Who manages compliance for your outsourced compliance specialists?

Starting around 20 years ago, a popular way for shady startups to skirt employment laws was to hire an outsourced “co-employer” or “employer of record.” Employees would receive their offer letter from—and perform services for—one company, but their paychecks would come from another, which was often in a different state. That way, if the employment relationship went sideways, a shell game could be played as to which company the employee actually worked for.

I worked for a couple of companies that used a company called TriNet for this. My most recent experience with TriNet was about 15 years ago, so I was a little surprised when they started sending spam to my personal email account earlier this month.

TriNet is now billing themselves as “HR compliance specialists,” also known as blood-sucking leeches. Human Resources rivals only the government and NIMBYs at trying to bring about the downfall of productive civilization. A few months ago, I joined a publicly-traded company, and was forced to sit through nearly 40 hours of cheesy “annual compliance training” videos, which covered topics like “insider trading is bad,” “you shouldn’t bribe government officials,” and “please don’t pull your dick out mid-way through a Zoom call.” [Link to PornHub elided—Ed.] Multiply those 40 hours by 4,000 employees, times the average tech worker salary, and that’s literally tens of millions of dollars pissed down the drain every year, for no purpose other than to appease the HR nannies and ESG scammers. I’m pretty sure exactly zero of my 4,000 co-workers were planning to commit multiple felonies, but had a sudden change of heart because they were forced to watch a badly-produced video and answer a multiple-choice quiz afterwards.

(The production of many of those videos was outsourced to a company called KnowBe4, and they’re terrible. I’m positive I could hire my local high school’s drama department to produce higher-quality content. But I digress.)

Before sending spam—er, “email marketing”—you would expect that TriNet, being “compliance specialists,” would do some basic research into the legal requirements. But it turns out that they’ve outsourced to a different compliance company, OneTrust, to illegally make it difficult to unsubscribe from their mailing lists.

When I clicked the unsubscribe link in one of TriNet’s messages, I saw the following:

Screenshot asking me to enable JavaScript to continue

Ah yes, it’s totally fair that I should allow you to run a Bitcoin miner on my computer in order to stop receiving your junk mail. Well, whatever. Let’s disable NoScript and continue:

Screenshot showing a signin form

After entering my email address and language preference, I get this shit:

Screenshot requesting a one-time passcode

I reload my inbox.

I reload it again.

I get up to get another cup of coffee.

Several minutes later, the message with the one-time passcode arrives, and on the third web page, I’m presented with a long list of “message types” from which I’m finally allowed to unsubscribe:

Screenshot of an opt-out page

All of the “opt-out” boxes are already checked, so I still don’t know why I’m receiving their unwanted marketing bullshit, but maybe unsubscribing again will work. ¯\_(ツ)_/¯

Astute readers may be questioning my assertion a few paragraphs back, that this “powered by OneTrust” verification flow is illegal. Let me explain:

Many years ago, Congress passed the CAN-SPAM Act, which made certain types of spam—unless it’s from politicians—illegal. Like all laws in this country, it totally worked, and nobody has received any spam since. (Or not.) To comply with CAN-SPAM, every commercial email message, solicited or not, must include a working opt-out mechanism; “unsolicited commercial email” (aka spam) is simply the case where nobody asked for it in the first place.

In passing CAN-SPAM, Congress also directed the Federal Trade Commission to enact additional rules to further clarify the law’s requirements. One of those is codified as 16 CFR § 316.5:

§ 316.5 Prohibition on charging a fee or imposing other requirements on recipients who wish to opt out.

Neither a sender nor any person acting on behalf of a sender may require that any recipient pay any fee, provide any information other than the recipient’s electronic mail address and opt-out preferences, or take any other steps except sending a reply electronic mail message or visiting a single Internet Web page, in order to:

(a) Use a return electronic mail address or other Internet-based mechanism, required by 15 U.S.C. 7704(a)(3), to submit a request not to receive future commercial electronic mail messages from a sender; or

(b) Have such a request honored as required by 15 U.S.C. 7704(a)(3)(B) and (a)(4).

Note that the law prohibits requiring me to provide my language preference or a one-time passcode, or any information other than my email address and opt-out preferences.

Note also that the law prohibits requiring me to take any other steps than visiting a “single internet web page” to unsubscribe. “Other steps” would include having to disable browser extensions, click through three different web pages, or wait around for a confirmation email with a one-time passcode.

One of CAN-SPAM’s Congressional findings was that “the receipt of unsolicited commercial electronic mail may result in costs […] for the time spent accessing, reviewing, and discarding such mail.” Spam is insidious because the costs are asymmetric. In 10 minutes, a single sender can blast out a million spam messages. Each of the million recipients then has to skim the message and figure out how to unsubscribe from it. If that takes 30 seconds per recipient, the sender has sucked over 1,000 person-days of productivity out of the economy (assuming an 8 hour workday). If each recipient instead has to spend 5 minutes refreshing their inbox to get the one-time passcode before they can unsubscribe, that one message blast burns roughly 83,000 hours, the equivalent of about 40 full-time employees doing nothing but unsubscribing for a year (at 2,000 working hours per year). (Compare this to telemarketing or in-person sales, where the salesperson has to spend an equivalent amount of time as the potential buyer, and thus is more likely to target their outreach to those who actually want to receive it.)

TriNet isn’t the only company that pulls this kind of stunt, but just because everyone else is doing it, doesn’t make it legal. The multiple layers of outsourced “compliance” companies in this particular debacle would be somewhat comical, if they weren’t so damn evil.

I’m trying to imagine the morally-bankrupt product manager that designed this flow, carefully documenting it in 150 JIRA tickets that were assigned to developers, who discussed it every morning at their daily standup, and then spent 10 sprints building it. And now there’s an utterly clueless salesperson that has been tasked with selling it to other companies. The pitch is probably something like, “breaking the law on your own is hard, you should hire us to help you do it!”

The OneTrust product should not even exist. The unsubscribe link in the spam message contained a unique tracking code, which identified me and proved I had indeed received spam from TriNet. They knew who I was as soon as I clicked the link. There is no valid reason I couldn’t have been taken directly to the third screen in the flow.
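To make that concrete, here is what a single-page opt-out built on the tracking code already in the link looks like. This is an added example, not code from this post, from TriNet or from OneTrust; it assumes a hypothetical HMAC-signed token (recipient, message id, send time), a hypothetical signing key, and an in-memory suppression set standing in for a real database. The token is the only thing the recipient has to present: no email form, no language picker, no one-time passcode.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical signing key for this example; a real sender keeps it in a
# secrets store and rotates it.
SECRET_KEY = b"example-unsubscribe-signing-key"

# CAN-SPAM (15 U.S.C. 7704(a)(3)(A)(ii)) requires the opt-out mechanism to keep
# working for at least 30 days after the message is sent, so give tokens margin.
TOKEN_LIFETIME_SECONDS = 60 * 24 * 60 * 60  # 60 days


def b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsubscribe_token(recipient: str, message_id: str, sent_at: int,
                           key: bytes = SECRET_KEY) -> str:
    """Bind recipient, message and send time into a token only the sender can mint.

    The MAC is what lets the server trust the recipient identity in the link,
    which is why no second factor is needed when the link is clicked.
    """
    payload = json.dumps({"r": recipient, "m": message_id, "t": sent_at},
                         separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return b64encode(payload) + "." + b64encode(mac)


def verify_unsubscribe_token(token: str, now: int,
                             key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the token's claims, or None if it is malformed, forged or expired."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = b64decode(payload_b64)
        mac = b64decode(mac_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)  # payload is authentic at this point
    if now - claims["t"] > TOKEN_LIFETIME_SECONDS:
        return None
    return claims


def make_unsubscribe_url(recipient: str, message_id: str, sent_at: int) -> str:
    """The link that goes into the message footer (hypothetical host)."""
    token = make_unsubscribe_token(recipient, message_id, sent_at)
    return "https://mail.example.com/unsubscribe?" + urlencode({"token": token})


def forge_token_for(token: str, new_recipient: str) -> str:
    """Swap the recipient in an existing token while keeping its MAC.

    Only here to show the check that stops someone from unsubscribing a
    third party; verification must reject the result.
    """
    payload_b64, mac_b64 = token.split(".", 1)
    claims = json.loads(b64decode(payload_b64))
    claims["r"] = new_recipient
    forged = json.dumps(claims, separators=(",", ":")).encode()
    return b64encode(forged) + "." + mac_b64


def handle_unsubscribe(url: str, now: int,
                       suppression_list: Set[str]) -> Tuple[int, str]:
    """Single-request opt-out: one page, nothing to type, nothing to wait for."""
    params = parse_qs(urlsplit(url).query)
    token = params.get("token", [""])[0]
    claims = verify_unsubscribe_token(token, now)
    if claims is None:
        return 400, "invalid or expired unsubscribe link"
    suppression_list.add(claims["r"])
    return 200, "%s will receive no further marketing email" % claims["r"]


if __name__ == "__main__":
    # Constructed sample: one recipient, one message, clicked ten days later.
    sent = 1_700_000_000
    link = make_unsubscribe_url("alice@example.net", "msg-001", sent)
    suppressed: Set[str] = set()
    print(handle_unsubscribe(link, sent + 10 * 86400, suppressed))
```

Two practitioner caveats. First, some corporate mail gateways prefetch every link in a message, so a handler that opts out on a bare GET will unsubscribe people who never clicked; the usual fix is to have the single page submit a POST (the one-click mechanism in RFC 8058 does the same from the mail client), which is still one web page. Second, the expiry must not be shorter than the 30 days the statute requires the mechanism to keep working.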

At each layer of outsourcing, incompetence and/or malice grows, because accountability shrinks. Companies like TriNet, OneTrust, and KnowBe4—all apparently fans of CamelCase—serve no useful purpose other than to milk money from brain-dead executives who read in Harvard Business Review that “HR compliance” is a necessity of modern corporate life. (It’s not.) The cost of these parasites, and their drag on the economy, is far greater than the risk of lawsuits. Instead of giving lip service to compliance, companies should focus more on behaving ethically… like, you know, not sending out spam and making it intentionally difficult to unsubscribe.

My plea to developers being asked to build garbage like OneTrust: don’t. Even in a bad economy, there are better jobs out there. You don’t need formal compliance training to know that “just doing your job” is no excuse for using your in-demand skills to make the world worse instead of better.

I’ve written to TriNet and the FTC. Since TriNet’s entire raison d’être is compliance, I’m sure their top men—top men!—are going to get right on fixing their email practices to comply with the law.

Image of warehouse scene from Raiders of the Lost Ark