When Privacy and Law Collide

On a mailing list I’m on there is currently a long, drawn out discussion regarding suppression lists. One of the interesting points that has come up has come from a privacy angle.

What if someone wants you to completely remove their data from your possession? By that, I mean that they request that you remove their address from all of your mailing lists, your customer/client records, and your suppression lists. That is, ultimately, a form of unsubscription request, and thus you need to consider the mandates of the CAN-SPAM Act of 2003.

CAN-SPAM mandates that unsubscribe requests (which together form a suppression list) be maintained indefinitely — unless the subscriber opts back in. In this last round of rulemaking, the FTC was asked by some groups to set an expiry on those requests. (Given who was doing the asking,* what they really wanted was to have another bite at the apple after a few years.) The FTC denied that request in a rather blanket way. In essence, they reaffirmed the “hold on to that address in the unsubscribe list until the heat death of the universe” position.

In analyzing the data submitted by these commenters, the Commission finds that, at this time, there is insufficient evidence to show that email suppression list scrubbing is impeded by the lack of a time limit on opt-out requests, or that imposing a limit will be useful in implementing the provisions of the Act under section 7711(a). Notably, Congress chose neither to impose such a time limit nor to specifically authorize the Commission to do so at this time. Consequently, the Commission declines to impose a time limit on the duration of an opt-out request. (p. 88).

Notice that they firmly set it in the context of our discussion by even calling it an “email suppression list”. Law of unintended consequences? Maybe.

So, at least in the case of unsubscription requests, suppression lists are like the Hotel California: You can check out anytime you like, but you can never leave.

* The American Resort Development Association, Wells Fargo, Bank of America, the National Retail Federation, the Council for Marketing and Opinion Research, American Business Media, First National Bank of Omaha, the Electronic Retailing Association, the Email Service Provider Coalition, America’s Community Bankers, Bigfoot Interactive, and Visa were doing the asking. It is worth pointing out that between the time that the comments were submitted and the release of the FTC’s document, America’s Community Bankers merged with the American Bankers Association, and Bigfoot Interactive was bought out by Epsilon Interactive. Thus, the links go to the current places.

Discussion

2 comments for “When Privacy and Law Collide”

  1. [...] has a post up about how long senders must hold on to that suppression list. « EEC [...]

    Posted by Suppression lists at Word to the Wise | June 4, 2008, 7:25 am
  2. In July 2007, the FTC held a public hearing about spam, and during that hearing Scott Richter of Media Breakaway LLC, asked the FTC to comment on this same topic, and they confirmed this same thing then: hold on to unsubscribes forever. If someone unsubscribes, you should make sure you don’t mail them again…

    But that doesn’t mean the data has to be held in plain-text.

    It could, and should probably be hashed before being stored, and used in that format (MD5 or SHA-256 would make the most sense – MD5 being most prolific among email service providers, and SHA-256 being the next format that we’ll all move to after we all start using MD5 across the industry).

    If you store addresses in a hashed form, they can never be used for actual mailing, and are typically pretty secure, and this need not cause any privacy concerns.

    In fact, I’d love to see everyone store suppression lists in MD5 or SHA-256 going forward. It’d sure save us all a lot of time and effort dealing with suppression list abuse.

    Posted by John Engler | June 8, 2008, 10:15 pm
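A minimal implementation of the hashed suppression list described in the comment above, as an added example that is not code from the original post or from the commenter. It assumes (not stated in the comment) that addresses are trimmed and lowercased before hashing so the same mailbox always yields the same digest, that the sender checks a campaign list against the stored digests rather than ever recovering addresses from them, and that the hash algorithm is a parameter so the same code serves both the MD5 and SHA-256 formats the comment names. The sample addresses are constructed for the example.

```python
import hashlib
from typing import Iterable, List, Set, Tuple


def normalize(address: str) -> str:
    """Canonicalise an address before hashing.

    Assumption for this example: strip surrounding whitespace and lowercase
    the whole address, so "Bob@Example.org" and " bob@example.org " map to
    the same digest. Both the list builder and the checker must apply the
    same normalisation or matches will silently fail.
    """
    return address.strip().lower()


def digest(address: str, algorithm: str = "sha256") -> str:
    """Return the hex digest of the normalised address.

    `algorithm` is any name hashlib accepts; "md5" and "sha256" are the two
    the comment mentions.
    """
    h = hashlib.new(algorithm)
    h.update(normalize(address).encode("utf-8"))
    return h.hexdigest()


def build_suppression_list(opt_outs: Iterable[str], algorithm: str = "sha256") -> Set[str]:
    """Hash every opted-out address; only the digests are retained."""
    return {digest(a, algorithm) for a in opt_outs}


def filter_recipients(
    recipients: Iterable[str], suppression: Set[str], algorithm: str = "sha256"
) -> Tuple[List[str], List[str]]:
    """Split a campaign list into (allowed, suppressed) by digest lookup.

    The suppression set never has to contain a plaintext address; the sender
    hashes each candidate recipient and tests for membership.
    """
    allowed: List[str] = []
    suppressed: List[str] = []
    for recipient in recipients:
        if digest(recipient, algorithm) in suppression:
            suppressed.append(recipient)
        else:
            allowed.append(recipient)
    return allowed, suppressed


def export_suppression_file(suppression: Set[str], algorithm: str = "sha256") -> str:
    """Serialise the digests as one "algorithm:hex" line each, sorted.

    Sorting removes any ordering that could leak when the list was built.
    """
    return "\n".join(f"{algorithm}:{d}" for d in sorted(suppression)) + "\n"


# Constructed sample data (not real addresses).
OPT_OUTS = ["alice@example.com", "Bob@Example.org"]
CAMPAIGN = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
    "  ALICE@example.com ",
]

SUPPRESSION = build_suppression_list(OPT_OUTS)

if __name__ == "__main__":
    ok, dropped = filter_recipients(CAMPAIGN, SUPPRESSION)
    print("send to:", ok)
    print("suppressed:", dropped)
    print(export_suppression_file(SUPPRESSION), end="")
```

Two points a practitioner would check before adopting this. First, matching only works if every party that hashes addresses applies the identical normalisation, so the rule has to be published alongside the hash algorithm. Second, a plain digest of an address is still a membership oracle: anyone holding the file can hash a candidate address and learn whether it is on the list, which is precisely what makes the file usable for suppression, so the exported file should still be handled as sensitive data and shared only with the parties that need to scrub against it.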
