16 CFR Part 316; CAN-SPAM Rule: Rule Review; Request for Public Comments; Project No. R711010
The CAN-SPAM act was based, partially, on the idea that opting out manually was a feasible approach. However, there are now millions of entities, whether businesses or not-for-profits, who can easily place people on mailing lists, making individualized, manual opt-out a game of whack-a-mole or having John Henry compete with the steam shovel. If Canadian opt-in is not feasible, formalizing what responsible email senders do today would at least help: (1) provide a standards-based opt-out link (URL) that requires no further user input, not just a postal address or email address; (2) explicitly designate the scope of opt-out to the corporate entity, not just a particular campaign; (3) institute a soft opt-in, i.e., a sender gets to send one or two messages before the recipient has to opt in or further messages are in violation. There are easy and generally-known techniques to ensure that only recipients of the email can activate the opt-out link, negating any objection that third parties could unsubscribe willing recipients. For example, the link can contain an encrypted token that allows the sender to look up the recipient record in its database. Item (2) may be addressable under the rule-making authority granted to the FTC under existing law. In general, given the use of API-based and other automated systems, the ten-day period is no longer appropriate. There is no technical reason that email senders cannot update their lists in (say) 24 hours. Thus, the FTC should use its authority under 15 USC 7704 to significantly shorten the allowable time window.