Opt-in vs. Opt Out

"Opt in" is the scheme of choice of EuroCAUCE, because it is the only scheme that ultimately works. The party interested in sending out bulk email must put in some effort up front, but it pays off in the long run to be able to acquire and maintain a list of potential customers. Problems of scale and administration (not to mention honesty and integrity) render virtually all "opt-out" schemes ineffective, both "individual" and "global".

"Individual" opt-out schemes, where the recipient is expected to answer with a "remove" request, suffer from problems of scale. If only 1% of the EU's 18.4 million businesses decided to operate in this way, it would be possible to have someone employed full-time for a whole year doing nothing else but issuing "remove" requests at nearly two per minute [see below]. And that's just for one email address. There are considerations of honesty and integrity as well: one sending entity may well honour a "remove" request, whilst passing the address onwards to another entity as a "confirmed live" address, thus the hapless recipient ends up getting more UCE than might otherwise have been the case. Experience suggests that this despicable practice is more often the rule rather than the exception.

So-called "global" opt-out schemes are at least tempting to consider for all forms of advertising communication directed to individuals. These, too, suffer from problems of administration, honesty and integrity. As the British Department of Trade and Industry states,

"In order for an opt-out scheme to provide effective consumer protection, it would have to fulfil certain criteria. It would be necessary for:

• all subscribers to be aware of it;
• it to be simple and free to join;
• it to become effective within a reasonable time of joining;
• it to require companies engaged in telemarketing to update their lists regularly in the light of subscribers' notifications;
• it to have adequate complaints handling mechanisms."

And would require some kind of state-backed supervisory mechanism. Oh, the day-to-day administration could be carried out by some private company under contract or by some association of telemarketers, but it would ultimately have to be backed by the state with its coercive power to enforce compliance. The IEMMC debâcle in the United States has shown that an agency not backed by the state cannot implement a "global" opt-out scheme, especially when it must rely on honesty and integrity on the part of those whose very business practices were characterised by dishonesty.

Such an "opt-out" scheme meeting the Department's criteria could well be adequate for telemarketing based in one, at worst two, countries. Telecommunications costs will still tend to limit the range of a given telephone-based operation, not so with email. Trouble is, at the end of the day, so-called "global" schemes simply are not. The European Webmeister/Usenet poster would then be expected to enter coordinates for each and every email address to any one of 20 or 30 databases, in Europe alone, or expect to be inundated with more and more inappropriately-targeted advertising where communications from clients, partners, friends, and family ought to be.

No, there are many great ways to conduct business or political activity on the Internet, and none of them involve sending Unsolicited Bulk/Commercial Email, see our links on Ethical E.Marketing. Email sent under an "opt-in" scheme is, by definition, solicited. Think about it: no bounces (addressed to someone@somewhereNOSPAM.tld), no aggro from one's provider, no thousands of complaints, just communication with possible customers/supporters. Simply forget about sending email to people who have never heard of you, and advertise on the Web. You haven't lost anything. As they're fond of saying in America, "There is no free lunch."

For additional pointers on how to use Web and email ethically and effectively, take a look at MessageMedia's Sometimes the Messenger Should be Shot: Building a Spam-free E-mail Marketing Program.

The Numbers

EUROSTAT's Yearbook for 2000 included figures for the number of businesses in various territories in 1996. There were 18.444 million businesses in the 15 countries comprising the European Union, ranging from "No Salaried Staff" (i.e. smaller even than "very small") to "Large". So take 1% of that, and we get 184440 possible senders, each of whom, for the purposes of this thought experiment, sends one message complete with instructions for "opting out".

Let's take a working year: 52 weeks less 4 weeks annual leave less an additional 5 days for legal holidays gives us 47 weeks. At 35 hours per week (this is Europe, after all) we get 47*35 = 1645 hours over a working year to deal with these 184440 messages. That works out to 184440/1645 = just a little over 112 messages per hour, or a bit less than two messages per minute. Not every sender makes it easy or convenient to "opt-out": some require using a different reply address, others require a visit to a Web site, and so on, which means that some time must be allowed to parse the message for the relevant information. This calculation does not take excessive downloading time into account, but assumes that the messages appear in time to be dealt with.

