Like all other reputable email service providers, my employer has an opt-in-based anti-spam policy. This sometimes raises questions about what qualifies as permissible consent under our policy. While we believe that our policy is clear enough, a few weeks ago, I decided to break down some ideas about permission, consent, and opting-in under our policies in an attempt to answer those occasional questions:
- Permission is specific. In the context of our policies, “only ‘yes’ means ‘yes.’” We require that customers wait to send email until they have been told that it’s okay by the recipient. Customers may not guess at permission levels. If they have not been told “yes” by the recipient, then our policy requires that they refrain from mailing until permission has been secured.
- Permission is personal. If you ask me to send messages, I can give you that permission. That permission is yours. If I post my email address on a web page, I have not given “the world” permission to send commercial messages to my address.
- Permission is not fungible. Unlike currency, which may change hands multiple times daily, I cannot give you permission that you may then sell, trade, or rent to someone else. Likewise, you may not purchase, trade, or rent permission to email me from someone else. This is because our policy requires “express, client-specific opt-in.”
The easiest rule of thumb to help determine whether someone is getting proper consent under our policies is to ask: “Will this method of gaining permission result in a person who is surprised to hear from me/my customer/my prospect?” If the answer is “yes, they would be surprised,” then the requisite permission likely does not exist.
Here’s a short, non-exclusive breakdown of things that are permissible and things that are not:
Permitted:
- Notification at sign-up (where otherwise allowed by law)
- Notification in a policy statement (where otherwise allowed by law)
- The use of a checkbox during sign-up (pre-checked is okay unless otherwise defined by law to be “opt-out” — as is the case in Canada)
- Domain owner issues blanket, documented consent for addresses under their control (such as internal corporate communications or messages from a corporate provider)
Not permitted:
- Getting addresses from a list provider/broker/rental agency/append provider
- Getting addresses from a state agency (victims/witnesses listed in accident reports, professionals who must register with regulatory agencies, etc.)
- Trading addresses with a partner or affiliated group
- Company issues blanket consent for addresses outside of their control (even Sundar Pichai can’t permit Google to send marketing messages to people with hotmail.com accounts, and Satya Nadella can’t permit Microsoft to send marketing messages to people with gmail.com addresses)
- Scraping addresses from a website
- Guessing at an address based on how other addresses in the domain are formatted
Does this result in a more stringent standard than those found in several of the anti-spam statutes around the world? Absolutely. But I am convinced, after many years of consultation with mailbox providers (both B2B and B2C), spam filter providers, and anti-spam organizations (such as The Spamhaus Project), that clear, customer-specific consent is what is required to send email successfully in the world today.
And you can quote me on that.