Code of conduct for members of the Signal Spam association

The members of Signal Spam adopted the present version of the Code of Conduct in a general assembly on 20 June 2017.

The members of Signal-Spam cover a variety of professions contributing to the creation, routing or security of electronic messages. Except where specifically stated, this charter applies to all forms of communication by this means, whether for commercial or any other purpose. This charter also applies to all persons who wish to adhere voluntarily to it, in particular persons who are recipients of feedback loops via framework contracts with Signal Spam member organisations.

The members of the association undertake to implement the terms of this charter within 6 months of their adoption.

The finalisation of the membership of new members is subject to the application of this charter.

Any further implementation of the feedback loop or voluntary signing of the charter requires prior implementation of the terms of the charter.

Chapter 1 - Common principles

The members of Signal-Spam are committed to :

Article 1.1 - Combating unsolicited e-mail

to contribute to the fight against unsolicited e-mails and more generally to the objectives of the association, by active participation in the activities of the association, and in particular in the general meetings and electronic exchanges.

Article 1.2 - Relations between members

to receive any request from a member of the association with kindness and to endeavour to provide a rapid and effective response.

Article 1.3 - Neutrality of the Signal-Spam association

to preserve the neutrality of the association in all circumstances. In particular, conflicts between members outside the association must never interfere with its functioning.

Article 1.4 - Duty to advise

to conduct itself as a responsible professional and in particular to provide each of its clients with all the information and advice necessary to ensure that e-mails are processed efficiently, in accordance with the legislation and the association's ethical rules.

Article 1.5 - Ensuring a high level of data protection

to respect a high level of protection of personal data resulting from the provisions of the amended law of 6 January 1978, its implementing decree of 20 October 2005, amended in 2007, and the deliberations of the National Commission for Information Technology and Civil Liberties;

Article 1.6 - Dissemination and implementation of the Charter

Any member of the association who plays a role in the transmission or routing of electronic mail shall make this charter known to their employees and contractors. It shall also make available to the public a document highlighting the commitments contained in the charter and the way in which it applies them.

The members of the association, the signatories of this charter or the recipients of a feedback loop may combine different professions among those covered in the following chapters. In this case, they undertake to respect all the commitments that concern them.

Article 1.7 - Applicability of the Charter to members of organisations

Signal Spam's charter should constitute a convergence horizon for the texts, commitments and recommendations of its member organisations.

Signal Spam's ethical charter is not directly binding on the individual members of the organisations that make up the association Signal Spam. Any member of an organisation that is part of Signal-Spam may choose to sign this charter individually.

And, in any case, any member of an organisation that benefits from a Signal Spam service without being directly a member via a framework agreement with its organisation, in particular a feedback loop, must subscribe to Signal Spam's code of ethics.

Article 1.8 - Publicity of the Code of Ethics

All members of the association must publicise by the means of their choice that they are signatories to the Signal Spam code of ethics and promote the commitments made.

Chapter 2 - Technical Applications

Article 2.1 - Format of e-mails

The provisions of this Article shall apply to all automated mailings.

These provisions therefore concern, in a non-exhaustive manner, both commercial e-mails and those sent by charitable or political associations or any other automated dispatch.

The following rules are applied by the members of the association to the emails they process, each according to their role in the construction of the messages:

  • Nothing in the technical header or body of the message should mislead the recipient as to the origin or purpose of the message;
  • The body of the message is in a format that complies with current standards and is of a reasonable total size (text, attachments and any remote content);
  • The body of the message does not contain any malicious software or software that could perform operations without the knowledge of the systems intended to receive the message;
  • The subject line informs the recipient in a clear and transparent way of the content and purpose of the message;
  • The technical field reserved for the sender of the message contains an e-mail address whose domain name corresponds either to the actual sender or to a service provider involved in the routing of the message, and a display name clearly informing the recipient about the sender of the message;
  • The body of the message shall contain, in a format which ensures that it is clearly displayed in all circumstances, the company name (or the brand or company name likely to be known to the person receiving the e-mails) of the sender of the message and a link to an information and unsubscription procedure;
  • In addition, the header of a marketing message contains a standard "List-unsubscribe" field (as per RFC 2369).
  • The information relating to the collection of consent most relevant to its identification as described in 4.4 - Data quality collected are made available to the Internet user on request. Eventually, the information on the collection of consent will appear in the body of the message. The most useful information is for example, but not limited to: the brand name for which the campaign is sent, the name of the sending company, the name of the collection operation (a free text field).
  • The company name of the sponsor of a message is identified in the message, for example at the bottom of the message.
  • The technical header must contain an X-SignalSpam-CID field with two parts allowing to identify the sponsor and the campaign. If the Signal Spam member already implements one of the identifiers in use on the market (Feedback-ID, X-CampaignID), the presence of the X-SignalSpam-CID field becomes optional, but is strongly recommended to authorise all the processing carried out by Signal Spam All messages of the same campaign must have identical values in the headers, and in no case differ according to the recipients. These provisions must be in force by 1 January January 2019.