One "power delete-key user" boasted of being able to determine whether a message was wanted or not in 6 seconds. This happy individual could therefore deal with slightly over 5 times as many messages, or so it would seem, 987000 in total. But do we need nearly a million senders? Well, not exactly: it would depend on the number of messages each one sent in the course of this hypothetical year. Even this 6-second cycle delete key operator would barely find enough time in a whole working year if only 82250 advertisers (about 0.45% of all the businesses in the EU in 1996 or 6.6% of the SMEs) each sent one message per month.

The email medium would have effectively been rendered useless for most people long before these kinds of numbers have been reached. Just where the threshold of pain is will vary according to factors like the number of addresses an individual has and how much time the same individual will want to devote to email correspondence and administration, not to mention how much money is to be spent on maintaining the connections necessary to receive or handle incoming messages.

Now a daily intake of hundreds or thousands of letters each day in the post would certainly overwhelm the average householder, but there are several factors militating against such an eventuality. First and foremost, there is the factor of cost. Brochures or leaflets must be printed, put in envelopes, then delivered either directly or via the Post Office. Each part of this sets a finite cost for each message. With email, the cost per message tends towards nil for the sender. The costs of replication, transmission, and download are borne by the recipients either directly or indirectly. There is therefore no financial incentive for a sender not to bombard every address possible.

Cross-border postal, fax, or telephone advertising has been rare in Europe because of the markedly higher costs associated with international phone calls and postage. These differential cost factors are entirely eliminated for email. Why, then, stop at Europe? The Small Business Administration of the United States of America states that no less than 24.8 million non-farm business tax returns were filed in 1999. Not even the most fanatical American direct marketer would ever contemplate addressing a public in Europe with postal mail or telephone, but the Internet puts the EU's estimated 94 million (to November 2000) users within easy reach.

A further attraction for the advertiser lies in the possibility of gathering addresses automatically. "Mining", addresses from online registries, message boards, newsgroups, and other places, together with unprecedented capabilities for "tracking" potential "targets" make compiling address lists far less tedious and cumbersome. Yet another temptation is sending advertising to those who have already done business online. The fact remains, however, that the "target's" capacity for receiving and handling messages of any form remains limited: there are only so many waking hours in the day. The same medium which allows one to broadcast to millions for a negligible outlay makes it equally possible for each and every user to be flooded from thousands or even millions of sources.

Unsolicited Bulk/Broadcast Email just does not scale. For now, the flood is held back by the "Thin Red Line of Heroes" -- the responsible providers and their administrators who enact and enforce Terms Of Service / Acceptable Use Policies which forbid sending of bulk email to those who have not asked for it. Do not be lulled into complacency: it would not take much for the email medium to be made next to useless by a flood of messages which no one had requested and even fewer want.

Data Protection Aspects

From the European Commission Study Unsolicited Commercial Communication and Data Protection:

The focus on the opt-in/opt-out alternative reflects two different approaches to the issue of when it is permissible to send Internet users commercial e-mail. Both approaches are calculated to protect individuals' privacy but to different degrees. For countries which have announced their intention of having a high level of data protection, it is difficult to see the advantage in stopping at the minimum standard of the opt-out, unless it is to placate backward-looking industry interests and to shore up business practices which with the advent of consensual marketing now belong firmly in the past. To portray the opt-out approach as a compromise between privacy protection and free enterprise is a gross distortion. To use a somewhat fanciful analogy, the opt-out approach amounts to giving the e-mail user a sponge to mop up a flood of commercial messages which will never run dry (or to mop the sweat from his brow, perhaps) while the opt-in approach gives him access to the source and allows him to control the level of the flow. As for free enterprise, it is hard to imagine that any legislator would wish to sacrifice citizens' privacy in the name of free enterprise. In the final analysis, the opt-in/opt-out debate merely re-opens an issue which had already been resolved by the general directive of October 1995, which very clearly establishes two basic rights: first, the right to observance of the principle of finality, whereby disclosure of an e-mail address either in a discussion forum or directly to a merchant in a given context under no circumstances whatsoever authorises the use of the address in any other context or for any other purpose; and, secondly, the right of the individual to object ex ante. By allowing the recipient to register his objection only after the event i.e. after the initial prejudice has been suffered, the opt-out approach deprives Internet users of their rights over their own mailboxes. This approach is thus contrary to the general directive.

