The original EU legislation concerning unsolicited commercial email, passed in Ireland in November of 2003, requires marketers in the EU to gain opt-in permission where no prior customer relationship exists. EU marketers must also make known the use of cookies and tracking devices on their sites and give people the right to reject them. EU laws put a high premium on privacy and advocate the right of an individual to receive, not necessarily the rights of marketers to send.  However, they tend to rely on industry technology advances for enforcement rather than traditional prosecution methods.  With an estimated 90% of unwanted mail coming from sources outside the EU, it’s historically been better to fight illegal mailers in the field. 

Many in Ireland believe the increase in fines pays lip service to companies whose servers are bogged down by bulk mail, but that it will do little to prevent botnets and mail coming in from outside the EU. However, it is arguably a considerable increase, as the first Irish conviction under the law brought fines of only €2,500 in 2005. If the changes in the overall ”socio-politico-judicial-economic spam climate” in the past five years globally are any indication of the future, I wouldn’t be surprised if formidable prosecution measures evolve and we start to see the courts on every level handing out more fines. I also won’t be surprised if, due to a certain blogger coining the term “socio-politico-judicial-economic spam climate,” the term becomes a part of the everyday jargon of marketers and lay-persons alike in ‘09.

Reerun

The DMA will now require member companies to authenticate their email and according to the DMA it is very likely that most email servers in the future will block mail not authenticated.

So with that being said, Return Path announces a partnership with the DMA to assist companies in authenticating their email streams. DMA members can have access to the monitoring data, reports and alerts for their IP addresses and domains, providing critical reputation information that will help them comply with the authentication requirement.

More information along with the full article by By Matt Blumberg can be found at: Return Path

The Massachusets Office of Consumer Affairs and Business Regulation has published a lengthy checklist for compliance which is available at  their website.  The main requirement of the new regulation is putting a written information security program (WISP) in place for all records containing personal information on residents of Massachusets, as well as monitoring third parties’ abilities to protect personal information.  Once a company implements a plan, the legislation states that an employee or employees must be dedicated to maintaining and supervising its implication.  It also requires ongoing employee training and procedures for maintaining employee compliance. 

The WISP must secure all records that contain personal information and put in place technical, administrative, and physical safeguards to protect ‘personal information’, which in the actual legislation is defined as:

“a Massachusets resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: Social Security number, driver’s license number or state issued identification card number; or financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully available to the general public.”

In a nutshell, the legislation requires companies to do the following:

-limit the amount of personal information gathered, limit the amount of time the info is retained, and limit the individuals who have access to personal information to such that is necessary to accomplish an intended purpose.

-determine the location of all records that contain personal information, whether it be on laptops, paper, or other storage devices and secure all areas/storage devices that contain these records.

-impose detailed, written restrictions on access to the records

-regular monitoring of the information security system including upgrading info safeguards to limit risks

-annual review of the scope of security measures or a review when business practices concerning security change

-documentation of actions taken in response to breaches of information security and, upon review, necessary security changes made concerning the breach.

In part two of this post, we will review computer system requirements.

In this amendment, advertisers are defined under three categories:one whose name and address appear in the message as the contact info, one who is publishing to promote the advertised company’s goals, and one who publishes on behalf of a commercial sender. ”Commercial Material” is defined loosely as “messages distributed commercially to encourage acquisition of certain goods or services or spending money in any other way.”  So under this premise, charitable and political organizations as well as regular commercial advertisers are on the hook.  Also, mailers must gain permission from the consumer in order to mail.  Permission can be gained in writing, by email or by automated phone message.

The purpose of the new amendment according to the Israeli government is to close any loopholes there may be in commercial email laws in the country.  Israel’s law goes along with the industry best practice of opt-in and gives individuals the right to sue.  LashBack’s best advice if you do any business in Israel is to review your mailing practices and check in with an expert compliance lawyer. Also, you may want to run a confirmed opt-in campaign to make sure Israeli subscribers of your list are truly opt-in, to keep your liability at a minimum. The actual text of the law is available here: http://www.isoc.org.il/spam/, but be sure you can read Hebrew, or you’ll surely be fahklumpt! 

