
> Dark pattern one: You must login to manage your marketing preferences. There's no security related emails here, so this is completely unnecessary.

This may be in violation of US law:

> You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request.

I wonder if requiring a login means that additional personal information is sent, or that the recipient must perform additional steps other than visiting a single page.

https://www.ftc.gov/business-guidance/resources/can-spam-act...



It is a violation of Swiss law:

"The advertising message must include a "Remove me" link. If a recipient clicks on this, he must be removed from the distribution list."

https://www.bakom.admin.ch/bakom/en/homepage/digital-switzer...


Interesting. All of my messages have a link that leads to a "click to unsubscribe" button because email scanners frequently "click" links. I guess if I was under Swiss jurisdiction I may be breaking that law.


In countries where such laws exist, most of the same links that take you to a button will immediately unsubscribe instead. I guess IP addresses are used.


I know why the button is there, as GET requests are not supposed to change state but POST requests can, and you can only make a GET request by clicking on a link in the email.

I'd be interested to see if that interpretation has been upheld by a court. Has anyone taken legal action arguing that the server should have used the GET request as the action to unsubscribe, not made the user click an extra button to get that POST request?


You can change state with a GET request. You aren't "supposed" to do it but there's no technical barrier preventing an unscrupulous company from effectively using the GET as a POST.


Wait, what do scruples have to do with how you handle GET and POST?


Remember those web counter images that would increment the number displayed each time they received a GET request? They were the most evil. -scary laughter-


Thankfully they were all replaced by Google - Do no Evil - Analytics


> you can only make a GET request by clicking on a link in the email.

Took a look and indeed there are a lot of email clients that don't support the form tag.

https://www.caniemail.com/features/html-form/
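The GET-versus-POST point raised in the comments above (a link in an email can only trigger a GET, mail scanners fetch those links, so the state change belongs on a POST behind a confirmation button) as an added illustration; this is not code from anyone in the thread. It assumes a hypothetical `/unsubscribe` endpoint and a constructed secret key, uses only the Python standard library, and adds one detail the thread does not mention: an HMAC token in the link, so a link can only unsubscribe the address it was issued for. `handle_unsafe` is the "GET used as a POST" anti-pattern; `handle_safe` is the link-then-button pattern, and the scanner simulation shows why the two differ.

```python
import hmac
import hashlib
from html import escape
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed demo secret (assumption); a real deployment would load it from a secret store.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def make_token(email, key=SECRET_KEY):
    """HMAC-SHA256 over the address, so a link can only unsubscribe the address it was issued for."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()


def token_is_valid(email, token, key=SECRET_KEY):
    """Constant-time comparison, so token guessing does not leak timing information."""
    return hmac.compare_digest(make_token(email, key), token)


def build_unsubscribe_link(base_url, email):
    """The footer link placed in the message (hypothetical /unsubscribe path)."""
    return f"{base_url}/unsubscribe?{urlencode({'email': email, 'token': make_token(email)})}"


def _single_valued(query):
    """Flatten parse_qs output to one value per key."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def handle_unsafe(method, url, subscribers):
    """Anti-pattern: the GET itself changes state. Anything that fetches the link
    (a mail-security scanner, a link-preview bot) unsubscribes the reader."""
    p = _single_valued(urlparse(url).query)
    if method == "GET" and token_is_valid(p.get("email", ""), p.get("token", "")):
        subscribers.discard(p["email"].lower())
        return 200, "You have been unsubscribed."
    return 404, "Not found"


def handle_safe(method, url, subscribers, form_body=""):
    """Pattern from the thread: GET is read-only and renders a confirmation form;
    only the POST, which a link scanner does not issue, removes the address."""
    if method == "GET":
        p = _single_valued(urlparse(url).query)
    elif method == "POST":
        p = _single_valued(form_body)
    else:
        return 405, "Method not allowed"
    email, token = p.get("email", ""), p.get("token", "")
    if not token_is_valid(email, token):
        return 403, "Invalid unsubscribe link."
    if method == "GET":
        # Echo the signed parameters into hidden fields; escape them to prevent HTML injection.
        page = (
            '<form method="post" action="/unsubscribe">'
            f'<input type="hidden" name="email" value="{escape(email, quote=True)}">'
            f'<input type="hidden" name="token" value="{escape(token, quote=True)}">'
            f"<button type=\"submit\">Unsubscribe {escape(email)}</button></form>"
        )
        return 200, page
    subscribers.discard(email.lower())
    return 200, "You have been unsubscribed."


def simulate_link_scanner(handler, url, subscribers):
    """A mail scanner 'clicks' every link in a message: it issues a GET and nothing else."""
    status, _ = handler("GET", url, subscribers)
    return status


def demo():
    """Run both handlers against the same scanner fetch and report who stayed subscribed."""
    link = build_unsubscribe_link("https://example.invalid", "alice@example.com")
    unsafe_list, safe_list = {"alice@example.com"}, {"alice@example.com"}
    simulate_link_scanner(handle_unsafe, link, unsafe_list)
    simulate_link_scanner(handle_safe, link, safe_list)
    return {"unsafe_after_scan": sorted(unsafe_list), "safe_after_scan": sorted(safe_list)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the scanner's GET silently empties the list behind `handle_unsafe`, while `handle_safe` still has the subscriber until a real POST arrives. The token also means a forged link with someone else's address is rejected with 403 rather than acted on.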


I'm having trouble following what you mean. How can IP address help? What is the point of a button if you are immediately unsubscribed anyways?


The IP is used for geolocation. If the server detects that you're in a jurisdiction where clicking "unsubscribe" has to immediately unsubscribe you, the server does that, otherwise it shows you a button.


In foreign languages, such a "remove me" link may be hard to recognise. I've had spam in languages for which I don't even recognise the character set.


It's definitely illegal, but (ianal) it's the kind of thing that's tough to do anything about legally. The inconvenience to a particular individual is so small that there are no damages worth suing over. And so nobody bothers. But add that up over thousands of companies wasting millions of people's time, and it's a tragedy.


When I encounter this I mark that email as spam in Gmail. My hope is that if enough people do it, they will get blacklisted.


But the CAN-SPAM act has built-in penalties:

> Q. What are the penalties for violating the CAN-SPAM Act?

> A. Each separate email in violation of the law is subject to penalties of up to $46,517, and more than one person may be held responsible for violations. For example, both the company whose product is promoted in the message and the company that originated the message may be legally responsible.

https://www.ftc.gov/business-guidance/resources/can-spam-act...

That's ... not a trivial amount of money.

Wait for them to send you a dozen spam, and it's even more substantial.


Those penalties are only theoretical. They only matter if the FTC bothers with enforcement. Lowly citizens such as you and I cannot bring a suit and cannot cost these companies a dime. Source: https://www.law.cornell.edu/wex/inbox/can-spam_and_consumer_...

If the FTC cared, they would have made an example of at least one company in the intervening 20 years.


Just send the company an email and quote this section, it gets great results. I’ve used this method to get off a few mailing lists that implement these dark patterns.


I did this a couple of years ago to my alma mater alumni association by sending an email to the president directly. So far I haven't gotten an email so I guess it's working. In my case, every time I tried unsubscribing I'd get some kind of SQL error showing up inlined in the HTML, so it was even more frustrating.


> up to $46,517

Meaning the same as "not more than". And $0 is of course not more than $46,517.


This is true, but the intent probably isn't for the individual to sue, it's for them to report it to the relevant rule making executive agency who also has standing to sue (or just has standing to fine them directly depending on the agency and the rule, I don't know who governs this or if they have that power or not).


The relevant agency would be the FTC, but is the FTC even interested in pursuing these cases? I've seen a few cases where they sued scammy businesses (https://www.ftc.gov/news-events/news/press-releases/2019/12/...), but there are lots of legitimate businesses that are nonetheless breaking the law. For example Xfinity sent me an ad for a voice-activated remote, categorized it as a "service-related email" and had no unsubscribe link. Instantly marked as spam.

What I want to know is: has there ever been even a single case of the FTC going after one of these real companies?


Experian sends me marketing emails classified as service-related as well, seems like once a week at least. Thankfully, Gmail has learned that I always mark them as spam and classifies them accordingly, though I wonder if it'll do the same if a non-marketing email ever comes through.


I can't be the only one who's noticed that most of these companies are above the law...? When was the last time someone even got a slap on the wrist? Some class action lawsuit that gave a coupon for 10% off your next purchase?

Spam got better because Gmail, not because the law did anything...


Spam got better because email delivery became an industry. You can't get email delivered at scale yourself, and all the businesses have a long term reputation to protect by following best practices, of which "the law" is part.


I don't think the law really had much to do with it, vs reputation based blacklists and SPF and such that the email industry created to combat spam.

I'm not saying this because I'm anti government, I just don't remember any of the spam laws doing anything, historically, vs the technological defenses invented by the community.

Hell, almost all of the spam I get these days is FROM the government begging for campaign donations, because they so thoughtfully excluded political spam from the laws. Gee, thanks. Now I just globally block anything from NGP VAN.


If anything, we are lacking a law: a law ensuring a government-backed email system comparable to USPS for regular mail.

Just as the USPS allows for personal mailing, each person should be provided an email address that has unhindered access to send email to any other email address in that domain. Government ID would be required for the email address, so there is accountability if you abuse it, the same way you would be held accountable for mailing dangerous goods from your home mailbox.


Mm, seems like the costs of that would way outweigh the benefits...

An email system with the speed of the USPS, the ease of use of the DMV, the security of the social security system, and the billing of the IRS. It already sounds like a digital gulag, lol


Haha, I know what you mean - but realistically all the government really needs to do is provide a specification and fund it, while having the courts uphold its reliability.

For example, Google could provide the service - but they would have to avoid co-mingling the service with their existing one. They wouldn't have the same rights to the content within the email as they do with a Gmail account. And they wouldn't be spam filtering small businesses into oblivion for trying to talk to each other directly.

Technically the service can be fulfilled by multiple vendors adhering to the same specification.


If the law had nothing to do with it, then why would excluding political spam from the law do anything?


It doesn't. It's just ironic. They end up in my spam box thanks to Gmail not thanks to the law.


Okay, that makes sense. I'm in the UK and voting spam outside of obvious political groups like the EFF that you would have signed up to doesn't appear to exist.


In the US, our campaign finance is heavily corrupt. There is no public finance system so candidates beg for money anywhere they can. Our 2020 elections spent nearly 15 billion dollars between our president and our congress. Some of that money comes from candidates directly asking for money. Other times, supposedly independent organizations (superpac) working to further the cause of a candidate, but not directly working with them, will also try to fundraise and campaign on their behalf without direct coordination. There is no limit to the amount of money such an org can get or spend, because the conservative Supremes ruled it an expression of free speech. Other conservatives worked to mask the sources of funding for such organizations.

Political activity was specifically excluded from our already sad and almost never enforced spam laws. Further, individual campaign donations are considered a matter of public record. So individual donors get recorded in these databases, and then private companies like NGP will harvest those databases, cross reference / deduplicate people with other databases, figure out their email and text contacts and then sell that information to candidates and parties who will in turn use it to spam you nonstop across email and SMS for every subsequent or similar election.

Good times.


UK as well:

> Organisations must not make it difficult to opt out, for example by asking customers to complete a form or confirm in writing. It is good practice to allow the individual to respond directly to the message – in other words, to use the same simple method as required for the soft opt-in. In any event, as soon as a customer has clearly said that they don’t want the texts or emails, the organisation must stop, even if the customer hasn’t used its preferred method of communication.

https://ico.org.uk/media/for-organisations/documents/1555/di... (page 43)


You also can't automatically opt people into a mailing list but nearly every company does it. I really wish the government would enforce CAN-SPAM.


You can auto-check the "sign me up" option, but you have to present it and allow the user to avoid it. Perhaps I've insulated myself a bit too much, but I haven't seen a signup form in the past few years that doesn't follow this pattern, and allow me to avoid signing up.


Many signup forms do seem to use this pattern.

I never leave it in the opt-in state. Ever.

And a vast number of these companies go ahead and email me anyway.

Sometimes they’re 100% marketing emails and they’ve just blatantly ignored my opt out, other times the emails are under the guise of being related to my account/purchase as opposed to marketing (eg those annoying drip feed “getting started with our product” daily emails) but the lines are very (deliberately) blurred.

In either case, the amount of inbound communication seems very heavily geared towards benefiting the company in being able to send out marketing messages / increase “engagement” as opposed to being actually necessary or useful from the point of view of a customer.

These thoroughly annoy me.

Edit: ironically Cloudflare is among the few companies who I do willingly receive marketing emails from - but even so, if the unsubscribe flow is as OP described, this is not really acceptable and needs looking at.


That's what the spam button is for. Enough spam reports causes them real financial costs.


Redfin does this: has some forms that start a process with your email, tells you you'll be on a list, no box to uncheck, terrible/dark unsubscribe process.


Express is sending me promotional emails with no unsubscribe link. They even justify it saying it is a “transactional email as part of their loyalty program” (it is not transactional, it’s just ads for sales) and the only way to stop them is to call their customer service to remove yourself from their loyalty program. Has to be the most blatant violation of CAN-SPAM I’ve seen. They used to have an unsubscribe button too, but it never did anything.



