Many online businesses use affiliates to drum up business. The affiliate finds a lead somewhere, passes it to the business, and gets a commission if the lead turns into a sale. Web based affiliates are relatively uncontroversial, but affiliates who advertise by e-mail are a chronic problem due to their propensity to send spam, both spam as normally defined and as defined by CAN SPAM. Is it possible to do legitimate e-mail affiliate marketing? Maybe.

CAN SPAM makes it pretty clear that a business is responsible for the actions of its agents, which includes ensuring that they follow CAN SPAM and other laws. Most of the CAN SPAM requirements are handled the the same way by affiliates as if the business were doing its own mailing—headers must not be misleading, mail must have a physical mailing address, and so forth. By far the trickiest requirement for affiliate ads is the opt-out rule, which says a business must follow a recipient’s request not to send any more ads. This means that every time an affiliate mails for a business, the affiliate has to remove all the addresses of people who’ve told the business not to mail to them. Furthermore, people who send opt-outs in response to the affiliate’s mail have to be added to the business’ opt-out list. This is a pain in the neck, but as I read CAN SPAM, it’s not optional.

What makes it tricky is that affiliate marketing is full of sleazeballs, and both the businesses and the affiliates have good reasons not to trust each other. If the business provides the list of opt-outs to the affiliates, the affiliates are likely to steal it and mail to it. (Mailing to it could even be legal under CAN SPAM so long as it wasn’t promoting the same business, although it does seem like a poor idea to mail to a list of people whose common characteristic is that they’ve gone to the effort to say they don’t want mail, I know people who’ve provided tagged addresses that have gotten spammed from ex-affiliates.) So perhaps the business can provide a listwashing service, where the affiliate sends them the list and they send it back minus the opt-outs. No, that’s no good, a sleazy business could steal the list on the way through. The same problem applies to affiliates sending opt-outs back to the business—it’s far from unknown for people to resell opt-out lists as verified live leads and the like.

There’s no perfect solution. One possibility would be to use a neutral third party to handle the opt-outs. That’s what Unsubcentral does with some success, although they’re limited both by the fact that they don’t do it for free (affiliates hate to spend money on anything that isn’t going to turn into revenue) and trust issues of yet another party in the mix.

Another possibility is to use lists of address hashes, one-way scrambled versions of addresses. If you have a list of hashes and a list of addresses, you can make hashes of the addresses on your list and compare to see which of your addresses are in the hash list, but you can’t otherwise tell what hashes correspond to what addresses. This means that if a business provides a hashed opt-out list to the affiliates, they can use it to scrub their lists, and they’ll know what addresses got scrubbed, but since those were addresses they already had, the opportunity for extra mischief is limited. Going the other way, if the affiliates provide the hashes back to the business, the business can scrub its own lists, and provide the hashes in turn to other affiliates, but at each level, they don’t learn about any addresses that they don’t already have. (A sufficiently determined bad guy could go get huge lists such as the ones on Millions CDs, then hash and scrub those to see what addresses he recovers. It’s not perfect, there’s no way to provide information to someone you don’t trust and be 100% sure he won’t misuse it.)

Whatever a business dues, literal lists, third party, or hashes, they have to do something. I would go so far as to say any any affiliate e-mail program that doesn’t include opt-out management clearly can’t be CAN SPAM compliant.