"How Did They Get My Email?" is a precise catalog of how addresses move through the email data economy without their owners' knowledge. Each verse describes a real mechanism. Here is what those mechanisms are and what senders must understand about the damage they cause.
Understand What Consent Actually Means
The protagonist's central confusion — "got me wonderin' when I gave the nod" — is not confusion at all. She never gave meaningful consent. She gave a signature on a form she did not fully read, to a party she did not know, for a purpose she did not anticipate. That is not consent. That is the simulation of consent.
Legally actionable consent for email marketing requires:
- Specificity: The subscriber must know they are consenting to receive email from your organization specifically, not a generic "partners" category.
- Clarity: The consent mechanism must be legible and unambiguous — not buried in paragraph six of a sweepstakes entry form in 8-point type.
- Voluntariness: The consent must not be a condition of receiving something else (entering a sweepstakes, checking out, accessing content).
GDPR requires all four elements: freely given, specific, informed, and unambiguous. CASL requires express consent that names the sender. CAN-SPAM does not require consent, but sending to addresses obtained without genuine consent produces complaint rates that destroy deliverability regardless of legal compliance.
If your consent record would not survive scrutiny from a regulator — or from the subscriber themselves — it is not a valid consent record.
Never Use Sweepstakes or Giveaway Co-Registration
Verse 2 names the mechanism exactly: "I just wanted to win a little sweepstakes prize / ended up sold to twelve new pairs of lyin' eyes."
Co-registration through sweepstakes and giveaway sites is one of the most common sources of poisoned lists in email marketing. The pattern: a user enters a sweepstakes on a third-party site, and the entry form includes a pre-checked box — or no box at all — adding their email to a list of "partner" sponsors. They may have technically consented to receive offers from partners; they did not consent to receive email from your specific brand, about your specific products, indefinitely.
The result is a subscriber who has never heard of you, did not ask to hear from you, and will mark your mail as spam the moment they recognize you as a stranger in their inbox.
- Do not purchase leads from sweepstakes or giveaway operators.
- Do not use co-registration networks that bundle your brand with dozens of others.
- If you run your own sweepstakes or giveaway, make the email opt-in a separate, unchecked, clearly labeled step — not a precondition of entry.
Know Where Every Address on Your List Came From
"Passed me 'round like a spreadsheet in a smoky bar" describes data brokering. An address entered on one form gets resold to aggregators, who resell to list vendors, who sell to you. By the time it arrives in your database, the address may have passed through four or five hands. Each transaction dilutes whatever consent existed at the source.
Before mailing any segment:
- Document the acquisition source for every address in your database.
- Segment by source and monitor complaint rates, open rates, and bounce rates per segment independently.
- Any segment where you cannot produce a verifiable, sender-specific consent record should be suppressed before the first send — not after complaints arrive.
- Lists inherited through acquisitions, agency relationships, or historical programs you did not design are especially high risk. Audit them before use.
Complaint rates above 0.10% at Gmail trigger active filtering. Rates from purchased or broker lists typically run 1–5%. A single campaign to a cold co-registration list can damage the reputation of a domain and IP you spent months building.
Make Unsubscribing Trivially Easy
"Can't find the link that is supposed to set me free" is not a lyrical flourish. It is a description of a CAN-SPAM violation.
CAN-SPAM requires a clear and conspicuous mechanism to opt out of future commercial email in every message. GDPR and CASL impose similar requirements. Hiding the unsubscribe link — in light gray text, below the fold, in a font size below 10pt, or behind a login wall — is not legal compliance. It is a dark pattern that increases complaint rates when subscribers who cannot find the opt-out use "report spam" instead.
- Place the unsubscribe link where subscribers can find it without effort.
- Honor opt-out requests within 10 business days (CAN-SPAM maximum). Best practice is 24–48 hours.
- Never require a subscriber to log in to an account to unsubscribe.
- Never use unsubscribe flows that require more than two steps: one click to indicate intent, one confirmation.
- One-click unsubscribe (RFC 8058) is now expected by Gmail and Yahoo for senders above 5,000 messages per day. Implement it.
A subscriber who can unsubscribe easily is a subscriber who does not file a spam complaint. The unsubscribe link protects your deliverability.
Maintain Consent Records You Can Produce on Demand
The bridge's hardest line: "Can't prove I didn't want it." That is the data broker's defense, and it transfers to you the moment you mail an address you did not acquire directly.
If a subscriber or regulator asks you to prove consent, you must be able to produce:
- The date and time the address was collected.
- The form or mechanism through which it was collected.
- The exact language of the consent at the time of collection.
- The IP address of the submission (for web forms).
- The identity of any third party through which the address passed before reaching your database.
If you cannot produce this record, you cannot defend the send. Store consent data with the same rigor you apply to purchase or transaction records. It is not optional documentation — it is the foundation of every email you send.