
15 posts categorized "Legal"

February 15, 2010

By Dennis Dayman


What marketers might expect in 2010

As some of you know, the Federal Trade Commission (FTC) has been hosting a series of roundtable discussions to explore some of our most recent privacy challenges. These challenges are being exposed more and more each day by the ever-evolving technology base and combination of business practices that help us to collect and use consumer data.

The FTC hopes to hold these roundtables and then use the information gleaned from them to determine how to best protect consumer privacy moving forward while still supporting the uses of new technologies within marketing.

Without realizing it, many of you may be in the midst of these issues identified by the FTC, as you use social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses.

To date, the FTC has already held two (2) roundtables.

  • December 7, 2009 in Washington, D.C.: They focused on data collection and use online and offline. They also discussed consumer expectations and the state of self-regulation. 
  • January 28, 2010 in Berkeley, California: They focused on how technology can affect consumer privacy positively and negatively.  

A third event will be held on March 17, 2010 in Washington, D.C. It is expected to focus on several things, including how to safeguard health data and other sensitive consumer information.

Unfortunately, the findings from the roundtable thus far have been alarming.  It appears that most consumers are grossly unaware of what happens to the data they submit to marketers.  The majority of the time it seems as if they are providing their information to virtual strangers without any regard for their own protection.  The public’s understanding of the need for privacy and security of personal information is sorely lacking, and when overlooked, can have startling consequences.  


Ultimately, the FTC is investigating the possibility of creating a U.S. Privacy framework to give powers to consumers.  This would involve regulations for businesses regarding the collection, processing, transfer, and protection of consumers’ information. 

This could result in a process that would require marketers to become hyper-transparent.  In this case, as the amount of data the consumer provides increases, so does the number of choices the marketer must allow for the said consumer.  The consumer would be provided with more information about what will be done with the personal details they are disclosing as the sensitivity of the information rises.  This means the more data that you need to perform your job of catering your marketing plan to them, the more you will have to tell them about how you are going to safeguard and effectively use their information. (read: Your Privacy policy isn't enough anymore.)

In addition, if an FTC Privacy process were to be instituted, marketers would have to be increasingly diligent in protecting their consumers’ information because these consumers should be much more aware of how their information should be used. The consumers’ expectations would be more prevalent in deciding who was wronged if a negative event, such as a theft, occurred.

Whatever framework the FTC creates in 2010, we can certainly be assured that it will be much broader than today’s form of self-regulating "notice, access, and choice."  The FTC has said that the current forms and processes have been helpful in giving customers knowledge about what will happen to their data if given, but as you have heard me say in the past, it has also resulted in privacy policies that only a lawyer may understand.  In many cases, the knowledge provided was lost on the average consumer because of its overwhelming scope and language.  Given that, you need to be sure that your company’s privacy policy is well-written and geared towards consumers.  This policy stands to be a strong marketing opportunity, provided it is treated as such.

Tips for writing a good policy:

  1. Write it for consumers. (Bearing in mind, most do not have a law degree.)
  2. Keep it short.
  3. Index it, or give it headers so readers can find what they want quickly.
  4. Audit the policy at least once a year (and have non-lawyers read it for clarity).
  5. Add “contact us” features in relevant sections of your policy so people with questions can get answers quickly and easily.
  6. Inform customers about policy changes, but be sure to do so before the changes go into effect.  Give them a chance to change preferences prior to launch. 
  7. Highlight the policy throughout your website and on forms.
  8. Make the information (notice, access, and choice) available as more than just a “read the fine print” option.  Use the opportunity to build their confidence.
  9. Do not try to think for the customer. Do not assume that subscribers or visitors will want new information or want you to share their information.

Keep in mind that the customers’ trust and loyalty will grow when you give them some control over their own information.

In the course of the next week, take the time to look into your data collection practices and programs. It is important to understand what sort of U.S.-based framework would best suit your legitimate business needs, while protecting your consumers’ data. Consider attending the next FTC roundtable to make your voice on this subject heard.

-Dennis, CIPP
Eloqua

Don't Just Send, Deliver! 

November 25, 2009

By Dennis Dayman


Wherefore Art Thou...Consent?

Wow! Being in Washington, D.C. last week was a head-turner. This post might sound like a bore to read, but stick with it and begin to apply it to your email and other online marketing programs.

First, the United States Department of Commerce, with the participation and cooperation of the European Commission and the Article 29 Working Party on Data Protection (those entrusted with privacy in the EU), held the "Across the Divide: Successfully Navigating Safe Harbor -- The 2009 Conference on Cross Border Data Flows, Data Protection and Privacy".

