This is not advice any startup should ever listen to.
The most successful and lucrative form of marketing, by far, is re-marketing.
That is where you take someone who signed up but is not currently a customer and you target Facebook/Google ads specifically at that email address. I've seen conversion rates as high as 30% and it's typically pretty affordable.
It's such a critical part of marketing that many companies will take a loss on the initial "here is our product, please join" ads just so they can follow up with re-marketing in the weeks/months to come. And because people re-use their email addresses across websites you can target them on Quora, Reddit etc as well.
I used to think that way too, then changed my mind.
I'd rather get random, un-targeted, irrelevant, and even annoying ads from companies that have no idea who I am or that they're even advertising to me.
Less creepy that way, also more likely to result in the serendipity of learning new things outside my filter bubble/what the algorithm predicts for me.
Sometimes in order to find the real signal, you have to accept that a lot of noise comes with it.
While it may be less creepy, it's nearly impossible to break even running advertising this way. And until there is a way to promote a business, especially a new business, without some form of marketing, it's a necessary step in the online ecosystem. In the old days it was possible to fire blind ads and do okay. But as the costs continued to climb it became more important to be able to target your audience in a more accurate way. Retargeting/remarketing has become a very powerful tool in this process.
The last thing in the world I want to do is pay real money to put ads in front of someone that has no intention of buying and no interest in becoming a customer.
It's bad enough that the primary platforms are making the process more and more of a black box where they control every aspect of the marketing process.
What about the people that bought your email from someone you shared your email address with? That's part of the problem, from the consumer standpoint.
That's fine. They can ask for your consent and you can provide valid, informed consent to this ad targeting, and then get better ads.
What's no longer acceptable according to GDPR is forcing this onto people unknowingly, or by packaging it into a "take it or leave it" package of fine print.
Typically users don't want to give you email unless you prove them it's worth it. So instead of making email mandatory for registration, you can now try showing articles around improving there game skills or ask them if they want reminders. Let them opt in on emails. This is called permission marketing. Seth godin has a while book around it.
> I've seen conversion rates as high as 30% and it's typically pretty affordable.
Just 30%? Pfft. Just wait until they become a customer, and then advertise to them. Bingo, 100% conversion success. Best way to do it? Advert on the conversion page. Customer pays money, you show them an advert, 100% relationship between the advert and conversions, sterling job, and you cut out the middleman because it doesn't need a third party agency to do the placement, so it's affordable even after your fees.
But, for 90% of websites that force me to use an email, unless it's for something i'm paying for or care a lot about, I use one of several email addresses I set up specifically to sign up for websites and never look at them again.
If I didn't have to give an email, I'd probably still use those services, reddit comes to mind, i'm only signing up because i'm interested in the first place.
Having my email and spamming me...sorry, remarketing to me, makes no difference to my retention because I never see it. Providing a quality service I care to use is why I stay with things.
Questionable. I guarantee the vast majority of users don't even read the massive legalese text walls companies show them before they sign up. Usability studies have shown that people don't even read small error messages, they just want to get rid of the annoying message as quickly as possible. The few of them that actually do read these things probably won't have the foggiest idea what any of it means or the risks associated with the breach of their privacy. So how could this be real informed consent?
Of course, we also have sites where this document is not shown at any time and can only be reached through a link buried in the page's footer. Sites that just write whatever terms they want into this hidden page and then say everyone is agreeing with it by virtue of using the site.
Under the GDPR, any non-essential data processing (analytics, ads, marketing, etc falls into that) should be opt-in and dark patterns like pre-ticked checkboxes are not allowed.
Under the GDPR, any non-essential data processing (analytics, ads, marketing, etc falls into that) should be opt-in
This isn't strictly true. Consent is only one lawful basis for processing under GDPR, and it comes with a lot of strings attached that other bases don't necessarily have, which is why so many lawyers and consultants were recommending against relying it unless it was the only way during the mad rush to GDPR compliance a few years back.
In particular, even some of the regulators have themselves indicated that marketing might be a legitimate interest of a business. Obviously the details matter here, and handing personal data over to third parties like Facebook without their knowledge or consent seems materially different to, for example, the original business sending a relevant email about a new product that is related to something that the recipient already bought from them. Time will tell how the regulators decide to handle this.
> This is a core feature of every ad platform I've seen and is absolutely not a violation of the GPDR since users are giving consent when they signup.
That's not how it works. Hiding the "consent" in the fine print doesn't count, and at least in Germany, it's clear that you need valid consent and can't weasel out of it by claiming "legitimate interest" etc.
I already had a DPA explain this to one of the companies that decided to give my data to Facebook, and the DPA indicated that they were acting on multiple complaints in that regard.
