Time to rethink the CAN SPAM Act

The CAN SPAM Act is now 11 years old and, as good as it has been, the Act needs to be updated to address the realities of modern marketing.

According to Trend Micro, spam accounts for around 40% of all US email, amounting to something like 150 billion pieces of electronic junk mail every day.

I’d argue that in reality this is a serious underestimation because marketers are also sending staggering volumes of BS email to exactly the wrong people. Worse still, they add these wrongly targeted recipients to subscription lists and then send a stream of unwanted stuff to the recipient until they can get around to unsubscribing.

Now, out there in the big, wide world, there are a number of people called “Mark Gibbs” and a fraction of these are doctors. Whether it is the doctors’ fault or that of their assistants or the marketers trying to engage them I don’t know but somehow my Gmail and gibbs.com addresses get signed up for all sorts of email-based medical marketing campaigns for doctors. The problem is that I can’t ignore them and expect the messages to just stop because it's almost always a subscription list and none of them use confirmed opt-in; that is, they don't request that the recipient confirms their address before the address is added to their list.

Why? I'd guess it’s either staggering naiveté or indefensible laziness. Consider inVentiv Health who describe themselves as:

We are clinicians, researchers, educators, sales professionals, scientists, Web developers, marketers, and more. We’re dedicated, flexible, and ready for the challenges of a rapidly evolving healthcare environment.

We are inVentiv Health, and we're here to help.

Unfortunately inVentiv are also there to spam. They're launching a new product called “Evzio” (a take-home, single-use naloxone auto-injector, indicated for the emergency treatment of known or suspected opioid overdose … not something I would have thought many people would need that often but then again, I'm not a doctor, etc.). 

As part of inVentiv's marketing program, they created an email list to promote their launch broadcasts and then subscribed people from lists they got from the gods-know-where without, and this is the really dumb part, using confirmed opt-in.

I ignored the first promo message I got six days ago but when the second one, a “reminder,” arrived today I thought “Dammit, I'll just unsubscribe.” My irritation was, I think, understandable, given that I have to unsubscribe from lists I never subscribed to in the first place at least six times every week.


I clicked on the unsubscribe link and arrived at an opt-out page that asked me to provide my email address and my invitation code. But I didn't have an invitation code. Perhaps they meant the “Confirmation number” they cited in their email? I have no idea and, at that point, I no longer cared. They were making me do work to get off their list that I had never asked to be on.

Note that they obviously know who I am as they've put my name next to the "Submit" button so why not fill in my email address and the stupid code they want? This was obviously designed by someone who just didn't care.

(Allow me to digress for a second to point out just how sloppy and unprofessional it is to call things like confirmation or invitation codes by different names in different places. I wonder if these organizations actually "design" their outbound communications.)

I responded to the sender of the message:

To unsubscribe from a list I never asked to be subscribed to in the first place is bad enough but to have to look for some stupid number you've assigned me is incredibly annoying and violates the CAN SPAM Act. 

To my surprise I got a message just now (four hours after their last message) that looks similar to the two previous messages but now comes from evzio.com rather than inventivhealth.com. Moreover, this message has an opt-out link at the top and bottom rather than one buried way at the end and the opt-out page it leads to now has no requirement to provide a confirmation or invitation code, automagically knows who you are, and just displays a message saying you have been unsubscribed without having to click on anything. 

Be my experiences as they may, this is the kind of nonsense many of us have to deal with more or less every day and it points out the need for the CAN SPAM Act of 2003 to be updated. Specifically:

  • Recipients may not be added to a subscription list without their specific opt-in. 
  • Opt-in data must be recorded citing date, opt-in user’s name and IP address, URL of the opt-in page, and the name of the service opted in to as understood by the user. A receipt must be sent to opt-in users with the opt-in data.
  • An opt-out link and alternative opt-out methods must be at the top of any communication the recipient has not opted into.
  • Opt-out links must be directed to a page where the recipient’s email address is already entered and no other information may be required for a successful opt-out.
  • Opt-outs must be effective within a maximum of 48 hours. 
  • Users who opt out must receive confirmation of their status change within a maximum of 24 hours.

Those are my improvements. What do you think? What would you add?
