CAN-SPAM GUIDELINES FOR TECH SUPPORT E-MAIL PRODUCED BY THE ASSOCIATION OF SUPPORT PROFESSIONALS Published by The Association of Support Professionals 122 Barnard Avenue Watertown, Mass. 02472 Telephone 617/924-3944 Fax 617/924-7288 www.asponline.com Copyright ASP 2004. All rights reserved. This report may not be reproduced without permission of the publishers.
CAN-SPAM Guidelines for Tech Support E-mail On January 1, 2004, a new federal law went into effect that regulates business use of e-mail. The socalled CAN-SPAM law (short for Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ) is aimed chiefly at the current glut of spam that s choking Internet e-mail. But CAN-SPAM also establishes guidelines that impact virtually all business e-mail including e-mail sent by tech support organizations. This report is intended to clarify how the new law will affect tech support and service customer communications.* It s important to point out that the CAN-SPAM rules aren t an attempt to define good e-mail etiquette or to decide who owns the Internet. In fact, CAN-SPAM explicitly endorses the use of e-mail for the development and growth of frictionless commerce, a position that has already infuriated anti-spam advocates. Rather, CAN-SPAM establishes a legal baseline for e-mail use. Individuals and companies are free to set higher standards for themselves, as long as their practices don t conflict with the federal rules. (For instance, CAN-SPAM says nothing about privacy policies, but protecting customer e-mail addresses is still an important principle of ethical e-mail use.) It s also worth noting that the CAN-SPAM law is already in force; there s no grace period. At least in theory, companies that don t promptly comply with CAN-SPAM face fairly significant legal and financial exposure. Thus, there s certainly some urgency about becoming compliant, even if the spam cops aren t pounding on your door yet. Of course, there s no way to predict how aggressively the new law will be enforced, or how fast, or even who the targets will be. True spammers have shown remarkable creativity in evading earlier laws; many already operate off-shore, and U.S. enforcement agencies (mostly the Federal Trade Commission) may decide that prosecuting spammers just isn t worth the hassle. However, even if CAN-SPAM isn t actively enforced by the FTC, it s inevitable that anti-spam organizations will use the new law to launch a blizzard of nuisance complaints against virtually anyone who abuses or even seems to abuse bulk e-mail. Regardless of whether these complaints end up in a courtroom, complaints of any kind are expensive to handle and resolve. Common sense suggests the best way to respond to CAN-SPAM will be to follow the new rules closely and avoid any risks. What are the most important of these rules for support-related e-mail? Here s a summary: The commercial e-mail rule CAN-SPAM applies specifically to commercial e-mail, which the law says is any message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service. At the same time, the law exempts transactional or relationship e-mail, a category that includes account updates, subscriptions, product upgrades, and warranty information. Clearly, most support-related e-mail falls squarely in the transactional or relationship category. Personal answers to customer-initiated support questions aren t spam by anyone s definition; similarly, bug alerts, customer satisfaction surveys, and maintenance renewal notices almost certainly fall within the CAN-SPAM safety zone, even if sent as part of a bulk mailing. Moreover, the law appears to allow at least some marketing content in transactional and relationship messages, as long as marketing isn t the primary purpose. However, there s some support-related e-mail that does qualify as commercial under CAN-SPAM. For instance, e-mail campaigns to promote training programs, consulting services, and maintenance * This report focuses primarily on issues that are relevant to companies that provide software support. Marketers who deal in investment scams, sexual aids, or guaranteed weight loss programs may find we ve ignored some elements of the new law. Sorry. 2 CAN-SPAM GUIDELINES
HOW TO LOOK LIKE A GOOD E-MAIL CITIZEN The CAN-SPAM law provides a legal definition of spam, but most of your e-mail recipients will also apply a subjective sniff test. Mail that feels personal, relevant, and interesting is likely to be opened even when it s obviously part of a bulk e-mail campaign. Some advice: Look at your overall mix of commercial vs. transactional and relational messages. In general, customers will tolerate a reasonable amount of sales-oriented e-mail from a company if most of the company s messages seem helpful and relevant. Explore ways to personalize all company e-mail campaigns and target them to appropriate audience segments. Even if you do no more than address the recipient by name Dear Wilbur you re showing more personal knowledge of the recipient than the average spammer. Post simple, clear privacy statements. Customers feel a higher level of trust in companies that promise not to resell e-mail addresses and personal data. (If you do plan to share e- mail addresses with affiliates and partners a euphemism that fools no one these days the law now requires you to state this fact conspicuously.) Consider developing a product or company newsletter, whose primary focus is tips, case studies, and other support content. E-mail newsletters are generally perceived as a source of informational rather than sales content, and recipients don t object to relatively frequent mailings. Build relationships, not just sales. Spammers are usually hit-and-run artists whose goal is to extract money as quickly as possible from impulse buyers. Over time, you ll get much higher response rates if you first develop a relationship of trust with your prospects. upgrades are all likely to be seen primarily as marketing efforts. As such, these e-mails will need to follow CAN-SPAM rules for commercial messages. (One of the most important of these rules is that commercial e-mails have to carry clear and conspicuous identification that the message is an advertisement or solicitation. ) If the success of an e-mail campaign is measured in terms of revenue, it s probably commercial under the CAN-SPAM