No implicit consent! Dos and don'ts for email addresses you find on the web

Like many people with an online presence, I have my email address plastered up on the web for all to see. I do it because I do want people to get in touch for business or friendly purposes.

However, there are a few myths out there about what that "means" for the purposes of taking a copy and using it for you own ends.

After a long email conversation with a man who got a few aspects of this very wrong... I thought I'd put up a quick list of dos and don'ts for using email addresses found on the web.

The myth of "Public domain"

A lot of people have the wrong idea about the web. They assume that because you can freely access a website... that means it's covered by the magic blanket called "public domain' that lets you take anything you find and use it yourself... including email addresses.

This is not true.

Let me give the example of a "public building" such as a free museum. A public building is open to any members of the public. but just because they don't charge entry, does not mean you can come in and take the artworks off the shelves and take them home. They still belong to the museum.

In this same way - just because you can easily come to a website, does not mean that anything you find there is yours for the taking. Your stuff is actually copyright. All of it!

What copyright means is that another person cannot just grab your stuff (whether the pictures words or even personal details such as email) and use it without your permission. Specifically, they cannot copy it, and especially cannot use it and put their name on it. It is *not* free for public use.

Anything you write or create is *automatically* covered by copyright law. If you create it, you own it. Automatically. You don't even need to say "copyright". It already is the moment you first wrote it down. This goes for a poem you write on the back of a napkin, a drawing you scribble in your diary or a website you build and keep on your own server.

Now, some people aren't as aware of copyright law as others... so there's this convention of putting a copyright notice on your website... just to make sure people really know that this stuff belongs to you. Just like the little roped off areas in a museum - they don't really stop anybody, but make it clear that entry is unwanted.

It actually isn't necessary - your stuff is still copyright without that notice - but I see the sense in it, and do it on my own website, just as a reminder to newbies that "you can look, but don't touch".

So, what actually is public domain and how do we put things in it?

If you've ever used wikipedia, and actually had a go at editing a page... you'll know that you actually have to agree by their terms and conditions... including agreeing that anything you contribute no longer belongs to you - and has been put in the public domain. A notice on the site declaring it as public domain isn't enough (because people frequently don't read notices). You actually have to check a box and hit "submit" before they'll accept that you have agreed to their terms.

This is how things get into the public domain... by you clearly agreeing it as such.

On flickr you can put things into the public domain... or share them using the creative commons license (which does roughly the same thing at the most forgiving levels)... but again, you must physically do something to put something in the public domain... and everything else is considered copyright.

... but you should now understand that you actually have to *actively* do something to make your stuff go into the public domain. The default case is that your stuff is not available for anybody to just grab for themselves.

What does this mean for email addresses?

Well, email is tricky in some cases. You have put your address out there as a method for people to get in touch with you. So you can't then complain if they do.

However, there are some obvious social implications of exactly how that works... and there are definitely some legal implications surrounding the concept of spam.

Firstly: it is illegal to send any unsolicited email to a person.

Your consent must be given to get in touch with you, and even if you put your email address up on the web, there is *NO* implied consent for that. You have not given up any rights by making it publicly viewable.

If I put my email up on my website and literally write next to it "use this to contact me about business opportunities"... and then get spam about pills... I can legally say that this was unsolicited. It is quite clearly *not* what I asked for.

If I get spam about "work from home using your computer"... then it's more of a grey-area. It is in fact email about business opportunities, and I can't complain about that. So - make it clear what your email is there for.

but if somebody tries to send you any other kind of "helpful free information"... you now know that they are misbehaving.

Secondly: you cannot be automatically signed up for a newsletter that you did not subscribe to.

The exact legality of this varies depending on your country. But in the UK - you cannot be automatically signed up for a mailing list that you have not requested.

...unless you actually left your email address with the company that is signing you up.

ie a company that you have voluntarily handed your email address over to (say, during purchasing online) can sign you up for *their* personal email newsletter, without asking. But they *cannot* hand your email address to a third party[*] for spam or mailing lists. You have to have given a company consent for them to get in touch with you... and consent is not transferable.

Also - a company cannot come to *your* website and *take* your email address and use it for their mailing list. You have to have handed the email over to them.

