Policy at scale: The purpose of a policy is protection

The purpose of a written policy is to protect the provider by protecting the customer. Stated policies — especially in written form — provide a baseline of expected behavior that other people on the Internet can look toward. So, customers, prospects, recipients, and other providers are able to see what standards apply to the use of company resources. The provision of this baseline also helps to set a reputation for the company. Companies that have and enforce policies that align with the expectations of others in the ecosystem will enjoy a greater measure of success than those companies who either do not have or do not enforce policies.

Policy & law

One thing that I have noticed in my years of policy enforcement is the common refrain that “the law does not require this.” That is usually said in response to seeing a policy requirement that senders obtain permission from recipients before sending them messages.

Now, I used to say that “the law provides a floor.” But, that’s not really true. When you come down to it, what the law provides is the bedrock for behavior. You dig down to the bedrock and then you begin to build the structure. You don’t normally walk on the bedrock — you just know that you cannot go below it.

These days, I tend to want to ask what is the point of having a policy that merely agrees with the law? If the policy is more lenient than the law allows, then the law controls. If the policy is set by the law (i.e.: a policy that says “follow the CAN-SPAM Act”) then the policy is the law. In both cases, having a policy is useless as most contracts will already contain a clause that requires both parties to abide by any applicable laws.

So, you want to consider a policy to be “the floor” and, in a perfect world, you would want to see customers exceeding the requirements of the policy. In either case, you want to see them operating well in excess of the law’s requirements.

Why is this important?

A few years ago, I was talking with one of the postmasters for a major mailbox provider. That postmaster told me, “We block millions of CAN-SPAM compliant messages per day.” And that’s true. At one point, AOL had a counter displayed that showed how many messages it was blocking in realtime. You couldn’t even make out the last couple of digits due to the speed with which the numbers were changing.

If mailbox providers are blocking messages which fully comply with “the law” then it stands to reason that the actual standard for sending mail in the modern world has to be something greater than the law. What those mailbox providers want to see is a policy that is in alignment with the standards that they have for allowing messages into their systems. And, they want to know that if they have concerns and reach out that something will actually change.

Policy at scale

It’s really easy to set policies on the fly and in response to inquiries made by specific customers. But, providers with many customers need to set policies that recognize the scale of their business.

In many cases, adherence to policy is going to be a contractual obligation. This means setting policies that are reasonably clear and precise but not so rigid that they cannot adapt to changing business needs or unpredictable actions on the part of others (customers or message recipients, or even mailbox providers). Why? Because material alterations to a policy can sometimes constitute a material change in the contract itself that will necessitate either a “grandfathering” in of the old policy or a renegotiation of the contract moving forward. Since this series is talking about “policy at scale,” we would take that to mean either massively uneven enforcement of published rules while the old agreements age out or spending the time and money to get new signatures on new contracts for every customer. Both of these are things to be avoided.

In conclusion

Publishing and enforcing a policy helps to tell other relevant parties that messages sent from your platform are worth receiving and routing to the recipient’s inbox. This protects the customer’s interest (which is seeing their messages delivered) but that can only happen by first protecting the company’s interest in establishing and maintaining a clean reputation.

• Author
• Recent Posts

Mickey Chandler

A recognized leader in the fight against online abuse, specializing in email anti-abuse, compliance, deliverability, privacy, and data protection. With over 20 years of experience tackling messaging abuse, I help organizations clean up their networks and maintain a safe, secure environment.

Latest posts by Mickey Chandler (see all)

• Introducing: Arcana - 22 November 2024
• Help me see if there is a need for that I can fill - 23 September 2024
• Verkada: Data Protection Issues - 19 September 2024