There's a good chance they'll let you get away with a warning the first time if you haven't gotten in trouble before, but especially if you keep doing it (or if they decide that by now, you certainly should have known), expect quickly escalating fines.
I agree that this is a core feature. However, the GDPR mandates that consent should be opt-in, granular (you can provide consent for your data to be used for one purpose but not another) and you can't refuse service because a user is refusing to consent to non-essential data processing (ads would fall into that).
So yes, technically you can ask the user for consent, but it has to be explicit ("we'd like to share your e-mail/phone number with our advertising partners such as Facebook, accept/decline?") and I can't imagine anyone in their right mind consenting to that.
> You've signed up for a web service and never seen ads on other sites for it ? Very strange.
I sign up for stuff only when I have no other choice for exactly this reason, and often provide fake details. Reminds me of an ex-client where they had an issue with their potential customers not providing the right contact details because they're afraid we're going to spam them. "But do we actually spam them? -Yes."
But you are not sharing your email with fb. The user already shared it with fb. I am only telling fb, if you have this user with this email, show him an ad. I really don't see the problem. Much better a targeted ad than ads about porn, casinos, viagra or poker.
Regardless of whether Facebook has my e-mail, services providing them with a hashed version of it for advertising purposes still allow Facebook to tell "this hash is associated with these services" even if they never had the original un-hashed email. They can combine it with all the other information they have (stolen from people's contacts which may have the unhashed e-mail along with my name and potentially phone number) and create a pretty good profile on me even if I never signed up for a Facebook account and agreed to their ToS/privacy policy.
Things get murky in this area (or perhaps not, the lawyers will figure it out in time).
If Facebook is only using something like a hash of an email address in order to target ads at specific Facebook users at the request of one of their advertisers, they are probably only acting as a data processor for a very specific purpose that might be acceptable for both Facebook themselves and the advertiser under the GDPR rules.
If Facebook does anything else at all with that data, their role probably changes from a GDPR perspective. The hash is personal data, since by definition it's being used to identify a specific person. If Facebook is using the data they have associated with that hash -- for example, anything they know about the business that provided it -- to build up more of a profile on their users, they are probably now a data controller, possibly as well as a data processor in connection with the original targeted ad process. Then you get into questions about whether Facebook's users have given their suitably informed consent to Facebook or there is some other lawful basis for whatever processing is happening.
Obviously if businesses were providing actual email addresses to Facebook or if Facebook were using that data to do things like building shadow profiles on non-Facebook users, that would be another level entirely. And AFAIK, the custom audience tools on marketing platforms like Facebook typically do accept directly uploads of literal email addresses, phone numbers or other identifying details for the audience to be targeted, so maybe the discussion about hashing above is all moot anyway.
Thank you, that's nice of you to say, but I claim no special insight here. I just happen to live in the UK where these issues are relevant and to have some professional experience dealing with them.
The German DPAs have a FAQ on this topic, and they're very clear about the fact that hashing isn't anonymization and doesn't change the fact that you're sharing PII. (The FAQ also mentions that you need consent and can't claim "legitimate interest").
Thanks for that. Would you be able to link/quote the relevant section? I'm personally interested in it, but my German language skills are extremely limited.
There is two kinds of "custom audiences" - one list-based and one based on tracking pixels. I'll only quote the parts relevant to the method where customer lists are uploaded.
a.Rechtmäßiger Einsatz - Der Einsatz ist nur aufgrund einer informierten Einwilligung der Kunden zulässig. Das Hochladen der Kundenliste kann weder auf eine Rechtsgrundlage des BDSG noch des TMG gestützt werden. Diese Rechtsauffassung beruht auf einer europarechtskonformen Auslegung der geltenden deutschen Datenschutzbestimmungen und berücksichtigt die jüngsten Entscheidungen des EuGH zum Datenschutz. Im Übrigen wird das Übermitteln dieser Liste an Facebook auch auf der Basis des ab Mai 2018 geltenden Rechts, d.h. nach der Datenschutz-Grundverordnung (DS-GVO), nicht ohne Einwilligung zulässig sein.
b.Widerruf der Einwilligung - Widerruft der Betroffene seine Einwilligung, so muss er von der Kundenliste entfernt werden. Da der Webseiten-Betreiber keine Kenntnis davon hat, welche Kunden auch Nutzer auf Facebook sind und beworben werden, ist die vollständige Custom Audience-Liste unverzüglich zu aktualisieren.
(Translation - Google translate with misleading issues corrected manually:
Lawful use - Use is only permitted with the informed consent of the customer. The uploading of the customer list can neither be based on a legal basis of the BDSG nor the TMG. This legal opinion is based on an interpretation of the applicable German data protection regulations in accordance with European law and takes into account the most recent decisions of the ECJ on data protection. Beyond that, transmitting this list to Facebook will also not be permitted without consent according to the law applicable from May 2018, i.e. according to the General Data Protection Regulation (GDPR).