Double, Double, Toil and Trouble

The term "Double Opt-In" is a misnomer engendered, or at least propagated, by marketers whose interests are in reaching as wide a public as possible, and who only reluctantly subscribe to the notion of "Opt-In" at all. It conjures up images of the repeated demands for confirmation and ratification of each and every decision which are included as a "feature" of certain desktop computer operating systems. It conveys the impression of needless redundancy, "belt and braces" with a vengeance. It encourages the notion of inconvenience and trouble for the simple users who only want to subscribe to the marketers' publications with a minimum of fuss and bother.

Alas, as with so many things, the picture is not as simple as some would paint it. There are several good reasons for requiring a confirmation of the destination address, not the least of which being typographical errors when entering it. Unfortunately, malice cannot be entirely ruled out, either. Indeed, a favourite form of revenge is known as "subscription bombing": the hapless target of the attack is subscribed to a large number of mailing lists and is expected to have to spend an inordinate amount of time and effort in order to be removed from all of them. The confirmation requirement mitigates the effects of accident or malice quite efficiently: the recipient who ends up getting the misdirected confirmation requests need do nothing to avoid getting further mail from those sources in the future.

Contrast this with the situation whereby the recipient is supposed to take some kind of action. A piece of Unsolicited Broadcast/Bulk Email arrives with or without instructions for 'opting out'. How is the recipient intended to tell the difference between UBE arriving as the result of an honest mistake from that arriving as the result of 'scraping' the address from somewhere? An increasingly frequent lie seen in UBE is a statement that the recipient has somehow "subscribed" to the list in question.

All too often, even the 'unsubscribe' possibilities appearing in UBE are fraudulent. This is why we at EuroCAUCE cannot in all good conscience recommend that the recipient makes use of them. Where the 'unsubscribe' is made in bad faith, the result may be an increase in received UBE because the address is sold onwards as a "confirmed, live" address where email is read by a human.

Now one course of action we would recommend is reporting the abuse to the sender's provider or their upstream. Yet even here, some problems emerge where the abuse desks of the providers decline to take action against customers who are not regarded as being abusive. In such cases, the providers do differentiate between 'spammers' sending to the entire contents of a "57 Million Emails!" CD and the operators of a sloppily-managed but otherwise legitimate list. The providers' actions can vary: either quietly telling the list operators to remove the "troublemaker's" address or telling the person submitting the abuse report to "unsubscribe" using whatever simple or cumbersome procedure is offered. This latter option is increasingly being seen as completely unacceptable, if only because it is impossible for the aggrieved recipient to tell whether he or she is dealing with a legitimate but poorly administered operation or with a 'black hat' or 'rogue' provider who is quite happy to take abusers' money and force others to deal with the fallout.

A frequently heard argument against the implementation of subscription address confirmation is that too low a percentage of those initially "subscribing" actually follow through and complete the procedure. Leaving aside the initial entries resulting from bad typing or malicious scripts, there may be a problem either at the point where the signing-up is initiated or with the confirmation procedure itself. Where the initial sign-up is a little, shall we say, misleading, and the confirmation request comes as a surprise, the recipient will simply fail to complete the subscription. Nothing unexpected here. A further issue can arise where the confirmation request itself starts to read like a legal document and frightens off the would-be subscriber. A list operator would be well-advised to keep the confirmation request short and simple, "If you want to receive our newsletter, please reply to this message with..." or "Please visit this link...".

It is but a very small step between operating a list on the principle of "single" or unconfirmed 'opt-in' and 'opt-out'. To the recipient who gets "subscribed" to a list without his or her knowledge or consent, there simply is no difference. And single-case opt-out just doesn't scale. That's why we recommend that mailing lists are operated according to the MAPS Basic Mailing List Management Principles for Preventing Abuse. Anything else is just messing about.

There is no "Double" Opt-In. There is Confirmed Opt-In and there is net-abuse.