Telling stories is a dangerous thing in my line of work. But work cannot get done without telling stories. On the one hand, you want the story to be accurate. Still, several legitimate considerations mean that you can’t be so precise as to allow others to determine who is being referred to. If you are too precise, you can get into trouble, but the story cannot perform its function if you lack enough precision.
Why tell stories?
It’s easy to look at storytelling as a means for the teller to brag. After all, we tend not to talk about our losses and to speak up (and out) about our wins. But I know that, at least on this blog, I tell stories to put context around the importance of policy.
Policy is one of those “ivory tower” fields. It is easy to sit back and think about how things SHOULD be and then craft a statement that describes your chosen reality. But, very often, in my experience anyway, policies, like bills hoping to become laws, happen because of something that has occurred.
So, it’s not just that people said, “There ought to be a law.” But something happened that caused a discussion that determined that there ought to be a law even to take place.1 In the context of a policy, that story is as vital to understanding the policy, why it came to exist, and how it should be applied as the wording of the policy itself.
Policy is relative
Policy, like law, is highly fact-intensive. That is to say that a blanket statement doesn’t always work.
For instance, I published a blog post about what constitutes opt-in last week.2 You might have noticed a couple of caveats or carve-outs in that piece. For instance, “Domain owner issues blanket, documented consent for addresses under their control (such as internal corporate communications, or messages from a corporate provider)”.
This indicates that there’s a relative element at work. If you have a very strict opt-in regime, then the requirement is that the recipient must always extend consent to be placed on a mailing list. But these things do not live in a vacuum, and those of us who write and enforce policy have to consider real-life scenarios.
An example
When it came to understanding this particular carve-out in an opt-in-only policy, it happened when an employee challenged the company I was working for over new employees, sending introductory messages to the entire company at the end of their onboarding period. As far as the company was concerned, this was a good way for new employees to show that they had a basic grasp of the product we were selling and allowed people to better get to know one another. As far as this employee was concerned, this process resulted in a dozen or more needless weekly messages.
Ultimately, we are in the business of helping users successfully deliver messages to the inboxes of their intended recipients. That is, generally speaking, best accomplished by requiring the recipient to extend consent, which is specific to the user. But, in this case, there was more at work. The company was responsible for sending the message. It was also responsible for giving the person complaining their mailbox and maintaining and tuning the spam filters that hopefully kept that mailbox usable.
While I have strong philosophical leanings toward strict opt-in consent, in this particular instance, it makes far more sense to understand that the true owner of the mailbox is the entity that can ultimately control its use: the company. The company purchases the domain name, issues the username to the employee, and runs the spam filters. Thus, if the company wants to utilize its resources in this manner, the employee’s recourse is to try to change the company’s mind on its onboarding process, not to try to get policy enforcement to terminate the ability of every new employee to utilize the systems in the manner that they had been directed to use them.
So, what does that mean?
Policy creation and enforcement often come down to understanding the facts involved. While some things are pretty cut and dried (for instance, brokered/purchased/rented/appended lists are never “express, customer-specific opt-in” lists, no matter how hard you squint), the facts matter a whole lot in many other instances. So, if the recipient’s employer gave someone a list of employees and said, “Mail them all about things relative to our relationship,” then you have to examine the message to see what the facts say about how well the customer keeps that agreement/request.
So, when you see a story here, understand that it is being told to help us understand the policy and its implications by examining a real-world application. That application helps us understand what policy looks like at both the micro- and macro-scales.
Footnotes
- I’m Just a Bill – Schoolhouse Rock, (2014), https://youtu.be/SZ8psP4S6BQ?si=Ti6yqxRElI3yu8nP&t=45 (last visited Jul 6, 2020). ↩︎
- Mickey Chandler, What Is Opt-In?, Spamtacular (Jun. 30, 2020), https://www.spamtacular.com/2020/06/30/what-is-opt-in/ (last visited Jul 6, 2020). ↩︎
- Privacy Notices That Work: Beyond Wall Art for Your Website - 20 December 2024
- 2025 Email: Get Rid of the Training Wheels - 13 December 2024
- Help Me See If There Is A Need For That I Can Fill - 23 September 2024