Withdrawal of consent - If the person concerned withdraws his or her consent, he or she must be removed from the customer list. Since the website operator has no knowledge of which customers are also users on Facebook and are being advertised, the complete Custom Audience list must be updated immediately.)
> I am only telling fb, if you have this user with this email, show him an ad.
You're also telling Facebook "by the way, I have a relationship with someone with this email address". That's personally identifiable information that you're sending to Facebook. Under the GDPR you can only do that if you have the explicit and freely given opt-in permission to do that from each respective person. "By using this site you agree to..." or "by signing up you agree to..." does not qualify as consent under the GDPR.
If the person does not live in Europe and you are not in Europe then the GDPR doesn't apply, of course.
If I'm not on Facebook (which I'm not) you are telling them that there most likely exist a user with this email address and an interest in your service. If many companies do this FB might even be able to build a profile of me without me doing anything
This is (or at least should be) not Bueno under GDPR / data minimalization.
No way. If I sign up to, say, a mailing list, or make an account using my email address, I am NOT giving my consent for that site to use my email for targeted marketing (other than the specific mailing list I signed up for).
> This is a core feature of every ad platform I've seen and is absolutely not a violation of the GPDR.
I agree with you on this part. It is not a violation of GDPR on the ad platform side since you, as the data controller, are responsible to obtain a permission from the end-user. The ad platform is a data processor defined under GDPR. I am sure that the agreement between you and the ad platform is stating that you have a permission to use the email addresses for targeted advertising purposes and bear the full legal responsibility if not.
> since users are giving consent when they signup.
See Nextgrids comment. Yes, the GDPR admittedly lacks on the enforcement side and yes, I agree that this is a common practice, but that does not make it legal. Not for a data subject residing in the EU.
This is a core feature of every ad platform I've seen and is absolutely not a violation of the GPDR since users are giving consent when they signup.
I think we'll see regulators take a different view when they get around to challenging this practice, and the businesses who get made into examples might find it an expensive lesson. Handing over personal details to big data hoarders for remarketing purposes is the epitome of behaviour the GDPR was intended to curtail. You can't just mutter the word "consent" and claim some small print on a Ts & Cs page no-one reads protects you, and regulators have shown very little sympathy so far for data controllers who have tried to weasel their way out of GDPR obligations with this kind of strategy.
Those regulators are still under-resourced and it will presumably take some time for them to get around to dealing with this issue. Right now they're still going after serious leaks and the like. But they're already handing out 9-figure fines to big name businesses for those breaches, and by default those fines go back into central government coffers. Given the current economic climate, how long do you think it will be before their governments realise that this is potentially a very lucrative revenue stream that the public is unlikely to mind, and so start pushing the funding for those regulators up? The ICO (the UK's regulator) has already significantly increased its budget and headcount since the GDPR came into effect, and is reportedly looking at ways to ringfence some of the fines to cover the litigation costs when it inevitably has to defend the big penalties it will hand down from time to time.
When the Cambridge Analytica scandal happened here in the UK, the ICO fined Facebook £500,000. That was the largest fine they could legally impose at the time. As they observed themselves, in what might charitably be considered a thinly veiled threat, under the GDPR that could have been well over £1B instead. Even an organisation the size of Facebook is going to feel that, particularly since there is nothing that says it can't be repeatedly fined on that scale if it misbehaves in multiple different ways.
A couple of potentially important issues have, as far as I know, not yet been resolved in this area.
Firstly, what happens if processing in violation of the GDPR is widespread, the businesses you give your address to are the data controllers, but you still have the likes of Facebook hoovering up huge amounts of personal data inappropriately but possibly only in a capacity of data processor? No doubt there will be some interesting legal arguments about where liability is going to be placed if Facebook was actively soliciting that sort of activity as part of its business model.
Secondly, what happens after the UK has fully separated from the EU at the end of this year, if as the government has stated we retain the GDPR in our national law? Until Brexit was relevant, the GDPR was an EU-wide measure, and typically one member state's regulator would take the lead role in any given case. Anyone breaking the GDPR's rules could be duly investigated and penalised, but only once, not in the same way by every regulator in every member state where there was offending behaviour. If the UK is no longer to be a part of that scheme, will regulators still co-ordinate in this way, or will the businesses sharing data with Facebook face a kind of double jeopardy where both the UK and a lead regulator from an EU member state can potentially fine them for the same behaviour, effectively doubling the maximum penalty they could receive?
If both of those issues were resolved in ways unfavourable to the marketing platforms like Facebook, they could be looking at huge fines for promoting this sort of scheme on the scale that they do, potentially enough to make whole strategies based on selective targeting unviable.