In this, participants examined the progress that the Framework has made, reviewed any changes made to the process for approving binding corporate rules, looked at new paradigms for privacy compliance, and addressed the role information security plays in data protection and privacy. Other topics considered included:

  • Cross border data sharing during pandemics
  • Privacy by design
  • Strategic information management for the enterprise
  • Social network service providers and behavioral advertising in cloud computing
  • Global privacy standards
  • Electronic discovery in civil litigation

Second, the U.S. House Committee on Energy & Commerce held another joint hearing to examine consumer data collection & use. Witnesses testified before a joint hearing of the House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection (CTCP) and Subcommittee on Communications, Technology, and the Internet (CTI) last week in which they discussed collection and commercial use of consumer data in the offline and online marketplace.

Members of the committees expressed interest in learning what controls would instill confidence in consumers about data collection and use, questioning whether concerns about targeted marketing would be allayed by providing thorough disclosures of what and how information is collected and offering consumers the choice of opt-in or opt-out depending on the nature of the information.

As you may already know, the chairmen and ranking members of both subcommittees are working on draft legislation to address a range of privacy issues at the federal level. A draft bill is expected to be circulated in the next several weeks.

Folks, you've heard it from me once, if not twice, or three times. Privacy and compliance should be an integral part of your online marketing activities and daily decisions when creating campaigns. As it is today, the Internet knows no bounds when it comes to state and country borders. Many of these countries already have stringent privacy regulations that you might have to comply with when it comes to opt-in for email and/or tracking cookies.

What we are seeing today in these sessions all applies to online and possibly offline marketing. Will we see a U.S. federal privacy rule like Canada and the EU have today? Very possible in my opinion, but it will not be without major discussions as you see above. You need to ensure your companies are involved in these discussions or at a minimum monitoring these changes.

More reading: FTC Urged To Clamp Down On Data Collection Online

-Dennis
Eloqua

Don't Just Send, Deliver!

November 20, 2009

By Dennis Dayman


Me want cookie!, Me eat cookie!, Om Nom nom nom

Well, I'm not sure how the Cookie Monster will take this news, but if you haven't heard, online advertising and tracking is threatened by Europe's new cookie law.

If the new law is passed within the next few weeks, websites in the EU will be required to seek consent from users before serving cookies which will ensure more pop-ups for customers to click on for consent. This requirement will go into effect eighteen (18) months after the bill is signed somewhere around December 14th.

Now of course you're asking yourself, why didn't I hear about this? Well don't worry, you're not disconnected... this cookie requirement, similar to German cookie law, is attached/hidden in a new telecom package which seeks clauses that require a court's authority before an individual can be disconnected from the internet for illegal downloading. The EU's Council of Ministers and Parliament are in disagreement over that single clause in the package of laws. The rest of the package, which includes the cookie plan, is closed and agreed to, but for the cookie plan to go into effect the ENTIRE package has to pass. So if we are lucky and they can't agree to the rest of the package by December 14th, then we are safe. If they do agree, then cookies will be opt-in in the EU.

The law does, however, make an exception for cookies that are "strictly necessary" to provide a service. So anything requiring a cookie that helps a shopper get from a product page to a checkout doesn't require a consent notice. A consent notice, though, will still be required for cookies that are used in traffic analysis or advertising. For most of us we might have some issues here.

The current law says that sites using cookies must give visitors "clear and comprehensive information" about the purpose of the cookies and must offer visitors "the right to refuse" the use of cookies.

What's happening here is that many websites don't seem to offer the clear and comprehensive information and the right to refuse mentioned in the current law. An example of choice can be seen on Eloqua's website here. So what we see happening here is they are making it a requirement; short, sweet, and clear.

Stay tuned; hopefully our cookies won't go stale on us.

-Dennis
Eloqua

Don't Just Send, Deliver!

Blogged from 37,000 feet using GoGo InFlight

September 23, 2009

By Dennis Dayman


Privacy policy isn't enough anymore

This is a little late in posting, but I'm glad that it was because I have been able to sit down and think about this at great length.

Is simply posting a privacy policy good enough anymore? Is simply saying what you will and will NOT do in a privacy policy enough? It may not be.

As you may have heard by now, the Federal Trade Commission (FTC) charged in its complaint that Sears, Roebuck and Company and Kmart Management Corporation failed to disclose adequately the scope of consumers’ personal information collected via a downloadable software application.

Users could download Sears' tracking software, which monitors web activity, and each user was paid $10.00 (which is a lot) if they kept it for a minimum of one month... oh, and all one had to do to secure this plentiful bounty was turn over to the company every single bit of information about one's Web browsing.


Now you're probably saying, so? No worries on them tracking their customers on their site. Not so fast. Sears and its data collection partner also gained access to the "contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails," said the FTC. They also collected non-Web information about the user's personal computer.