Article 2.2 - Deregistration procedures

The unsubscribe procedures accessible from each email received should allow people to unsubscribe:

  • to use them for at least 30 days after the message is sent;
  • to be informed about the advertiser or technical provider concerned;
  • to see immediately which e-mail address they have been contacted on;
  • to be selectively unsubscribed from any future campaigns of the advertiser or service provider concerned;
  • where this is an option managed by the provider, to have easy access to the selection of topics on which they wish to be contacted in the future;
  • where possible, to be informed by any appropriate means if the unsubscription procedure has not been successful for a legitimate reason.
  • the de-registration procedure clearly shows :
    • the e-mail address of the Internet user who is unsubscribed;
    • the database from which the e-mail address is removed or the name of the sponsor operating the database where this makes more sense;
    • the mention of an effective taking into account within 72 hours.

Article 2.3 - Detection of invalid addresses

Members of the association are implementing procedures to detect invalid addresses, both to improve the quality of the personal data they process and to reduce the impact of misdirected mail on the recipient networks.

Article 2.4 - Abuse management procedures

Association members who manage a domain (a second level domain of the Domain Name Management System) or network (a set of IP addresses) that plays a role in the routing of e-mail, or that may play such a role, effectively administer the abuse handling interfaces provided for in the applicable standards (in particular the "abuse" address of the RFC 2142 specification for the second level domain).

The following services should be offered on the abuse interface:

  • Receiving and processing messages in the "Abuse reporting format" (RFC 5965);
  • At least daily coverage on working days;

Additional processes can be implemented - for example to ensure exchanges with privileged partners - but they do not replace the minimum provisions described above.

The members of the association concerned by this commitment shall inform the other members of the association of all the procedures they have in place for dealing with abuse.

When reporting an incident under these abuse procedures to another member of the association, they always use the procedures outlined above to ensure that the information is handled efficiently and smoothly.

Emergency procedures may be proposed between members of the association. Members undertake to use them under the conditions set by the member setting up such an emergency procedure.

Procedures for informing users of the actions taken by the abuse management unit are put in place which consist, at a minimum, of disseminating in a publicly accessible format information on how to contact the unit and the type of action it takes. This may also involve, depending on the case and the specificities of the provider concerned, :

  • Acknowledge receipt of reports of abuse ;
  • Set up an interface for monitoring alerts;
  • Or to disseminate statistics on the activity of the abuse unit

Article 2.5 - Configuration of domain name servers

To facilitate the routing of emails, SignalSpam's professional members implement state-of-the-art technologies that ensure the legitimacy of the infrastructures that send emails and take into account the evolution of standards developed in this field.

Thus, the implementation of the "Sender policy framework" specifications (SPF, RFC 4408) as well as the "Domain Keys Identified Mail" specification (DKIM, RFC 4871) are considered, at the time of writing, as being part of the state of the art and the DMARC recommendation "Domain-based Message Authentication, Reporting & Conformance" can be considered as an interesting avenue for their application.

Article 2.6 - Cookies

Signal-Spam members exchange best practices on the use of cookies and, in particular, on informing Internet users about cookies.

On this subject, Article 32 of the Data Protection Act states that: "Any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless he or she has already been informed by the controller or his or her representative:

  • the purpose of any action to access, by electronic transmission, information already stored in his or her electronic communications terminal equipment, or to write information into that equipment ;
  • the means available to him to oppose it.

Such access or registration may only take place on condition that the subscriber or user has expressed, after having received this information, his or her consent, which may result from appropriate settings on his or her connection device or any other device under his or her control. These provisions shall not apply if access to information stored in the user's terminal equipment or the writing of information in the user's terminal equipment :

  • or has the exclusive purpose of enabling or facilitating communication by electronic means;
  • or is strictly necessary for the provision of an online communication service at the express request of the user.

Chapter 3 - People receiving feedback loops

Article 3.1 - Security of personal data processing

Persons receiving feedback loops undertake to implement all state-of-the-art measures to ensure the security - and in particular the confidentiality - of the personal data they contain.

