Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. This week, our attorneys will be writing about specific examples of those services.
Big data and the interactivity of digital marketing are powerful tools for marketers, but consumer data protection laws have evolved in recent years, creating new and heightened compliance and risk management issues that must be addressed when executing advanced advertising campaigns and consumer relationship management (“CRM”) programs. This can be done effectively only if a company develops a privacy-by-design compliance culture with a process for conducting impact assessments before launching new products, services, campaigns or programs that could affect consumer privacy or data protection. Such assessments can also incorporate analysis of traditional consumer protection impacts, such as compliance with advertising and sales laws, and of intellectual property impacts (both third-party infringement risks and protection of company IP). We have developed forms that clients’ legal and/or compliance professionals can use to gather the relevant information from product and marketing teams and assess legal impacts during the development process, so that products, sales and marketing can be designed in a manner that minimizes potential liability while achieving business goals. This approach is fundamental to how BakerHostetler helps clients be proactive, and not just reactive, about privacy, data protection and other consumer protection issues.
Companies are increasingly relying on innovative and edgy digital marketing campaigns to promote their products and services. Campaigns often include user-generated content, viral marketing, the brand’s web site, a mobile application, and other social media and social networking elements. Companies are also looking to harness data through loyalty programs and consumer tracking to better understand and serve their customers. However, the tech-savvy marketing professionals who are entrusted to implement these programs are often unaware of the complex patchwork of state and federal legal schemes, self-regulatory program obligations, and potential significant financial repercussions for their companies’ failure to comply with applicable laws.
As a starting point for in-house counsel to assess the privacy impacts of their companies’ marketing and sales activities, see the list below, which poses questions you should be asking. When you read the answers to the questions below, you will get guidance on the issues to help inform your diligence and counsel. There are an equal number of advertising law and intellectual property issues that relate to marketing campaigns and CRM programs, which will be addressed in subsequent blog posts.
The last decade has seen technology change how companies can target consumers in ways that were hardly imaginable before. The results can be beneficial to both brands and consumers, but consumers also face real risks and burdens as a result. Beyond the privacy issues discussed in this post, regulatory and intellectual property issues must be considered, both of which will be discussed in future blog posts and client advisories. Companies need to weigh the benefits and risks of proposed advertising, CRM, and sales schemes and be aware of the regulatory landscape that continues to evolve as technology advances. Further, the most important asset a brand has is its consumer goodwill. New marketing, CRM, and sales approaches that consumers appreciate build goodwill, but those that are perceived as misleading, unfair, or too intrusive can harm the brand. The role of legal counsel is to help marketers identify and evaluate the risks of novel promotional, consumer relationship management, and sales techniques from conceptualization through execution so that they may minimize risk while still achieving a compelling campaign that delivers the desired return on investment.
This post is based in part on TOP TEN PRIVACY CONSIDERATIONS FOR DIGITAL MARKETING, to be published in Promotion and Marketing Law, 8th Ed. (Brand Activation Assoc. Foundation, 2014).
- identifying the categories of personally identifiable information collected and third parties with which such information may be shared;
- describing any process (if the site has one) for reviewing and requesting changes to collected information;
- describing the process by which the operator notifies users regarding material changes to the policy; and
- identifying the effective date of the policy.
- disclosing how the operator responds to web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information; and
- disclosing whether third parties may collect personally identifiable information about an individual consumer’s online activities over time and across different web sites when a consumer uses the operator’s site or service.
As of January 1, 2015, privacy policies of services that allow user content postings will also have to provide, in a specified manner, notice of and a process for minors to request removal of content they have posted about themselves.
CalOPPA requires privacy policies to accurately describe data practices and provides specifics as to how its requirement of “conspicuous posting” may be met, including with regard to placement, various types of font treatment, and word content. The California Attorney General has issued further guidance, particularly on how to deal with the small screens of mobile devices. The FTC has long used its deception authority to prosecute inaccurate or misleading statements in privacy policies as false advertising claims. In addition, certain regulated industries have specific privacy disclosure obligations, and online services directed to children have special regulatory requirements, outlined below. Accordingly, it is essential that companies annually audit their data collection, use, sharing, processing, storage, and security practices and ensure that their privacy policies completely and accurately explain all material practices and comply with applicable laws. Most companies will also need to meet the more stringent California requirements.
2. Are you using third parties to collect information, or are you sharing information you collect with third parties?
3. Does your campaign incorporate cookies, pixel tags, browser fingerprinting, web beacons, or other tracking technologies, and do you disclose these practices?
4. Has “privacy by design” been incorporated in your campaign development process?
In March 2012, the FTC released a set of recommendations for businesses regarding the collection and use of consumer personal information. (See FTC Issues Final Commission Report on Protecting Consumer Privacy.) A central tenet of this report (the “Privacy Framework”) is the notion of “privacy by design” (“PbD”), the philosophy of embedding privacy and data security considerations from the outset into the design and development of information technologies and minimizing the collection and use of data to what is necessary under the circumstances. The goal of privacy by design is to minimize the privacy impact on consumers and maximize their informed choice. Companies that can “bake in” privacy protections for a new campaign in the conceptualization phase are more likely to avoid having to make changes right before launch or post-launch, when doing so may cause delay and additional cost. In order to implement PbD effectively, it is essential that a knowledgeable privacy professional evaluate the planned data practices to identify issues. For instance, the defendants in the recent flood of lawsuits relating to collection of consumer information as seemingly innocuous as mere zip codes in connection with credit card purchases, which violates California, Massachusetts, and other state laws, could have avoided those claims had compliance counsel been involved in the development of the purchase flows. Such an impact assessment is essential when integrating loyalty programs with point-of-sale systems to avoid noncompliance with these credit card transaction privacy laws.
5. Do you offer choice regarding future marketing communications?
Companies with immature compliance programs may be surprised to find out that they can’t send out marketing materials unless they have the proper permission to do so. The ability to communicate with consumers is increasingly subject to different legal requirements both in this country and internationally. Under the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003), email marketing to consumers is largely an “opt out” regime in the U.S. (many other countries are “opt in”). Thus, companies are required to offer recipients the ability to opt out from receiving future email marketing communications in every marketing email sent. Companies should also be mindful of special rules associated with marketing communications sent to mobile devices. The Telephone Consumer Protection Act (“TCPA”), telecom carrier rules, and Mobile Marketing Association Mobile Advertising Guidelines govern the sending of text messages and emails to mobile domain addresses. Companies must satisfy notice and prior express written consent requirements before sending a commercial text message to a mobile device, though written consent may be electronic if certain requirements are met. A change, effective October 1, 2014, to Connecticut’s version of the TCPA seemingly expands the scope of the types of covered mobile messages beyond MMS and SMS to mobile app push notifications, a channel marketers have been using to avoid the TCPA’s express written consent requirements. Additional rules govern telemarketing and fax marketing. TCPA violations have spawned many class action lawsuits, resulting in tens of millions of dollars in settlements paid by advertisers that failed to fully comply.
To avoid problems with future marketing campaigns, companies must carefully consider when it is appropriate to take an opt-in versus an opt-out approach to the sending of future marketing communications. It is important to evaluate whether consent language is drafted appropriately to cover the additional communications that the company will send now and in the future, including who will send the communications (company only, affiliates, other third parties), how they will be sent (do not assume that “send me updates” means “call me at home during dinner”), and the types of communications (about just one product, anything related to the company, anything related to a particular topic of interest, etc.). Recording of customer service calls is also regulated by various state laws regarding notice and consent, the violation of which has generated much recent litigation. Accordingly, companies should consider appropriate spam, do-not-fax, do-not-call, call recording, and broader communications policies.
6. Have you and your vendors adopted a formal, written data protection compliance program?
Despite a sectoral approach to privacy and a state patchwork approach to data security regulation in the U.S., a growing number of companies are now subject to some form of legal obligation to adopt “reasonable” data security measures. Among the laws mandating some form of “reasonable” security are (i) the HIPAA security regulations applicable to the health care industry; (ii) the Gramm-Leach-Bliley Act (“GLB Act”) “safeguards” regulations for financial institutions; (iii) state insurance law analogs to the GLB Act Safeguards Rule applicable to insurance companies; and (iv) state laws governing businesses that maintain personal information of residents (see Massachusetts, Nevada, and California). Even if your organization happens to operate outside the reach of these particular data security laws, there is a growing consensus that implementation of a formal, written security compliance program is a best practice. In Massachusetts, such a “Written Information Security Program” (“WISP”) is required if a company has personal information of Massachusetts residents, even if the company itself is not present in the state. Most states also have data breach response and reporting laws, which require prompt action following a suspected compromise. Indeed, the FTC has been very active in exercising its unfairness authority to prosecute companies that have experienced data security breaches, under the theory that failure to take reasonable measures to protect data, even data that is not sensitive (e.g., Twitter account credentials), is an unfair business practice.
7. Does your company engage in behavioral advertising?
Online behavioral advertising (“OBA”), interest-based advertising, and targeted and retargeted advertising are terms used to describe the practice of tracking consumers’ online activities in order to profile them and serve specially tailored advertising. Many companies advertise using OBA but may not be directly involved in collecting and using the OBA data because they employ vendors and ad servers to do this. However, an advertiser, even if engaging in OBA on a non-affiliated site (e.g., retargeting a user who has left your site with an ad on another site), is subject to self-regulatory rules and best practices guidance promulgated by the FTC.
Before engaging in any OBA, companies (both advertisers and publishers) should review the behavioral advertising self-regulatory guidance of the Digital Advertising Alliance (“DAA”). See http://www.aboutads.info/ . The DAA’s guidance provides a self-regulatory framework for advertisers, agencies, publishers, and technology companies for engaging in OBA. The DAA provides an icon-based form of notice that alerts consumers to OBA and provides a method to opt out. Though the opt-out method is currently browser-based and thus not effective for mobile apps, the DAA is currently beta testing a similar notice and opt-out program for OBA via mobile apps. While the DAA licenses the icon itself for $5,000 a year, it has three approved service providers that provide compliance and analytics services and can provide the license as part of their services. The DAA’s enforcement division has brought a dozen or more actions against noncompliant advertisers, most recently against web site publishers that were dropping retargeting cookies on users, without the required notice on such web pages, to enable ads from that site to be served later when users visited other sites.
To identify and minimize risks, companies should take steps to (i) understand what tracking is taking place through their marketing campaigns as well as their web sites and mobile applications; (ii) include the requisite insurance and indemnity provisions in their agreements with vendors assisting them with OBA; and (iii) include appropriate disclosures in their privacy policies, on their home pages, and on OBA ads to address what OBA activities may be occurring.
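Step (i) above, knowing what tracking actually happens on your own pages, is something that can be measured rather than taken on faith from the marketing team or the ad vendor. The following is an added example, not material from the original post, the firm, or the DAA: a Python script that reads a HAR (HTTP Archive) file exported from a browser’s developer tools for one page load and reports every third-party host contacted, the cookies those hosts set, and tiny image responses that are very likely tracking pixels. The HAR, the brand domain and the third-party hostnames are constructed for the example; the registrable-domain logic is a deliberate simplification (a real inventory should use the Public Suffix List).

```python
"""Inventory third-party tracking requests from a browser HAR export.

Added example; not code from the original post. Assumes HAR 1.2 as
exported by Chrome/Firefox developer tools. The sample HAR below is
constructed and uses hypothetical hostnames.
"""
import json
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 by keeping the last two labels.

    Simplification: hosts under multi-label suffixes such as 'co.uk'
    need the Public Suffix List to be classified correctly.
    """
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def cookie_name(set_cookie: str) -> str:
    """Return the cookie name from a Set-Cookie header value."""
    return set_cookie.split(";", 1)[0].split("=", 1)[0].strip()


def header(part: dict, name: str) -> str:
    """Case-insensitive lookup of the first HAR header with this name."""
    for h in part.get("headers", []):
        if h.get("name", "").lower() == name.lower():
            return h.get("value", "")
    return ""


def inventory(har_text: str, page_url: str) -> dict:
    """Classify every request in the HAR that leaves the first-party domain."""
    first_party = registrable_domain(urlsplit(page_url).hostname or "")
    third_party_hosts, cookies_set, pixels = set(), [], []
    for entry in json.loads(har_text)["log"]["entries"]:
        url = entry["request"]["url"]
        host = urlsplit(url).hostname or ""
        if registrable_domain(host) == first_party:
            continue  # first-party traffic is out of scope for this check
        third_party_hosts.add(host)
        resp = entry.get("response", {})
        # HAR lists each Set-Cookie header as its own name/value pair.
        for h in resp.get("headers", []):
            if h.get("name", "").lower() == "set-cookie":
                cookies_set.append((host, cookie_name(h.get("value", ""))))
        # A 1x1 tracking GIF is tens of bytes; flag tiny image responses.
        ctype = header(resp, "content-type")
        size = resp.get("content", {}).get("size", 0)
        if ctype.startswith("image/") and size <= 100:
            pixels.append(url)
    return {
        "third_party_hosts": sorted(third_party_hosts),
        "cookies_set": cookies_set,
        "pixels": pixels,
    }


# Constructed sample: one page load of a hypothetical brand site.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"url": "https://www.example-brand.com/"},
     "response": {"status": 200, "content": {"size": 5120},
                  "headers": [{"name": "Content-Type", "value": "text/html"},
                              {"name": "Set-Cookie", "value": "session=abc; Path=/"}]}},
    {"request": {"url": "https://cdn.example-brand.com/app.js"},
     "response": {"status": 200, "content": {"size": 40000},
                  "headers": [{"name": "Content-Type", "value": "application/javascript"}]}},
    {"request": {"url": "https://pixel.ad-network.example/track?uid=123"},
     "response": {"status": 200, "content": {"size": 43},
                  "headers": [{"name": "Content-Type", "value": "image/gif"},
                              {"name": "Set-Cookie",
                               "value": "uid=abc; Path=/; SameSite=None; Secure"}]}},
    {"request": {"url": "https://analytics.example/collect?cid=55"},
     "response": {"status": 200, "content": {"size": 35},
                  "headers": [{"name": "Content-Type", "value": "image/gif"}]}},
    {"request": {"url": "https://fonts.example/roboto.woff2"},
     "response": {"status": 200, "content": {"size": 60000},
                  "headers": [{"name": "Content-Type", "value": "font/woff2"}]}},
]}})


if __name__ == "__main__":
    print(json.dumps(inventory(SAMPLE_HAR, "https://www.example-brand.com/"), indent=2))
```

Run it against a HAR captured from a fresh browser profile with no opt-outs set, then compare the host list with the vendors named in your privacy policy and your vendor contracts; any host that appears in the output but in neither document is a disclosure gap to close before launch. Note that the size and content-type heuristic for pixels is a first pass only; beacons sent via JavaScript fetch or sendBeacon calls will show up as third-party hosts but not as image responses.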
8. Is your marketing or sales targeted to children?
9. Will your campaign collect location-based information from consumers or otherwise publicly share a consumer’s location?
10. Do you acquire or share content consumption data?