A Visit to The DMA Web Page: Part II
In the Feb. 7 issue of DM News, I reported about my visit to the Direct Marketing Association's Web site. There were so many privacy shortcomings that I felt a second column was needed.
While at its Web site, I reviewed the opt-out methodology for the DMA's mail and telephone preference services offered to consumers. Unlike the policy for its own Web site, the DMA will not accept opt outs by e-mail.
The reason for this, the DMA explains, is that "as much as possible, we need to verify that the person who submits the request is the person whose name is being removed from marketing lists." It offers a further explanation and tells consumers that "receipt of a signed request via the Postal Service provides ... a practical method for verification. E-mail does not provide safeguards to protect your privacy or a means to verify your identity."
But the DMA cannot explain how snail mail verifies identity. A signature only verifies someone's identity if it is compared to a known signature on file. The association has no way of knowing whether a signature is correct.
The rest of the DMA's explanation is just as lame. It is concerned that e-mail does not provide privacy safeguards. But opting out does not disclose a credit card or sensitive personal information, only a name, address and phone number. People include that information in e-mail messages every day. Anyone concerned about the lack of security for e-mail is free to use snail mail.
It's obvious that the DMA's goal is to make it as hard as possible for consumers to opt out. The association admitted as much in its comments last year to the Federal Trade Commission on the kids' privacy regulations, when it harped on the inconvenience of snail mail for parental consent:
"E-mail and other methods of online consent are far preferable to ... the mail, fax, credit card and toll-free telephone approaches suggested in the notice. Although each of these non-online consent methods is of some use, they all are cumbersome enough to chill consents ... Residential online users are reluctant to use 'snail mail,' and often do not have access to fax machines. Furthermore, printing out, signing and mailing back forms is something that most Internet users are highly averse to doing once accustomed to communicating instantaneously at no cost online. These methods also have the disadvantage of being slow."
The DMA obviously wants to have things both ways. When it needs to hear from consumers, e-mail is wonderful. However, if consumers want to say no to the DMA, suddenly e-mail is unreliable, cumbersome and inconvenient.
If e-mail isn't sufficient for verification of identity, why does the DMA accept e-mail opt outs for its own Web site? Because it needs to serve its members. Its members know that the verification argument is rubbish.
If people could opt out by e-mail, many more would do so. If people could opt out of telephone calls by e-mail, the telephone preference service would probably be bombarded with requests. The DMA desperately wants to avoid increasing the preference service lists.
The association has no interest in making opt out easy for consumers. It maintains the mail and telephone preference service mostly so it can tell legislators and would-be privacy regulators that the service is available. For many years, the DMA refused to make use of the preference services mandatory for its membership. It only recently changed its policy in response to increasing pressure from consumers and legislators. Whether it is enforcing the new policy is anyone's guess.
The time has come for the DMA to accept mail and telephone opt outs by e-mail, snail mail and telephone. If the association is not willing to do so voluntarily, then maybe a state or federal legislator looking for a useful and passable Internet privacy bill could make all forms of opt out mandatory for the association. Industry would find it difficult to oppose a bill requiring mandatory opt out by e-mail or a toll-free number.
I am aware, of course, that the DMA just started offering an e-mail opt out for e-mail marketing lists. Even the DMA could not ask for e-mail opt outs by snail mail with a straight face. The new opt-out list supports the point that a snail mail opt out for other lists is just an excuse.
In any event, the association's e-mail opt-out service still misses the point. Marketing by e-mail should only be done with permission. Internet culture demands opt in and not opt out. A fair number of DMA members understand the Internet, and they only do e-mail marketing using opt ins. These companies should be embarrassed to be part of an organization that wants to make the world safe for spammers.
What is even worse is that the DMA's e-mail opt outs for e-mail marketing expire after a year. That is a transparent ploy to limit the number of names on an opt-out list. The e-mail opt out is further evidence of the association's continuing attempts to offer consumers the thinnest possible shell of privacy protection.
In the end, the privacy content of the DMA's Web site is a good reflection of the views of the association concerning privacy. Both the Web site and the association offer consumers few privacy protections, and they do it in the most convoluted way possible. The DMA's privacy self-regulation remains a travesty.
Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House of Representatives subcommittee on information, justice, transportation and agriculture. His email address is firstname.lastname@example.org.