In honor of SMS’s 20^th anniversary late last year and the MMA CBP’s 7^th edition we would like to provide you with some key information about mobile marketing compliance.

Regulatory background

Since the passing of the US CAN-SPAM Act of 2003, it has been widely believed that commercial SMS and MMS messages were subject to the same opt-out consent and unsubscribe requirements as commercial email. While the CAN-SPAM Act of 2003 authorizes the Federal Communications Commission (FCC) to consider mobile messages when developing guidelines, the FCC has taken the position that text messages sent by automated broadcast systems are ‘automated calls’ and are therefore best covered under the Telephone Consumer Protection Act (TCPA) of 1991. Under the original Act, implied consent through a pre-existing business relationship and not opt-in consent was the standard for commercial telephonic communications and robo-calls.

On February 15, 2012 the FCC amended the TCPA to remove any ambiguity surrounding consent requirements for SMS, making it mandatory for businesses to receive “prior express written consent” before auto-dialing or texting consumers.

Industry self-regulation background

In 2003 the MMA published its first set of ethical guidelines for mobile marketers. Now a global-facing document, the MMA Code of Conduct can be distilled into the following privacy principles:

1. Adequate notice.Whenever requesting a mobile phone number marketers should inform consumers that they will be receiving SMS messages from a concrete shortcode-based program.
2. Opt-in consent. Regardless of offline, online or handset-originating acquisition, consumers may not be automatically enrolled into an SMS program. Consumers must first give their express (opt-in) consent by knowingly volunteering their mobile number or using a handset-originating command to join the program. Submissions through online forms require a double opt-in.
3. Opting out. Users should also know the ways to opt-out of a program, how to get help from their handset and where to reference terms and conditions, as well as the fact that message and data rates may apply when participating in an SMS program.

While advocated, the Code was not enforced and there were no concrete rules it’s practical application. The shift to robust self-regulation came in 2007 when the Florida Attorney General’s Cybercrime Taskforce aggressively pursued affiliate networks and mobile carriers who enabled the proliferation of deceptive premium-rated mobile programs.[1] The AG’s actions resulted in a number of key settlements, the terms of which became the backbone of the MMA CBP and carrier-specific monitoring and enforcement playbooks. This self-regulatory schema has evolved steadily over the past 7 years and is currently administered by the custodians of US shortcodes, the CTIA. In 2012 the CTIA, in collaboration with wireless carriers and industry auditors, developed a consolidated Common Shortcode Monitoring Compliance Playbook for SMS marketers.

Regulatory win for consumer best practices

The FCC’s amendments to the TCPA resulted in unintended consequences for MMA-compliant senders who were subjected to threats of civil suits for alleged violations under the Act.[2] On November 30, the FCC clarified that MMA-prescribed confirmation messages were not in violation of the TCPA. According to FCC Commissioner Ajit Pai, “Hopefully, by making clear that the Act does not prohibit confirmation texts, we will end the litigation that has punished some companies for doing the right thing, as well as the threat of litigation that has deterred others from adopting a sound marketing practice.”

And while not an explicit endorsement, the FCC Commissioner’s comments in support of “sound marketing practices” should not be overlooked. Some marketers have already dealt with the consequences of breaking these rules by way of CTIA audits, program short codes being de-provisioned and private legal actions from consumers.[3] With the TCPA updated to better reflect the state of privacy and practice in the industry today, rogue senders now have more reasons to worry.

Michael Puffer, one of our mobile marketing experts at Experian Marketing Services, suggests you ask yourself the following questions when reviewing your mobile program: (HINT – If the answer is no, it might be time to take another look)

Here is a quick and easy reference guide by Experian CheetahMail to help you follow point of sale email acquisition best practices. Remember, best practices start before point of sale and continue after the transaction.

For more information on managing compliance, privacy and deliverability with in-store email acquisition, download our latest Point of sale email white paper.

The creation of this specification is one that we believe aligns closely with one of our core businesses here at Experian CheetahMail-eliminating messaging abuse and protecting recipients from the fraudulent behaviors of other senders. While we believe that this technology is something that all senders should investigate and eventually implement, we believe those that are in the financial services industry, or otherwise have witnessed phishing attacks against the brand, should be the first to determine their company’s strategy with regards to DMARC. For most companies this will involve working across different departments, such as marketing, IT and security.

