Category Archives: Legislation

To IP or Not IP, That is the Question

Internet Protocol (IP) addresses are how the Internet keeps track of who is where. They aren’t necessarily attached to specific email addresses, but they do contain potentially valuable information about a person’s geographic location (although, as we’ll see, this is an imperfect science). It stands to reason that the more information you know about your subscribers, the easier it is to tailor your content to fit their interests, so there is some value in attaching IP information to each email address, but be careful: Where you and your customers reside can affect the legality of this practice.

Using the IP Address

Your computer’s IP address is like a landline telephone. If everyone in a household is using that telephone, then everyone will show up under the same number. Like a telephone number, an IP address can give you a good idea as to where someone is located without showing you the exact address. A search on our own IP, for instance, turns up different results, but they are all in the Bay Area, which is where our headquarters are located. Even with this limitation, an IP address will narrow down the possible location of the subscriber, which can, in turn, help greatly with certain types of marketing.

Dynamic vs. Static

There are two kinds of IP addresses—dynamic and static. Their names suggest exactly what they are. A static IP address is one that never changes. Companies, for instance, will often use a static IP address to help them send and receive data and allow others to easily log onto their servers. A static IP address is mandatory for certain activities such as VoIP and VPN to ensure stable connections. Individuals might also opt for static addresses if they plan to host a website on a server, or are highly active in the online gaming community.

Dynamic IP addresses are often used for home connections. They are considerably cheaper and the end user doesn’t have to worry about network configuration since this is handled automatically. As one might expect, geolocation is a little more reliable with a static address than a dynamic one, although both have some value here.

Linking IP addresses to email addresses gives you the ability to provide information as to when and where a person opted to receive email from you, eliminating potential claims that your mailings were unsolicited. Some ISPs ask for this information when investigating spam complaints. But there is a big caveat to using this approach: It might be against the law.

IP Addresses and the Law

The legality of linking IP addresses to email addresses changes from country to country. In some countries, it is perfectly legal, while others see it as a violation of privacy, allowing it only after the subscriber has agreed to let the ESP use that information. In the US, for instance, there is no single, comprehensive federal law regulating the collection and use of personal data. Even if there were, the odds of it being enforced are slim considering that the FTC only brings a handful of cases against emailers to court every year, and most of those are because the products these companies are selling don’t work, rather than privacy breaches or CAN-SPAM violations.

In Canada, which has some of the strictest spam laws on the books, a record of an opt-in is required. Canada has strict rules about what information the government can gather about a person, but the laws concerning the private sector appear less well defined. If businesses aren’t allowed to attach IP information to email addresses, then the verification of subscription becomes a lot harder. This summer, a second aspect of CASL takes effect that lets individuals challenge a company’s email programs, meaning anyone can bring any company to court. This sounds like a recipe for disaster, but only time will tell.

In Great Britain, you can collect IP addresses, but you start treading into the danger zone once you connect those IP addresses to individual email accounts. An IP address by itself isn’t considered personal data, but when it’s combined with other information to build a profile of an individual, it suddenly becomes personal data—even if that individual’s name is unknown. You’ll need to get permission from the recipients to do so. This isn’t a big deal, although most British companies use these additional requests for more specific information, such as the location of the recipient’s preferred store.

In most of the rest of Europe, things get even trickier. In Europe, static IP addresses have been considered personal data for some time now, but on October 19, 2016, the Court of Justice of the European Union (CJEU) ruled that dynamic IP addresses can also qualify as personal data under EU privacy law. Additionally, the Swedish Supreme Administrative Court has ruled that collecting and storing IP addresses is in violation of the Personal Data Act.

These laws have been further enforced with the approval of the EU General Data Protection Regulation (GDPR). The regulation was passed by the EU Parliament in April of 2016. Although not specific to email, the regulation does require businesses to keep tight controls on their private data and gives your subscribers the “right to be forgotten.” Any data you have on them needs their approval and they can nix it at any point. This includes their name, photos, email addresses, bank details, posts on social networking websites, medical information, and computer IP addresses. The regulation has a two-year grace period before regulators start cracking down on violators, and it applies to any business doing business in the European Union.

The irony here is that by not allowing the ESPs to use this information, it makes it harder to verify when someone not associated with that email address is pranking the actual addressee, making it far more likely for that person to receive spam than they otherwise would.

Over in China they have a completely different take on the matter. As far as they’re concerned, an IP address in isolation isn’t personal data because it’s focused on a computer and not an individual. This reasoning was applied by the Hong Kong Privacy Commissioner in a complaint about Yahoo!’s disclosure of information about a journalist to Chinese authorities.

Approach With Caution

So what is the best technique? If your company does no business outside of the United States, and never plans to expand past that country’s borders, IP collection isn’t an issue. If, on the other hand, your clientele is international and you need to stay compliant in several countries, you’re better off either forgetting about collecting IP information, or adding a check box to the sign-in process to verify that the recipient has approved your use of their IP address information. Given the constantly shifting landscape of laws on this subject, some type of verification from the users that it’s okay to note their IP addresses is the safest route.