Now there's a grey area here that companies often know about, but individuals don't... you don't have to have handed your email address over for the express purpose of signing up to their newsletter. You could have handed it over just as yet-another-mandatory-field in their uber-long registration form. It doesn't matter. They are legally allowed to use it... as long as they provide an opt-out mechanism.

But companies shouldn't do this anyway!

Companies should not abuse their mailing lists by opting people into newsletters.

People are busy enough as it is, with a metric crapton of mailing lists from work, social groups, friends and family. They don't need one more. It is considered rude to opt people in to your mailing list without asking their permission first.

It is damaging to your brand!

I totally understand wanting to get your message out to people... and I am *not* against getting in touch with your hard-earned customer base. So what I suggest you do is adopt an *opt-in* (rather than opt-out) policy.

Write the email-equivalent of a warm-call: "this is new widget that we're offering, we have this neato newsletter about it, and we think you'll be really interested because you were interested in widgets from our company before... are you interested in signing up?"

Then let them choose to ignore it if they wish!

Will you get fewer "subscribers"? YES! but will it make a difference in actual turnover? UNLIKELY! the people who were going to ignore your message were going to ignore it anyway. You've just bugged them for a few more months before they finally caved and hit "unsubscribe". and probably get annoyed at the horrible unsubscribe interface (like everyone does), further damaging your brand in their eyes.

What you're left with instead is a set of people that are *ACTUALLY INTERESTED* in your product.

Take a moment to think about how valuable THAT would that be to you!

Think of it as an effective way to find your tribe of true believers... and maybe get yourself a copy of Seth Godin's book Tribes, while you're at it.

To sum up:

An email address on the web does not mean that you can spam it, or sign it up to even a really useful, helpful newsletter. There is *no* implied consent. Feel free to get in touch, but make certain that it's:

1. appropriate to the person and
2. opt-in only

---

* Third Party opt-ins Note that a lot of company online purchasing processes have one of those nearly-hidden checkboxes talking about "third parties" for exactly this purpose... they are a sneaky way of pretending that you "opted in".

Email campaign tracking with Silverpop

SilverPop offer themselves to the world as an "Engagement marketing solution". They provide click-stream and conversion tracking based on your email marketing campaigns, by putting unique identifiers in the links of your mailings (which they can send out in bulk). If you store these IDs and ping them back to SilverPop's click-stream and conversion-tracking servelets, this means you can get complete conversion analysis based on your email marketing campaigns.

I'm currently working for Moneyspyder, and one of our clients has signed up for a Silverpop account - which means we need a way to easily integrate with SilverPop - and the examples they give are all in php (and a little less than dynamic). So here's my Ruby-on-Rails solution.

1) Cookify the IDs

When a customer clicks on a link in one of the SilverPop emails - Silverpop has cleverly adding tracking IDs to identify the mailing-job and individual customer. When we send tracking information back to SilverPop - we need to send back these ids so the click-tracking is stored against the correct campaign and individual.

Of course, the parameters will disappear after the first time the user clicks another link, and we need to persist the data - to keep tracking all the pages they click on until they eventually convert!

The easiest way to keep track of this to stick it all into the session - then we can just check if it's there and send it each time we want to ping to SilverPop... and of course the best place to do session-wrangling is in a before_filter. So stick the following into something like application.rb

  before_filter :save_silverpop_data_in_session

  # This method does the storing of the ids from the URL into a session
  # cookie for later sending.
  # It will replace any existing values in the cookie - which represents the
  # user having returned to the site after viewing (and clicking on) another
  # link from a different email campaign.
  def save_silverpop_data_in_session
    silverpop_params = %w{spmailingid spuserid spjobid spreportid}
    if silverpop_params.all? {|f| params.keys.map{|k|k.to_s.downcase}.include?(f) }
      params_down = {} # ugly but necessary to get past browser case insensitivity issues
      params.each_pair {|k,v| params_down[:"#{k.to_s.downcase}"] = params[k]  if silverpop_params.include?(k.to_s.downcase) }
      session[:silverpop] = {:m => params_down[:spmailingid], :r => params_down[:spuserid],
                             :j => params_down[:spjobid], :rj => params_down[:spreportid]}
    end

  end

2) Configure your pod

SilverPop calls it's servers "pods" - and you could be using any one of them. This works better as a configuration option than hard-coded in your code - and lets you set up a link to the test-server on your dev/test environments. but in environment.rb you'll have something like this:

  # SilverPop URL = mailing list manager/ClickStream Analysis
  SILVERPOP_SITE_URL =  "recp.mkt41.net"
  SILVERPOP_SITE_HTTPS_URL =  "marketer4.silverpop.com"

3) Helping hands

Next up is to figure out how to ping SilverPop... which they helpfully give us an img tag example of how to build up the correct url with all the requisite values.

