Deirdre Saoirse Moen

Sounds Like Weird

Email Lists: CAN-SPAM Compliance

17 May 2015

I just went through a bunch of (non-writer) email lists I was on, and realized that a whole bunch of them weren’t even pretending to comply with US anti-spam laws, even for people/companies sending commercial email in the United States.
So here are the two biggies if you’re sending commercial emails of any sort:

  1. You need to offer the recipient a way to opt out. Then honor that request!
  2. You need to provide a real street address, though this can be for a mailbox. Unfortunately, this requirement keeps a lot of female writers from creating email lists. (Sorry, I don’t have a good solution to that.) I’ll just add that the mailbox doesn’t have to be in your town, but it’s likely that it’ll have to be somewhere convenient to you.
    Note that even if you’re located outside the US, many mailing list providers require that you still comply with CAN-SPAM, though they may not require you to disclose your full physical address. (I’m not certain if other countries do.)

The catch is: what’s a commercial email? The FTC guide is quite good.

My Own CAN-SPAM Saga

  1. February 13th, I bought a WordPress plugin that I liked. This was written by one company (whom I’ll call the developer) and launched in partnership with another company (and I’ve kept the relationship with the launch partner, whom I otherwise like).
    When I got some spare time, I set it up, then was having issues with my site. I went to look at the error logs and discovered this plugin was just SPEWING stuff to the logs because it was trying to write to the plugin directory. (Which is a bad practice.)
    The specific file (an error logger) wasn’t written by either company, by the way, but five years ago by an Iranian developer who was apparently in high school at the time. There’s nothing hideously wrong with it (given a quick reading) apart from where it’s trying to write to, but it’s clearly PHP code that was written for command-line stuff and not PHP code that was intended for a WordPress plugin. Hence, the log file’s location was not as important.
  2. March 1, I filed a bug with the launch partner (per instructions given), giving them the line of code and the log file. (It’s not my job, you know? I’m just a nicer person than I should be sometimes.) The ticket’s updated saying they’ll get with the developer.
  3. We go on a cruise, so I don’t check back for a couple weeks. March 19th, I file for a refund request. They offer me an alternate purchase, but I say no, and I receive my refund on March 22nd.
  4. I’m still on the developer’s email list, and I finally realize there is no unsubscribe link. Every time I get an email from him, I’m reminded of the product I really wanted to love but felt let down by. I try to unsubscribe. No luck.
    I file another ticket (my third!) on April 16th to say I can’t get off the developer’s email list and that their email doesn’t comply with CAN-SPAM. What do I get from support?

    Honestly speaking, we know that [developer] is not doing any kind of illegal stuff and that’s one of the main reasons we have partnered with him. We are aware of Can-Spam and we follow all the rules strictly.

    Yay, gaslighting. My response, excerpted:

    With respect, I wish that [launch partner] would listen when I raise an issue. (And I know all about Apple, I was a software engineer there for more than 5 years.)
    There are two specific requirements that [developer] is not complying with: 1) method of unsubscribing, 2) street address. He has NO links to unsubscribe. He does not respond when I’ve emailed him. That’s not okay.

    …and then I give a simple workaround for the problem I reported in the first ticket that would take less than an hour to fix.

  5. The next commercial email I received from developer (!) had an unsubscribe link. I clicked the link. CAN-SPAM allows the commercial enterprise up to ten days. I took screenshots three times, responding to three different mailings, over a period of a couple of weeks. Sadly, I accidentally deleted them while I was moving files around sometime while my mom’s been in the hospital.
    So here’s where it hits a problem: many people who have commercial websites want to do some form of content locking, where part of the site’s content is only available to people who are on their email list. But email lists are typically through third-party providers. So this developer had the opt-out go through his site rather than directly to the third-party email provider. I understand the (likely) reasoning, but if that’s not working, then you need to push through the unsubscribes manually until it is working. (And test your code better!)
  6. With my mom going to the hospital, I kind of lost track of how long it had been, but every 2-3 days, I’d get another email from the developer. On May 14th, I was finally certain it had been 10 days since my last request, so I wrote to the abuse department of his third-party email provider. They suspended him pending an investigation, and blocked his ability to send to me.
  7. Yesterday, I received another email from You Know Who, which surprised me given the suspension. Viewing the source showed why: developer was using a different third-party email provider…who has since suspended him.

And I wonder how long I’m going to have to play whack-a-mole just to not continually be reminded of the mistake of trusting the wrong company. Yes, I could filter out his emails, but that’s not the point.
Thing is, I still think the original idea was pretty cool, and I’m wistful that it’s turned into this rather than being the cool product I wanted it to be.
Disclaimer: I am not a lawyer, and this is not legal advice. If it were legal advice, it would be accompanied by a bill.