Beyond the CAN-SPAM Act: Building a Trust-Based Email Marketing Program


EmailLabs - May 2, 2004

The CAN-SPAM Act lays the foundation for a clear differentiation of "spammers" from permission-based email marketers. However, in this era of customer control it's even more important for companies to go beyond CAN-SPAM compliance and create trust-based email marketing programs.

Six Core Elements of a Trust-Based Approach
The key elements of a trust-based approach are:
  1. Permission
  2. Privacy
  3. Reputation
  4. Preferences
  5. Expectations
  6. Compliance

Post CAN-SPAM: The Era of Customer Control
A great degree of control has been placed in the hands of email recipients with passage of the CAN-SPAM Act, the proliferation of challenge-response systems, filters, block lists, and ISP feedback, combined with the ability to change email addresses easily. In July 2003, a study conducted by the e-Privacy Group and the Ponemon Institute found that 74 percent of email users support the establishment of a No Spam Registry. Opt-in/opt-out features, do-not-call lists, financial privacy laws and caller ID have all contributed to a political environment of consumer empowerment that must be acknowledged and respected. By sending email messages, your company is effectively "playing in the recipient's sandbox," and you must assure customers that you understand their rights and are adhering to the rules of proper email etiquette. The benefits of conducting permission-based email marketing campaigns are stronger customer relationships and loyalty, better delivery rates, improved brand reputation in the marketplace, and ultimately, a greater ROI.

1. Permission, the Foundation of Trust

Why Permission is Critical
Obtaining permission to send email communication limits legal liability, creates an audit trail, produces higher delivery rates, and strengthens customer relationships while enhancing your brand image in the marketplace.

What Is Permission?
Permission is explicit consent from a potential recipient, either in the form of a reply to an email or as a result of site action initiated by the recipient.

  • Solicited Versus Unsolicited
    In opt-out scenarios you don't have permission to email the recipient; you must assume the recipient will opt out of further communication.
  • Express Versus Implied
    Express permission is a checked box or a submitted email reply that expresses permission to send messages to the recipient. Implied permission rationalizes collecting email addresses from "targeted sources," which is essentially comparable to harvesting addresses.
  • Permission Scope
    When cross promoting to your list, it's important to outline the scope of the program the recipient is opting into. For instance, recipients who sign up for an informative newsletter should only receive that newsletter, not advertising or promotional messages, regardless of their relevance to the subject matter in the informative newsletter.

Acquiring Permission

  • Adopt an Email Policy that describes your commitment to privacy protection.
    Email privacy policies are read more frequently than general privacy policies so they should be simple, succinct and should answer the question "How will you use my email address?" (See samples below.)
  • Require User Action
    Ensure that you receive affirmative consent by requiring action on the part of the potential recipient. Check-boxes can be used, and depending on the scope of the list and possible third party usage, it's important to have users confirm that they've read and agree to your privacy policy.
  • Send a Confirmation Email
    Send a follow-up email that confirms the subscription and reinforces their preferences. Add detail about the subscription process and applicable company policies. This message also initiates your relationship with the customer and reassures them of their rights and their choices. It's important to be very specific and adopt a friendly tone that nurtures the relationship you've established.
  • Avoid Pre-Checked Boxes
    If your organization uses pre-checked boxes in the sign-up process, switch them to unchecked boxes or another affirmative consent approach. Otherwise you'll have to add a conspicuous notice that identifies your messages as advertisements or solicitations. The CAN-SPAM Act does not consider pre-checked boxes to be a form of affirmative consent.

Permission Begins with List Building
Now that we've defined permission and outlined the steps for acquiring it, you can begin to build a list by incorporating messaging that would drive traffic to your site and motivate users to sign up for your programs. The following are other list-building sources and best practices:

Acceptable

  • Append: Opt-in – Addresses that have been added and confirmed as a result of opt-in requests from recipients who wish to receive email.
  • List Building: Opt-in – Addresses obtained from a variety of marketing activities including search engine listings, banner ads, online opt-in forms, direct mail etc.
  • Opt-in List Rental – A list of recipients that have granted prior consent to receive email from third parties.

Unacceptable

  • Harvesting – Using software that sweeps the Internet at random searching for @ addresses is illegal under the CAN-SPAM Act.
  • Append: Opt-out – Unconfirmed appends: addresses that have been added but not confirmed.
  • List Purchase – Purchasing lists without the consent of recipients.
  • List Rental: Non Opt-in – List rental where recipients did not consent to email from third parties.
  • Directories – Email addresses that appear on a directory have not granted consent for inclusion in your list.

Why Double Opt-In Instead of Single Opt-In?
The double opt-in subscription policy is a closed-loop confirmation method for adding subscribers to your mailing list. Double opt-in is a second step that potential subscribers must take to become members of your mailing list; it confirms recipients' interest, prevents erroneous subscriptions, reduces inactive recipients, and provides proof of opt-in. Double opt-in confirmation logs allow you to refute any spam complaints that may arise and are seen by mail administrators as the most privacy-conscious way to handle subscriptions. Corporate filters are more apt to whitelist your newsletters if confirmation logs are available, and the logs also protect your company against anti-spam legislation by providing evidence that the email was solicited.
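
The closed-loop confirmation and its log, sketched as an added example (not EmailLabs code): the address stays pending until the recipient returns a signed, unexpired token, and only then is a log entry written. The function names, the 7-day link lifetime, the in-memory stores and the requirement that list ids contain no "|" are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)  # assumption: per-deployment signing key
TOKEN_TTL = 7 * 24 * 3600             # assumption: link valid for 7 days

subscribers = {}       # (email, list_id) -> "pending" | "confirmed"
confirmation_log = []  # append-only evidence of each completed opt-in


def _sign(email, list_id, issued_at):
    msg = f"{email}|{list_id}|{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def request_subscription(email, list_id, now):
    """Step 1: sign-up form submitted. Mark the address pending and return
    the token to embed in the confirmation email link."""
    email = email.strip().lower()
    subscribers.setdefault((email, list_id), "pending")
    return f"{email}|{list_id}|{now}|{_sign(email, list_id, now)}"


def confirm_subscription(token, now, source_ip):
    """Step 2: recipient clicks the link. Activate only when the token is
    authentic and unexpired, and record the evidence once."""
    try:
        email, list_id, issued_at, sig = token.rsplit("|", 3)
        issued_at = int(issued_at)
    except ValueError:
        return False                      # malformed link
    expected = _sign(email, list_id, issued_at)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False                      # forged or altered link
    if not 0 <= now - issued_at <= TOKEN_TTL:
        return False                      # expired link
    key = (email, list_id)
    if key not in subscribers:
        return False                      # no matching sign-up request
    if subscribers[key] == "pending":
        subscribers[key] = "confirmed"
        confirmation_log.append({"email": email, "list": list_id,
                                 "requested_at": issued_at,
                                 "confirmed_at": now, "ip": source_ip})
    return True


def may_send(email, list_id):
    """Mail only addresses that completed the second step."""
    return subscribers.get((email.strip().lower(), list_id)) == "confirmed"
```

A production version would persist both stores and keep the signing key in a secrets manager, so the log survives restarts and can be produced when a complaint arrives.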

2. Email Privacy Policies
An email privacy policy describes your email marketing program practices and should cover:

  • Mailing Frequency
  • Scope of Marketing Programs
  • Subscription Management
  • Issue Resolution Procedures
  • Third Party Availability

Privacy Policy Examples
Following are two privacy policies, one that appears in a new window when viewers click on a link, and one that appears in response to a mouse scroll. The best practice is to have the short version next to the submit button and provide a link to the longer, detailed version.

Comprehensive Version
"The information you provide upon registration for our newsletter will be used to keep you informed about new services, discounted products, and website updates and will not be sold or disclosed to any third party. By signing up for the mailing list on www.genericcompany.com you understand that generic company will send you emails periodically. You have the opportunity to unsubscribe from the generic company database at any time via a link at the bottom of every email."

Abbreviated Version
"Email addresses are never given out or sold. The only use of your email will be to communicate about your interest in generic company's products and services. To view more detail, click on this link."

Sample Email Privacy Footer
To read more about the email privacy footer, click to read this article by Loren McDonald.

3. Updating Preferences and Profiles
The crucial third component of any trust-based program is giving recipients the ability to self-select preferences and modify personal profiles. If customers and prospects have control over the mail that you send them, they're more likely to trust you and provide information that increases the relevance of your email communications, a win-win situation for you both. The following update options should be available to list members:

  • Update email address
  • Choice of format (HTML versus Text)
  • Frequency of messaging
  • Interests and Preferences
  • Subscription Options
  • Unsubscribe Options

The Benefits of Updating

  • Global suppression is “required” by CAN-SPAM. Though not explicit, the Act implies that global suppression options are required.
  • Easier for subscribers, provides control over messaging
  • Fewer bad addresses
  • More segmentation data so you can target specific interests
  • More satisfied customers

In addition to updating preferences/profile fields, it's also a good idea to update:

  • Call center procedures
  • Direct mail forms
  • Subscribe forms
  • Any other marketing formats that elicit information from recipients.

4. The Emergence of Email Reputation Services
ISPs review the messages you send and how they're being received, then decide whether to deliver messages based on customer complaints and bounce percentages. Adopting stringent permission practices helps you participate in whitelisting programs for the ISPs that have them, and may help resolve any false-positive blocking issues that may arise. Maintaining a trust-focused reputation will help recipients communicate about their expectations, and they'll be more likely to modify their profile or utilize unsubscribe links instead of clicking on "report spam".

Current methods of reputation management are largely internal to specific organizations and exist in the following forms:

  • Private Lists - Blacklists and whitelists based on established criteria are maintained internally by an organization (usually an ISP).
  • Public Lists - Blacklists and whitelists are maintained by volunteers, are accessible to the public, and are often used by smaller ISPs and companies without dedicated email administrators.

Again, if you enforce a vigorous email abuse policy it will help you avoid blacklists and resolve any potential listings.

Hiring authentication and bonded sender services to certify compliance with privacy standards provides greater content flexibility when dealing with filters. As legislation and accountability guidelines escalate, reputation services are starting to resemble Verisign or the Better Business Bureau. These two relatively new companies certify compliance with published guidelines and standards:

  • Ironport’s Bonded Sender - http://www.bondedsender.com/ Bonded sender programs allow email marketers to secure a bond (usually thousands of dollars) to certify that their email adheres to Bonded Sender guidelines on the basis of privacy, mailing practices and issue resolution.
  • Habeas - http://www.habeas.com/ Recognized by several anti-spam solutions and ISPs, Habeas is protected by US Trademark law. The Habeas mark can be licensed for application to email that satisfies Habeas’ strict privacy guidelines, and the mark is integrated into email message headers for easy detection by content filtering systems. Habeas also provides a list of IPs that send certified mail.

With the increase of spam, ISPs are more likely to employ services to do the legwork of compliance certification. Imminent clarification of the CAN-SPAM Act by the FTC will probably increase CAN-SPAM compliance certification demand and amplify the market for email reputation agencies.

Managing Email Reputation
It's crucial to have a documented procedure for complaint handling and response; it demonstrates forethought and allows ISP and blacklists to become familiar with your process. The following are current and emerging email delivery solutions that may be widely adopted soon:

  • Microsoft Email Caller-ID
    Microsoft's patented Caller-ID solution publishes XML-formatted records in the Domain Name System (DNS) that identify the servers authorized to send email from a particular domain. A recipient's mail system can then decide to delete, bounce, or segregate email with conflicting Caller-ID information. Since this is a Microsoft solution, there will be no shortage of funds invested once it gains momentum, and integration into Microsoft's widely used Exchange and Outlook programs is basically a given. The drawbacks of Microsoft email Caller-ID would arise from patent protection, which might hinder adoption by other ISPs, and from the XML format, which will increase the amount of processing power needed for each incoming email.
  • Sender Policy Framework (SPF)
    SMTP, the current email delivery protocol, contains a serious authentication flaw: senders can masquerade as any domain, which leads to exploitation and email forging. For example, a sender can claim to be "billg@microsoft.com," and there is no certification process that verifies whether senders are authorized to use this address.

    SPF aids legitimate email delivery by ensuring accountability; spammers wouldn't use SPF since spam that’s confirmed to be coming from a domain will quickly and effectively be blocked. SPF also protects companies from being used as "complaint shields" for spammers. Email with an SPF record that clears the authorization process will potentially gain positive points in weighted content filter environments such as SpamAssassin and ISP filters.

    SPF has been adopted by mainstream companies including AOL and Google, and will also be incorporated in the next release version of the SpamAssassin content filter. As an open-source project SPF has both drawbacks and advantages, but it has been tested extensively and is being implemented by AOL, attesting to its functionality.
  • Yahoo DomainKeys
    Announced in December, 2003, Yahoo's proposed DomainKeys solution would attach an encrypted key to an email message, which would then be compared against a private database containing the second half of the key. If the keys match, the email would be authenticated. Yahoo's proposal is to make this system open and available to developers to enable widespread adoption. This solution requires development and maintenance of key databases and email software that recognizes encrypted keys, factors that may negatively affect early adoption.

5. Expectations Are Everything
Managing expectations is an important component in establishing trust, and provides opportunities for personalization and customer contact, reinforcing the value you receive from your client list.

  1. Opt-in subscription form messaging, (sample below)
  2. Thank you page messaging
  3. Confirmed opt-in email messaging
  4. Initial and ongoing messages should contain:
    • Timely content
    • From name
    • Quality - reinforcement of your brand
    • Content value
    • Reminder of subscription information

Managing Expectations

  • Content Scope: Remind recipients that you will only send messages that relate to preferences and interests indicated during the opt-in process.
  • Purpose/Value: Reiterate the objective of your messages and the value for recipients (receiving promotions that relate to their interests, etc.)
  • Frequency: Remind them of the preferences they indicated about frequency of delivery, and reassure them that you'll only send messages within that framework.

Subscription Example:


6. Key Requirements of CAN-SPAM
CAN-SPAM requires that all companies that send or otherwise “initiate” commercial email:

  1. Refrain from sending any message with a misleading subject heading.
  2. Include in each message a valid return email address or Internet-based reply mechanism that will function for at least thirty (30) days following the transmission of the message.
  3. Include a physical postal address in the body of each message.
  4. Include a conspicuous notice identifying each message as an advertisement or solicitation. Emails sent to recipients with affirmative consent do not need to include the notice of advertisement.
  5. Include in the body of each message a notice explaining how recipients can prevent the transmission of future messages by using the sender’s return email address or Internet-based reply mechanism.
  6. Honor all “opt-out” requests within ten (10) business days of their receipt.
  7. Refrain from selling, exchanging or otherwise transferring the e-mail address of any recipient who has made an “opt-out” request, except as necessary to comply with the Act or other provisions of law.

Compliance Measures
Some areas of the act that may require significant changes in email practices include:

  • Transactional or Relationship Message Requirements – These messages must include accurate path information in the email header, but are not subject to the postal address, notification and opt-out requirements outlined above.
  • Promotional Content Within Transactional or Relationship Messages – The Senate Commerce Committee Report that accompanied the act suggests that a bona fide “transactional or relationship message” may contain some content promoting a product or service unrelated to a previous transaction. The report emphasizes, however, that this promotional material must truly be ancillary to the primary purpose of the communication. This would suggest, for example, that a monthly bank statement notice could contain a small amount of content promoting equity lines or car loans.
  • Pre-Checked Boxes – It's a common practice for many organizations to include “pre-checked boxes” in transaction, registration and other forms that opt in consumers to receive newsletters or promotional emails. This passive opt-in does not qualify as affirmative consent and subjects any emails that result from this approach to the requirements imposed on unsolicited commercial emails. Your company then can either switch to unchecked boxes or add the “advertisement” language in your emails.
  • Advertising Statement – If you're sending email without affirmative consent, you must include the aforementioned notice identifying each message as an advertisement or solicitation. The act does not stipulate the form or location of the notice, nor does it require the use of “ADV” in the subject line, a common requirement in some state laws.
  • Multiple Email Newsletters/Messages – If your organization distributes more than one type of newsletter or promotional message, you'll need to provide members/recipients with a means to unsubscribe from specific individual recurring message types as well as a global unsubscribe and suppression feature. Global suppression ensures that recipients who request it will never receive any future email from your organization.

Consider taking the following steps to ensure compliance:

  • Convene all company staff involved in the email marketing process – marketing, Webmaster, IT, call center, legal, sales and others. Ensure that all affected personnel have a good understanding of the act and how it might affect their practices and policies.
  • Review your company’s email marketing programs to ensure that they comply with the content and notification requirements and involve your legal counsel as appropriate.
  • If you haven’t already, add a postal mailing address to all of your commercial emails.
  • Review and test your opt-out/unsubscribe language and process. Make sure it's clear, simple and actually works. Also, make sure you are using a valid return email address or Internet-based reply mechanism that will function for at least thirty (30) days after messages are sent.
  • Ensure that all opt-out requests are honored within ten (10) business days of receipt. The best approach is to utilize software (installed or hosted) that automates the reply, unsubscribe and global unsubscribe process.
  • If you use pre-checked boxes or other “passive” opt-in mechanisms in your email sign-up process, it's recommended that you change to unchecked boxes or another affirmative consent approach. Otherwise you'll need to add conspicuous language that identifies your email as advertisements or solicitations.
  • Add a profile update page on your site and link to it from your messages. This enables customers and subscribers to update their address, opt in or out of individual and multiple newsletters/communications, request global suppression, change email formats and modify preferences and other information.

Overview - The Trust Payoff
In conclusion, the trust-based approach to email marketing pays off for you, the marketer, and for your customers and prospects. You'll receive higher conversion rates, reduce unsubscribes and spam complaints, and benefit from enhanced brand reputation and customer relationships.



