Building Trust

CAN-SPAM – Looking Ahead & Looking Global

This week OTA / the Internet Society joined nearly 90 individuals and organizations in submitting comments in response to the US Federal Trade Commission's call for comments on the CAN-SPAM Act. By most accounts, the interactive marketing industry and email community have demonstrated a commitment to compliance and the overall user experience. Based on OTA’s own research, businesses are honoring user unsubscribe requests well within the 10-day requirement. Since CAN-SPAM came into effect nearly 15 years ago, we have seen email and interactive marketing flourish, with increased precision and relevancy of the marketing messages being sent. Both industry and consumers have benefited from this innovation. At the same time, we continue to see email exploited as the tactic of choice by criminals and cybercrime syndicates, underscoring the need for marketers to embrace email authentication standards and reject unauthenticated email by default. There is room for improvement in other areas, most specifically in the discoverability, readability and transparency of the unsubscribe process and user experience. In OTA’s comments and research we outline recommended guidance. Read OTA’s Press Release. Read OTA’s submission.

Looking Ahead vs the Rear View Mirror
As the internet is global and users are highly mobile, increasingly moving from one country to another, businesses face challenges in complying with local jurisdictions and legal regimes. It is important that we look ahead, consider these issues and move toward enhanced opt-in and consent on data collection and specific usage. The US is still somewhat looking in the rear view mirror rather than looking ahead, and should consider the efforts by Canada, Australia and the EU. We know that the opt-in requirements in Canada’s Anti-Spam Law (CASL) and the E.U. Data Protection Directive (GDPR) have both been successfully implemented without creating a burden to business or the economy. With the GDPR deadline less than a year away, businesses are encouraged to move past the compliance threshold of CAN-SPAM and toward the requirements stipulated by GDPR. Those that fail risk being caught flat-footed and suffering distrust of their brand.

Learning From CAN-SPAM
Looking back on my involvement in the development of CAN-SPAM in 2002, it is important to reflect on where we have come from. While the Act was originally not supported by leading trade organizations, we have found CAN-SPAM to be a very good model. It was built on the foundation of efforts by several states including California, while preserving individual states’ rights to enforce it. Businesses have benefited without having to navigate a patchwork of laws and regulations. At the same time, ISPs and consumers have been able to seek relief, with states prosecuting some of the worst spammers. We need a similar approach for data breach laws, which I suggest will equally benefit society. Unfortunately, once again many of the same trade groups and lobbyists continue to argue for a low bar and to limit enforcement to the FTC. Now is the time to reflect and rethink this approach and move forward and support national breach legislation.

Note: Craig Spiezle is the managing director of AgeLight Strategic Insights, a consultancy focused on building trust, stewardship and responsible privacy practices. Craig is the Founder and Chairman Emeritus of the Online Trust Alliance and currently an industry advisor to the Internet Society and other organizations and government agencies. The views represented above do not necessarily represent those of all OTA members or the Internet Society. You may contact Craig at craigsp @