Did Sears hide the fact that they were collecting all this personal information? NOPE... They posted every juicy detail of what they were doing in their privacy policy and in a fifty-four (54) page license agreement for users to read in GREAT detail at their convenience. Yeah, right! Who reads that stuff? (CYA note: I do as the Chief Privacy Officer) ;)

So, of course a few researchers noted this problem to the FTC who then charged that Sears did not "adequately disclose the scope of the tracking software's data collection."

Now, when you look at all the details involved here, Sears wasn't trying to hide the fact they were monitoring you, they weren't hijacking browsers, secretly doing drive-by installations, or anything illegal or anything unfair. The FTC was concerned that Sears would be tracking people online for marketing purposes but hadn't clearly disclosed what they were doing. Up until now, Sears's disclosures were both legally valid and commonplace. However, in the past the FTC has said in two (2) other cases that companies couldn't bury critical disclosures about the nature of adware in fine print (Zango and Direct Revenue). The Sears case here is NOT adware, mind you. This is a case where the user would/should have known they were sharing personally identifiable information (PII) when they read those documents. They were ASKED to share their information if they downloaded this program.

So what's the lesson learned here? What's the big deal to your business? Will it REALLY impact you? The simple answer in my eyes this beautiful fall morning in Texas is YES!

This settlement with the FTC shows that the FTC is watching and waiting for those who might be trying to confuse the average consumer. This means that you will need to be "hyper transparent" when you're collecting, transferring, and processing PII. You can NO longer just think that posting in your privacy policy what you're doing with a person's information is sufficient. You need to become "hyper transparent".

This could mean that in certain sign-up forms or marketing processes you should break out the relevant impact points of how you're collecting and what you're planning on doing with this information once you collect it, upfront and not buried in some legal linked document. This means if you plan on doing more with transference of data that you warn the users more upfront about it. This means that if you want to use their information for more than just normal out of band use, you need to be up front about it.

You get the point here? A PRIVACY POLICY IS NOT A GET OUT OF JAIL FREE CARD FOR YOUR MARKETING PROGRAMS AND PROCESSES. Never has been to be honest.

In this settlement:

  • Sears has agreed to destroy all data gained from the experiment and stop collecting data from any software still running in the public domain.
  • If it wants to do any tracking in the future, the company has committed to "clearly and prominently disclose the types of data the software will monitor, record, or transmit.
  • Any disclosure must be made prior to installation and separate from any user license agreement.
  • Sears must also disclose whether any of the data will be used by a third party."

Here are the relevant links to the FTC announcements if you want to read further.

Sears Settles FTC Charges Regarding Tracking Software

FTC Approves Final Consent Order Requiring Sears to Disclose the Installation of Tracking Software Placed on Consumers’ Computers; FTC Approves Final Consent Order in Matter Concerning Enhanced Vision Systems, Inc.

-Dennis
Eloqua

Don't Just Send, Deliver!

September 01, 2009

By Dennis Dayman


FTC bans robocalls without written permission

Wow, what a summer... As you're probably already feeling, it's quite difficult getting back into the normalcy of things these past weeks after that nice long holiday. For Jennifer and me, kids started school these past few weeks, a lot of the email/privacy alliances and coalitions are spinning up their regular meeting schedules, I'm trying to get back into the habit of blogging and producing research on a regular schedule, and today, September 1, 2009, is the day that many new laws, either federal or state, will take effect and will have some sort of impact on your work and personal lives.

For us here in Texas, there are SEVERAL new laws taking effect today (wear your seatbelt no matter where you’re sitting in the car. Don’t talk on a cell phone in a school zone. Put your kid in a car seat if the child is 8 years old or younger and not taller than 4-foot-9, etc.) that will have an impact on us as citizens, but if you haven't been monitoring, there are also a few new federal ones that will have an impact on your marketing process.

The biggest one that you might have heard of is the new Federal Trade Commission's (FTC) rule covering unwanted "Robocalls". The new requirements are a part of the FTC's larger Telemarketing Sales Rule (TSR) that begins September 1, 2009, prohibiting prerecorded commercial telemarketing calls to consumers, or robocalls, unless the telemarketer has obtained permission in WRITING from consumers who want to receive such calls. This was announced a year ago by the FTC.

The rules look something like this.

  • If you send a robocall, the telemarketer must have permission IN WRITING before calling the target
  • If you're a seller or telemarketer and you transmit without written permission, the fine is $16,000 per call.
  • It DOES prohibit robocalls even if you have previously done business with them
  • The pre-recorded call must tell the user how to opt out at the start of the message
  • Provide an automated opt-out mechanism that is voice or keypress-activated
  • If your pre-recorded message is left on an answering machine or voicemail, it must also provide a number that connects to the automated opt-out system.