For those of you that have been in the email industry for some time you might remember when Yahoo! created a special relationship with Ebay/PayPal to reject messages that were not signed with the DomainKeys authentication protocol and stop phishing emails that were coming into their system claiming to be from these companies. DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance” has taken that same premise and grown it. DMARC standardizes how email receivers validate messaging using the well-known SPF and DKIM authentication protocols. A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as deliver messaging to another folder such as spam or junk or reject the message altogether. DMARC removes some of the guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation so they can potentially take action against those fraudulent senders.

An important aspect of the DMARC specification that is unique as compared to other similar initiatives that have come out before it, is that it allows the sender to determine what the ISP’s should do with messages that fail, and it doesn’t have to be an all or nothing approach. There is also no charge for senders to implement this technology. A sender can simply tell the ISPs not to do anything with failed messages, to quarantine a certain percentage of the failed mail or fully block any messages that fail and claim to be from their brand.

Over the years I have seen a number of similar proposals come into our industry and it always seems as though we have a chicken and the egg issue. Usually what happens is the ISPs say that they will start checking for the newest form of authentication once enough senders are using it. While on the other hand the sender community says that it isn’t worth their time to implement something if none of the ISPs are checking for it. The great thing about DMARC is that not only was this created by both senders and receivers there are many folks on both sides that are already using and checking for it. We currently know of at least 4 of the largest receivers in the world that are either currently checking for DMARC policies or finalizing their implementation of it . There are also a number of senders that are already publishing these records and it will only continue to grow.

We believe DMARC is an important step in order to continue to ensure the on-going health of our email eco-system and an important implementation for many senders, especially those at risk of being spoofed or phished. Experian CheetahMail will continue to monitor any changes to this latest initiative, or any other new industry developments to reduce messaging abuse and work to ensure that you are kept up to date on any additional developments.

In his new role as head of Global Email Deliverability, Spencer will provide Experian CheetahMail clients with valuable strategic and tactical insights on how they can stay in their customers’ Inboxes, as well as educate clients about the latest deliverability trends and industry best practices.

Spencer will be leading a session on the topic of deliverability and email ROI at the Email Sender & Provider Coalition (ESPC) Annual Meeting in Washington DC, September 11.

Never one to shy away from tough questions, Spencer sat down with us for a quick Q&A about his new role and approach to today’s deliverability challenges.

Q. What does your new role as Director of Global Delivery Services mean for Experian Marketing Services’ CheetahMail and its clients?

A. My responsibility is to create and deliver programs that enable our clients to connect with their customers and increase the ROI of their email marketing initiatives. Programs will focus on defining and executing sending practices that both respect what the receiving community expects out of communications from their favorite brands, and that also fit within each of our client’s business model.

Q. What about this role interested you the most?

A. There were a number of things that excited me about this role. First of all, Experian CheetahMail has always been known for its exceptional service and if I can help maintain and build on that within the deliverability realm, then it presents a great opportunity for our clients. Secondly, CheetahMail is a global company with offices throughout the world, and to be able to work across regions to help clients understand not only the ISP’s requirements and expectations, but also how customers in different regions approach and use the email marketing channel, is something that I think our client base will find valuable.

Q. How long have you been focused on deliverability?

A. I got my start in 2004 when I began working for a company by the name of Accucast (which was later purchased by Premiere Global Services). Back then there were very few people that actually focused on deliverability as a full time job. A number of folks would simply handle an ISP issue as a one off situation, rather than looking at the big picture and trying to understand the entire ecosystem. I come from a marketing background, whereas (and especially in the beginning), many of those that came into the field of deliverability came from an anti-spam/blacklist type background. Because of my marketing background, I think I have a bit of a unique perspective. I have always tended to take a more proactive approach to delivery issues, versus simply reacting to a situation and often responding after it is too late.

Q. What do you think will be different with regards to the deliverability industry in the next 2-5 years?

A. A lot of what we will be talking about in 2-5 years won’t be all that different from what we talk about with many folks now, just on a much larger scale and with more focus on end-user engagement. As engagement continues to become a determining factor in terms of what messages the ISPs will deliver to an Inbox, deliverability will play a more significant role in an email marketers overall strategy and plan.
Now, that is not to say that there won’t be drastic changes in the way we look at email best practices as a whole in the next 2-5 years. If I were to look back at when I first started in this industry and someone would have told me that there would be an entire business model based on the simple task of emailing their entire list everyday, I probably would have told them they were crazy. See back when I started, no one would have thought this was a good idea, there is something called email fatigue, and brands understood that if you mailed your customers too often they would then unsubscribe and you no longer had the opportunity to make money off of them. And at most, brands were sending one email per week. Today, we have so many different daily deal sites that many in the industry think this level of frequency is the norm. Of course I have always said that it really depends on what works best for your brand, your business model and your customers.

