Earlier this month, the Federal Trade Commission (FTC) announced that it had reached a settlement with well-known e-mail marketing firm Yesmail over violations of the federal CAN-SPAM Act.

According to the FTC’s complaint, Yesmail’s recently acquired business unit, called @Once, failed to abide by the CAN-SPAM Act’s requirements for processing unsubscribe requests in a timely fashion.

What was the reason @Once failed to honor the opt-out requests? In a deliciously ironic twist, it turns out the company’s own spam filters blocked the requests!


Recent Security Articles
Automated Patching Helping Zero-Day Exploits

Our Phishing Filter is Better Than Yours!

How Insecure Do You Think You Are?

The Rise of Patch Vigilantism

FREE Tech Newsletters

Hard to Get Caught

The fact that the FTC caught anybody violating the CAN-SPAM Act is a minor miracle.

When CAN-SPAM was enacted in 2004, it was touted by its congressional supporters as relief for the millions of consumers inundated by unwanted email.

But as I noted in an op-ed piece at the time, there’s a reason why the law wasn’t called the “Can’t Spam” Act: the law’s requirements served as little more than a roadmap for how spammers could keep sending millions of emails while avoiding legal liability.

Among the various do’s and don’ts for spammers who wanted the veneer of legality: Do put your company’s contact information in the body of the advertisement. Don’t use a bogus return address. Do give recipients a mechanism for opting out of future messages. Don’t take longer than ten days to process those opt-out requests.

So in a world where even a billion copies of the most annoying Viagra spam can be made legal by simply adhering to those simple requirements, it’s hard to believe that @Once screwed it up. And it’s even harder to believe that the FTC was there to catch it!

Yet according to the FTC’s complaint, when FTC investigators hit “reply” and asked to be removed from @Once’s mailing lists, the spam filtering software identified the incoming requests as spam, preventing them from being delivered to the automated removal process.

A source close to the situation told one newspaper that it took between three and four months before @Once realized that some of the reply emails were going astray and not being processed. By the time the problem was discovered, however, the FTC was already poised to spring into action – two years later!

Yesmail, which acquired @Once in 2005, was ordered to pay a relatively paltry civil fine of $50,717. However, the FTC will closely scrutinize the company for the next five years, resulting in attorney fees and other costs that will probably exceed that amount many times over.

Lessons of Yesmail’s Pain

As more and more companies begin exploring more aggressive e-mail marketing campaigns – and an increasing number of companies begin bringing their email marketing activities in-house – there are good lessons to take from the Yesmail case.

First and foremost, any company who wishes to do their own e-mail marketing needs to be fully conversant in the requirements of the CAN-SPAM Act. As I have noted, the requirements aren’t particularly onerous. Yet as the Yesmail case makes clear, it’s also not too difficult to run afoul of them.

Having a corporate privacy officer in place to oversee the creation and implementation of sound compliance policies is one vital way to make sure that your company is on top of these issues. Most major corporations, and certainly most reputable Internet marketing companies, have privacy officers already on the job. But for an increasing number of companies who are trying to bring more of their marketing activities in-house, the need for a privacy officer may not be fully appreciated.

Next page: Even with policies in place...