What is opt-in?

30 June 2020

Like all other reputable email service providers, my employer has an opt-in based anti-spam policy. This sometimes brings up a question about what qualifies as permissible consent under our policy. While we definitely believe that our policy is clear enough, a few weeks ago, I decided to break down some ideas about permission, consent, and opting-in under our policies in an attempt to answer those occasional questions:

  1. Permission is specific. In the context of our policies, “only ‘yes’ means ‘yes.’” We require that customers wait to send email until they have been told that it’s okay by the recipient. Customers may not guess at permission levels. If they have not been told “yes” by the recipient then our policy requires that they refrain from mailing until such time as permission has been secured.
  2. Permission is personal. If you ask me for permission to send me messages, then I can give you that permission. That permission is yours. If I post my email address on a web page, I have not given “the world” permission to send commercial messages to my address.
  3. Permission is not fungible. Unlike currency, which may change hands multiple times per day, I cannot give you permission which you may then sell, trade, or rent to someone else. Likewise, you may not purchase, trade, or rent permission to email me from someone else. This is because our policy requires “express, client-specific opt-in.”

The easiest rule of thumb to help determine whether someone is getting proper consent under our policies is to ask the question: “Will this method of gaining permission result in a person who is surprised to hear from me/my customer/my prospect?” If the answer is “yes, they would be surprised” then the requisite permission likely does not exist.

Here’s a short, non-exclusive breakdown of things that are permissible and things that are not:

Read morePolicy at scale: Understanding the issue

Permitted:

  • Notification at sign-up (where otherwise allowed by law)
  • Notification in a policy statement (where otherwise allowed by law)
  • The use of a checkbox during sign-up (pre-checked is okay unless otherwise defined by law to be “opt-out” — as is the case in Canada)
  • Domain owner issues blanket, documented consent for addresses under their control (such as internal corporate communications, or messages from a corporate provider)

Not permitted:

  • Getting addresses from a list provider/broker/rental agency/append provider
  • Getting addresses from a state agency (victims/witnesses listed in accident reports, professionals who must register with regulatory agencies, etc)
  • Trading addresses with a partner or affiliated group
  • Company issues blanket consent for addresses outside of their control (even Sundar Pichai can’t give Google permission to send marketing messages to people with hotmail.com accounts, and Satya Nadella can’t give Microsoft permission to send marketing messages to people with gmail.com addresses)
  • Scraping addresses from a website
  • Guessing at an address based upon how other addresses in the domain are formatted

Does this result in a standard that is more stringent than those found in several of the anti-spam statutes found around the world? Absolutely. But, I am convinced, after many years of consultation with mailbox providers (both B2B and B2C), spam filter providers, and anti-spam organizations (such as The Spamhaus Project), that requiring clear, customer-specific consent is what is required to send email successfully in the world today.

Read morePolicy at scale: The purpose of a policy is protection

And you can quote me on that.