The new regulations will not affect consumers' ability to continue to receive calls that deliver purely "informational" prerecorded messages notifying recipients, for example:

  • that their flight has been cancelled
  • they have a service appointment, or similar messages

Such purely "informational" calls are not covered by the TSR because they do not attempt to sell the called party any goods or services. Others not covered, and by no surprise, are politicians, banks, surveys, debt collectors, health care/prescription refill messages, telephone/utility carriers, and most charitable organizations.

After September 1, sellers and telemarketers who transmit prerecorded messages to consumers who have not agreed in writing to accept such messages will face penalties of up to $16,000 per call.

Calls made by humans will still be allowed, but not if the phone number is on the National Do Not Call Registry.

After September 1, consumers who receive prerecorded telemarketing calls but have not agreed to get them should file a complaint with the Commission, either on the donotcall.gov Web site or by calling 1-888-382-1222.

If you want all the details about the robocall regulations, please read the Federal Register Telemarketing Sales Rules Final Rule Amendments. The FTC also published a site that helps businesses comply with the TSR, which is very lengthy, but should answer most of your burning questions that I did not touch on here, like telemarketing calls to businesses.

You're now asking why I'm telling you about this if it doesn't impact digital communications like email? Think really hard now...

How many of you send out an email invite to customers about something like a conference or webinar and then follow up with a robocall telling the user to look for the email? For some of you, the email open rates are significantly higher than those that did not get the robocall in these situations and thus you regularly use this process. Can you still use this process? Probably not.

-Dennis
Eloqua

Don't Just Send, Deliver!

July 03, 2009

By Cari Birkner


Profiles in Email Laws: India's IT Act Amendment

A quick Wiki on the world's laws governing email suggests that four of the largest, fastest growing national economies and much buzzed about 'BRIC' countries have one thing in common: a lacuna of legislation or enforcement to regulate commercial email. Brazil has a short section in its Empresa Brasileira de Telecomunicações (Portuguese) on email published in 1999, but it is quite vague and lacks enforcement capabilities. Russia loosely addresses advertising email in Russian Civil Code 309. China has actually passed the most clear legislation on email with its 2006 "Regulations on Internet Email Services", which holds ESPs responsible and requires opt-in, as well as the placement of the word "AD" at the beginning of subject lines. However, India has recently passed an amendment to its IT Act of 2000, without addressing commercial email. Below is an overview of IT regulation so far in India.

Overview: The closest legislation relating to email in India is the newly amended Information Technology Act of 2000. It was previously amended in 2006, and Indian lawmakers amended the IT Act again in December of 2008. However, the 2008 amendments have yet to be published in the Gazette of India and still do not address email. The law addresses the following, summarized by Justice Rajesh Tandon of the Indian Cyber-Regulations Appellate Tribunal:

  • Tampering computer source documents
  • Hacking with Computer system
  • Loss/damage to computer resource/utility
  • Hacking
  • Obscene publication/transmission in electronic form.
  • Failure of compliance/orders of Certifying Authority.
  • Failure to assist in decrypting the information intercepted by Govt. Agency.
  • Un-authorized access/attempt to access to protected computer system.
  • Obtaining license or Digital Signature Certificate by misrepresentation/suppression of fact.
  • Publishing false Digital Signature Certificate.
  • Fraud Digital Signature Certificate.
  • Breach of confidentiality/privacy.

Enforcement Effects: Interestingly enough, India's 2008 amendment to its IT Act has reduced the punishment for "cyber crime" from 5 years to 2-3 years and has made violations of the act bailable offenses. However, the amendment has apparently closed a lot of loopholes in the existing law. As India's economy develops, a stronger IT infrastructure and a greater presence in the online marketplace will come to fruition. Without enforceable email laws specific to India, the online reputations of companies with a global reach could potentially suffer.

Industry Self-Regulation: CAUCE India was founded in 1999 and later merged with CAUCE Australia to form APCAUCE (Asia-Pacific), a volunteer organization lobbying against unsolicited commercial email. APCAUCE is a division of iCAUCE. In a growing economy, Indian companies with a global reach are in the right position to develop functioning rulesets that are fair to both marketers and consumers. Many email marketing laws around the globe find their roots in industry-developed best practices.

Relevant Resources:

Department of Information Technology (IT Act 2000)

iCAUCE - International Coalition Against Unsolicited Commercial Email

Cyberlaw India- Information on the IT Act, amendments, opinions, articles and resources from Mr. Pavan Duggal, a prominent India IT legislation advocate. 

IT Act 2008 (.pdf Actual Legislation in English)

April 03, 2009

By Joshua Baer


M-Spam law coming to target Mobile Spam?

AFP reports that two US senators declared war on spam on Thursday. Senator Olympia Snowe, a Republican from Maine, and Senator Bill Nelson, a Democrat from Florida, introduced legislation aimed at curbing unsolicited text messages on mobile devices.

