
CAN SPAM and Affiliate Mailer Opt-Out

John Levine

Many online businesses use affiliates to drum up business. The affiliate finds a lead somewhere, passes it to the business, and gets a commission if the lead turns into a sale. Web-based affiliates are relatively uncontroversial, but affiliates who advertise by e-mail are a chronic problem due to their propensity to send spam, both spam as normally defined and as defined by CAN SPAM. Is it possible to do legitimate e-mail affiliate marketing? Maybe.

CAN SPAM makes it pretty clear that a business is responsible for the actions of its agents, which includes ensuring that they follow CAN SPAM and other laws. Most of the CAN SPAM requirements are handled the same way by affiliates as if the business were doing its own mailing — headers must not be misleading, mail must have a physical mailing address, and so forth. By far the trickiest requirement for affiliate ads is the opt-out rule, which says a business must follow a recipient's request not to send any more ads. This means that every time an affiliate mails for a business, the affiliate has to remove all the addresses of people who've told the business not to mail to them. Furthermore, people who send opt-outs in response to the affiliate's mail have to be added to the business' opt-out list. This is a pain in the neck, but as I read CAN SPAM, it's not optional.

What makes it tricky is that affiliate marketing is full of sleazeballs, and both the businesses and the affiliates have good reasons not to trust each other. If the business provides the list of opt-outs to the affiliates, the affiliates are likely to steal it and mail to it. (Mailing to it could even be legal under CAN SPAM so long as it wasn't promoting the same business, although it does seem like a poor idea to mail to a list of people whose common characteristic is that they've gone to the effort to say they don't want mail. I know people who've provided tagged addresses that have gotten spammed from ex-affiliates.) So perhaps the business can provide a listwashing service, where the affiliate sends them the list and they send it back minus the opt-outs. No, that's no good: a sleazy business could steal the list on the way through. The same problem applies to affiliates sending opt-outs back to the business — it's far from unknown for people to resell opt-out lists as verified live leads and the like.

There's no perfect solution. One possibility would be to use a neutral third party to handle the opt-outs. That's what Unsubcentral does with some success, although they're limited both by the fact that they don't do it for free (affiliates hate to spend money on anything that isn't going to turn into revenue) and trust issues of yet another party in the mix.

Another possibility is to use lists of address hashes, one-way scrambled versions of addresses. If you have a list of hashes and a list of addresses, you can make hashes of the addresses on your list and compare to see which of your addresses are in the hash list, but you can't otherwise tell what hashes correspond to what addresses. This means that if a business provides a hashed opt-out list to the affiliates, they can use it to scrub their lists, and they'll know what addresses got scrubbed, but since those were addresses they already had, the opportunity for extra mischief is limited. Going the other way, if the affiliates provide the hashes back to the business, the business can scrub its own lists, and provide the hashes in turn to other affiliates, but at each level, they don't learn about any addresses that they don't already have. (A sufficiently determined bad guy could go get huge lists such as the ones on Millions CDs, then hash and scrub those to see what addresses he recovers. It's not perfect; there's no way to provide information to someone you don't trust and be 100% sure he won't misuse it.)
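
The two-way hashed scrub described above, sketched as an added example (not code from the original post or from any service it mentions). SHA-256 and the trim-and-lowercase normalization are assumptions that both parties would have to agree on; all function names and addresses are constructed for illustration.

```python
import hashlib

def normalize(address: str) -> str:
    """Canonical form both sides must share (assumed: trim + lowercase)."""
    return address.strip().lower()

def hash_address(address: str) -> str:
    """One-way digest of the normalized address (SHA-256 is an assumption)."""
    return hashlib.sha256(normalize(address).encode("utf-8")).hexdigest()

def build_hashed_list(addresses):
    """Business side: publish digests only, never the addresses themselves."""
    return {hash_address(a) for a in addresses if a.strip()}

def scrub(mailing_list, hashed_optouts):
    """Affiliate side: split its own list into (keep, suppressed).

    The affiliate learns which of its own addresses opted out, and
    nothing about opt-outs that were never on its list.
    """
    keep, suppressed = [], []
    for addr in mailing_list:
        (suppressed if hash_address(addr) in hashed_optouts else keep).append(addr)
    return keep, suppressed

def merge_optouts(hashed_optouts, new_optout_addresses):
    """Return path: opt-outs received by an affiliate are hashed and merged
    into the business's list, which can then be passed to other affiliates."""
    return hashed_optouts | build_hashed_list(new_optout_addresses)

# Constructed sample data (not from the original post).
BUSINESS_OPTOUTS = ["alice@example.com", "Bob@Example.org "]
AFFILIATE_LIST = ["ALICE@example.com", "carol@example.net",
                  "bob@example.org", "dave@example.com"]
AFFILIATE_NEW_OPTOUTS = ["dave@example.com"]

def demo():
    published = build_hashed_list(BUSINESS_OPTOUTS)
    keep, suppressed = scrub(AFFILIATE_LIST, published)
    updated = merge_optouts(published, AFFILIATE_NEW_OPTOUTS)
    keep_next, _ = scrub(AFFILIATE_LIST, updated)
    return keep, suppressed, keep_next

if __name__ == "__main__":
    keep, suppressed, keep_next = demo()
    print("mail to:", keep)
    print("suppressed:", suppressed)
    print("mail to after merged opt-outs:", keep_next)
```

Matching depends on both sides hashing the identical normalized string, so a difference in case folding or whitespace handling silently lets opted-out addresses through. Because the digests are unsalted by design, anyone holding the hash set can run `scrub` over any list they already have, which is the limit the parenthetical above describes.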

Whatever a business does, literal lists, third party, or hashes, they have to do something. I would go so far as to say any affiliate e-mail program that doesn't include opt-out management clearly can't be CAN SPAM compliant.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Law, Spam




Re: CAN SPAM and Affiliate Mailer Opt-Out John Engler  –  May 19, 2008 5:51 PM PDT


Thanks for mentioning our service, but you should know that we don't charge affiliates anything. The Advertiser, who is the "Sender" in most cases under CAN-SPAM, bears the burden of paying for the UnsubCentral service 100%, since they're the ones that need to ensure compliance.

Our goal for advertisers is to make UnsubCentral a cost-effective solution, and I'd say that for all of our clients we do that pretty well.

We have over 150 advertisers using UnsubCentral today… a far cry from where we were two or three years ago.

John Engler
