
CAN SPAM and Affiliate Mailer Opt-Out

Many online businesses use affiliates to drum up business. The affiliate finds a lead somewhere, passes it to the business, and gets a commission if the lead turns into a sale. Web based affiliates are relatively uncontroversial, but affiliates who advertise by e-mail are a chronic problem due to their propensity to send spam, both spam as normally defined and as defined by CAN SPAM. Is it possible to do legitimate e-mail affiliate marketing? Maybe.

CAN SPAM makes it pretty clear that a business is responsible for the actions of its agents, which includes ensuring that they follow CAN SPAM and other laws. Most of the CAN SPAM requirements are handled the same way by affiliates as if the business were doing its own mailing: headers must not be misleading, mail must have a physical mailing address, and so forth. By far the trickiest requirement for affiliate ads is the opt-out rule, which says a business must follow a recipient’s request not to send any more ads. This means that every time an affiliate mails for a business, the affiliate has to remove all the addresses of people who’ve told the business not to mail to them. Furthermore, people who send opt-outs in response to the affiliate’s mail have to be added to the business’ opt-out list. This is a pain in the neck, but as I read CAN SPAM, it’s not optional.

What makes it tricky is that affiliate marketing is full of sleazeballs, and both the businesses and the affiliates have good reasons not to trust each other. If the business provides the list of opt-outs to the affiliates, the affiliates are likely to steal it and mail to it. (Mailing to it could even be legal under CAN SPAM so long as it wasn’t promoting the same business, although it does seem like a poor idea to mail to a list of people whose common characteristic is that they’ve gone to the effort to say they don’t want mail. I know people who’ve provided tagged addresses that have gotten spammed from ex-affiliates.) So perhaps the business can provide a listwashing service, where the affiliate sends them the list and they send it back minus the opt-outs. No, that’s no good: a sleazy business could steal the list on the way through. The same problem applies to affiliates sending opt-outs back to the business; it’s far from unknown for people to resell opt-out lists as verified live leads and the like.

There’s no perfect solution. One possibility would be to use a neutral third party to handle the opt-outs. That’s what Unsubcentral does with some success, although they’re limited both by the fact that they don’t do it for free (affiliates hate to spend money on anything that isn’t going to turn into revenue) and trust issues of yet another party in the mix.

Another possibility is to use lists of address hashes, one-way scrambled versions of addresses. If you have a list of hashes and a list of addresses, you can make hashes of the addresses on your list and compare to see which of your addresses are in the hash list, but you can’t otherwise tell what hashes correspond to what addresses. This means that if a business provides a hashed opt-out list to the affiliates, they can use it to scrub their lists, and they’ll know what addresses got scrubbed, but since those were addresses they already had, the opportunity for extra mischief is limited. Going the other way, if the affiliates provide the hashes back to the business, the business can scrub its own lists, and provide the hashes in turn to other affiliates, but at each level, they don’t learn about any addresses that they don’t already have. (A sufficiently determined bad guy could go get huge lists such as the ones on Millions CDs, then hash and scrub those to see what addresses he recovers. It’s not perfect, there’s no way to provide information to someone you don’t trust and be 100% sure he won’t misuse it.)
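As an added illustration (not code from the article or from any vendor mentioned in it), here is the hash-and-scrub exchange in Python. It assumes SHA-256 and a trim-and-lowercase canonicalization that both sides agree on; if the two parties canonicalize differently, the hashes never match and opt-outs silently slip through.

```python
import hashlib


def canonical(address: str) -> str:
    # Both parties must canonicalize identically or the hashes never match.
    # Assumption: trim surrounding whitespace and lowercase the whole address.
    return address.strip().lower()


def hash_address(address: str) -> str:
    # Assumption: SHA-256 hex digest; any agreed one-way hash works the same way.
    return hashlib.sha256(canonical(address).encode("utf-8")).hexdigest()


def build_hashed_optout_list(optout_addresses):
    """Business side: publish only the hashes of its opt-out addresses."""
    return {hash_address(a) for a in optout_addresses}


def scrub(mailing_list, hashed_optouts):
    """Affiliate side: drop every address whose hash is on the list.
    Returns (addresses still mailable, addresses removed). The affiliate
    learns which of its own addresses were scrubbed, but nothing more."""
    keep, removed = [], []
    for address in mailing_list:
        (removed if hash_address(address) in hashed_optouts else keep).append(address)
    return keep, removed


def hashes_of_new_optouts(new_optouts):
    """Affiliate side: report opt-outs it received back to the business as
    hashes, so the business (and the other affiliates it forwards the hashes
    to) learn nothing about addresses they did not already hold."""
    return {hash_address(a) for a in new_optouts}


# Constructed sample data, not taken from the article.
BUSINESS_OPTOUTS = ["alice@example.com", "Bob@Example.ORG"]
AFFILIATE_LIST = ["bob@example.org", "carol@example.net",
                  "alice@example.com ", "dave@example.com"]

if __name__ == "__main__":
    hashed = build_hashed_optout_list(BUSINESS_OPTOUTS)
    mailable, dropped = scrub(AFFILIATE_LIST, hashed)
    print("mailable:", mailable)  # carol and dave
    print("dropped:", dropped)    # bob and alice match despite case and whitespace
    # Round trip: the affiliate's own opt-outs go back as hashes and are merged.
    hashed |= hashes_of_new_optouts(["carol@example.net"])
    print("after merge:", scrub(AFFILIATE_LIST, hashed)[0])  # only dave remains
```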

Whatever a business does, literal lists, third party, or hashes, they have to do something. I would go so far as to say any affiliate e-mail program that doesn’t include opt-out management clearly can’t be CAN SPAM compliant.

By John Levine, Author, Consultant & Speaker



John Engler  –  May 20, 2008 12:51 AM


Thanks for mentioning our service, but you should know that we don’t charge affiliates anything. The Advertiser, who is the “Sender” in most cases under CAN-SPAM, bears the burden of paying for the UnsubCentral service 100%, since they’re the ones that need to ensure compliance.

Our goal for advertisers is to make UnsubCentral a cost-effective solution, and I’d say that for all of our clients we do that pretty well.

We have over 150 advertisers using UnsubCentral today… a far cry from where we were two or three years ago.

John Engler