The m-SPAM Act of 2009 is intended to crack down on what the senators described as a "growing nuisance for millions of wireless customers."

Apparently, they plan to link mobile phone numbers in the Do Not Call Registry to SMS spam as well. There isn't much more, but you can find it here.

Thanks to Josh Janicek from UnsubCentral for bringing this to my attention!

March 18, 2009

By Dennis Dayman


Who Cares About Privacy Policies?

My friend DJ Waldow does an excellent job of pointing out the fact that not following what you say you will or shall do with customers' information within your privacy policy can get you into trouble with end users who do not agree with the mail they receive. However, I would also add to this piece that you could as well get the attention of the U.S. Federal Trade Commission (FTC) or a Data Protection Authority (DPA) in some countries by performing an unfair or deceptive trade practice. Not following process or promises within your stated privacy policy can violate Section 5 of the FTC Act. Section 5 of the FTC Act prohibits unfair or deceptive acts or practices in the marketplace.

Per the FTC's site on Unfairness & Deception, a key part of the Commission's privacy program is making sure companies keep the promises they make to consumers about privacy, including the precautions they take to secure consumers' personal information. To respond to consumers' concerns about privacy, many Web sites post privacy policies that describe how consumers’ personal information is collected, used, shared, and secured. Indeed, almost all the top 100 commercial sites now post privacy policies. Using its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, the Commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers’ personal information. The Commission has also used its unfairness authority to challenge information practices that cause substantial consumer injury.

Some Enforcement Examples:
http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html

Make sure, folks, you have someone on staff who can understand privacy and not just email best practices.

A good information or privacy officer must:

  • Hold a senior position
  • Be familiar with how information is collected, stored, used and disclosed in the business
  • Understand how privacy impacts your business and its customers
  • Know how to ensure your company is in line at all times with its stated policies
  • Be experienced with client relations
  • Be comfortable with legal matters

This is a great piece, DJ! Thanks for putting it out there and reporting on some of the industry discussions at the conferences.

--------

Who Cares About Privacy Policies?
March 17th, 2009 by DJ Waldow

Privacy Policies.

Everyone has them (even Bronto). You can usually find them in the fine print at the bottom of pretty much every website.

When I first wrote that last sentence, I was kinda joking, but then decided to test it out. Try it. Go to your favorite website. Maybe it’s Google or ESPN or CNN. Scroll to the bottom. I promise that you’ll see a link to some form of a privacy policy. Trust me (or google “privacy policy” now).

But, what do “privacy policies” really mean? Who actually follows them to the letter or even spirit of the law? I’d argue that the answer to that last question is very very few.

I sat in on a session at the Marketing Sherpa Email Summit 2009 yesterday afternoon and heard the following statement from a representative of a major marketer when asked about how they adhere to their email privacy policy.

“[Company ABC] has a pretty liberal privacy policy.”

It was followed by an uncomfortable, somewhat awkward laugh, then silence. I’m not sure, but I may have even seen a “wink wink.” That type of statement worries me…and it should also make you - as a consumer - uncomfortable. When thinking about email marketing, what exactly does “pretty liberal privacy policy” mean?

As a marketer, if I have a “pretty liberal [email] privacy policy” does that mean I don’t need to honor the rights of my subscribers? Does it mean that I can send them any email I choose because my privacy policy states it is okay?  Does it mean I can send third party emails? Because I have a privacy policy, can I just do whatever I want with “my” data or “my” customers?

If you’ve answered “yes” to any of the questions above, you may be experiencing deliverability issues. After all, much of good deliverability is about sending relevant, timely, targeted emails to those who have asked for it. Loose adherence to privacy policies tends to break one - if not many - of the above adjectives. If you think slapping that privacy policy on your website is the same as earning permission to email those who use it, think again.

Is it time to review your privacy policy? What do you think?

*Happy St. Patrick’s Day

DJ Waldow
Director of Best Practices & Deliverability at Bronto

------

-Dennis

Don't Just Send, Deliver!

March 17, 2009

By Dennis Dayman


Tracking users a thing of the past?

So, some of you know I finally was able to "escape" the house this past week to attend the IAPP Summit in Washington, D.C., and at the same time I attended the Center for Democracy and Technology (CDT) 2009 Gala, where the attendees were given an introduction to some of the potential changes to behavioral advertising.

As you may recall, in a previous blog post I discussed changes to permission rules in the U.S. future in regards to behavior advertising/tracking and the mechanism/policies behind those. In that blog post I explained some of the changes that our new FTC Chairman, Jon Leibowitz, is currently reviewing/proposing in the upcoming FTC inter-workings.

