The Can-Spam law took effect in January 2004. That very month, a gang of spammers who are now part of folklore launched a scheme that seemed to use Can-Spam as its playbook.
They used botnets (forbidden), false headers and domains (forbidden), and sent hundreds of millions of emails to people who didn't want them (forbidden). Worse, they peddled worthless penny stocks and used a Russian hacker to feed their botnets.
The alleged ringleader was the so-called Godfather of Spam: Alan J. Ralsky.
Things have changed since then. Europe is now governed by the GDPR, which binds any firm that markets to people in the EU, and its principles are starting to show up in state privacy statutes in the U.S.
But the question is: just what does GDPR say about email?
Accellion's Vince Lau attempted to answer that question this week with a post on Security Boulevard. Lau advises that you must:
- Protect the consumer data that you collect, store or use. For email data, the safeguard Lau calls for is encryption.
- Delete the data rather than keep it for any longer than is absolutely necessary.
- Restrict yourself to the six lawful bases for processing consumer data: consent, performance of a contract, a legal obligation, the vital interests of the data subject, a task in the public interest, and the legitimate interests of the controller.
- Observe the consumer's right to be forgotten.
Can-Spam is different in some respects. For one thing, GDPR requires consent, an opt-in, before you may send marketing emails. Can-Spam mandates only that you let people opt out.
And while Can-Spam allows 10 business days to process an opt-out request, GDPR says it must be handled "promptly," Lau writes.
Finally (and thankfully for actual spammers), there is no right to be forgotten in the U.S. But that could change as states pass new privacy legislation.
That pretty much wraps it up, Lau says.
What happened to Ralsky and the gang of 2004? Most of them went to jail.