Online Retailers Stumped by Internet Marketing Self-Regulation in an Unwelcome Holiday Surprise

While the Internet can be thought of as a Wild West of many things, regulation is rarely thought as being one of them.  However, at the height of the 2012 holiday shopping season, some online retailers found out the hard way that the Internet can also be a minefield of rules set by private players who wield disproportionate power to dictate online behavior. Recent reports suggest that during late 2012, one such online “regulator” -- the Spamhaus Project  -- prevented certain legitimate retailers from delivering marketing emails to their intended recipients across multiple Internet service providers (ISPs) by blocking the emails as spam.  There is no indication that the retailers violated any laws, such as CAN-SPAM, or FTC guidance in sending the emails.

Spamhaus is a non-profit group, based in Geneva, Switzerland, that provides anti-spam blocking services to ISPs and other Internet networks.  As of the date of this post, Spamhaus reportedly protects 1.7 billion mailboxes and blocks as much as 60 percent of the email sent by a sender on the organization’s block lists.  Spamhaus is reported to be in use by two-thirds of the world’s ISPs, which gives it significant yet opaque power to regulate email marketing.

According to Spamhaus, it classified the retailers whose emails were blocked as “spammers” because they sent marketing emails to addresses with typos.  In one case, for example, these addresses were legitimately collected at the point of sale for customers to receive e-receipts, but the addresses were mistyped.   Some of these typo emails were “spamtraps” (also known as “honeypots”), which are email addresses and domain names that ISPs and Spamhaus create to capture spam rather than to communicate.  This seemingly innocuous failure to verify the accuracy of a marketing recipient’s email address triggered a massive spam-blocking response to the retailer because Spamhaus takes the position that retailers collecting email addresses for transactional purposes need to receive a confirmed opt-in (a/k/a “double opt-in”) before sending marketing emails; and that if retailers did so, they would not have sent emails to the spamtraps and been marked as spammers.

Online marketers may find Spamhaus’s actions troubling.  There is no legal obligation to use a double opt-in procedure, and a double opt-in for email marketing cannot even be described as a best practice.  Yet, Spamhaus’s rules mandate a de facto double opt-in obligation as a result of its widespread adoption by a reported 2/3 of ISPs.  The ISPs, in turn, make spam blocking decisions on behalf of their end-users as part of their terms of service.  If online email marketers do not follow Spamhaus’s rules, retailers may find their emails labeled as spam and, thus, blocked from reaching a wide swath of users.

How did Spamhaus become such a powerful force in online marketing regulation?  As the growth of Internet use exploded in the late 90s and early 2000s, Spamhaus existed to provide a spam blocking solution, years before governments began enacting anti-spam legislation.  In existence since 1998, Spamhaus likely enjoyed a first-to-market (or close to it) advantage that led its technology to be widely adopted.

Unlike an industry self-regulatory group that a company joins voluntarily, however, the way in which Spamhaus controls the flow of information (via ISPs) means that online marketers have no choice in being subject to Spamhaus’s oversight.  Thus, Spamhaus – an entity with no governmental powers and no rulemaking authority – in essence becomes an entity with quasi-policing powers as a result of its widespread adoption.  Even worse, a company wrongfully classified as a spammer has no formal due process rights and, instead, must comply with Spamhaus’s procedures to be removed from its lists – a complex and time consuming process.   While Spamhaus obviously serves a useful purpose in controlling spam, its methods may be heavy-handed and the power is largely unchecked.

Absent any vocal outcry by legitimate email marketers caught in Spamhaus’s filters, or any legislation or court judgment that forces Spamhaus to change its ways, Spamhaus is likely to continue dictating requirements for marketing emails.  Spamhaus has been sued before under claims of tortuous interference with contractual relations and prospective economic advantage, as well as for defamation, but Spamhaus’s actually liability for these torts was never determined because it allowed a default to be entered against it (therefore admitting liability procedurally).  In addition, a Dutch ISP provider filed police complaints against Spamhaus alleging blackmail, among other claims.

If Spamhaus continues blocking legitimate retailers’ emails for failing to play by Spamhaus’s rules, it seems likely that Spamhaus may face additional lawsuits in the future – perhaps raising similar claims – where its methods may be challenged. Spamhaus’s actions combined with its market power in the U.S. also may subject it to antitrust claims.  Beyond legislative action or litigation, email marketers caught in Spamhaus’s web need to follow the complex and time consuming process to be removed from the organization’s blocklists.

In the meantime, email marketers should be aware that compliance with CAN-SPAM, self-regulatory guidance and best practices may not be enough to run a successful email campaign.  The specter of being blocked by a third-party such as Spamhaus always remains.  A company seeking to avoid finding itself caught in Spamhaus’s spamtraps and on its blocklists might seek to be more careful in verifying email addresses at the time of collection, perhaps through the use of simple scripts that catch common misspellings of popular webmail services.  Email marketers might also seek to remove typo addresses by using an email list hygiene services.  Finally, companies should have a plan in place to engage Spamhaus in the event their emails are blocked.

Of course, companies could always choose to follow Spamhaus’s best practices.  In any event, email marketers should tread carefully.

RegulationsInfoLawGroup LLP