Chair Leibowitz once again reviewed some of his wishes and thoughts at the CDT gala last week with us, but at the same time in another speech at the gala Rep. Rick Boucher (D-VA), Chairman of the House Energy and Commerce Subcommittee on Communications, Technology and the Internet, indicated that he intends to create an online privacy bill that would include behavioral advertising as well as all collections of information online. The bill itself would introduce a first party opt-out requirement for sharing of data and an opt-in for affiliates and non first parties for sharing of information, including transfers and collections from third parties. “Internet users should be able to know what information is collected about them and have the opportunity to opt out”. This could hurt a number of advertising practices for some of you or even email programs depending on how you track opens/clicks and refer to websites for turnover.

No bill has been written yet, but Boucher wants to make website owners disclose how they collect and use data, and give users the option to opt out of any data collection. Now, if I recall, don't most of us do that now in self-regulation? I know many do in fact... My privacy policy states that.

It takes a lot of backing to get a bill to the President's desk, and if I also recall again, I haven't heard Obama's administration really making privacy a big issue on his list of things to "clean-up" in the White House. Of course, President Obama DID pick Leibowitz himself to lead the FTC, who would regulate such aspects of privacy regulations and who is a long-time privacy advocate himself.

Make sure you read that post I was talking about above. Make sure you begin to look at some of the widely accepted self-regulated practices of information sharing, processing, permissions, etc. As the post discusses, many people, businesses, and trade groups are working to tighten their practices so maybe they can prove to the regulators that a bill is NOT necessary.

-Dennis
Eloqua

Don't Just Send, Deliver!

March 08, 2009

By Dennis Dayman


Changes to permission rules in U.S. future?

We might be seeing a change in email or marketing rules here in the United States soon, and I'm talking more restrictive ones.

Recently a customer of mine called me challenging whether or not their attorney was right in requiring their marketing department to include ADV in the subject line of their U.S. based emails.

Now, off the top of my head I knew it was NOT a requirement to have ADV in the subject line based on Can-Spam, but I went ahead and emailed a few trusted colleagues the question just to see what their thoughts were on the use of it. In 2005, the FTC gave a report to Congress on whether the use or requirement of ADV in the email subject line was a good or bad idea. In this report it was voted NOT to include it as a requirement. http://www.ftc.gov/opa/2005/06/adv1.shtm

When my colleagues responded, one of them added this: "Look into Can-Spam Sec 5(a)(5)(A)(i) and (B). 'Clear and conspicuous identification that the message is an advertisement or solicitation' is required unless there is prior affirmative consent. There is no specification on what constitutes 'clear and conspicuous identification,' which says there is not a standard format for doing this."

When another colleague responded, he also reminded us of some changes to come in the FTC and that, in the report to Congress, FTC Commissioner Leibowitz heavily suggested the use of ADV in the subject line. "In his dissenting statement, Commissioner Leibowitz said, “Requiring commercial e-mail to be labeled is not a panacea but, as the CAN-SPAM Act clearly recognizes, there is no single bullet theory for solving the spam problem. An ADV labeling requirement could be a modest tool to empower consumers to filter and sort commercial e-mails – to read them later, evaluate them individually, or delete them in bulk if they choose – and for that reason I respectfully dissent from the majority and urge Congress to consider a labeling requirement.”" Again, the Commission vote to submit the 2005 report was 4-1 with Leibowitz dissenting.

So here's the interesting part in all this: on February 27, 2009, President Obama announced his intent to nominate Jon Leibowitz as Chairman of the Federal Trade Commission.

Just two weeks prior to the announcement, the new chairman also warned media companies and marketers that the FTC's new privacy protection guidelines could be their last chance to avoid regulation. "As the Report points out, targeted advertising can benefit consumers, subsidize free content, and promote a robust online market. But the concomitant online tracking and data collection, coupled with inadequate notice to consumers about what information is collected and how it is used, raise critical privacy concerns. How companies collect, combine, disclose and dispose of this data has serious ramifications for consumers." 

What does this mean for us in the email world here in the U.S.? Will we see stricter rules on email permissions, labeling, handling, and a step up in Can-Spam violation prosecutions if you don't do it right?

This also means we could be seeing possible regulations on how behavioral marketing is performed. We could be seeing a fundamental shift in current U.S. law to one that MIGHT resemble how the European Union (EU) protects its consumers with default opt-in choices on email, cookies, etc.

How will you react to changes from the FTC when it comes to permission or requirements on email, advertising and cookies? How does your company measure up to the self-regulations I just blogged about?

Folks, start looking at this stuff now. Start auditing your company's data flows and permissions. I would suggest you start creating committees in your company that consist of decision makers from each department that's in charge of customer data. Everything from IT, sales, and marketing. These committees should be discussing, at a minimum, how you secure your data and handle consumer permissions. These groups should be the people who store the data for you, back up the data, obtain the data, transfer the data, use the data, or touch the data in any way (including third parties). They should meet weekly to discuss changes to your systems or processes to understand the impact they will have on consumers and your company, or even on future self-regulation or required regulations.