More resources and explanations on this law are available at DirectMag and Deliverability.com.

Yahoo adopting Sender Score Certified has positive implications for legitimate email marketers who are already Sender Score Certified, as it will begin to improve their deliverability in Yahoo mail inboxes.  It also means caring about email reputation as a marketer has never been more important.  As more and more ESPs adopt strict, uniform standards for the mail that reaches their customer inboxes, getting a handle on your reputation as a sender could mean the difference between sink or swim. Mailers can apply to become Sender Score Certified at the Return Path site.

How did I get on these lists of annoying mailings? It was my own fault! I bought a phone through a website and hurryingly hit submit before I noticed a box checked allowing partners and affiliates to send me unsolicited email. Read the fine details. I have tried to unsubscribe without success. Now advertisements are sent to me blindly. This all being said, it seems that advertisers and publishers would want their mailings to reach their target audience. It would drive click through sales and increase deliverability. The current system is broken.

~MOE

The suit, filed under the CAN-SPAM Act,  alleges that Guerbuez fraudulently gained access to various Facebook accounts and used them to market male enhancement pills, “legal Marijuana” and ringtones. Facebook claims losses due to harm to it’s reputation and resources spent fighting Guerbuez’s spamming efforts.

More info at links below:

Deborah Gage, San Francisco Chronicle
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/11/24/BUBO14B6J6.DTL

Matt Marshall, Venture Beat
http://venturebeat.com/2008/11/24/facebook-awarded-873-million-in-suit-against-spammer/

Jacqui Cheng, ars technica
http://arstechnica.com/news.ars/post/20081124-facebook-spammer-fined-almost-1-billion-under-can-spam.html

Security and bandwidth issues are definite bonuses with text based emails.  Personally, I wouldn’t go through the trouble to cut and paste a URL just to see what a company is trying to sell me.  After doing a little research, I think that it is a quality way to get into the inbox but probably not the best as far as response.  People are lazy and so am I.  Give me hyperlinks and colorful images to catch my eye (If you want my money).

~Reerun

LashBack executives viewed presentations by key law enforcement officials and members of the anti-spam community, including one by Stuart Paton and Vincent Schonau from top messaging security firm Cloudmark titled Fundamental Principles and Outbound Spam Analysis Studies. To summarize, the presentation noted that webmail is currently the top outbound spam vector.  A small number of IPs are responsible for the majority of webmail spam, but webmail spammers use hundreds of user ID’s for spamming.  The primary threat is currently off-net IPs spamming through webmail of SMTP AUTH.  Because imposing IP based rate limits risks blocking legimitate users, Cloudmark recommends its managed outbound IP reputation service. To control spam sent through webmail, ESPs should limit the number of messages that an IP can send in a day and use volume thresholds to flag suspect sending patterns.

In addition to hearing Cloudmark’s presentation along with many others, we were fortunate enough to meet Hein Dries-Ziekenheiner, LL.M, CEO of VIGILO Consult, who has a thorough background in fighting fraud and criminal activities online.  As a former technical advisor to OPTA, the Netherlands’ enforcement agency, a trained lawyer and former lobbyist, he is an expert on the risks posed by the increase in illegal activity and the requirements this places on business strategy of email marketers.  VIGILO Consult provides consulting services in the area of ICT related public and regulatory affairs, compliance and strategic advice.

In the current uncertain economic situation, both VIGILO and LashBack feel it is important to stay ahead of the competition and online criminals by staying on top of reputation.  Monitoring reputation allows for safe expansion into new markets to diversify revenue.  VIGILO and LashBack are teaming up to provide LashBack clients with two special offers from VIGILO which provide anti-spam forensics to mitigate the effect of criminal activities on reputation.

The services VIGILO provides are an excellent extension to LashBack’s Brand Alert and Compliance services, as they allow clients to identify the appropriate response to any criminal activity impacting their business which requires extensive research to identify the source.  VIGILO can also work with law enforcement to assure the proper potential public penalties as well as assist with any private legal action a client may want to file. Whether you are thinking of expanding your business in the EU or have complex online criminal activity impacting your email marketing program, VIGILO can help you get started. Visit VIGILO’s special page for further information.