The one thing I don’t think will change is that email is all about relevancy. If you are sending messages to your customers with information/offers that they want, you will continue to see high inbox percentages, open rates and click thrus. But if you are sending them email just to send more, they are less likely to be engaged with your brand and more likely to unsubscribe or complain about your messages.

As a consumer I was peeved with how casually my address was auto-consented into to the retailer’s email marketing program with nary a word at the register. As a compliance professional, I wondered if the retailer realized that it likely violated California’s Song-Beverly Credit Card Act of 1971.

The U.S. District Court for the Central District of California noted that the Act’s main purpose is to address the misuse of personal information for marketing purposes and that it was “specifically passed with a brick-and-mortar merchant environment in mind.”¹

If you collect email addresses at Point of Sale (POS) in California, here is what you should know about this historic consumer protection law:

1. Song-Beverly prohibits businesses from collecting “personal identification information” during credit card transactions.
2. The law defines PII as “information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number²” ‘Not limited to’ opens the window for ZIP codes³ and email addresses being covered under the law.
3. California’s Supreme Court ruled⁴ that the statute does not apply to vending kiosks and online transactions involving credit cards, supporting the District Court’s assessment that the law focuses on in-store, non-cash PII collection.
4. The statute gives private right of action to credit card users with civil penalties of up to $250 for the first violation and $1,000 for each subsequent violation plus costs and legal fees.

As it is often the case, risk mitigation begins with staff education and customer perception management, and flows into a smart approach to deliverability. It IS possible to collect PII at the counter in California given the following:

1. Decouple PII collection from the credit card purchase. Ask the customer for their email address before taking their credit card or after they sign off on the purchase. Create a script for your sales associates to follow when requesting PII at the register.
2. Consider using the credit card terminal or other touchpad device for customers to enter their email and NOT use the sales associate. The device should first prompt the customer to consent to receiving an in-store eReceipt and/or marketing communications ideally before proceeding with the transaction, but it could be after as well.
3. Be transparent about the commercial intent. A consumer who feels misled is more likely to complain and to seek redress under the state’s Song-Beverly or potentially other consumer protection laws. If following different scripts is a challenge, apply the same disclosure/request script for both credit and cash transactions.
4. Send a welcome permission pass. Don’t assume that the customer wants anything more than an in-store eReceipt even if you can legally claim to have this right. You are looking for a loyal customer, not a courtroom victory. Let the customer make an informed decision at the counter or in a subsequent email. For example:
   • If the customer consents to the in-store eReceipt AND opts into your marketing messages at the register, send an ‘opt-out permission pass’ welcome email shortly after delivery of the e-Receipt to confirm their subscription status and to outline benefits of your email program. Be sure to include a clear and easy unsubscribe mechanism as well as a prominent link to your privacy policy.
   • If the customer ONLY consents to the in-store e-Receipt, send an ‘opt-in permission pass’ e-Receipt where you include a “subscribe to our marketing communications” link, button, or banner along with a link to your privacy policy.

Beyond risk of exposure in California, you should also be aware of related compliance considerations:

1. CAN-SPAM: Requires senders to obtain affirmative (aka; opt-in) consent from consumers who have previously unsubscribed from their commercial emails. If affirmative consent is not recorded at the point of collection, the address would need to be scrubbed against the appropriate unsubscribe list and suppressed.
2. Primary Purpose: My in-store e-Receipt did not have an unsubscribe mechanism, postal address, or even a link to a privacy policy. Fortunate for the marketer, the email also did not contain any promotional content in the subject line or in the body copy so they qualified under the CAN-SPAM Act ‘transactional or relationship’ message exemption. Yet, the message could have easily been considered ‘primarily commercial’ under the FTC’s Final CAN-SPAM Act Rule if it contained any solicitous content in the subject line or if it was overwhelmed by up-sells, cross-sells or other commercial content.

With the above in mind, we can now clearly see what went wrong during my Grant Avenue shopping experience. The associate asked for PII during the credit card transaction and did not provide notice of marketing intent before or after the request. There was no transition from in-store e-Receipt to newsletter in the form of a welcome email permission pass and no efforts made to solidify the pre-existing business relationship.

