Building Trust 6 December 2017

OTA Audits Email Trustworthiness of 200 Largest Online Retailers Leading into Holiday Shopping Season

Majority honor unsubscribe requests and help prevent email impersonation, but retailers are making it harder to easily opt-out

Dec. 6, 2017 – Reston, VA – The Online Trust Alliance (OTA), an Internet Society initiative, today released its 2017 Email Marketing & Unsubscribe Audit. Now in its fourth year, the Audit analyzes the newsletters and promotional emails of the 200 largest North American online retailers for authentication and end-to-end user experience from signup through unsubscribe.

“Online trust plays an important role in where consumers shop, especially when they’re getting bombarded with offers during the holiday shopping season,” said Jeff Wilbur, director of the OTA Initiative at the Internet Society. “While we found retailers are doing many things right when it comes to email, many are not making it transparent and easy to find a way to unsubscribe, which increases consumer frustration and ultimately reduces their trust.”

In OTA’s 2017 audit, 67 percent of the retailers received a “Best of Class” designation, meaning they scored 80 percent or higher in OTA’s analysis of their marketing email trustworthiness (see methodology section below). Nine of those sites had perfect scores, which means they adopted all 12 of OTA’s email best practices, did not send an unsubscribe confirmation email, and did not violate CAN-SPAM and Canada’s Anti-Spam Law (CASL). Those retailers are Blue Nile, Home Shopping Network, Lands’ End, Musician’s Friend, Sierra Trading Post, Stitch Fix, Talbots, Toys “R” Us and Walgreens.

Unsubscribe Harder to Find
The ability to easily discover an unsubscribe link dropped this year to 76 percent from 81 percent in 2016. This is due to a combination of factors, primarily the use of low-contrast colors (e.g., grey text on a light grey background), small text and alternate wording (i.e., not using “unsubscribe”). Specifically, OTA found:
• Thirty-two percent used low-contrast colors and 69 percent were under the recommended enhanced contrast ratio.
• OTA determined that 6 percent of retailers used too small a font (less than 10 pixels), while 29 percent used a font size of 10 pixels, which is on the edge of readability.
• Seventy-six percent used the word “unsubscribe” itself as the link to click; the remainder used other text such as “click here” for the link. The less clear the wording, the harder it is for customers to find the link.
• Fifty-one percent of unsubscribe links were placed in a footer (OTA’s recommended practice), while 28 percent were part of a separate sentence and 21 percent were buried in a paragraph.

Honoring Unsubscribe
Eighty-eight percent of the examined retailers stopped sending marketing emails to consumers immediately after they placed an unsubscribe request, up from the 86 percent OTA observed in 2016. OTA’s research showed that, just as in 2016, 6 percent of the retailers this year were in violation of U.S. and Canadian anti-spam laws, either by not listing their physical address in an email or by failing to honor unsubscribe requests. This data indicates consumers can generally trust large retailers to honor their requests, although it remains unacceptable for any retailer to not honor an unsubscribe request.

“With the EU General Data Protection Directive taking effect May 25, 2018, organizations need to embrace best practices, and be more sensitive than ever to regulatory environments and where their customers reside,” said Craig Spiezle, OTA founder and chairman emeritus. “Building trust takes time and embracing stewardship today will provide future trust dividends.”

Email and Unsubscribe Security
The top retailers did an outstanding job of preventing their emails from being successfully spoofed or impersonated. However, OTA found that nearly half of retailers did not encrypt web sessions to their unsubscribe landing pages. Specifically, OTA found for email and unsubscribe security:
• Email Authentication: Ninety-five percent use Sender Policy Framework (SPF) and 99 percent use DomainKeys Identified Mail (DKIM), up from 94 percent and 98 percent respectively in 2016. SPF and DKIM allow a receiver to verify that a message was sent by the purported sender.
• Impersonation: Adoption of Domain-based Message Authentication, Reporting and Conformance (DMARC), which allows senders to tell receivers how to handle messages that fail authentication, grew from 51 percent in 2016 to 60 percent in 2017. Those that are using DMARC to enforce policy with reject or quarantine designations grew from 25 percent in 2016 to 33 percent in 2017.
• Encryption: The most dramatic increase in email security adoption this year was the use of opportunistic Transport Layer Security (TLS), which jumped from 32 percent in 2016 to 90 percent. TLS for email adds message-level encryption and helps maintain the privacy of emails in transit between mail servers.
• Use of HTTPS: New this year, OTA found that only 52 percent of unsubscribe web pages were encrypted using HTTPS. If these pages are not encrypted, consumers’ email addresses and other sensitive information can be passed in the clear, risking exposure.

This research complements the research conducted in OTA’s annual Online Trust Audit, which examines the consumer protection, site security and privacy best practices of more than 1,000 organizations, including the top 500 online retailers.

Methodology
In late March, May and August 2017, OTA signed up to receive promotional emails from the top 200 North American retailers, as defined by revenue in the Internet Retailer Magazine Top 500 Guide. It analyzed the user experience with those retailers from signing up to receive email through the unsubscribe process. Twelve best-practice categories related to the unsubscribe process were assessed, and the email authentication practices were noted.

About OTA:
The Online Trust Alliance is an initiative within the Internet Society. OTA’s mission is to enhance online trust, user empowerment and innovation through convening multi-stakeholder initiatives, developing and promoting best practices, ethical privacy practices and data stewardship. The Internet Society is a non-profit organization dedicated to ensuring the open development, evolution and use of the Internet. Working through a global community of chapters and members, the Internet Society collaborates with a broad range of groups to promote the technologies that keep the Internet safe and secure, and advocates for policies that enable universal access. The Internet Society is also the organizational home of the Internet Engineering Task Force (IETF).
