Policy at scale: Policy is relative

6 July 2020

Telling stories is a dangerous thing in my line of work. But, work cannot get done without telling stories. On the one hand, you want the story to be accurate, but several really legitimate considerations mean that you can’t be so precise as to allow others to determine who is being referred to. If you are too precise, you can get into trouble, but if you lack enough precision the story cannot perform its function.

Why tell stories?

It’s easy to look at storytelling as a means for the teller to brag. After all, we tend not to tell about our losses and to speak up (and out) about our wins. But, I know that at least on this blog, the reason why I tell stories is to put context around the importance of policy.

Policy is one of those “ivory tower” fields. It is really easy to sit back and think about the way that things SHOULD be and then craft a statement that describes your chosen reality. But, very often, in my experience anyway, policies, like bills hoping to become laws, happen because of something which has occurred.

(Frishberg 1976)

So, it’s not just that people said that “There ought to be a law.” But something happened which caused a discussion that made the determination that there ought to be a law to even take place. In the context of a policy, that story is as important to understanding what the policy is, why it came to exist, and how it should be applied as the wording of the policy itself.

Policy is relative

Policy, like law, is extremely fact-intensive. That is to say that a blanket statement doesn’t always work.

For instance, last week I published a blog post talking about what constitutes opt-in. In that piece, you might have noticed a couple caveats or carve-outs. For instance, “Domain owner issues blanket, documented consent for addresses under their control (such as internal corporate communications, or messages from a corporate provider).” (Chandler 2020).

This indicates that there’s a relative element at work. If you have a very strict opt-in regime, then the requirement is that the recipient must always extend consent to be placed on a mailing list. But these things do not live in a vacuum and those of us who write and enforce policy have to take real life scenarios into account.

An example

In my case, when it came to understanding this particular carve-out in an opt-in only policy, it happened when an employee challenged the company I was working for over new employees sending introductory messages to the entire company at the end of their onboarding period. As far as the company was concerned, this was a good way for new employees to show that they had a basic grasp of the product that we were selling and allowed people to better get to know one another. As far as this employee was concerned, this process was resulting in a dozen or more needless messages per week.

Ultimately, we are in the business of helping users to successfully deliver messages into the inboxes of their intended recipients. That is, generally speaking, best accomplished by requiring the recipient extend consent which is specific to the user. But, in this case, there was more at work. The company was responsible for sending the message and was also responsible for giving the person complaining their mailbox as well as maintaining and tuning the spam filters that were hopefully keeping that mailbox usable.

While I do have strong philosophical leanings toward strict opt-in consent, in this particular instance, it makes far more sense to understand that the true owner of the mailbox is the entity who has the ability to ultimately control its use: the company. The company purchases the domain name, issues the username to the employee, and runs the spam filters. Thus, if the company wants to utilize its resources in this manner, the employee’s recourse is to try to change the company’s mind on its onboarding process — not to try to get policy enforcement to terminate the ability of each and every new employee to utilize the systems in the manner that they had been directed to use them.

So, what does that mean?

Policy creation and enforcement often come down to understanding the facts involved. While some things are pretty cut and dried (for instance, brokered/purchased/rented/appended lists are never “express, customer-specific opt-in” lists, no matter how hard you squint), in many other instances, the facts matter a whole lot. So, if the recipient’s employer gave someone a list of employees and said “mail them all about things relative to our relationship” then you have to examine the message to see what the facts say about how well the customer is keeping that agreement/request.

So, when you see a story here, understand that the story is being told to help us understand the policy and its implications by examining a real-world application. That application is what helps us to understand what policy looks like at both the micro- and macro-scales.

References

Chandler, Mickey. 2020. “What Is Opt-In?” Spamtacular. June 30, 2020. https://www.spamtacular.com/2020/06/30/what-is-opt-in/.
Frishberg, Dave. 1976. “I’m Just A Bill.” Schoolhouse Rock. March 27, 1976. https://youtu.be/SZ8psP4S6BQ?si=q9vVhK_9ohB7BgyS&t=46.

Author
Recent Posts

Mickey Chandler

A recognized leader in the fight against online abuse, specializing in email anti-abuse, compliance, deliverability, privacy, and data protection. With over 20 years of experience tackling messaging abuse, I help organizations clean up their networks and maintain a safe, secure environment.

Latest posts by Mickey Chandler (see all)

Introducing: Arcana - 22 November 2024
Help me see if there is a need for that I can fill - 23 September 2024
Verkada: Data Protection Issues - 19 September 2024