Agreed. If I feel violated or tracked, I'm far more likely to develop negative feelings for your product. If Facebook starts showing me more ads for your product right after I visited your site, you're definitely not getting my business.
Ask yourself this: Would you rather have targeted ads, for something you might be interested in, or completely random junk you couldn't care less about? Targeted advertising benefits both you and the advertiser.
Targeted advertising creates a liability for me in the form of leaking which services I use to a third-party advertising partner I may have no relationship with and haven't accepted their privacy policy (the service itself doesn't know whether I use Google/Facebook and sends them the information regardless).
If advertising was targeted at the browser level (the browser has access to the entire catalog of ads out there and then does the selection locally based on sites/services I interacted with previously) then I would be in favor of that.
Finally you are omitting a third option in your comparison: how about no advertising at all? Preferring paid services over ad-supported ones and countermeasures like uBlock Origin make that a real possibility. I can't recall the last time I've seen a proper ad online (in fact my problem with the parent's idea is more about the data sharing than the ads themselves since I won't see the ads anyway).
If you feel it's a liability, it is up to you to protect yourself. Use VPNs, disposable VMs, multiple email accounts, private browsing, and whatever else you think is necessary to preserve your privacy. "Tracking" is baked in to the web. The cat is out of the bag.
No advertising isn't a viable option in this world. I'd go as far as to say that the Internet, as we know it today, would not exist without targeted ads.
In this case you could say that we need to go back to the Middle Ages and we don't need laws & enforcement and if you are concerned about getting robbed or killed it's up to you to defend yourself by wearing body armor, carrying weapons and having your own personal army.
Society has laws for a reason when its constituents decide that certain behavior is detrimental to it and should be outlawed & discouraged by the use of appropriate punishment. I don't see why this shouldn't apply here? The GDPR is in fact a step in that direction, though its enforcement is severely lacking.
> No advertising isn't a viable option in this world.
This is debatable but it's a discussion for another thread.
> I'd go as far as to say that the Internet, as we know it today, would not exist without targeted ads.
The Internet originally was about sharing information freely. It facilitated commerce to a certain extent but commerce wasn't its core purpose. The internet as well have nowadays has actually become worse because of the increased focus on commerce & advertising.
The difference is enforcement. GDPR cannot be enforced worldwide. Even if it "legally" can, which is debatable, practical enforcement is another matter. Even if it could be practically enforced, accidents happen. People make mistakes. Your data could still be shared with a third party due to a bug or just plain incompetence. It's still a good idea to protect yourself.
This is a superficial view that does not account for the advertiser's ability to price discriminate via advertising. For example, say there is a Batman movie coming out, and I sign up on the Batman website to find out when/how it is released.
The movie folks now know that I am very interested in this movie. They can choose to target me for a small coupon advertisement, knowing that I will likely claim it and consider it a win.
Simultaneously they can target people on FB that they think are Batman fans (but who have not signed up for their email list) with a more generous coupon.
So while I am seeing advertisements for relevant products, I may be seeing less-generous offers than I would see in a world without tracking.
With e-commerce, the coupon bit will soon be unnecessary - you'll just see higher "personalized" prices, with no indication that they differ from what others see. Like a more targeted version of https://crow.app/blog/price-localization-with-stripe
I do get targeted ads, it's called newletters I sign up for on services, and blogs of techincal companies I keep up with. Both work well for things I am interested in.
As yourself this: How do you feel about the possibility of any personal information you give to any company may be given to others without your consent (or "with your consent" behind a huge wall of "this is how we use your data, take it or leave it"), and for those companies to sell it to data arrgrators to build a complete picture of you, to sell it to anyone with enough cash?
I am fine with pseudo-anonymous ad targeting. You can collect personal "interests" without collecting truly identifying PII.
However, what you describe already happens and has for decades, in the offline world. Tons of personal info, like real estate and voter records, are already public in many jurisdictions anyway. Insurance companies, credit card companies, phone companies, and everyone else all take this stuff and spam the hell out of everyone.
The problem is in what the person said above - it works for them, with 30% conversion rate...they wouldn't be doing it if they didn't get money from other people that way...
Criminal gangs could also say that crime such as theft, robbery, blackmail, extortion, etc works for them and makes them money. It doesn't mean we should be legitimizing and encouraging this behavior that most of us agree is detrimental to society.
There are plenty of scams and malware being spread through ads. Furthermore ads are a parasite that wastes most people's time for no benefit with no official way for them to opt-out (a lot of services don't allow you to pay money to opt-out); it'a a cancer on society.
> Especially in this case where PII data is not being provided to the advertising company.
You are literally talking about capturing e-mail addresses so you can pass them to an advertising partner to target ads to these users. How is that not PII?
The emails can be hashed, turning it into a pseudo-anonymous ID. It is debatable whether that is PII. It probably comes down to whoever can afford the better legal representation.