I know a few email/privacy coalitions and alliances are watching this one carefully. Maybe your company should be as well.

-Dennis
Eloqua

Don't Just Send, Deliver!

March 02, 2009

By Dennis Dayman


Privacy in marketing/advertising

Before you dive into all this information, I want you to understand my purpose in this post. While the majority of you in the email industry tend to focus on the day-to-day email operations around best practices (complaints, hard bounces, blocks, etc.), I feel as if many of you haven't taken the time to see what's next on the horizon for us. There is a new compliance issue coming and it's not as simple as the email stuff you deal with today. Some of you here have a great opportunity to learn something new and take your careers even further while still being attached to email and marketing. I have two things I am responsible for here at Eloqua: email best practices for clients and our company, and privacy issues for clients and our company. They go hand in hand in a lot of ways and in others they do not, but the compliance aspects of both are VERY similar when it comes to email. So, as you read this... think a little outside your email box today and see what you need to be auditing your clients and company for.

I know some of you email heads have been making sure you have a privacy policy that accurately describes all use of the data you collect and the internet technologies you use and how you monitor that any affiliates or partners that advertise your products, services or website are honoring their imposed Can-Spam requirements (you’re not free from their actions), but has anyone read or been concerned with some of the impending state legislation about email or website tracking? Now don't be scared just yet...

If you're not aware of this, states like New York (NY AB 1393/SB 0616 - Assembly Committee on Consumer Affairs and Protection) are seeking bills to regulate online advertising networks and online preference marketing. It restricts the collection and use of information for online preference marketing, including barring the use of Personally Identifiable Information (PII) in preference marketing, except for PII provided with consent, and requiring the ability for consumers to opt out of the use of their non-PII in online preference marketing. The bill also would require clear and conspicuous privacy and opt-out notices. Sounds easy enough? Well, it is, and it is well supported throughout the advertising industry.

The New York bill, like many others, is similar if not identical to the Network Advertising Initiative (NAI) principles. The NAI Principles detail the consumer protections its member ad networks agree to provide with regard to the use and collection of personally identifiable and non-personally identifiable information for the purposes of targeting marketing efforts. Included in this framework are the principles of consumer notice, choice, and fair dispute resolution. Here is a graphical representation from the NAI on this if you don't have time to read the above-linked principles.

[Image: NAI roadmap]


If you're also not aware, on February 12, 2009 the Federal Trade Commission (“FTC”) released a revised set of four principles for the self-regulation of online behavioral advertising. Goodwin Procter did a GREAT breakdown/client alert of these principles here.


The highlights from that alert:

Transparency and Consumer Control 

This Principle provides that a website utilizing behavioral advertising should provide a clear, concise, consumer-friendly and prominent statement that behavioral data is being collected. Such a statement should also provide that consumers can choose whether or not to participate. Websites are encouraged to provide  consumers with a clear method for exercising the opt-out option.  

 
Security and Data Retention Policies 

Websites that collect and store user data are encouraged by this Principle to use reasonable security measures to guard that data. Factors to consider in determining the appropriate level of security include the sensitivity of the data, the risks a company faces, the nature of the business and the availability of reasonable protections to the company.  

 
Express Consent for Material Changes 

The company should obtain consumer consent before it uses previously collected data in a way that differs materially from the privacy policy that existed at the time the data was collected. For example, if an acquisition prompts a change in the use of collected data, this Principle encourages the surviving corporation to obtain consumer consent for the new policy. 

 
Express Consent to Use of Sensitive Information

The fourth Principle urges companies to collect sensitive data via behavioral advertising only after a consumer expressly consents to its collection. Such data would include, for example, health information, Social Security numbers and information about children.

So where do your clients and company stand in all of this? Are you in support? Can you comply? Can you stay in business with the methods you use today? This isn't like dealing with Can-Spam here, folks. For many of you this is a whole new ball game.

Talk to your attorneys or compliance people about this.

-Dennis
Eloqua

Don't Just Send, Deliver!

February 25, 2009

By Cari Birkner


Profiles in Email Laws: Austria's EU Opt-In Regime

Overview: Austria's email laws are based around the EU Directive 2002/58/EC, which requires consumer permission or opt-in except under the following circumstances: consumer information was obtained during a sale of a good or service, and the direct marketing message is for a similar good or service. So basically, a prior relationship with the consumer must exist. Also, a clear and free opt-out mechanism and an opportunity to object to messages at the time of data collection must be provided, the sender must be identified, and the message has to be labeled an electronic advertisement.

