How to best protect data when engaging in third-party marketing
When attempting to comply with CAN-SPAM requirements that prevent advertisers from sending e-mail to consumers who have unsubscribed, many share their physical suppression lists or opt-out lists with their third-party advertising partners. That's risky and unwise. What's even riskier is many of these suppression lists are lists of physical e-mail addresses associated with individuals who do not want to receive e-mail. The fines for failing to comply with CAN-SPAM are hefty, but the impact of list theft and abuse on your brand could be far worse. When a consumer unsubscribes, they want to receive less e-mail. When suppression lists are abused, typically, consumers receive even more invasive, irrelevant, unwanted junk. Those that steal it understand the lists represent active e-mail addresses.
There are two ways to protect consumer data securely when managing e-mail suppression lists across multiple entities. The first is list scrubbing. Instead of downloading a list of e-mail addresses not to mail, e-mail partners upload their mailing list(s) to a neutral third party to be "scrubbed" against an advertiser's suppression list or lists. The suppression list never leaves the third party's secure environment.
After the data are scrubbed, the e-mail partner can either download a scrubbed, mailable list, or a list of matching records who are not to be mailed to. Either way, consumer data has not been exposed to the third party. If your e-mail partner's policy requires that they not relinquish their customer data to any third party, the neutral party may allow hashes of e-mail addresses to be uploaded for scrubbing.
Another option is MD5 distribution. This is a one-way hashing algorithm that renders e-mail addresses useless for mailing by converting plain-text e-mail addresses into 32-character hashes — a sequence of letters and numbers representing an e-mail address. Advertisers can use MD5 to encrypt their suppression lists before sending to third parties. Third parties then encrypt their mailing list and compare the MD5 hashes in their list against the MD5 hashes in the suppression list. If a match is found, the mailer removes the corresponding e-mail address in their list.
Now you know how to securely manage suppression list exchanges. If you are not following the practices outlined above, assess if you can do so internally or if outsourcing is a more efficient and less risky way to manage this.
Todd Boullion is president of UnsubCentral. Reach him at firstname.lastname@example.org.