
Tell HN: Login to unsubscribe is against Federal Law - bound008
This is a non-friendly reminder to all startups and marketing people. If you are sending me an email and it does not have an unsubscribe link that meets the following rule (as of 2008 FTC ruling on CAN-SPAM act of 2003) then you are breaking the law:

to submit a valid opt-out request, a recipient cannot be required to pay a fee, provide information other than his or her email address and opt-out preferences, or take any steps other than sending a reply email message or visiting a single page on an Internet website

source: http://www.ftc.gov/os/2008/05/R411008frn.pdf

Note: if you are not telling me about a financial transaction we made, our email is not transactional and STILL must follow that ruling.
======
dkokelley
I have a simple rule for email that I don't want. If there is a way to easily
opt-out (clicking a link, replying with "unsubscribe", or (in rare cases)
filling out my email address on a form) I will do that. I _should_ also set a
rule for that sender saying "opted-out" so I can know if they aren't
respecting that. If I can't do any of those things, I mark it as spam and move
on. I don't care about the negative impact to your future emails by getting
spam reports in Gmail. It doesn't concern me. Let me unsubscribe easily and
legally.

~~~
HyprMusic
Gmail actually detects when you click spam and there's an unsubscribe method
available, and will attempt to unsubscribe for you[1].

[1] <http://gmailblog.blogspot.co.uk/2009/07/unsubscribing-made-easy.html>

~~~
ComputerGuru
Not exactly. It does, but only if the appropriate headers are set (and they're
usually not).

------
nlh
To product designers: In practice, you should really avoid using the "sending
a reply email message" part. Especially these days when people have multiple
email addresses, it can very quickly break down.

This happens often to me:

* Get email that I'd like to unsubscribe to

* Look for unsub info -- directed to "reply to this email" or, almost as bad, "enter your email address"

* Follow instructions

* Receive notice saying "Sorry, the email you entered [sent from] is not in our database"

Well thanks. We've gotten nowhere.

So the right way to design this should be a simple unsubscribe link w/ a
unique token that executes the request upon clicking.

At worst, you can do what Constant Contact does and require the email address
to be entered, but still provide a hint (i.e. "a....c@gmail.com"). This is
still somewhat annoying, but I understand why they do it -- it likely reduces
net unsubs since there's a second step involved. Pushing it, but thinking as a
business owner as well, I get it.

~~~
avar
I agree with your point about unsubscribe links, but I don't see how it's not
immediately obvious which of your multiple E-Mail addresses you need to
unsubscribe with since it's going to be the one the mail was sent to.

~~~
mehrshad
For those with vanity URLs and GMail - the trick I use to manage unsubscribes
better is to enable 'catch-all address' and registering for new accounts by
their URL and TLD, e.g. news_ycombinator_com@URL.com, or
kennethcole_com@URL.com, etc.

Two benefits - 1) easier to remember my login per site and 2) if I start
getting spammed as a result of my info being shared with third-parties, I can
attribute the original offender to the e-mail address.

~~~
jamie_ca
Also, assuming the site isn't brain-dead and invalidating the address, you can
use email+site@gmail.com with any gmail or google apps address.

That + is frequently a cause of contention though, so I use a . (which was
done via config when I ran my own mail server days gone by) and also have a
catchall on google apps.

~~~
jeltz
If I were selling my database to spammers I would process my entire list to
remove everything between the plus and the at sign.

------
andrewljohnson
In the last few days, I have been imagining an ethics pledge for start-ups.

I think start-up culture tends to be a bit unethical - we favor expedience and
results over rules and regulations, and that's generally correct, but also
leads us into murky territory.

The most important guideline might be this - build a company where you'd want
to have any of the jobs, and where you'd want to be a customer. But
specifically:

1) never send someone an email without explicit opt-in (make them check a box,
don't start spamming just because they registered).

2) make it easy for a user to delete themselves from your database, entirely

3) make it easy for a user to port data elsewhere

4) don't make up fake email personages, or otherwise overtly lie to your
customers

5) don't use misleading numbers for marketing or fundraising

6) give employees warning and/or severance when you plan to fire them

7) don't discriminate based on gender or sexual preference, even though it may
be legal for small companies to do so in your locality

8) if you store financial or sensitive data, make security a priority

~~~
r4vik
>> 7) don't discriminate based on gender or sexual preference, even though it
may be legal to do so in your locality

do you feel like this is a big problem in the startup world?

~~~
andrewljohnson
Certainly... if not in who gets hired, then at least in what hires get paid.

~~~
pervycreeper
Would you care to provide some evidence for this claim?

~~~
drivebyacct2
For what claim? Unless you're a WASP, you know that discrimination still
exists. I don't see why startups would be automatically immune to this until
they have explicit policies in place ensuring proper equal treatment.

~~~
pervycreeper
Parent implied that female startup hires get paid less than their male
counterparts. This is not something that can be proved "a priori", regardless
of the presence of discrimination (or "WASPS") in the world.

~~~
krickle
For the US, I thought the converse was directly provable with empirical data.
Don't you have a far stronger argument than you are using?

------
barredo
European law:

    
    
        When the email address is obtained in the context
        of the sale of a product or service, *the natural
        or legal person may use the email for direct
        marketing of its own similar products or services
        provided that customers clearly and distinctly are
        given the opportunity to object, free of charge and
        in an easy manner*, to such use of electronic contact
        details when they are collected and on the occasion
        of each message in case the customer has not
        initially refused such use.
    

<http://www.lsoft.com/resources/optinlaws.asp>

------
georgemcbay
If I wind up on some mailing list and there isn't a _very_ easy way to
unsubscribe via link right in the email, I immediately and without guilt mark
the mail as spam in my gmail.

I recommend everyone else do the same and if everyone did I think the fear of
being put on gmail's global blacklist for spam would be a far more effective
deterrent than the laws alone.

~~~
akldfgj
This is in fact the intent of Gmail's spam button design. Gmail's definition
of spam isn't tailored to Federal law, it's "whatever messages our users are
likely to mark as spam"

------
jrallison
The CAN-SPAM law makes a clear distinction between “commercial electronic mail
message” and “transactional or relationship message”.

In most cases, if an email isn't commercial in nature, it's excluded from the
CAN-SPAM requirements. Now, whether or not it annoys your users is another
discussion...

One relevant excerpt:

"These requirements do not prohibit transmission of “transactional or
relationship” content. Even if a recipient opts out of receiving messages with
a commercial primary purpose from a particular sender, that sender may
continue to transmit other types of messages. Therefore, recipients who invoke
their rights under the opt-out mechanism required by CAN-SPAM will continue to
receive valuable “transactional or relationship” messages. This is important
because transactional or relationship messages are communications that
Congress has determined to be per se valuable to recipients."

------
rickdale
This is how linkedin does it. They created an account for me then started
blasting me with emails. When I try to unsubscribe I have to login. Almost
want to shoot myself every time I see a stupid linkedin email. How can I login
to an account I didn't create?

~~~
lpolovets
If it's tied to your email account, couldn't you do a password reset?

------
kordless
I read Section 316.2(o) – Definition of “Transactional or Relationship
Message”. It would appear I'm allowed to tell you about software updates,
forgotten passwords and the like without including an opt-out link. These are
termed transactional or relationship messages and are excluded from the
definition of commercial electronic mail messages.

By that logic, it would seem I'm also allowed to make you login to change the
settings by which I notify you of these things. While it would be nice of me
to provide such functionality to my site, it does not appear I am not obliged
to do so under law.

~~~
sudonim
It's pretty common to require sign in to change email preferences. Not out of
malice, but more that if you want to have more than a global unsubscribe, you
then have to allow users to see the prefs for a given email address without
being logged in. It gets tricky quickly.

I'd love to see a blog post about best practices when you have a few different
options in your email prefs & you want to avoid people having to log in.

------
PCheese
It's not just startups. Why does Google get away with this with their "Name
Here wants to chat" invite emails? I have an address that at this point must
have received hundreds of these emails, none of which have instructions on how
to block them. Partial example: <http://cl.ly/image/3y3D0f2r0W0q>

~~~
dangrossman
Speaking of Google, every mailbox I have is subscribed to a dozen Google
Groups full of Arabic-language spam. These are mailboxes on my own domains,
that don't have Google Groups or Google Account accounts. Anyone can add you
to a group and start spamming you through Google, repeated "report this group
as spam" reports don't stop new mails from arriving, and the only way to
unsubscribe is to create a Google Account with that mailbox then leave the
group.

~~~
akldfgj
Does that mail get labelled Inbox, or Spam, when it is first delivered?

------
pestaa
Thank you.

Not only illegal, it is downright rude to establish gatekeepers like a login
box to avoid getting me off that important newsletter.

Given any mail with this characteristic I will gladly report it as spam in the
hope that the next guy won't have to deal with it.

------
vm
What legal recourse do consumers have against companies that violate this?

LinkedIn and GetGlue both require logins to unsubscribe, so I mark their
emails as spam and filter directly to trash. It works, but philosophically it
still pisses me off...

~~~
Matsta
Really? I get Linkedin spam shit every day for god knows how many years. Every
time I delete it or report it as Spam, I still get the stuff the next day.
Most annoying website in the world. I even changed my profile to reflect that
since I could figure out how to unsubscribe once I finally logged in.

<http://nz.linkedin.com/pub/matt-gascoigne/17/a25/9b6>

~~~
morgen
I've been working with a team on a product that we use in this situation.
<https://leemail.me>

You can give a custom email to every website. Then if they spam you or sell
your address, you'll know and it's one click to turn them off.

Another nice trick is to change your email at a spammy vendor to a leemail and
then turn it off.

------
Kudos
I filed a formal complaint to the FTC last year for Beatport doing this after
complaining about it to them and essentially being told to fuck off.

Their emails still arrive and get filtered to my trash. They're still in
violation with no simple way to unsubscribe.

------
lancewiggs
Somewhat obvious, but the law should be the last port of call for advice. The
real plea is to do the right thing by your customers. If they don't want your
email then let them escape instantly. It's then more likely they will have a
good feeling about your company for any future interactions or
recommendations.

How are we, for example, feeling about Linked In these days?

------
julianz
Excellent point. I'm currently working through a mountain of email from a
hideous sounding site called Meet Me that somebody's subscribed to using my
Gmail address. Not only can I not unsubscribe from the site, I can't even
report it to them on their "identity theft" page using my address because it
detects that it's in use by a supposed existing member and bounces me to a
login page. My only strategy now seems to be to wait out the period until the
subscription auto-expires because the email address hasn't been confirmed.
Meet Me can die in a fire.

~~~
akldfgj
Gold mine. Under CAN-SPAM, spam is worth $500 per message, if you can identify
the sender.

------
TomGullen
Facebook's 'Daily Credits Report' breaks this rule. I can't find anywhere to
unsubscribe from these 2 daily emails! Anyone else suffer this?

~~~
ctbeiser
I can't tell you how to unsubscribe, but I can give you the link to the FTC to
complain about violations of the CAN-SPAM act:
<https://www.ftccomplaintassistant.gov>

I complained about Facebook for requiring me to sign in to unsubscribe from
group-emails (which I had already turned off twice).

------
mmanfrin
Thanks for posting this -- I've been getting email from companies that are
requiring login to change email settings, but the inconvenience of getting
spam is less of an inconvenience than tracking down my password for this
random site. I've emailed saying that it was probably against a law, but I
didn't know which law specifically.

------
saurik
To verify: the ramification of these rules is that for any service that you do
not pay for, if I know your email address, I can disable your service (as the
bare minimum security requirement for such would have the service at least add
a large random string to the emails it sends you, which would be information
you would need to opt out that they are not allowed to require).

(FWIW, I'm all for following laws that already exist, including this one, but
frankly this was a _stupid_ law to enact: spam is not a serious problem, and
spam from a single specific bothersome recipient--the only kind this law could
possibly affect--was _never_ a problem (or at least hasn't been since the
invention of the killfile, something that I am pretty sure predates my birth).
What needed regulation was real physical mail--the kind that causes nearly
infinite paper trash--and yet that seems to largely be ignored.)

~~~
ww520
This law is a godsend in combating email spam. You must live in a different
world if you don't have a spam problem.

~~~
saurik
Look, I get tons of spam: I have had the same email address since 1997 and
have never been shy about posting it anywhere and for any purpose with
visibility to anyone. However, spam filters actually work well, and to the
extent that they don't work it doesn't take much time to deal with: spam is very
obvious. When spam isn't obvious, I will argue it is actually a malicious
phishing attack, and not spam.

Given this, you must realize that >99% of this spam is from random people who
are not actually subject to this law because they aren't at all traceable. If
I have heard of the service, then it will be trivial enough to killfile (such
as, "reject all messages from this domain; example: *@pcworld.com"), and much
easier to do so than even clicking a single link to unsubscribe as you can
make that a hotkey in your client.

(Sadly, people believe that they should rely on spam filters for this use
case, which is ludicrous as there is no real way to differentiate "I signed up
for PCWorld in 1999 and have since decided I no longer care" from "I never
signed up for PCWorld, but they decided to start sending me things I hate"
from "I like PCWorld and would love to hear about their new articles, so I
subscribed" using remotely objective algorithms.)

(Even a human is going to get it wrong half the time, especially if they're as
spam-touchy as the people on this thread reporting services I might personally
use and like to Google as "spam" when they can and should either killfile the
sender or take the extra 30 seconds to unsubscribe; people who do this just
damage the effectiveness of spam filters by messing up the training sets with
data that isn't truly indicative of the spam we need machine learning to
filter.)

In essence, this law spends a bunch of time figuring out how to regulate
people who were either never the problem in the first place, or were the
problem only because they decided to hand your email address to a third party
they maybe shouldn't have (although the idea that you will combat spam by
keeping your email secret is already a losing battle). Meanwhile, the people
who cause the >150k spam messages I receive per year to saurik@saurik.com
just get to keep on spamming.

~~~
DanBC
So, when you say spam is not a problem you mean it is not a problem for you.
You know how to set filters; you're using machines a lot anyway (and thus the
extra bandwidth and storage and processing isn't a burden) etc etc.

I'm gently worried about the spam vs ham problem. Some people must not ever
have a false positive.

In theory this law encourages good companies to stay good companies and to not
outsource to dodgy spam outfits.

It is weird that in 2012 we're still making up stuff about the best practice
for sending email.

~~~
saurik
Normal people use hosted services like Gmail (Yahoo!, Outlook.com,
fastmail.fm, etc.), and are not worrying about bandwidth or setup complexity.

You might claim Gmail is worrying about the bandwidth, but again: this kind of
spam is a tiny tiny fraction of the spam problem. These people are already
capable of using buttons that say "spam": a killfile is just another single-
click button.

Finally, and again: the spam vs. ham problem is mostly complex because people
are misdefining spam as "mail I don't want" as opposed to "mail I couldn't
possibly have wanted" (and thereby use the spam button to punish people whose
policies they dislike, which both mistrains filters and relies on machine
learning to solve a straightforward problem that could be exactly solved by
rules).

The spam in the latter category _must_ be machine filtered, as this law, nor
any other possible reasonable law, doesn't make even a small ding in it, while
the remaining spam in the former category can be handled with one-button
killfiles.

------
borplk
I wish the law was this strict for physical mailbox junkmail too. I receive
way too many advertising materials in my tiny mailbox. I have to dig through a
pile of unrelated advertisements to find maybe one letter addressed to me.

~~~
xtdx
<http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt063.shtm>

For the most part, since it costs real money to send real mail, many of the
people behind it are inclined to honor unsubscribe requests.

------
Tyrannosaurs
Has anyone else noticed an increasing instance of mails that have an
unsubscribe link, which takes you to a proper unsubscribe page but when you
click on it you get an error.

The joy I suspect of ignorant bug prioritisation - seen by some as no big deal
where in fact it means that the organisation is violating both US and European
law as well as causing brand damage (either of which would usually make a bug
priority 1 in any normal organisation).

~~~
Yahivin
Or the result of A/B testing when the new "feature" resulted in a 100%
decrease in the number of people who unsubscribed from the newsletter.

------
autophil
That's why I immediately flag the email as spam when I see that - even if I
know for a fact I signed up for the emailer.

More people need to do this.

------
tlogan
And this is one more reason not to use software which is free.

From customer perspective: If you are using something which is free then they
_will_ try to SPAM you as much as it is allowed by law.

From company perspective: If you ran a web service (SaaS or something) and you
have "free-loaders" using your service, they will mark as spam all your
legitimate emails.

------
krickle
I feel we are like friends who never met. Is there a way to sue or force
prosecution of those who violate this rule?

------
fourstar
Now if only I can figure out how to evade the spam box with my legitimate
unsubscribe link that I generate based off of a uniqueId and append to
mydomain/unsubscribe/$code without having to use a relay mail server such as
sendgrid or AWS route 53 :\
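
Added example, not part of the comment above or of any other post in this thread: a sketch of the login-free unsubscribe link that nlh ("unique token"), saurik ("large random string") and fourstar (`/unsubscribe/$code`) describe, together with the `List-Unsubscribe` headers (RFC 2369, RFC 8058) that mail clients read. It assumes an HMAC-signed token instead of a stored random code; the key, URL and all function names are constructed for illustration.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
from email.message import EmailMessage

# Constructed values for illustration; neither appears in the thread.
SECRET_KEY = b"constructed-demo-key"
BASE_URL = "https://mail.example.com/unsubscribe"


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(email: str, list_id: str, key: bytes = SECRET_KEY) -> str:
    """Bind the token to one recipient and one list with HMAC-SHA256."""
    payload = f"{email.strip().lower()}\n{list_id}".encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64e(payload)}.{b64e(mac)}"


def verify_token(token: str, key: bytes = SECRET_KEY) -> tuple[str, str] | None:
    """Return (email, list_id) for a genuine token, None for anything else."""
    try:
        payload_part, mac_part = token.split(".")
        payload, mac = b64d(payload_part), b64d(mac_part)
    except ValueError:  # wrong number of parts or malformed base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison, and the payload is parsed only after it passes.
    if not hmac.compare_digest(mac, expected):
        return None
    email, list_id = payload.decode("utf-8").split("\n", 1)
    return email, list_id


def add_unsubscribe_headers(msg: EmailMessage, email: str, list_id: str) -> str:
    """Set the headers a mail client uses to offer its own unsubscribe button."""
    url = f"{BASE_URL}?t={make_token(email, list_id)}"
    msg["List-Unsubscribe"] = f"<{url}>"  # RFC 2369
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"  # RFC 8058
    return url


def handle_unsubscribe(token: str, suppressed: set[tuple[str, str]]) -> bool:
    """Single-step opt-out: no login, nothing typed by the recipient."""
    result = verify_token(token)
    if result is None:
        return False
    suppressed.add(result)  # idempotent, so a repeated click is harmless
    return True
```

Because the token travels in the link, the recipient supplies nothing beyond the click, and knowing someone's address is not enough to produce a valid request for them.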

------
kennywinker
Off the top of my head, LinkedIn and GetSatisfaction do this.

------
philfreo
Quora is (or at least was, recently) annoyingly in violation of this,
requiring a login (which is difficult on mobile devices when you use something
like 1Password)

~~~
gravitronic
Quora's become pretty much filth. I can't read responses without signing up /
logging in? That is not what I consider helping the internet.

------
sunnysunday
Why do they ask you to login first before you can unsubscribe?

The answer to that question might be enlightening.

~~~
Tyrannosaurs
I think there are probably two reasons depending on the company:

1) They see communication preferences as part of your account details and
therefore just lump it in with the rest of them behind the username and
password. I think where this is the case they're naive or stupid rather than
malicious.

2) In some cases (I think relatively rare but they exist), they actively want
to make it harder for you to stop the mailings and know every extra click and
keystroke does this. In this case I think they're naive and stupid as well as
malicious.

------
buzzkillr2
<http://www.ls1gto.com> breaks this rule.

------
pav3l
Does anyone know of a similar law in Canada?

------
repoman
Big deal, sir.