Hashes are not a panacea. I see them being suggested as solution for anonymization of ip addresses/domain names/urls/file names/emails all the time but these people that make said suggestions are either clueless or are arguing in bad faith. It is extremely easy to brute-force the majority of said hashes. (in addition to that I doubt that anyone is passing hashed emails as it would make it slightly inconvenient to send emails to said accounts)
It's indeed extremely easy to brute force these hashes when you have a database of the original (plaintext) data stolen from people's contacts which reduces your search space dramatically.
They do. Advertising's whole purpose is to manipulate people into doing what companies want them to do. Not every company has your best interests in mind. Due to this inherent conflict of interest, ads should be viewed with healthy suspicion at best.
Banning tobacco ads helped reduce smoking in my country. We should ban a whole lot more.
Content blockers work really well too. They should be integrated into browsers. That ought to reduce the conversion rates and get companies to stop spamming us with noise.
Email registration is the gateway drug to conversion. We AB tested this. Requiring users to sign up meant we got fewer sign ups but a higher conversion rate to premium. So although we had fewer users, more paid. Giving your email is a committment. Maybe once you've made a small committment it's easier to make a bigger committment. If you're running a commercial product, especially freemium, it's not just about number of signups.
How do you know that it wasn't caused simply by selecting for more serious trialers? What makes you think the cause was "committing", and not a selection thing?
Because the conversion rate was higher from no sign-up to paid. So we were probably selecting more serious trailers, but they were then more likely to pay as well. If it was just the conversion rate from sign-up to paid then you would be right, but we looked at the conversion across the entire funnel.
"More serious trialers" will be more likely to commit by entering an email; people who are not willing to enter an email are obviously not very serious trialers. It's just two different ways of saying the same thing.
"More serious trialer" is not a fixed attribute or category that you can select for. A person fits this description based solely on their behavior; they become a more serious trialer by the act of putting in their email address. From that point the causality is the same.
Yes - my point was that the narrative of "why" isn't useful. A/B tests tell you what happened. They do not provide insight into why. Yet everyone has a story they tell to fill in the why, and these stories are harmful to making good decisions.
> Maybe once you've made a small committment it's easier to make a bigger committment.
It's definitely not the whole story, but this is a pretty well-studied thing in psychology. A similar trick in social engineering is to ask your mark for a small favor, which will make them more likely to do you a bigger favor later. I've read about it many times, but can't for the life of me remember what it was called...
I also don't understand the value in giving away more than you need to get someone to commit. If your product has any type of cost associated with converting you may be better to filter poor prospects early, i.e. those who won't even give out an email. This is likely better than carrying them farther down the process with more promising conversions.
>you can target them on Quora, Reddit etc as well.
This is one of the reasons I stopped giving out my primary email address for user signups. I use a service called Blur which allows for unlimited "masked" emails to be created, allowing me to give companies read-only email addresses. In the four years I've had it I have created 378 email addresses. If I'm including the email addresses that I've already deleted, the list gets to 400.
Marketing and the 3000 spam messages I get per month made me do this. It does not have to be this way, but as long as corporations can play fast and loose with my email address I will make sure they never get a real one to begin with.
Edit: Want to add here that I am not in any way sponsored by that company, I've just been using them for years now and think their prices are reasonable.
I registered a domain name that’s basically just a UUID, and pointed it’s MX records to my self-hosted email server (you could also point it to Google Apps or Fastmail).
Everything before the UUID domain is just the name of the service, so something like hackernews@e913ff00...xyz. If someone sells out my email address, I can instantly burn it by just adding a sieve rule since they’re all unique. I even know who sold it based on what name I picked before the @ symbol. This has been working out pretty well for me so far.
I'm using a similar technique, but rather generating a random address @my-domain.
To know which provider it was (in case I later get spam from somewhere else), I keep a text-file + email myself any time a new forwarder is set up, so this way I can always look up which service it was.
This way, I was able to spot a leak at box.com and maybe a couple of other places, before it was even announced.
For websites that have questionable password policy, I use passwords that curse the company in my native language (if no-one sees it then it's fine, but if someone does then they have deserved it). I bet the same tactic would work if you get creative, ie spotfuckingify@uuid
If you're using gmail, plus-suffixing is a low-effort but effective countermeasure: username+servicename@gmail.com gets delivered to username@gmail.com.
Ah. You can set up dash-suffixing if you're using a custom domain with gmail. Create a new "catch-all" email account. Log into that new catch-all account, and create forwarding rules for alice-* to go to alice@example.com, bob-* to go to bob@example.com, ...
Once the marketers discover people are doing this, they'll ban email addresses from this service as if they were fraudulent. Wouldn't be surprised if companies started disallowing everything except gmail.