I can appreciate the challenge in honoring both the spirit and letter of privacy laws at the register. We believe that following privacy best practices in respect to training, transparency, and permission management can make POS collection a fruitful practice, even in California. I welcome any comments, questions, or suggestions on this topic at privacy@cheetahmail.com.
¹Saulic v. Symantec Corporation, 596 F. Supp. 2d 1323 (C.D. Cal. 2006)
²CALIFORNIA CIVIL CODE SECTION 1747.08(b).
³Reverse appending ZIP codes to postal information was determined by the California Supreme Court to be PII in Pineda v. Williams-Sonoma Stores, Inc., 51 Cal.4th 524 (Cal. 2011)
⁴ Pineda v. Williams-Sonoma Stores, Inc.

On Wednesday, December 7, I’ll be participating on a session at the Email Insider Summit about integrating email campaigns with display advertising. For those of you who cannot attend, or for those that plan to attend but want a sneak preview, here are a few key points I’ll be making about the future of these integrated campaigns:

1. Emailers have always used pixels and cookies to better analyze open or click-through activity, or more recently with transaction reporting and remarketing efforts. In addition, most emailers have tested or implemented third party tools using pixels for analytics or creative optimization. So adding a new third party pixel to email campaigns for display advertising can be easily understood and implemented.
2. Many online marketers have integrated website re-targeting into their suite of display advertising efforts, and leveraging email pixels to enable re-targeting is similar to using a web based pixel. This is bolstered by the fact that most email recipients are now using web-based programs, which can render this type of pixel (and associated cookie) for use with display ads. However, as with any re-targeting effort, this type of display advertising is considered to be ‘behavioral’ and falls under the Digital Advertising Alliance (DAA) Self-Regulatory Principles for Online Behavioral Advertising . As a result, marketers must make sure their privacy policies reflect this practice, and provide advertising recipients with in-ad notice and choice through the ‘AdChoices’ icon.
3. The benefits of integrated campaigns are many, and include consistent messaging across channels, improved relevancy for online display ads, and increasing performance of re-targeting efforts by extending the reach to email recipients who may not be visiting your website. In addition, future integrated display ad campaigns will be able to leverage the same segmentation schema as with email, transactional data, and addressable demographic or psychographic data, all of which in a privacy-centric way.
4. The potential drawbacks of these campaigns includes making sure you are working with a large enough display ad partner to be able to reach these types of ad recipients , making the investment of time and resources to upgrade your privacy positioning, and avoiding over-personalization with display ad creative.

I look forward to sharing more with you in the future about this exciting topic, and welcome your comments or questions. Learn more about Experian Digital Advertising Services.

I checked with the Experian CheetahMail compliance team to see if this type of email sent after an unsubscribe was CAN-SPAM compliant. I learned that unsubscribe confirmation messages like these are, in fact, compliant because “the CAN-SPAM Act explicitly exempts this type of email in their definition of ‘transactional or relationship messaging.’ The law provides an exemption for ‘notifications of a change in the recipient’s standing or status with respect to a subscription.’”

Since the unsubscribe email was deployed right after I clicked the unsubscribe button, I did not feel like my request was being taken advantage of. It also helped that the the email from Omaha Steaks used very clear, heartfelt and thoughtful language in their message. They did a great job with this post opt-out email all around, from the subject line (“We removed your email address…”) to the signed note from the owner.

Does sending an email to recent opt-outs work for all email marketing programs? Share your thoughts and experiences in the comments section.

But now that filtering technologies have now moved beyond IP address reputation to domain-based reputation, it is critical to understand how this shift fundamentally changes how email is filtered by ISPs.

• The good news: For most senders, this change will actually benefit their delivery rates. The fact remains that ISP filters still have ‘false positive’ situations where an individual IP address is singled out due to insufficient data or a glitch in the system, while the same sender’s other IP addresses are highly reputable and reach the inbox. With domain-based reputation, the filter looks at all of the data associated with the domain — therefore the singled-out IP address is overshadowed by the other approved IP addresses. In addition, domain-based filtering incorporates the reputation associated with transactional email sent from the same domain, which will most certainly help overall sender reputation.
• The bad news: If there truly is a reputation problem from anywhere within a sender’s domain, it will effect most (if not all) of the mail coming from that sender. This means that senders must be mindful of their complaint rates and email acquisition efforts because they both will affect their domain-based reputation — and by extension, their ROI. Equally important, if a sender is using the same domain for transactional messaging, those emails may also see their deliverability rates decline.