rules. Unfortunately, CAN-SPAM doesn t provide a tidy set of guidelines for handling borderline cases, which can be highly visible. Are product support newsletters (which might be sent to sales prospects as well as real customers) commercial or are they part of a support relationship? What about press releases? Invitations to educational seminars and user group meetings? Customer research surveys? Most companies will want to avoid sticking clear and conspicuous advertising labels on such messages, but there s already some debate about whether omitting an advertisement notice here is acceptable under CAN-SPAM. The FTC is supposed to issue detailed guidelines some time before January 1, 2005; until then, everyone is in the dark including the lawyers. The opt-in exception rule CAN-SPAM allows e-mailers more freedom in commercial mailings to people who have opted-in to a mailing list. E-mail to these recipients falls under the relationship category and doesn t have to be identified as advertising. Opt-in has become a fairly popular strategy for tech support organizations: A recent ASP survey of e-mail practices found that 23% of companies already collect explicit opt-in permission from all the support customers they mail to, and another 11% plan to ask for opt-in permission. As part of this same trend, many product registration forms and sales contracts now CAN-SPAM GUIDELINES 3
ON PRESERVING MAILING LIST ASSETS Even before CAN-SPAM, the attrition rate for a typical corporate e-mail list was about a third of total names per year. Now that commercial e-mail must offer easy opt-out access on a company-wide basis, many lists are going to melt away faster than an ice cube on a hot summer day. Lists are a major corporate asset, so here are a few ways to preserve their value: Put a price tag on every name: It costs almost nothing to send an e-mail, so many marketers behave as if the value of e-mail names is also negligible. A good approach is to track the actual acquisition cost of new e-mail names, and then to use that cost to decide how much effort to put into recovering lost names and protecting the list from campaigns that produce high attrition rates. (A better metric, arguably, is to price e-mail names as if they were sales leads: If a hot prospect opts out halfway through the sales cycle for a $50,000 software deal, a company clearly has lost more than a few dollars in list acquisition costs.) Respond politely to unsubscribe requests: Remember that many people ask to be removed from e-mail lists temporarily when they go on vacation or switch e-mail addresses. Sending a pleasant sorry to lose you note (or a short exit interview survey) may help you salvage prospects who might otherwise never come back. Don t jump the gun on bouncebacks: Even with the cleanest lists, e-mail campaigns always produce hefty numbers of undeliverable messages. Most of these are actual bad addresses employees who ve left a company, businesses that have gone under, and the like. But many others are the result of temporary server glitches and hyperactive spam filters. (If a company s mail server is down, all e-mail sent to that company may look undeliverable.) Bulk e-mail services generally advise waiting for three bouncebacks before deleting a name but even that rule may cause you to drop some valid customer names. If your acquisition cost for new names is high enough, it s probably best to have a live person try to verify all bouncebacks before deleting them (a nasty, boring job, incidentally). Never sell names: Renting or trading a good e-mail house list is like lending your new car to your neighbor s teenage son for a quick spin around the block: It s almost certain to come back in worse shape, if not demolished. Under the new CAN-SPAM rules, moreover, you ll probably have to remove a recipient s name even if the opt-out request was triggered by a partner s hard-sell campaign. specifically request e-mail contact information and ask for permission to send support-related mail. Ironically, however, CAN-SPAM significantly reduces the incentive to obtain opt-in permission. Under the new law, a company is entitled to send commercial e-mail until the recipient opts out. Thus, offering an opt-in process to new customers may be a polite gesture, but it has little legal meaning, especially for support organizations whose e-mail is mostly transactional or relational anyway. Moreover, converting an existing customer list to 100% opt-in usually results in a massive loss of names. We made a decision approximately a year ago to self-impose an opt-in only policy on all company e- mail to customers, an ASP survey respondent reported. This included our customer satisfaction survey. As a result we have seen a significant decline in responses and are continuously struggling with having enough responses to maintain statistical significance. The bottom line: Getting opt-in permission from new customers and prospects is a desirable practice; it helps set expectations and identifies a company as a good e-mail citizen. However, there is no compelling argument for requesting retroactive permission, provided that the people who want to be dropped from a list can easily opt out. 4 CAN-SPAM GUIDELINES
The opt-out rule A basic principle behind CAN-SPAM is that commercial e-mail spam is acceptable, as long as recipients can easily remove themselves from an undesirable mailing list. The strictest rules in the new law apply to the opt-out process, and it s likely that CAN-SPAM prosecutions will focus primarily on companies that don t honor opt-out requests. (Failure to honor an opt-out request is also easy to prove, since the remove request and any subsequent promotions will leave a date-stamped audit trail.) Here are the basic rules: Every commercial message must include a functioning return electronic mail address or other Internet-based mechanism that recipients can use to remove themselves from the sender s mailing list. Note that telephone, fax, or postal mail are not considered appropriate opt-out media. Opt-out requests must be processed within ten business days. That means a list can t be prepared several weeks in advance of use. The rule also makes no allowance for seasonal overloads or inefficient handling by an outside list manager. Ten days is ten days. A Web form for