Jonathan wanted to opt out everyone in his family from direct marketing campaigns, something the DMA promises is possible via their website. Surprise! It turns out the DMA doesn’t really care so much about whether or not you want to be taken off any mailing lists, and they have a rotten website and poor security protocols to prove it.
Jonathan noted all the ways in which the DMA doesn’t do an adequate job of helping people opt out. Among them are:
- You can’t permanently remove yourself from their lists.
- You aren’t notified when your “enrollment” expires.
- The DMA won’t use change-of-address lists to update your information (although they do use such lists for people who haven’t opted out, proving that it’s a capability).
- You can only enter five names per account; if you have more than five family members to opt out, you have to create a second, third, etc. account.
- Sometimes the website “doesn’t work” and you get a blank screen. The DMA is aware of this and their response is that you have to mail in your request.
That list is enough evidence for us that the DMA isn’t acting in good faith on its opt-out program, but then Jonathan contacted the organization to ask them to investigate his second account (the one where he received a blank screen and no confirmation as to what happened). In response, a DMA rep did this:
The folks at the DMA to whom I complained about the problems on their site decided that the right way to respond was by emailing me my account passwords in plaintext, thus proving that (a) the people who designed the site don’t have a clue about secure Web applications (secure Web applications NEVER store passwords in plaintext!), and (b) the people who support the site don’t have a clue about Internet security (NEVER email passwords!).
What makes this so egregious is that people tend to use the same passwords everywhere, which means that if someone manages to steal the DMA’s user database (and it doesn’t have to be a hacker — apparently there are people at the DMA who have access to the data), they can use the email addresses and passwords in it to break into OTHER sites that the DMA users are registered at.
It’s a bad, bad scene.
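What the complaint above asks for, as an added example that is not part of the original post and is not the DMA's code: the site stores only a salted, slow hash of each password, and support answers an account problem with a one-time, expiring reset token instead of mailing a password. The account dictionary, field names, iteration count and token lifetime are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000   # assumed PBKDF2 work factor; tune for your hardware
RESET_TTL = 15 * 60    # assumed reset-link lifetime, in seconds


def hash_password(password):
    """Build the record to store: a random salt and a slow digest, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def verify_password(record, attempt):
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def issue_reset(account, now=None):
    """Support path: create a one-time token to email instead of a password.
    Only the token's hash is stored, so a stolen database holds no usable token."""
    token = secrets.token_urlsafe(32)
    account["reset_hash"] = hashlib.sha256(token.encode()).digest()
    account["reset_expires"] = (time.time() if now is None else now) + RESET_TTL
    return token  # placed in the emailed link, never written to the database


def redeem_reset(account, token, new_password, now=None):
    """Accept the token once, before it expires, and set a new password hash."""
    now = time.time() if now is None else now
    stored = account.get("reset_hash")
    if stored is None or now > account.get("reset_expires", 0):
        return False
    if not hmac.compare_digest(stored, hashlib.sha256(token.encode()).digest()):
        return False
    account["password"] = hash_password(new_password)
    account["reset_hash"] = None  # single use
    return True


if __name__ == "__main__":
    # Constructed sample account; the address and password are made up.
    acct = {"email": "user@example.com", "password": hash_password("correct horse")}
    print(verify_password(acct["password"], "correct horse"))
    print(redeem_reset(acct, issue_reset(acct), "new passphrase"))
```

With this layout neither a support rep nor someone holding a copy of the user table can read a password back out, so there is nothing to paste into an email or replay directly against other sites.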
Update, September 25, 2009: It turns out the DMA didn’t like our post or Jonathan’s complaints, and they sent Ben a lengthy, point-by-point rebuttal. As per his instructions, I’m pasting it below.
1. With regards to the statement that “the DMA doesn’t really care so much,” DMAchoice (www.dmachoice.org) empowers consumers to easily opt out of mailings that they would prefer not to receive. DMAchoice is intended to aid a consumer on an individual basis, and can aid with family members at the same address. DMAchoice gives consumers the flexibility to choose which categories of mail that they do/do not want, while companies can address the wide array of individual preference requests. Also, DMAchoice allows a consumer to enter up to three variations of their name to ensure adequate and accurate suppression of unwanted mail. In addition, DMA provides for an individual caring for a dependent, allowing him/her to fill out the caretaker form, and those with a recently departed loved one who can fill out the deceased form.
2. With regards to whether names are removed permanently: Names are removed for a period of three years, not permanently, due to change of address, name variations or other data updates needed to facilitate name suppression and ensure that it is effective. Unlike other name removal services that simply contact marketers and nothing more, members of the DMA are obligated to accept the requests as a best practice under the DMA’s ethical guidelines. If there is a company that is not honoring the request made, an individual can contact DMA by going to http://www.the-dma.org/guidelines/complaintprocedures.shtml. The DMA handles cases against member and nonmember companies, and will contact the company to ensure they honor the request for compliance purposes.
3. With regards to whether you are “notified” when the enrollment expires: Since this is a name removal service, we want to respect that individual’s preferences and proceed with caution by limiting the number of email communications sent to the individual. After an individual registers, we do not contact them further except for a service update if they have provided an email address and are allowing us to communicate with them in the future, or if they have a question, concern or comment. Enrollment expiration information for a registered individual is easily obtained by contacting DMA’s customer support team via dmachoice.org.
4. With regards to the statement that DMA won’t use a “change of address lists” to update your information and that they do for those not opting out, proving that it is a capability: We are not certain what this is referencing since the DMA is not a company, but is instead a nonprofit trade association that represents for-profit and nonprofit organizations that market to consumers (and businesses). The DMA itself does NOT market to consumers and, hence, there is no need for it to utilize suppression lists intended for companies that market to consumers. However, the DMA does maintain and enforce a set of self-regulatory Ethical Guidelines that its members are obliged to follow as a condition of membership. The Guidelines span all media and cover list management, among many other things. To review the Guidelines, please visit http://www.dmaresponsibility.org/Guidelines/. To learn more about DMA’s Ethics Committees which enforce the Guidelines, please visit: http://www.dmaresponsibility.org/Committee/. In addition, the DMA’s Board of Directors passed an Environmental Resolution in 2007, which laid out the DMA “Green 15,” a set of eco-responsible business practices. Among the Green 15 tenets, companies are expected to run their marketing lists through the National Change of Address (NCOA) system of the United States Postal Service. To learn more about DMA’s Green 15 tenets and many other environmental initiatives, please visit http://www.the-dma.org/environment.
5. With regards to the statement that the DMAchoice system runs only 5 names per account: As noted above (#1), DMAchoice is set up to aid a consumer on an individual basis and allow for an individual to provide his/her name variations. Nonetheless, additional accounts may be created. In addition, DMA makes a special exception for an individual caring for a dependent, allowing him/her to fill out the caretaker form, and those with a recently departed loved one who can fill out the deceased form.
6. With regards to the statement that sometimes the “website doesn’t work,” and there is a blank screen: If an individual is having a technical issue, we are happy to assist the consumer; they can email us at dmachoice.org. Just as with any other product or service that is offered to consumers, there will be some technical issues that need to be resolved. We are striving to provide an excellent consumer service and such a technical problem should not lead a consumer to believe that the DMA membership “does not care” as was stated. In fact, members of our organization are committed to honoring consumer preferences (see http://www.dmaccc.org for more information) and are running the DMAchoice name removal file on a monthly basis. This system has reduced unwanted mail for consumers and improves the relevance of the marketing offers to those consumers that are interested in receiving marketing offers that may save them money or provide services they are seeking.
7. With regards to the statement that there was a potential security risk when the individual that ran into a blank screen was provided his account passwords in plain text by a customer service rep: We appreciate the concerns raised and will follow up immediately with our team to verify what happened in the process and ensure that we are following the appropriate security protocols.
“DMA’s Mail Preference Service: Once a fraud, always a fraud” [Something better to do]
“DMA site is not only broken, but insecure” [Something better to do]