SilverPop has two servelets - one for accepting pings for click-stream tracking and one for the conversions. But they're almost identical, just taking different parameters... and I'm lazy and don't want to have to remember all the common details of how to do this in each place in the site. Thus: helpers to the rescue!

  # This method generates the code that calls the ClickStream tracking
  # servelet - we pass in the page name and page URL, along with the values
  # passed through from the last silverpop email - saved in the session
  def silverpop_click_stream_ping(page_name, page_url)
    silverpop_link('cst', :name => page_name, :s => page_url)
  end


  # This method generates the code that calls the Conversion Tracking
  # servelet - we pass in the "action", "detail" and "value" flags - 
  # eg "silverpop_conversion_ping 'CompletedOrder', order.id, order.grand_total" 
  # along with the values passed through from the last silverpop email -
  # saved in the session
  def silverpop_conversion_ping(action,detail,value = nil)
    silverpop_link('cot', :a => action, :d => detail, :amt => value)
  end


  # generate the SilverPop ping-image based on required servelet and parameters
  def silverpop_link(servelet, options)
    # skip out early if this user hasn't come through a silverpop email
    return nil unless session[:silverpop].present?

    base_url = (/https/ =~ request.protocol) ?  "https://#{SILVERPOP_SITE_HTTPS_URL}" : "http://#{SILVERPOP_SITE_URL}" 

    image_tag "#{base_url}/#{servelet}?#{session[:silverpop].merge(options).to_query}", 
      :height => 1, :width => 1, :alt => ""
    # we'd like this alt-tag: "Silverpop #{servelet.upcase} Servelet Ping"
    # to be accessible... but the above is not *really* an image, and thus will display 
    # the alt-text in the html at present... this sux, but I have yet to talk to silverpop 
    # about a way around this.
  end

4) Click-stream - analyse!

So, now it's time to get down and dirty with the click-stream analysis. This couldn't be more simple. Just use the helper to pop a link into your main layout. eg:

  <!-- silverpop cst ping -->>
  <%= silverpop_click_stream_ping(@page_title, url_for(:only_path => false)) -%>

Now, as you can see, this mainly works by using our dynamic page-title and a link to the current-page (using the empty url_for trick). Note that if you leave off the "only_path=false" option it won't provide the hostname. This may be what you want if you want to roll up multiple mirrored domains. You'll also have to adjust the page-name parameter as necessary for the way you generate the page-title... but otherwise you're good to go and this means every page-click gets tracked back to SilverPop from now on.

With one caveat... if you have AJAX-updating, you may need to figure out a neato trick of putting the ping-link into the newly-generated page-pieces or these "clicks" won't get tracked as the layout won't see them as new pages. I'll leave that as an exercise for the reader as it's very site-specific.

5) Mine your conversion gold

Now only the final, and most important, part is left - tracking actual conversions.

A lot has already been written about what constitutes an important conversion for your site. I won't repeat it all here as you can track heaps, and it's really down to what is important for your business. So I'll pretend we only care about when a customer completes an order - which we know because they land on the "thank you" page.

Which means we need to pop a link to the COT servelet there and pass in the important details... nothing easier:

  <!-- silverpop cot ping -->>
  <%= silverpop_conversion_ping("Order Complete", @order.id, @order.grand_total) -%>

Now SilverPop will monitor our marketing mails from go to whoa - and even know which order they completed and, most important, how much money they ended up giving us... Gold!

Update: Sorry for the repost (anyone that noticed). I fixed a few bugs after I finally got a chance to fully test this out.

Anybody implementing a Silverpop solution should also be aware that Silverpop's servers (at this moment) do not correctly redirect links from mailings sent from their test server. Instead you get redirected to your website, but without any values in the required query parameters (eg spMailingID etc are empty).

To do an end-to-end test of SilverPop's link redirection, you must create a real newsletter mailing on the live server, and just restrict the recipients (eg send it to yourself and any other devs on your team).