Confirm to unsubscribe?

A question comes in this morning:

Requiring the confirmation of an email address in an unsubscription is not CAN-SPAM compliant, right?

While I’m not a lawyer, to my understanding that is absolutely correct. The current implementing rules for CAN-SPAM state:

Neither a sender nor any person acting on behalf of a sender may require that any recipient pay any fee, provide any information other than the recipient’s electronic mail address and opt-out preferences, or take any other steps except sending a reply electronic mail message or visiting a single Internet Web page, in order to:

(a) Use a return electronic mail address or other Internet-based mechanism, required by 15 U.S.C. 7704(a)(3), to submit a request not to receive future commercial electronic mail messages from a sender; or

(b) Have such a request honored as required by 15 U.S.C. 7704(a)(3)(B) and (a)(4).

​(Federal Trade Commission 2008)​ (emphasis added)

My assumption in answering this question is that the issue here is that the sender wants to use a confirmed, or double, opt-out approach. This would be a violation of CAN-SPAM because requiring that confirmation step is requiring take steps other than sending a reply electronic mail message or visiting a single Internet Web page to effect the opt-out.

The technology exists to encode the recipient’s address into the URL or the reply-to field so that unsubscription shouldn’t take more than a single blank email or a visit to a single page. And since that’s what the law currently requires, that’s what you should be doing.