The specific law in Austria that implements the EU directives is the TKG 2003 Telecommunications Act, specifically section 107. The government body responsible for enforcement is the Austrian Data Protection Authority.  The Austrian law specifies that opt-in applies to both natural and legal persons; therefore, b2b communication must be opt-in unless it meets the other EU directive requirements. Violators of the law can be fined up to €37,000 in Austrian courts.  Austria's Data Protection Act deals with general privacy issues, and their e-Commerce Act includes sections concerning unsolicited communication and plans for a "Do Not Spam" list.

Enforcement Effects: Because the EU directive leaves it up to individual countries to define the terms 'preexisting relationship,' 'similar goods and services' and 'natural or legal persons,' all of the European countries with individual laws tend to vary slightly. Therefore, marketers in the EU, to avoid the risk of getting in trouble in a specific country, have largely adopted opt-in only sending practices.

Relevant Resources:

2003 Telecommunications Act (translated pdf-English)

Austrian Data Protection Commission (English)

OECD Austria Page - includes Austrian government contact information

Anti-Spam Laws in the EU Resources from Email Marketing Reports

Email Rules in the EU Marketing Profs article

January 26, 2009

By Cari Birkner


Australia's Right to Receive Rules

Overview:

Commencing April 11, 2004, Australia's Spam Act 2003 is one of the earliest opt-in laws surrounding commercial email. The law bans the sending of unsolicited commercial emails containing an Australian link. The act also pertains to instant messaging and telephone accounts. It states that the advertiser in a commercial message must provide identifying contact information as well as a working unsubscribe mechanism. In addition, address-harvesting software, as well as lists compiled using address-harvesting software, are banned. The governing body in Australia responsible for enforcement is the Australian Communications and Media Authority (ACMA). Violators of Australia's Spam Act typically incur civil penalties and injunctions, the severity of which is based on previous offenses and damages incurred by victims. Government bodies, registered political parties, charities, religious organizations and educational institutions are exempt. The law underwent a mandatory two-year review in 2005, where few amendments were made.

Enforcement Effects:

According to the ACMA, as a result of Spam Act 2003, 200 businesses have since been required to amend their email practices, five businesses have been fined over civil penalties totaling $20,000, and three businesses have provided enforceable undertakings. The ACMA has recently begun a federal case under the act against three companies for allegedly sending mobile users unsolicited SMS messages concerning Australian dating sites, seeking fines of up to $1.1 million per day. A hearing has been set for February 6.

Industry Self-Regulation:

The Australian eMarketing Code of Practice, coordinated by the Australian DMA, outlines best practices for Australian businesses sending commercial email. It applies to all companies that use email or mobile as their main form of marketing, as well as third parties and affiliates who send on their behalf.

The Internet Industry Association's Spam Code of Practice outlines regulations for ISPs and email service providers which are enforceable by the ACMA under the Spam Act. Compliance with this code provides ISPs and ESPs legal protection under certain statutes. 

Relevant Sources and Resources:

Current Spam Act 2003 (pdf): Full text of the legislation.

ACMA: Spam and e-Security page.

EFA Australian Spam Laws: Includes EFA 2006 Review and Analysis of the Spam Act 2003.

OECD Task Force on Spam: Includes links to the laws, government enforcement contacts, organization pages and education and awareness initiatives. 

White SW Computer Law: Updates and an informative history of the Spam Act and its enforcement from an Australian law office specializing in IT and intellectual property.

Email Marketing Reports: Outlines links, reviews, and relevant documents pertaining to Australian anti-spam legislation.

Starting in March, all ISPs in the UK are required to keep track of every email sent and received for a year and to provide that information to the government to help fight terrorists. Not only that, but they are going to pay the ISPs to do it. What a colossal waste of money and invasion of privacy!

December 23, 2008

By Joshua Baer


No pot of gold at the end of this rainbow

The Silicon Republic writes: 

"Tough new Irish laws will see businesses face fines up to €250,000 if they are found guilty of sending unsolicited email.

Communications Minister Eamon Ryan has signed new legislation to tackle spamming and other unsolicited communications.

Under the new regulations, unsolicited mail for direct marketing purposes will be an indictable offence.

The Data Protection Commissioner can refer serious breaches of the legislation for prosecution through the Circuit Court where fines of up to €250,000 or 10pc of the company’s turnover, whichever is greater, can be imposed.

Fines for less serious offences will increase from €3,000 to €5,000."


Is this just another spam law? One comment by an Irish public official raised some concerns for me. Billy Hawkes, Data Protection Commission, said, "Increasingly, in this period of economic downturn, my Office is receiving complaints about businesses making unsolicited contact with their past customers for marketing purposes."

So apparently in Ireland, a previous business relationship is not adequate permission to send an email promotion? 

Joshua Baer
Datran Media

p.s. Hat tip to Chris Wheeler from Datran Media for pointing this out.