I run https://kopi.cloud - let's you give out burner addresses you can just make up on the fly. SSO through Google, Facebook, Twitter. One touch blocking of burner addresses. Supports replying and attachments. Mail 2 RSS - read Facebook / StackOverflow, newsletters, etc. as RSS feeds. And you can use your own domain if you want, so no lock-in.
Great idea, but all these posts deserve the same qualifier: this should be considered an experiment / hypothesis, and not a recommendation that every other site / business / experience should apply without question.
There are times when removing email is best, and others where data or business vertical necessitates something different. You still need to verify with your users and do the appropriate testing / analysis / user research.
100% agree. This worked for us, but is likely to vary by business and this is not a silver bullet. I do think though people who register with email and convert tend to be people who would convert already (i.e., there is a bias already). Product managers can test opening up the funnel more by asking for emails later in the funnel.
We use some tools to understand traffic and fortunately most of the traffic is clean. One downside with asking for usernames alone is that people (not too surprisingly), come up with creative but very profane usernames!
Yes. I run a web service that provides a free trial period, and I can't see anyway around it other than forcing a sign up. I'd love to know if there are more friendly ways to do it.
1) Everyone and their dog wants your email those days, which is bad due to engagement spam as mentioned in article, and privacy (those email addresses are probably flying around adtech servers which allow building up extremely detailed user profiles by those adtech companies).
Your website should allow "demo mode" to make me see what's the value it provides. No way I will go through registration on random pages that fail to immediately make me crave to use them. I ain't got time or will for that.
2) If you want to follow advice of the article, I'd rather not remove email field, but as I wrote before, allow demo mode, and at next step when actually registering the user, put a clear one paragraph sentence saying that you'll not be spamming me with your engagement stuff.
3) If you ask for email, absolutely verify it. There are way too many people who subscribe to all kinds of services using someone else's email. See this thread:
I am not surprised. The list of services I no longer use because they constantly email me to generate "engagement" is quite long. And if I get too annoyed (about once or twice per quarter), I make the effort to not only de-register my account, but I often add the domain to my spam filter so I never see email from that domain again.
I just checked and I have a bit over 110 domains in my spam list that look like they were added over the years because of this. So I may have under-estimated how often I "blacklist" businesses like this.
I have a fake email address I use to sign up when I am forced to. I login to that email account once every month not to lose access, but other than that it is a huge swamp of unread emails.
Sadly though, it appears all these temporary mail domains are in some central list, that data harvesters use to deny access. It's almost impossible to sign up for forum accounts with these. So it's impossible to download files from vinylengine.com unless you allow them to spam you.
I run 2 addresses, both at my own domain (using Midagu for hosting).
One is my actual address that human people who I know have.
The other – referred to as “the sluice” – is everything else. I don’t really care what goes in it. A rule marks it as read as soon as it hits my inbox.
Simple but massively effective. I used to get stressed about spam but now I don’t give a crap.
Edit: also, the sluice mailbox is 2020@mydomain. When it does finally become too much of a cesspit, I'll just kill it and create 2023@...
I'm fairly certain I would rather collect the emails even if it means less retention. Not for marketing purposes but for support purposes.
With MakePostSell [1] a customer may add products to their shopping cart and interact with a shop as if they are logged in, but at the point of sale / checkout, we ask them to verify their email.
Don't bother. If you collect email addresses, it's PII and someday you will have to account for that.
Instead, give them a searchable FAQ or a wiki and an email address to write to for support. Connect it to a ticket system that autoresponds with a ticket number.
(then you added your second paragraph while I was writing this.)
We're hoping to test an email password recovery option after the account is set up. It builds on the idea of getting more information after commitment.
I've started uses separate email addresses on my personal domain for each account I create, and so far I like this approach. I hope some company solves the problem of making domain registration as accessible as phone numbers are today so the average person can reap the benefits
10 years ago (!) Instapaper changed its tune and started requiring emails for new accounts. Before it had not required emails (just usernames) and even didn't require passwords, and after living with that for years Marco decided to switch back to the more traditional form.
It's interesting to think that times may have changed and that people are hesitant to give out their email addresses anymore, but you are giving up some real benefits by leaving it out.
Anecdotal, of course, but in my experience many people won't sign-up using their email because they're tired of getting added to mailing lists and receiving spam. Now, you could use fake emails when you sign up for these, partially as a way of avoiding spam and partially to find out which services are the most annoying with their mailing. However, this gets tiresome and if I can find an alternative service that doesn't require me to give as many personal details, I'll choose it over that one.
I like the idea of starting registration with no email but with the option to add a recovery email later on, once I am sold on the idea that this account is worth recovering.
