Top US brands still falling foul of CAN-SPAM legislation, study finds

But have consumers moved on anyway?

More than a decade on from the ground-breaking CAN-SPAM laws meant to stop the barrage of unwanted email pestering US consumers, one in ten firms still falls foul of its most basic provisions, according to a study by the non-profit Online Trust Alliance (OTA).

The OTA audited a sample of the top 200 North American online and e-commerce brands in July, assessing them against ten measurements it believes to be industry best practice for complying with CAN-SPAM and Canada's Anti-Spam Legislation (CASL).

These included the ability to opt out of all email, the embedding of unsubscribe notices, and offering a user preferences web page. Overall, compliance was extremely high, with 10 percent of firms achieving a perfect score against the criteria, and 68 percent passing on eight out of ten counts.

OTA even names the top performers, which we print here in full because it offers some idea of the kind of firms included in the study:,,,,, BlueNile.com,,,,, Coach.com,,,, NineWest.com, Northern,,, and

However, about the same number of firms were found not to be compliant with CAN-SPAM in one of two important respects - not responding to an unsubscribe request within a generous 10 working days or not even having a working unsubscribe link inside emails at all.

Although an appendix in the OTA report lists all 200 firms studied, it does not tell us which ones fell down on these points, which is disappointing if legally understandable.

The point about studies such as this is to push for change by embarrassing firms into changing their behaviour, but naming them might have risked a lawyer's letter. However much consumers have moved on from the problems that CAN-SPAM sought to address, these firms are still apparently breaking the law.

What the OTA did offer was this:

"Despite CAN-SPAM taking effect 10 years ago, it is disappointing that a number of the world's biggest online retailers have yet to get things right," said OTA president, Craig Spiezle.

"On the positive side, the vast majority of email marketers are doing their part to distance themselves from spammers and thus fortify their customer relationships. Now is the time for others to follow their leadership."

When Techworld asked about the non-disclosure policy, the OTA's Spiezle did say that "in the absence of action in the future, we may need to reconsider the merits of public disclosure."

The 2003 CAN-SPAM legislation's effect was to force legitimate companies to think through their assumptions, partly as a way of distinguishing themselves from the legion of hardcore non-legitimate spammers. Spam was a problem in 2003 just as it remains a problem today. One major difference was that people then were perhaps more surprised and outraged by it. Today, with bigger issues afoot, most people shrug their shoulders at spam. It's become a form of digital weather.

On the basis of OTA's assessment, CAN-SPAM could still be said to have worked extremely well for genuine companies, also influencing behaviour far beyond the US.

If consumers have forgotten about it, the FTC does take the occasional action under its provisions, such as the one earlier this year against an alleged spammer using emails to trick people into signing up for healthcare.


Stories by John E. Dunn
