by David Tarrant

When consumers gained the ability to limit spam by opting out of receiving email, they didn't realize that this victory could also be of value to spamming operations, phishing scammers and con-artists. As part of CAN-SPAM, a marketer must maintain an opt-out list of those individuals who have elected not to receive future emailings. To keep track of who has opted out, the lists are routinely exchanged between marketers of Fortune 1000 companies and list owners, list managers and email service providers via FTP.

And what a list! Think about it: All the addresses are legitimate, having been confirmed by the opt-out process, and have been acquired at great expense by a Fortune 1000 company that excels at targeting prospects. On top of that, these lists range from millions to tens of millions of email addresses.

Here's the problem. After the suppression process has been completed, the receiver of the list is expected and, in most cases, legally required to destroy the list. But who's to prevent an unscrupulous person in this “chain of possession” from making an unauthorized copy of a list on an inexpensive flash drive? And then it's anyone's guess as to where the list might end up next.

Why are marketers taking such risks with these lists? I heard one marketer say, “I don't care about those addresses. They've already indicated they don't want to hear from me.” Certainly, all aren't as indifferent. More frequently, marketers just aren't aware of the risks.

To deal with this problem, some marketers require list managers to send their lists to the marketing company or its email services vendor. But that doesn't make the list owners very happy—their list is their primary asset, so they're rightly concerned with how it's handled.

Another solution is for each party to send their list to a “bonded” third party who does the suppression and then provides the list manager or email services provider with a list that has the opt-outs removed. Although this deals with the trust issue, it has time delays and the potential for errors because generally the lists are maintained manually.

The best solutions use web-based applications to provide list partners with secure access to a centralized copy of the marketer's suppression list. Some of these solutions are managed by the company owning the list, and some are managed by bonded third parties who specialize in such solutions. These approaches dramatically reduce the risk while improving the speed, efficiency and auditability of the list-handling processes.

If you are a privacy or compliance officer, you should examine how your company is handling suppression files. If you are a marketing officer, you should do your part to let the privacy, compliance and PR teams sleep better at night!

David Tarrant is the chairman of SmartSource Corporation, an e-marketing automation services company. He can be reached at dtarrant@smartsourceonline.com.