Frequently asked questions about domain-based reputation:

1. Which ISPs (and email access providers) use domain-based reputation?Yahoo!, Google/Gmail, AOL and ISP filtering provider Cloudmark are pioneers in the effort. Microsoft has started using it to some degree, and most other major ISPs are identifying ways to incorporate it either by using an outside filter like Cloudmark or other tools.
2. If my delivery rates to those domains are declining, what short-term things can I do?Your best bet is to look at the complaints received by ISPs registered in the unsubscribe reports and identify specific sources or trends that would account for higher than average complaint rates. There should be relative percentage consistencies between complaints registered at AOL, Microsoft and Yahoo!, so please don’t consider each of them as unique. Also, be mindful that Google/Gmail is likely seeing the same complaint rates as the other webmail providers even if they’re not sharing them with us.
3. What long-term things should I be considering?You might try varying the sub-domain or domain name used for transactional or relationship messaging. While this data could help mitigate a poor commercial email reputation, the risk for this type of email going to the spam folder or blocked is likely too high for most companies to bear. This same tactic could be used to split up various products or brands into subdomains to help separate reputations from varying acquisition or retention efforts. Finally, as with any effort to improve reputation, take another look at your email acquisition programs, mailing frequency, and ‘inactive’ re-engagement efforts to optimize total audience relevancy and minimize complaints.

For more information on domain-based reputation or deliverability, feel free to reach out to Ben Isaacson directly at deliverability@cheetahmail.com

- Bill Gates on spam

Every so often it is prudent to take a refresher on fundamental email marketing topics and best practices. CAN-SPAM, officially known as the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003, is one of the most important online marketing topics. To follow are some of the basic facts, principals and rules concerning CAN-SPAM legislation. But like most legislation, this is not a simple bill. I recommend reading the entire act to learn more details.

Opt-Out and Opt-in Rules:

• Opt-out email addresses cannot be shared or sold for marketing purposes.
• The opt-out option must be available to recipients for at least 30 days after they receive a commercial email.
• Opt-out requests must be handled within 10 business days.
• Opt-out methods must be available either via an email option or single web page option.
• If affirmative consent is not used, the email must be identified in the body of the message as an advertisement and include a valid brick-and-mortar postal address.

Other Related Information:

• The CAN-SPAM Act went into effect January 1, 2004.
• Header information must be correct and legitimate.
• An email’s “from” and “to” lines must be accurate. This includes the originating domain name, and identifying the organization or person who initiated the email.
• The subject line cannot mislead email recipients about the content within the email.
• Email addresses cannot be harvested, and automated means cannot be used to create email addresses.
• “Clear and conspicuous notice at the time the consent was communicated” must be given if an email address is to be shared with a third party.
• CAN-SPAM law is intended for the U.S. only.
• It is up to the Federal Trade Commission (FTC), the State Attorney General, and ISP’s to prosecute CAN-SPAM offenses. A spammer can be subject to a maximum $16,000 fine per violation. One of the largest CAN-SPAM violation settlements to date was $2.9 million in penalties. This case occurred in 2008.

So those are the rules. Pay close attention and as always, Happy Marketing!

In Bill McCloskey’s recent ClickZ article he takes the strong position that double opt-in consent is no longer a best practice and should be discarded. In my view, McCloskey is correct – double opt-in will not facilitate list growth.

At this point in time, individuals are largely familiar with the traditional single opt-in email sign-up process. Double opt-in requires more effort from the person who already completed the email sign-up process, which in some cases, can be a time consuming affair to begin with. For example, many registration forms (especially for sites handling sensitive personal information) now require the customer to repeat letters and numbers (CAPTCHA forms) for security reasons.

If your sign-up process is clear and straightforward, there is no need to require an individual to work even harder to join your list.

For this reason, I would recommend that companies invest in creating a clean sign-up process that clearly indicates how to whitelist your sending domain and articulates what the user should expect to receive in their inbox. Companies should consider displaying images of sample newsletters during the sign-up process to give the user a clear idea of what to expect from your email program. If these rules are followed, a single opt-in should suffice in nearly all circumstances.

The email sign-up process should be confirmed immediately via email, and certainly within 3 days maximum. ‘Welcome’ emails should remind the user of their recent subscription action and also reiterate that they can opt-out at any time. For more advanced email marketing programs, I’ve seen great success with ‘educational’ series of emails that explain the value of the content they will receive via email in upcoming mailings.

Email programs handling very sensitive personal information should be even more focused on creating a clean and clear sign-up process. As customers register for email statements, account alerts and the like, the process deserves the highest level of consent application. For this reason, more and more financial institutions now require the creation of an online account before email opt-in is offered. Above all, email is never the proper venue to reveal sensitive customer information.

By adhering to these registration techniques, email marketers can generate single opt-in list growth responsibly and effectively.