The article mentions the tradeoff of username Vs email of increased willingness for people to sign up Vs losing the simple channel for password reset, but does not propose a solution outside of non-expiring cookies, which to me isn't really a satisfactory solution (though perhaps it works OK enough in practice for some types of use cases).
In my view, for most applications, the upside is not really worth that downside. It got me thinking though, are there any clever solutions to do password reset without an email / social media account login / etc? Does anyone know of any good ones?
I ran a small system for awhile where you could designate three other users to act as backup. If you needed to reset your password each of the three backups would receive a unique token and a request that they forward it to you out of band. With all three tokens you could reset your password. This was optional, though, and in addition to a classic email based reset flow. Obviously a solution like this would only really be feasible for a few niche applications.
Could you set a minimum amount of time since last login / visit before recovery was possible? If you are visiting the site every day, and your three "friends" decide to collude to reset your password, the site should refuse to issue the tokens since you are still able to access it.
This gets a little more tricky if you have an unexpired session but want to be able to change your password (which likely requires knowing the existing password), but a request from this logged in session to reset your password should be trustable (unless your "friends" have also stolen your unlocked device).
Similarly, if one or more of your "friends" requests a token / password reset of your acccount, the site should highlight that in a banner on every page you visit, to potentially give you warning to find better friends. (The process for replacing a friend on the site should probably require re-entering your password too, to stop someone that's hijacked your session from picking three sock puppet accounts as your new friends, and resetting your password that way).
The community as a whole was pretty tight-knit so we didn't go that far down the security rabbit-hole. The initial proposal, though, only required a single backup and we did increase it to 3 to add a little more defense ;)
Presumably if only one "friend" defects and attempts to reset your account you will be notified by the other two friends sending you unrequested reset tokens out of the blue
3 is kinda an arbitrary number, chosen to strike a balance between security and convenience. It was decided that getting 3 people to collude to erode the trust of the community was harder than intercepting an email so the solution was accepted as adding some additional amount of security.
Honestly a bigger flaw in this scheme is if one or more of your friends is no longer active or has forgotten their own password and cyclically is relying on you for backup. You can hedge against this a bit by adding more backups and requiring only some critical mass of tokens, but this does also increase the attack surface.
Use a security key like yubikey to verify it’s the same person. I dunno if the default yubikey requires a pin AND touch, but mine does... even if you steal it, you don’t know the pin. These days you can also use Apple touch and windows hello in webauthn. So, there’s that.
Another possibility is requiring a payment with a payment method they’ve used before and then credit their account with the amount. Forcing 3D secure on that transaction should cut down on fraudulent take overs; or at least shift the liability from you, somewhat.
If you have an app, you can also allow them to authorize the password reset from the app on a computer (or vice versa).
Lastly, you could just not have a password to forget. :)
Seems like a hard problem. You could keep track of IP addresses that the user plays from, and allow resets from that IP. You'd only want to do this for very low risk types of accounts. Sadly, game sites tend to be high target for account takeovers, so this may be a very bad idea. Adding some other fingerprinting would help.
In fact, the more I think about it, there's a paper I saw that can identify users solely by their mouse movements. If you maintained that kind of fingerprinting in game, you could simply ask the user to play a few rounds then offer to reset if they're from a typical IP address. Might work well for this particular website.
Allow to upload a PGP public key, and reset request page would just return an encrypted PGP message containing a link to reset the password.
Assumes:
- people are less likely to lose their PGP key, than random password to a random website.
- people have PGP keys
- PGP key doesn't contain email address (it does).
Anyway, it would be reliable, and it doesn't need giving third party online service access to all your online accounts.
Phone number, I guess. Sending SMS messages en masse is expensive or heavily regulated in much of the world and it doesn't particularly suit frequent "spamming" so people of a younger generation may be more willing to hand it over(?)
Yeah, I have a number that I "hand over" and another number I don't. The public number is inundated with spam SMS to the point that I don't even bother checking them anymore. And this is with pretty conservative behavior: even though I have a dedicated number for this purpose I still avoid entering it unless I absolutely have to.
Agree. It will depend on site, but we often don't challenge if email collection is worthwhile. One idea we had is to ask for an email afterward as an optional password discovery option if the user wants it. That way they are in control.
Honestly, I hate managing accounts and passwords so much that I'll walk away when a "create an account" is thrown in my face.
Login via Google / Facebook / Whatever is sometimes helpful, but it usually results in SPAM. For example, I logged into Redfin through Google and they immediately started spamming me.
Other times, when I login through Facebook and disable sharing my email, the site that I'm trying to log into has a "mystery error" because the concept of not sharing my email address never occurred to whoever wrote the integration.
Most of the time, I just use a unique email address with each site. My domain has a catch-all email address, so when someone starts spamming it, I know who did it.
I use a subdomain; making your main domain a catch-all will eventually result in a deluge of spam.