Privacy, ESPs, Protecting Your Data, and the Law

The NSA revelations of last year, the enactment of the Canadian Anti-Spam Law (CASL) in June, and recent European Commission meetings have brought issues of privacy and national data control to the forefront of the minds of IT professionals and technology users around the world. Although many countries, such as Egypt, UAE, and Malaysia, still have no data privacy laws, most industrialized nations are looking to beef up their data protection regulations as soon as possible. In some cases, this is the result of Edward Snowden’s revelations about the NSA. Brazil didn’t worry much about its data protection policies until President Dilma Rousseff found out that the NSA was tapping her phone. Then the Brazilian Internet Law (Marco Civil da Internet) was quickly passed.

Another trend we’re seeing is the shift in data policies and country borders. In Russia, for instance, a new law was passed by the Duma requiring that the “systematization, accumulation, storage, updating and retrieval of personal data of citizens of the Russian Federation, [must be] held on databases located in the territory of the Russian Federation.” This law takes effect in 2016. Even countries, such as Germany, that already have stricter than average data privacy laws, continue to tighten their laws with new legislation.

Where’s My Data?

Where once there was very little legislation governing things such as email lists and opt-in verification, countries and states are now looking to get tough on data breaches and information misuse, but this gets a lot harder to do when you don’t know where the data resides.

As anti-spam laws become more stringent, countries such as Canada require that businesses keep subscriber records secure, well-verified, and up-to-date. Recent developments indicate that, if anything, this trend toward greater accountability is growing. New York Times Business Correspondent Danny Hakim recently observed that the words “cloud computing” did not appear in the European Commission’s general data protection regulation when it was introduced in 2012, but they do now. “The European Union wants to regulate the cloud even if that makes its use more complicated,” Mr. Hakim wrote. Not everyone in the European Commission supports these regulations, but it demonstrates the extent to which governments are willing to become involved if businesses don’t do a better job of securing their data.

For this reason, a stronger emphasis is being placed on the use of location-specific data sources. After all, it’s hard to comply with the laws when you don’t know exactly where your files reside. Armed with this information, country and state authorities can better determine where the problems in the information chain occur, and companies can avoid potential problems by keeping control over the information, rather than turning it over to third parties.

Hopping Off the Cloud

One side effect of this is a decreased interest in cloud-based solutions. In Germany, for instance, cloud grew only three percent in 2013, compared with nine percent the previous year. Oracle, a company that relies heavily on cloud-based solutions, saw a dip in its orders between 2013 and 2014 everywhere except the Americas. In an NPR report, Cisco senior vice president of security Christopher Young acknowledged that this was an issue, especially outside the U.S. “[Y]ou can go to Latin America, you can go to Europe, to Asia, and there’s many examples of customers asking those questions.”

This is quite a change from two years ago, when all the chatter on the Internet was about doing things “in the cloud.” Companies bent over backwards to promote their “cloud-based” solutions. Now, we are seeing a shift away from this everything-in-the-cloud approach to a more thoughtful approach. For low-security needs, people still use cloud solutions, but when data security and national laws enter the picture, on-premise (“on-prem”) platforms clearly have an edge.

Keeping the Borders Closed

As Symantec pointed out in a recent article on their site, “[a benefit of] an on-premises delivery model, particularly for organizations with regulatory requirements, would be the twin needs of identifying and securing an organization’s sensitive information. On-premise deployment of these technologies offers capabilities that meet the needs of finding sensitive information where it lives and allowing appropriate access to authorized users. …[On-premise email solutions] permit complete control over the custody of data. … This is a critical consideration in a variety of situations.”

Hey You, Get Off of My Cloud

On the Journal of International Law and Politics New York Forum (JILP), an Australian author explaining why Australians should use Australian-based cloud systems inadvertently explains exactly why people are opting for on-premise systems: “[W]hen you take advantage of locally (in an international sense) based service here in Australia, you’re getting an extra layer of protection. [These] solutions will be governed by Australian law (and not the laws of some other nation)….You’ll never be at the mercy of a foreign government or foreign agent or the changing winds of their security policies – and as an Australian citizen using Australian-based cloud solutions you’ll have a voice in the rules, regulations, and laws governing the security and protection (as well as the enforcement of) those policies moving forward.”

While the JILP author is correct that a cloud-based system within a country’s borders affords that extra layer of state protection, it doesn’t address the problem that comes with any cloud-based system, and that is, you never really know where it is. The service might say it is local, but it could be anywhere. If asked where your data is, the best you can do is wave your hand and say, “It’s out there somewhere.” On-premise has no such limitations. When asked where your data is, you can point directly at your servers and say, “It’s right there.” This kind of locality is hard to beat.

Compliance is Not Negotiable

The key here is compliance, legal compliance, that is, and in email marketing, compliance is non-negotiable. As Bill Claybrook points out on TechTarget: “Compliance is viewed as a big obstacle toward widespread cloud adoption, and rightly so. It is driven by law and legislation so there is no choice but to comply.” He also points out that “Some regulations stipulate where sensitive information can and cannot reside.” If that information must reside in the country of origin, then an on-premise email marketing system will settle the matter.

At Goolara we offer both solutions—hosted and on-premise—so we don’t have a dog in this fight. We see the advantages of each system for different purposes. For many companies, particularly those with minimal or shaky IT departments, a hosted solution is usually a better choice, but a company with a strong IT department and tight security is better off keeping things in-house. If you are not sure which solution is best for you, give us a call. We can assess your needs quickly and accurately and give you our recommendation based on your individual business factors.