Article 3.2 - Processing of alerts from Signal-Spam

The recipient of a feedback loop provided by the association commits:

  • To deal promptly and effectively with alerts;
  • To inform Signal-Spam of any significant deviation from the type of alerts it should receive, such as, for example, alerts that are clearly not intended for it;
  • To regularly exchange with Signal-Spam on the actions taken with the alerts it receives;
  • To comply with its obligations under the French Data Protection Act (declare its processing to the CNIL or register it in the event of the appointment of a Data Protection Officer, inform people of their rights and the purpose of the processing, and define storage periods in accordance with the purpose of the processing).

Chapter 4 - List Managers

Lists are all processing operations of personal data containing the electronic contact details of natural persons.

Article 4.1 - Formalities prior to the implementation of processing operations

A Signal Spam member who wishes to use a list undertakes to carry out formalities prior to the implementation of its processing (declaration of the processing to the CNIL, registration in the register in case of designation of an IT and liberties correspondent, request for authorisation for data transfers outside the European Union when required by law).

Article 4.2 - Information, consent and exercise of the right of objection

At the time of collection of his or her data, the Internet user concerned is informed :

  • the identity of the controller ;
  • the aims pursued ;
  • whether responses are mandatory or optional;
  • the possible consequences for them of failing to respond;
  • of the recipients of the data ;
  • and of his or her rights of access, rectification and opposition, on legitimate grounds, to the processing of the data, except in cases where the processing is in response to a legal obligation, and, where applicable, of the transfers of personal data envisaged to a non-EU Member State.

In the event of planned transfers of personal data to a non-EU country, the provisions of Article 91 of the implementing decree of 20 October 2005, as amended, apply: individuals must in particular be informed of the country or countries of establishment of the recipient of the data, the nature of the data transferred, the purpose of the planned transfer, the category or categories of recipients of the data, and the level of protection offered by the third country or countries.

At the time of data collection, it should also be foreseen that :

  • or the express and specific consent of the data subject, in particular in the following cases
    • a canvassing by means of electronic mail (e-mail address, SMS or MMS) excluding similar products or services;
    • the transfer of e-mail addresses to partners; it is recommended that when a consumer's consent is sought for the sending of commercial offers by electronic means, as provided for by law, consent to receive offers from the business itself and consent to receive offers from partners of that business should be separated in order to avoid any confusion in the consumer's mind as to the scope of his consent;
    • the collection or transfer of data which may directly or indirectly reveal the racial or ethnic origins, political, philosophical or religious opinions or trade union membership of individuals or which relate to their sex life.
  • a possibility to object in a simple and unambiguous way, in particular in the following cases
    • canvassing by e-mail for a similar product or service in cases of a pre-existing customer-business relationship;
    • canvassing between professionals when the subject of the message is related to the activity of the professional;
    • the transfer to partners of information relating to the family, economic and financial situation, provided that the recipient organisations undertake to use this information only to address the interested parties directly, for exclusively commercial purposes and that this data is not used for any other purpose.

Consent is a manifestation of free, specific and informed will by which a person accepts that personal data concerning him or her be used for direct marketing purposes. Thus, the acceptance of the general conditions of use is not a sufficient means of collecting consent from individuals.

In the case of collection via a form, the right to object or to obtain prior consent must be expressed by a simple and specific means, present on the form.

For example, the form may contain a checkbox or selector, or any other interface tool that is clear, readable and accessible.

Where data is collected orally, the data subject shall be given the opportunity to exercise his or her right to object or to give consent before the collection of his or her data is completed.

After data collection :

  • the data subject shall have the right to object, free of charge, to the use of his or her data for the purposes of canvassing, in particular commercial canvassing, by the current or future data controller;
  • messages sent for direct marketing purposes must include valid contact details allowing the recipient to request that they no longer receive such solicitations.

Article 4.3 Retention periods

List managers shall respect the retention periods necessary for the purposes for which they are collected and processed, set by the declaration of their processing to the CNIL or by the entry in the register in the event of the appointment of an IT and freedoms correspondent.

Article 4.4 - Quality of the data collected

Those managing lists and/or sending e-mails shall ensure, in accordance with the legislation in force, the quality of the data collected. In particular, whenever relevant and possible, professionals collect information relating to the collection of consent. This information includes at least :

  • the organisation in charge of collecting consent (in particular if they are direct customers, customers of a partner or persons who have agreed to be canvassed by third parties);
  • the date and time when the consent was collected;
  • the URL of the site through which the consent was collected;
  • When the IP address is collected at the time of consent, it is kept only for as long as is strictly necessary for the purpose (e.g. when the operations to combat mass registrations are completed or according to the security needs of the platform).

