There is a hidden legal danger in not confirming email addresses, and yes, even in the United States. We talk a lot about email deliverability (because hey, we’re the original email deliverability service). And in that context we always explain how using double opt-in (i.e. confirmed opt-in) helps immensely with deliverability by reducing spam complaints and increasing interaction rates. But now we’re going to talk about something that people rarely think about: not confirming someone’s email address before you use it or add it to a mailing list can have serious legal consequences for you having nothing to do with CAN-SPAM, GDPR, CASL or any email-specific law. It can also have serious consequences for others, consequences that in turn can come back to you in serious, unexpected, but entirely avoidable, legal ways.
You see, when you send information to an email address, particularly personal information, and you don’t first confirm that the person who is receiving that information is the person to whom you think you are sending that information, things can go horribly wrong. And you would be surprised at just how often people will give you the wrong email address, even unintentionally. They may accidentally mistype it, and without realizing it enter an email address that goes to someone else. This often happens at free email account providers, such as Gmail, where people have to sometimes go to ridiculous lengths to create an email address for themselves that is actually available and not already taken by someone else. These people come up with email addresses that are very similar to the email address they actually wanted but which was unavailable because someone else already has it. They may add some numbers to it, and then mistype one of the numbers when giving their email address. Or they may simply mistype it because they have the one they wanted in their head.
Similarly, and again, quite often at Gmail, people seem to be really confused by the fact that adding a dot or two to an email address at Gmail has no effect on who will receive that email. For example, email to a.*************@gm***.com will get delivered to the person who has ag***********@gm***.com, and vice versa, but we frequently see people signing up for things with a.*************@gm***.com even though ag***********@gm***.com is not their email address. Don’t ask us why, we know it makes little sense, but we’ve seen it enough times to know it to be the case.
Finally, without meaning to pick on Gmail (but hey), when someone first signs up for a Gmail account, if the username they pick isn’t available, the system will tell them that it’s not available and will suggest similar usernames. But sometimes the system will autofill the form with a suggested username, and if the person isn’t paying attention and just clicks on ‘submit’, they will get the suggested username but think they are getting the username they originally entered.
And that’s just with Gmail. Each webmail and free email provider, and their flavor of user, has their own idiosyncrasies which can lead to someone unintentionally entering someone else’s email address into your system.
Right about now you may be thinking “Ok, so the wrong person ends up with our email, that’s not really that big a deal, is it?” Well, of course, they are going to report you for spamming, so that’s not great, and will contribute to your email reputation taking a hit, along with your deliverability. But that’s well-known, and not what we’re talking about here. It’s this hidden legal gotcha that can rise up to really bite you. We’re going to use two real-world examples. We can vouch for these because we were involved with each of these. Some of the names have been changed, including the names of some of the organizations.
The Hidden Legal Danger in Not Using Double Opt-In to Confirm Email Addresses
Mary and WeedWhackers
Mary placed an order with her local dispensary, we’ll call them WeedWhackers. When the order was ready, the online order tracking and notification service that WeedWhackers uses, GetNoticed, sent an email notification to Mary that her order at the dispensary was ready for pickup. Only that notification didn’t go to Mary. It went to someone else, a total stranger named John, because Mary had mistyped her email address, and neither WeedWhackers nor GetNoticed had bothered to confirm Mary’s email address. Within 5 minutes of receiving one of the misdirected emails, using just the information available in that notification, John knew where Mary lived, her date of birth, that she ran away from home at 17, where she gets her taxes done, where she works, what her position is at her job, and that she’s a pot smoker.
Mary’s position at her job is one where she is responsible for interacting with customers, and handling a lot of cash. John also knew the frequency with which Mary was picking up pot from WeedWhackers. In any situation where John does something bad to Mary with this information, whether it’s going to her place of work and harassing her, attempting to blackmail her with the information he has, or possibly even assaulting her, both WeedWhackers and GetNoticed would be named as defendants in any lawsuit that Mary brought, as their actions were directly responsible for that information falling into John’s hands. Because the generally accepted best practice in email handling is to confirm an email address, Mary would have a good chance of prevailing in her lawsuit against both WeedWhackers and GetNoticed.
Amber and QVC
Amber orders a lot of stuff from QVC. We mean a lot of stuff. Amber gets 3 to 4 orders a week from QVC. And QVC emails Amber confirmation notices of each of her orders.
And QVC’s delivery carrier, Hermes, emails Amber notices of upcoming deliveries, and also notices of completed deliveries.
The only problem is that Amber is not receiving these email notices, because she mistyped her email address; in fact Jason is receiving these notices. These notices include her full address, and even the description and value of the items that Amber has ordered from QVC. Because Amber orders a lot of makeup and skin care items, Jason infers that she is a youngish, single woman. And because he has her full name and address, he finds her Facebook profile, which confirms it. When Jason goes to Amber’s house to break in and rob her (not to mention possibly to do physical harm to Amber) he knows exactly what high-value items to look for.
Amber should readily win a lawsuit against both QVC and Hermes, especially because, in the actual situation, both QVC and Hermes were repeatedly put on notice that they were sending the emails to the wrong person, and yet Amber’s misdirected emails continued to flow to Jason.
There are lots of excuses for not confirming email addresses and we’ve heard them all: “People don’t want to confirm” (then they don’t really want your email); “Our confirmations go in the spam folder” (so does your email, let us help you with that); “It’s too hard to convince management to switch to confirming email addresses” (have them read this article).
But trust us, all it will take is one lawsuit where someone’s personal information ending up in the wrong hands could have been prevented, if only you had confirmed their email address when they gave it to you, to more than offset any ‘advantage’ you may think you had by not confirming email addresses; it may even bankrupt you.