Code of ethics of the Signal Spam association

Adopted by the members of Signal Spam at the General Assembly on June 20, 2017.

Signal Spam members represent a variety of professions contributing to the creation, transmission, or security of electronic messages. Unless otherwise specified, this charter applies to all forms of electronic communication, whether for commercial prospecting or any other purpose. It also applies to anyone wishing to adhere voluntarily, particularly recipients of feedback loops established by framework agreements with Signal Spam member organizations.

New members must comply with this charter upon joining, and all feedback loop implementations or voluntary signatures imply prior adherence.

Chapter 1 - Common principles

Article 1.1 – Combating unsolicited emails

Members commit to actively contributing to the fight against unsolicited emails and to the association’s objectives by participating in its activities, and in particular in general assemblies and electronic exchanges. 

Article 1.2 – Relations between members

Members must respond constructively and efficiently to solicitations from other members.

Article 1.3 – Neutrality

The association must remain neutral. In particular, conflicts between members outside the association must not affect its functioning.

Article 1.4 – Duty to advise

Members must act as responsible professionals, providing clients with all necessary information to ensure effective, lawful, and ethical handling of electronic messages, in accordance with Signal Spam’s Code of Ethics. 

Article 1.5 – Data protection

Members must uphold a high level of personal data protection in accordance with the provisions of the amended French law of January 6, 1978, its implementing decree of October 20, 2005 (as amended in 2007), and all deliberations of the French Data Protection Authority (CNIL). 

Article 1.6 – Dissemination of the charter

Any member of the association involved in the sending or transmission of electronic communication must make this charter known to its employees and service providers. They must also make available to the public a document highlighting the commitments contained in the charter and how they are applied.

Members of the association, signatories of this charter, or recipients of a feedback loop may hold multiple roles among those covered in the chapters below. In such cases, they commit to respecting all the obligations that apply to them.

Article 1.7 – Applicability 

The Signal Spam charter must serve as a common framework for the texts, commitments, and recommendations of its members.

The Signal Spam Code of Ethics does not directly apply to individual members of the organizations that make up the association. However, any member of an organization belonging to Signal Spam may choose to sign this charter individually.

In any case, any member of an organization who, without being a direct member themselves, benefits from a Signal Spam service (in particular a feedback loop) through a framework agreement with their organization must adhere to the Signal Spam Code of Ethics.

Article 1.8 – Publicity

Every member of the association must publicly state, by the means of their choice, that they are a signatory of the Signal Spam Code of Ethics and promote the commitments undertaken.

Chapter 2 - Technical applications

Article 2.1 – Email formatting

The provisions of this article apply to any automated email sending.

These provisions therefore cover, though not exhaustively, both commercial emails and those sent by charitable or political associations, as well as any other type of automated emailing.

The following rules must be applied by members of the association to the emails they handle, each according to their role in the construction of the messages:

  • – No element of the technical header or the body of the message may mislead the recipient about the origin or subject of the message;
  • – The body of the message must be in a format compliant with current standards and of a reasonable total size (text, attachments, and any remote content);
  • – The body of the message must not contain malware or any software capable of performing operations without the knowledge of the systems intended to receive the message;
  • – The subject line of the message must clearly and transparently inform the recipient of the content and purpose of the message;
  • – The technical field reserved for the sender must contain an email address whose domain name corresponds either to the actual sender or to a service provider involved in routing the message, along with a display name that clearly informs the recipient of the sender;
  • – The body of the message must contain, in a format ensuring clear display under all circumstances, the corporate name (or brand name or trade name likely to be recognized by the recipient) of the sender, along with a link to an information and unsubscribe procedure;
  • – In addition, the header of a commercial prospecting message must contain a standardized field of the type “List-unsubscribe” (in accordance with RFC 2369).
  • – Information relating to the collection of consent, most useful for identifying it as described in Article 4.4 (“Quality of data collected”), must be made available to the user upon request. Eventually, such information will appear directly in the body of the message. The most useful information includes, but is not limited to: the brand name for which the campaign is sent, the name of the sending company, and the name of the data collection operation (a free-text field).
  • – The corporate name of the sponsor of a message must be identified in the message, for example, at the bottom of the message.
  • – The technical header must preferably contain an X-SignalSpam-CID field comprising two parts, identifying on the one hand the sponsor and on the other hand the campaign. If the Signal Spam member already implements one of the identifiers commonly used in the market (Feedback-ID, X-CampaignID), the presence of the X-SignalSpam-CID field becomes optional but is strongly recommended in order to allow all processing carried out by Signal Spam. All messages belonging to the same campaign must display identical values in the headers, and must in no case differ depending on the recipients. These provisions were required to be in force no later than January 1, 2019.
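
The header rules of Article 2.1 can be checked mechanically before a campaign is released. The following is an added example, not part of the charter or of any Signal Spam tooling; the sample message, its addresses and the identifier value are constructed, and identifier values are treated as opaque strings because the charter does not define their syntax.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Identifier headers named in Article 2.1 (values are opaque here).
CAMPAIGN_HEADERS = ("X-SignalSpam-CID", "Feedback-ID", "X-CampaignID")
BRACKETED_URI = re.compile(r"<\s*([^<>\s]+)\s*>")  # RFC 2369: URIs sit in <...>


def lint_headers(raw):
    """Return (severity, text) findings for one raw message; [] means none."""
    msg = message_from_string(raw)
    findings = []

    # Sender field: an address with a domain, plus a display name.
    display, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr or not addr.rpartition("@")[2]:
        findings.append(("error", "From: no address with a domain name"))
    if not display.strip():
        findings.append(("error", "From: no display name"))

    # List-Unsubscribe must exist and carry at least one usable URI.
    unsub = msg.get("List-Unsubscribe")
    if unsub is None:
        findings.append(("error", "List-Unsubscribe: header missing"))
    else:
        uris = [u.lower() for u in BRACKETED_URI.findall(unsub)]
        if not any(u.startswith(("mailto:", "https:", "http:")) for u in uris):
            findings.append(("error", "List-Unsubscribe: no usable URI"))

    # A market identifier makes X-SignalSpam-CID optional but still recommended.
    if not any(msg.get(h) for h in CAMPAIGN_HEADERS):
        findings.append(("error", "no campaign identifier header"))
    elif not msg.get("X-SignalSpam-CID"):
        findings.append(("advice", "X-SignalSpam-CID absent (recommended)"))
    return findings


def identifiers(raw):
    """Campaign identifier values of one message, in CAMPAIGN_HEADERS order."""
    msg = message_from_string(raw)
    return tuple((msg.get(h) or "").strip() for h in CAMPAIGN_HEADERS)


def differs_by_recipient(raw_messages):
    """True if copies of one campaign carry different identifier values."""
    return len({identifiers(r) for r in raw_messages}) > 1


def build_sample(to, cid="sponsor42.spring-sale"):
    """Constructed campaign message; every name and value is made up."""
    return (
        'From: "Example Shop" <news@shop.example>\n'
        f"To: <{to}>\n"
        "Subject: Spring sale: 20% off garden tools\n"
        "List-Unsubscribe: <mailto:unsub@shop.example>, <https://shop.example/unsub>\n"
        f"X-SignalSpam-CID: {cid}\n"
        "\n"
        "Example Shop SAS - unsubscribe: https://shop.example/unsub\n"
    )


if __name__ == "__main__":
    copies = [build_sample("a@isp.example"), build_sample("b@isp.example")]
    print(lint_headers(copies[0]), differs_by_recipient(copies))
```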

Article 2.2 – Unsubscribe procedures

The unsubscribe procedures accessible from each email received must allow recipients to:

  • – Use them for at least 30 days after the message is sent;
  • – Be informed about the advertiser or technical provider concerned;
  • – Immediately see which email address was contacted;
  • – Be selectively unsubscribed from any future campaigns of the advertiser or provider concerned;
  • – Where managed by the provider, easily access the option to choose the topics on which they wish to be contacted in the future;
  • – Whenever possible, be informed by any appropriate means if the unsubscribe procedure could not be completed for a legitimate reason.

The unsubscribe procedure must clearly show:

  • – The email address of the user being unsubscribed;
  • – The database from which the email address is being removed, or the name of the sponsor managing the database when more appropriate;
  • – A statement confirming that the request will be effectively processed within 72 hours.

Article 2.3 – Detection of invalid addresses

Members of the association implement procedures to detect invalid addresses, both to improve the quality of the personal data they process and to reduce the impact of misdirected mail on recipient networks.

Article 2.4 – Abuse management

Members of the association who manage a domain (a second-level domain in the Domain Name System) or a network (a set of IP addresses) that plays or may play a role in email transmission must effectively administer abuse-handling interfaces as required by current standards (in particular the “abuse” address specified in RFC 2142 for second-level domains).

The abuse-handling interface must provide at least:

  • – Reception and processing of reports in Abuse Reporting Format (ARF) (RFC 5965);
  • – Processing at least once daily on working days.
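
A minimal intake step for the ARF reports required above, as an added example that is not part of the charter or of any member's tooling. The sample report is constructed, and the choice to keep only the fields needed to attribute the complaint to a campaign (without copying the recipient address) is an assumption of this sketch.

```python
from email import message_from_string
from email.parser import HeaderParser

REQUIRED_FIELDS = ("Feedback-Type", "User-Agent", "Version")  # required by RFC 5965

# Constructed sample report; every address, IP and identifier is made up.
SAMPLE_ARF = """\
From: <fbl@mailbox-provider.example>
To: <abuse@esp.example>
Subject: FW: Spring sale
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report;
 boundary="arf-part"

--arf-part
Content-Type: text/plain; charset="US-ASCII"

This is an abuse report for a message received from 192.0.2.10.

--arf-part
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleFBL/1.0
Version: 1
Source-IP: 192.0.2.10

--arf-part
Content-Type: text/rfc822-headers

From: "Example Shop" <news@shop.example>
To: <recipient@mailbox-provider.example>
Subject: Spring sale
X-SignalSpam-CID: sponsor42.spring-sale

--arf-part--
"""


def header_block(part):
    """Header fields carried by a message/* or text/rfc822-headers part."""
    payload = part.get_payload()
    if isinstance(payload, list):            # message/* is parsed as a nested message
        return payload[0]
    return HeaderParser().parsestr(payload)  # text/rfc822-headers is plain text


def parse_arf(raw):
    """Validate the RFC 5965 structure and return the fields needed for triage."""
    msg = message_from_string(raw)
    report_type = str(msg.get_param("report-type", "")).lower()
    if (not msg.is_multipart() or msg.get_content_type() != "multipart/report"
            or report_type != "feedback-report"):
        raise ValueError("not multipart/report with report-type=feedback-report")
    parts = msg.get_payload()
    if len(parts) < 3 or parts[1].get_content_type() != "message/feedback-report":
        raise ValueError("second part must be message/feedback-report")
    if parts[2].get_content_type() not in ("message/rfc822", "text/rfc822-headers"):
        raise ValueError("third part must carry the reported message or its headers")
    report = header_block(parts[1])
    missing = [f for f in REQUIRED_FIELDS if report.get(f) is None]
    if missing:
        raise ValueError("missing required field(s): " + ", ".join(missing))
    original = header_block(parts[2])
    # Only attribution data is kept; the recipient address is not copied.
    return {
        "feedback_type": report["Feedback-Type"].strip().lower(),
        "version": report["Version"].strip(),
        "source_ip": (report.get("Source-IP") or "").strip() or None,
        "campaign_id": (original.get("X-SignalSpam-CID") or "").strip() or None,
    }


if __name__ == "__main__":
    print(parse_arf(SAMPLE_ARF))
```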

Additional processes may be implemented—for example, to ensure exchanges with key partners—but they must not replace the minimum provisions described above.

Members concerned by this commitment must inform other members of the procedures they have put in place for abuse handling.

To report an incident covered by these abuse procedures to another member of the association, members must always prioritize the procedures described above to ensure effective and smooth handling of this information.

Emergency procedures may be established between members of the association. Members undertake to use them under the conditions set by the member who establishes such a procedure.

User information procedures must also be put in place by abuse-handling teams. At a minimum, these must include publicly accessible information on how to contact the abuse team and the types of actions it undertakes. Depending on the provider’s specifics, this may also include:

  • – Acknowledgment of received abuse reports;
  • – A reporting follow-up interface;
  • – Or publication of statistics on the activity of the abuse team.

Article 2.5 – DNS server configuration

To facilitate the delivery of electronic mail, professionals who are members of Signal Spam implement state-of-the-art technologies that ensure the legitimacy of the infrastructures sending emails, while taking into account the evolution of standards developed in this field.

Thus, implementing the Sender Policy Framework (SPF, RFC 4408) and DomainKeys Identified Mail (DKIM, RFC 4871) is considered, at the time of drafting this charter, part of the state of the art. The Domain-based Message Authentication, Reporting & Conformance (DMARC) specification may also be regarded as a promising approach for their application.

Article 2.6 – Cookies

Signal Spam members exchange best practices regarding the use of cookies, particularly concerning how internet users are informed about them.

On this subject, the French Data Protection Act (Loi Informatique et Libertés) states in its Article 32:

“Any subscriber or user of an electronic communications service must be clearly and fully informed, unless they have already been previously informed, by the data controller or its representative:

  • – of the purpose of any action intended to access, by electronic transmission, information already stored in their terminal equipment for electronic communications, or to store information in such equipment;
  • – of the means available to them to object.

Such access or storage may only take place provided that the subscriber or user has given their consent after receiving this information, which may result from appropriate settings of their connection device or any other device under their control.

These provisions do not apply if accessing or storing information in the user’s terminal equipment:

  • – has the exclusive purpose of enabling or facilitating electronic communication; or
  • – is strictly necessary to provide an online communication service expressly requested by the user.”

Chapter 3 – Feedback Loop recipients

Article 3.1 – Securing the Processing of Personal Data

Persons receiving feedback loops undertake to implement all state-of-the-art measures to ensure the security—and in particular the confidentiality—of the personal data they contain. 

Article 3.2 – Processing of reports from Signal Spam

The recipient of a feedback loop provided by the association undertakes to:

  • – Promptly and effectively process the reports;
  • – Inform Signal Spam of any significant discrepancies from the type of reports they should be receiving, such as reports that are clearly not intended for them;
  • – Regularly communicate with Signal Spam regarding the actions taken in response to the reports received;
  • – Comply with their obligations under the French Data Protection Act (Loi Informatique et Libertés), such as:
    • * declaring their processing to the CNIL, or recording it in their register if a Data Protection Officer has been appointed;
    • * informing individuals of their rights and the purpose of the processing;
    • * defining retention periods according to the purposes of the processing.

Chapter 4 – List management

The term “lists” refers to any processing of personal data containing the electronic contact details of natural persons.

Article 4.1 – Formalities prior to the implementation of processing

The Signal Spam member who wishes to use a list undertakes to complete the required formalities prior to implementing such processing (declaration of processing with the CNIL, registration in the record of processing if a Data Protection Officer has been appointed, request for authorization for transfers of data outside the European Union when required by law).

Article 4.2 – Information, Consent, and the Exercise of the Right to Object

At the time of data collection, the internet user concerned must be informed of:

  • – the identity of the data controller;
  • – the purposes pursued;
  • – whether the responses requested are mandatory or optional;
  • – the possible consequences, for them, of failing to respond;
  • – the recipients of the data;
  • – and their rights of access, rectification, and objection, on legitimate grounds, to the processing of their data, except where processing is required to meet a legal obligation, and, where applicable, of any intended transfers of personal data to a State outside the European Union.

In cases of intended transfers of personal data to a non-EU State, the provisions of Article 91 of the implementing decree of October 20, 2005, as amended, apply: individuals must, in particular, be informed of the country (or countries) in which the recipient of the data is established, the nature of the data transferred, the purpose of the intended transfer, the category (or categories) of data recipients, and the level of protection offered by the third country (or countries).

At the time of data collection, provision must also be made for either:

1. The collection of the express and specific consent of the data subject, particularly in the following cases:

  • – prospecting via electronic mail (email address, SMS, or MMS) outside the context of similar products or services;
  • – transfer of email addresses to partners. It is recommended that, when seeking a consumer’s consent for receiving commercial offers by electronic means (as required by law), consent to receive offers from the company itself be clearly separated from consent to receive offers from the company’s partners, so as to avoid any confusion in the consumer’s mind about the scope of their consent;
  • – the collection or transfer of data that directly or indirectly reveals racial or ethnic origins, political, philosophical, or religious opinions, trade-union membership, or data relating to an individual’s sexual life.

2. Or, the possibility for the person concerned to object easily and unambiguously, particularly in the following cases:

  • – prospecting by email for a similar product or service where there is a pre-existing customer-business relationship;
  • – business-to-business prospecting where the subject of the message relates to the professional activity;
  • – transfer to partners of information relating to family, economic, or financial situations, provided that the recipient organizations undertake to use them solely to address the data subjects directly, for exclusively commercial purposes.

Consent is a free, specific, and informed manifestation of will by which a person agrees that their personal data may be used for direct marketing purposes. Accordingly, acceptance of general terms and conditions of use is not sufficient to constitute valid consent.

When data is collected via a form, the right to object or the collection of prior consent must be expressed through a clear and specific mechanism present on the form. For example, the form may contain a checkbox, a selector, or any other interface tool that is clear, legible, and accessible.

When data is collected orally, the data subject must be given the opportunity to exercise their right to object or give their consent before the end of the collection.

After data collection:

  • – the data subject has the right, free of charge, to object to their data being used for prospecting purposes, particularly for commercial purposes, by the current controller or by a subsequent controller;
  • – messages sent for direct marketing purposes must include valid contact details allowing the recipient to request that such solicitations no longer be sent.

Article 4.3 – Retention periods

List managers must respect retention periods necessary for the purposes for which the data is collected and processed, as set out in their processing declaration to the CNIL or in the record of processing where a Data Protection Officer has been appointed.

Article 4.4 – Quality of data collected

List managers and/or email senders must ensure, in accordance with applicable legislation, the quality of the data collected. In particular, whenever relevant and possible, professionals must collect information relating to consent. This information must include at a minimum:

  • – the entity responsible for collecting the consent (particularly whether it concerns direct clients, a partner’s clients, or individuals who have agreed to be contacted by third parties);
  • – the date and time at which the consent was collected;
  • – the URL of the website through which consent was collected;
  • – where the IP address is collected at the time of consent, it must only be retained for as long as strictly necessary for its purpose (for example, when anti-bulk-registration operations are complete, or depending on the security needs of the platform).

Whenever relevant, it is recommended to provide sufficiently detailed categorization of subscribers.

Article 4.5 – Cascading Updates

List managers must implement procedures enabling cascading updates of information relating to a natural person, meaning:

  • – systematically retransmitting, in line with the exercise of the right to object provided for by regulations, unsubscribe requests to any parties to whom prospecting lists have been passed on;
  • – promptly taking into account any update requests transmitted by an upstream list manager.

Furthermore, Signal Spam members acknowledge the need to work on procedures to facilitate the exercise by individuals of their right to object upstream, with the parties providing the lists.

These cascading update procedures are facilitated by improved data quality, as described in the previous article.

Article 4.6 – Security

The data controller must take all necessary precautions to preserve the security of personal data, and in particular, to prevent it from being altered, damaged, or accessed by unauthorized third parties.

In particular, access to data processing must be protected by individual login credentials and passwords that are regularly renewed, or by any other means of authentication.

It should be noted that biometric authentication methods are subject, in France, to prior authorization by the CNIL.

In the case of an online public communication service, the data controller must take necessary measures to prevent any unauthorized access to the automated data processing system.

Chapter 5 - Advertisers

Article 5.1 – List Management

When advertiser members of the association manage their own lists, the requirements described above apply.

Article 5.2 – Unsubscribe Procedures

Advertiser members of the association either manage themselves, or require their service providers to implement, unsubscribe procedures that comply with the commitments of this charter.

Chapter 6 - Email Service Providers (ESP)

Article 6.1 – Primary Role of Email Service Providers

ESPs who are members of the association are aware of the central role they play in bulk email delivery procedures. As such, they commit to implementing tools that enable their clients to meet the obligations set forth in this charter, or to advise them on best practices to be followed.

Article 6.2 – Compliance with Technical Standards

When the tools provided by a sender member of the association are used to build bulk emails, these tools must include all the features necessary to comply with the best practices described in this charter. If clients use external tools, the ESP regularly verifies—either on a routine basis or upon receiving alerts—that such best practices are being applied, and advises clients on improving their procedures.

Article 6.3 – Abuse Management

ESPs who are members of the association pay particular attention to the handling of information received through abuse management procedures or from feedback loops.

Chapter 7 – Internet Service Providers and Hosting providers

Article 7.1 – Processing of reports concerning IP addresses sending unsolicited emails

Internet Service Providers (ISPs) and hosting providers who are members of the association shall implement security procedures in accordance with the following requirements:

  • – Measures shall be proportionate to the level of risk associated with each situation;
  • – Measures shall include multiple levels of response, to be applied progressively whenever possible, except in cases where network security or quality of service is severely compromised;
  • – In all circumstances, clients or users must retain access to their personal data (particularly in the case of hosting services);
  • – In the case of consumer clients, the holders of the IP address (or other relevant service) concerned shall be informed of the reasons for the measures taken, and shall be provided, by appropriate means, with guidance tailored to their situation, enabling them to restore, without undue delay, the full functionality of the service to which they are entitled.

Chapter 8 - Hosting providers

The commitments of this chapter are in addition to those set out in Chapter 7.

Article 8.1 – Specific Case of Phishing and Other Malicious Content Distribution

Hosting providers who are members of the association shall implement procedures to remove or render inaccessible, as quickly as possible, any content, program, or data contributing to a phishing operation or the distribution of malicious software.

Article 8.2 – Specific Case of Hosting Providers Offering Email Transmission and Reception Services

Hosting providers who offer email transmission and reception services shall:

  • – Inform their clients who send emails and manage a domain name of best practices—including those recommended by this charter—and provide them with tools enabling compliance;
  • – Comply with the provisions of this charter in this respect for domain names under their direct responsibility.

Chapter 9 - Law enforcement

Article 9.1 – Independence

Signal Spam includes, among its associate members, public authorities responsible for the protection of personal data, network security, or judicial police missions. In this capacity, they retain full independence from the association’s members, in accordance with the laws and regulations governing their missions. This independence notably includes the confidentiality of investigations.

When information resulting from the processing carried out by the association or its members is required for the authorities’ missions, such information shall only be obtained through the procedures established by applicable laws and regulations.

Article 9.2 – Technical and legal support

Within the context specified above, the authorities provide technical or legal support enabling the association and its members to fulfill the objectives of the association.