opt-out requests must stay up for at least 30 days after a campaign. Recipients who have multiple e-mail addresses will have to submit separate opt-out requests for each address that appears on the sender s list. To avoid confusion from e-mail aliases and messages that are forwarded from other accounts, it s probably a good idea to include the recipient s original e-mail address in the text of the message, though this isn t a legal requirement. CAN-SPAM doesn t define exactly how the removal process should work, but the clear implication is that it should be simple and straightforward. E-mail recipients shouldn t be forced to fill out complex forms or read through elaborate directions. If a customer asks to opt out from an active account relationship (e.g., a maintenance contract), it s reasonable to ask for a password or proof of identity but asking for any more information should be left to a personal follow-up. In the case of high-value customers, it probably makes sense to direct opt-out requests to a simple profile management page that asks something like, What kinds of information would you like us to send you? In fact, CAN-SPAM encourages senders to provide a list or menu from which the recipient may choose the specific types of commercial e-mail messages the recipient wants to receive or does not want to receive. With this approach, customers can be given a chance to opt out of marketing messages but still receive support alerts, newsletters, and other electronic content. Although creating individual profile pages adds cost and complexity to the opt-out process, it should reduce list attrition significantly. The company-wide suppression rule An additional CAN-SPAM requirement for the opt-out process is that removal requests have to be honored on a company-wide basis. If a customer demands to be taken off the mailing list for WidgetWorks 2.0, that customer s name also has to be removed from the contact databases for maintenance contracts, newsletters, beta test programs, and every other e-mail touchpoint throughout the company. That s painful. CAN-SPAM does offer one loophole to the company-wide suppression rule: If an organization consistently promotes itself through separate lines of business or divisions, then opt-out requests don t have to be rolled up to the corporate parent. Thus, an opt-out request sent to AOL probably wouldn t have to be honored by Fortune or Sports Illustrated. However, most technology companies have positioned their products and services under the umbrella of strong corporate-level brands, so the separate line of business argument will be hard to sustain. CAN-SPAM GUIDELINES 5
Part of the challenge of complying with the company-wide suppression rule is that most companies still operate with dozens and sometimes hundreds of separate mailing lists, often with very limited cross-integration. In most cases, the only practical solution to this CAN-SPAM requirement will be to create a master e-mail suppression list and require all bulk e-mail campaigns to be run against this list before they can go out, including those using outside rental lists. This requirement will add substantial administrative overhead to the use of e-mail, but it s probably the only way to guarantee CAN-SPAM opt-out compliance. The additional challenge from company-wide suppression is that organizations now have to take seriously their whole relationship with customers and prospects. Under CAN-SPAM, a single abusive e- mail message can end a company s whole relationship with a long-term customer or high-value prospect. One slip and the ball game is over, says direct marketing columnist Robert Gellman. Striking a balance here will be tough: Marketing and sales departments will want to keep pushing customers to buy new products of sometimes unproven relevance; support departments will try to protect existing customer relationships. Almost certainly, this issue will end up being escalated to top management. Message formatting rules Under the CAN-SPAM rules, commercial e-mail must meet basic standards of honesty (no deceptive subject lines, no bogus return address, no falsified headers) and it s hard to imagine that any support organization would violate these standards. In addition, there are two specific formatting requirements: Penalties Advertising identification: CAN-SPAM requires that commercial e-mail include a clear and conspicuous identification that the message is an advertisement or solicitation. This message doesn t have to appear in the subject line, but it must not be so hard to find that recipients miss it completely. The clear and conspicuous rule has been well defined in a lengthy FTC publication called Dot Com Disclosures (www.ftc.gov/bcp/conline/pubs/ buspubs/dotcom), which e-mail copywriters should review carefully. Postal address: From now on, all commercial e-mail has to include the sender s postal address somewhere in the message. Few e-mail marketers now include their company address, so they ll probably overlook this requirement. But it s the law. Unlike a rival California anti-spam law that the new federal law preempts, CAN-SPAM doesn t allow individuals to file claims against alleged spammers. Instead, only the Federal Trade Commission, state attorneys general, and ISPs can bring a case. (However, the FTC plans to offer a 20% bounty to reward individuals who report CAN-SPAM violators.) This limitation will probably prevent the law from being abused by class-action law firms and random anti-spam zealots. Still, CAN-SPAM penalties are hardly a slap on the wrist $11,000 per violation, up to $2 million in fines per case. In addition, the FTC can impose triple damages for especially nasty behavior, such as harvesting names from online forums and deliberately ignoring opt-out requests. And finally, there are several infractions such as taking advantage of open relays to send bulk spam or falsifying header information that can lead to actual jail time. The good news is CAN-SPAM does give credit for good faith efforts to comply, so there s a definite incentive for top management to publish internal e-mail policies and start cleaning up sloppy list management. While these steps aren t as good as fully implementing CAN-SPAM, they are certainly evidence that a company is trying to comply. 6 CAN-SPAM GUIDELINES