstream (each organization which receives and/or buys the harvested emails and uses/sells them).
8 Brian Wright // Jan 9, 2009 at 4:13 pm
Pete,
The act of harvesting is not illegal under CAN-SPAM as I’ve already said. The use of harvested addresses increases the amount of penalty (if a violation occurs) to the point that, as a business, you must question whether or not using harvested addresses is legally worth it to you. But, there are additional ramifications besides legal ones when using a harvested list.
Since the CAN-SPAM requirements are easy enough to violate already, adding an aggravated penalty is just not worth it. I mean, why would you want a judge to change your $1 million penalty to $3 million? Either number is enough to bankrupt many small firms. Is it worth it?
If you, as a marketing agent, firm or department feel that using harvested addresses is worth taking that legal risk to potentially get your company limited new business, that’s your decision. However, here at Boomerang as an ESP, we do not knowingly allow harvested addresses out on our network because such a list WILL hit spamtraps, WILL generate a high amount of abuse complaints and WILL eventually get your ESP’s IPs (and possibly even your company’s IPs) onto RBL lists. As such, while that doesn’t negatively impact you as a business immediately, it does impact your company’s reputation and it does impact your ESP.
The mere fact that address harvesting is specifically mentioned BY NAME in the CAN-SPAM act as an ‘aggravated violation’ should be enough to tell you that it’s not a wise decision to use a harvested list. Again, it’s not the act of harvesting the addresses that is at issue. It’s what you DO with that list after you’ve harvested. It’s your choice to try and use such a list in an email campaign, but you would be hard pressed to find a reputable ESP who would knowingly allow you to use such a list on their network strictly from the after damage control that will necessary.
I should also point out, that using such a list is readily apparent even sending just ONCE through an ESP due strictly to the amount of complaints. So, you shouldn’t think you can ‘pull one over’ on the ESP by using such a list. It will come back to you (if not through a CAN-SPAM violation, then through other means).
What it comes down to is, if you are a legitimate company with a legitimate customer /prospect base, there is no need to harvest. You already have an address pool from which to email. Further, if you have a compelling product or service, putting a sign-up form on your own web site allows for collection of addresses that is not considered harvesting.
Leave a Comment