Elsevier Shows How Not To Do It

In October 2004, I registered with The Lancet to access an article. Elsevier, which publishes The Lancet, has been sending me emails ever since. After their mailing on July 11, 2008, I finally had enough. I went to their website, cleared all of the checkboxes, and considered the matter closed.

Three months later, I got another mailing from them.

That alone is a CAN-SPAM violation. The Act requires that unsubscribe requests be honored within ten business days.[1] The gap between July 11 and October 21 is not a close call.

But the more instructive problem is how Elsevier handles unsubscribes in the first place. When I went back to their site to sort this out, I found all of my preferences had been reset to opted in. To unsubscribe again, I was required to log in with a username and password, provide my specialty, work location, and country, and then uncheck the relevant boxes. That is four steps, a password, and personal information well beyond my email address.

The FTC closed this door when it promulgated CAN-SPAM rules. The rulemaking record is explicit: the Commission considered and rejected arguments that senders need additional verification steps to prevent abuse, concluding that requiring consumers to transmit personal information creates its own security risks rather than reducing them. The resulting rule is unambiguous: a sender may not require any fee, any information other than the recipient’s email address and opt-out preferences, or any steps beyond sending a reply message or visiting a single web page, as a condition of honoring an unsubscribe request.[2]

Passwords are out. Preference centers requiring login are out. Forms asking for specialty and country are out.

This is worth keeping in mind because the Elsevier pattern is not unusual. Senders routinely dress up noncompliant unsubscribe processes as preference management. The statutory standard does not bend to that framing. A process that requires more than an email address and a single web page does not comply with 16 C.F.R. § 316.5, regardless of what the sender calls it.

Footnotes

  1. 15 U.S.C. § 7704(a)(3)(B) (2003), https://www.law.cornell.edu/uscode/text/15/7704.
  2. Definitions and Implementation Under the CAN-SPAM Act, 73 Fed. Reg. 29654, 29667 (May 21, 2008) (codified at 16 C.F.R. § 316.5), https://www.ftc.gov/sites/default/files/documents/federal_register_notices/definitions-and-implementation-under-can-spam-act-16-cfr-part-316/080521canspamact.pdf.

About the Author

Mickey Chandler, Consultant & Attorney

Mickey Chandler is a Consultant & Attorney with over 28 years of experience in Email Deliverability & Privacy Law. He has a strong background in email authentication infrastructure (SPF, DKIM, DMARC), ISP and mailbox provider relations, anti-spam policy and compliance, CAN-SPAM and state anti-spam law gained through overseeing the Abuse & Compliance team at Salesforce Marketing Cloud, originating the ISP relations role at Informz (now part of Higher Logic), and working in the fight against spam since 1997. He holds a B.A. in Government, a B.S. in Computer Information Systems, and a J.D. from the University of Houston Law Center. He is a certified CIPP/US professional and a certified CIPM professional.