Wherever relevant, a sufficiently precise categorisation of registrants is recommended.

Article 4.5 - Cascading updates

List managers shall put in place procedures to allow for a cascading update of information about a natural person, i.e:

  • systematically retransmit, in accordance with the exercise of the right of opposition provided for by the regulations, requests to unsubscribe to the persons to whom prospecting lists have been retransmitted;
  • and to take into account as soon as possible any request for an update transmitted by an upstream list manager.

Furthermore, the members of Signal-Spam recognise the need to work on procedures to facilitate the exercise by individuals of their right to object upstream to those who provide lists.

These cascading update procedures are facilitated by a higher quality of the data collected, as described in the previous article.

Article 4.6 - Safety

The data controller shall take all necessary precautions to protect the security of personal data and, in particular, to prevent them from being distorted or damaged or accessed by unauthorised third parties.

In particular, access to data processing operations shall be by means of an individual access code and password, which shall be regularly renewed, or by any other means of authentication.

It should be noted that biometric authentication means are subject to prior authorisation by the CNIL in France.

In the case of the use of an online public communication service, the controller shall take the necessary measures to guard against unauthorised access to the automated data processing system.

Chapter 5 - Advertisers

Article 5.1 - Management of lists

Where advertisers who are members of the association manage lists themselves, the requirements described above shall apply.

Article 5.2 - Deregistration procedures

Advertisers who are members of the association shall themselves manage or require their service providers to set up unsubscription procedures in accordance with the commitments of this charter.

Chapter 6 - Routers

Article 6.1 - Primary role of routers

The routers who are members of the association are aware of the central role they play in the procedures for sending large numbers of electronic mail. As such, they undertake to put in place the tools enabling their customers to fulfil the obligations set out in this charter or to advise them on the good practices to be respected.

Article 6.2 - Compliance with technical standards

When the tools set up by a router who is a member of the association are used to construct e-mails sent in bulk, these tools include all the functionalities enabling the good practices described in this charter to be respected. If external tools are used by its customers, the router shall check regularly or according to the alerts it receives that they are applying good practice and shall advise them on how to improve their procedures.

Article 6.3 - Management of abuse

The association's member routers pay particular attention to the management of the information that reaches them through the abuse management procedures or feedback loops.

Chapter 7 - Internet Service Providers and Hosting Companies

Article 7.1 - Processing of alerts on IP addresses sending unsolicited e-mail

Internet service providers and hosting companies that are members of the association shall implement security procedures in accordance with the following conditions:

  • The measures taken are proportional to the risk associated with each situation;
  • The types of measures envisaged include several levels of reaction, applied as far as possible in a progressive manner, except in situations where the safety or quality of operation of the network is severely compromised;
  • Whatever measures are taken, the customer or user must always have a means of accessing their personal data (especially for hosting services);
  • In particular for general public customers, the holders of the IP address (or other service) concerned shall be informed of the reasons for the measures taken and shall receive, by any appropriate means, advice adapted to their situation to enable them to rapidly restore all the functionalities permitted by the service of which they are holders.

Chapter 8 - Hosts

The commitments in this chapter are in addition to those in Chapter 7.

Article 8.1 - Special case of phishing and other malicious content

The association's member hosts shall implement procedures to remove or make inaccessible, as quickly as possible, any content, program or data that contributes to a phishing operation or the distribution of malicious software.

Article 8.2 - Special case of hosts offering e-mail transmission and reception services

Hosting companies that offer e-mail transmission and reception services:

  • Inform their clients who send e-mails and manage a domain name of good practices, including those recommended by this charter, and provide them with tools to help them respect them;
  • Comply with the provisions of this charter for domain names under their direct jurisdiction.

Chapter 9 - Authorities

Article 9.1 - Independence

Signal-Spam's associate members include authorities in charge of personal data protection, network security or judicial police missions. As such, they remain fully independent of the association's members, in accordance with the laws and regulations governing their missions. This independence covers in particular the secrecy of the investigation.

When information from the processing operations carried out by the association or its members is necessary for the tasks of the authorities, they shall obtain it only by means of the procedures laid down by the laws and regulations.

Article 9.2 - Technical and legal support

In the above context, the authorities provide technical or legal support to enable the association and its members to fulfil the association's objectives.

Share This