Instead of [everything]@example.com, I set up [everything]@yo.example.com. Discovering subdomains is much harder and the one time I encountered a form that didn't like a subdomain, I just made a forwarding address on my main domain.
Using Fastmail's rules, I have a setup where every message arriving to @yo.example.com gets shunted into a folder unless there's a different rule putting it somewhere else.
Is this because you don’t publish MX records in DNS for the subdomains and the default setting on the main domain is to accept only specific addresses (and reject catch-all addresses)?
Personally I haven't been hit with spam to truly random addresses with my catchall. Is that a common issue people run into?
The spam I've received on my catchall is either based on previously breached sites (which I once signed up to) or to very common mailbox names (e.g. postmaster@, info@). I just add those to an auto-reject postfix filter based on the intended recipient, which keeps my inbox very clean.
Is anyone else here concerned / wondering if these numbers could be noise and loosely correlated? The leaderboard addition lead to a 22% user signup but there’s a 3-5% jump in number of sessions (games?) and it’s as a decimal position of 4. This feels like maybe there’s something more fundamentally wrong going on here...
This is pretty far from what would be needed to say 'Email registration is dead'. Users may be annoyed by it and it may help in niche cases to exclude email requirements, but for most webapps this will not be possible as users will not even be able to reset their password then.
Totally agree. This will depend by business. We're were just pointing out that it makes sense to challenge the norm, because people are so reluctant to give their email addresses.
My pet peeve is with retailers which force you to register before even being able to browse their virtual store.
They will never get my business. I wonder if the CEOs of these companies have any idea how much business they're driving away.
Ask me email, but don't force me to verify it before letting me in. While I'm browsing, show me a prominent warning that my email is not yet verified. Include my email address in the warning so that I can catch possible typos.
This scares me a bit. A part of email validation is ensuring they actually own that account. It depends on the sensitivity of the service to an extent but I don't think it's appropriate to let somebody interact as if they were a specific email account until they've proven it's theirs.
Edit: I do like the recommendation of showing them the email they're waiting to validate so that they can see typos.
One option and something I am using for my startup is to use Clearbit Risk (https://clearbit.com/risk).
It's an API where you give it the user's email address and they tell you if they think it's real or not. I have it such that if it's not risky I bypass the "verify email" step.
Not sure how long the API will be around and it's pretty slow but for now at least it's free.
That's really interesting and definitely something worth trying. I wonder how the effectiveness of email changes with the goals for the user (play solitaire vs pay for a subscription, etc).
I think age plays also a role. I have met various young people who have't entered the "working world" yet, that only have an email address because they needed one for registration and to recieve some school related information. But it is percieved as something completely arcaic and they never use it for anything else nor check it regularly. All communication is via messangers or social media.
On the other hand also elderly are or could be moving in this directions. E.g. my mother getting an iPad and apps like Whatsapp have completly changed "computers" for her. From, being mostly a chore that you have to use, to something really useful for getting information and to stay in touch with relatives in other countries
He does mention, somewhat off-handedly, that the lack of email makes password recovery harder. (Presumably impossible without some other communications channel like a phone number.)
And you really need to be able to recover account access for a paid subscription. It's probably also reasonable to assume that if someone is going to give you a credit card number and address, they're probably OK with giving you an email.
This is pretty clever, but people might get double billed if they accidentally try to confirm their account with a different card than they used to sign up.
In my case, customers don't have any data on the account - it's simply a bit saying 'has paid for premium?'. And if I end up giving premium to a few people who didn't pay it isn't an issue. The sign-up friction of needing an email address is greater.
Reddit has regressed in this area. It now appears like an email is required for signup (even though you can leave it empty and click next). It probably deters people from creating accounts.
In the end, it's all about time. People are rational creatures (despite rumours) and quickly decide whether they are willing to spend time to do the email activation thingie, and so they bail. Someone should do a survey of conversion rates vs time it takes to sign up somewhere, i bet there will be a strong correlation.
Anecdotally, i ve observed the opposite too. I don't require email to sign up, but there is an email field further down in the form, and yet 95% people DO enter an email that looks valid, and not just garbage. That said, only 5% clicked on the email verification link , presumably because they don't have to
Hopefully a lot of the remaining resons to collect emails start going away as WebAuthn gets adopted and better integrated into browser sync and/or password managers.
The most successful and lucrative form of marketing, by far, is re-marketing.
That is where you take someone who signed up but is not currently a customer and you target Facebook/Google ads specifically at that email address. I've seen conversion rates as high as 30% and it's typically pretty affordable.
It's such a critical part of marketing that many companies will take a loss on the initial "here is our product, please join" ads just so they can follow up with re-marketing in the weeks/months to come. And because people re-use their email addresses across websites you can target them on Quora, Reddit etc as well.
You can't do any of this without their email.