Privacy Under Scrutiny
Consumers are nervous about how much of their information is readily available to anyone who knows how to access it.
We’re not talking just about identity theft, which is a criminal offense, but about legal marketing practices. Indeed, consumers are being deluged with direct marketing offers pitched at them by mail, e-mail and telephone. Think about it from their viewpoint. While you think you’re helping consumers by making just-in-time offers to satisfy their needs and desires, they’re thinking: “Whoa! Can we get a little privacy over here?”
Just how much do consumers care about this issue? A lot. For example, 69 percent of adults agree that consumers have lost all control over how their personal information is collected and used by companies, according to a Harris Interactive poll of 1,010 adults conducted by phone in February. While this is down from 80 percent in 1999, it’s still more than two-thirds of American adults feeling their personal information is no longer in their control.
Moreover, 54 percent of adults disagree with the statement “Most businesses handle personal information they collect about consumers in a proper and confidential way.” This is up from 35 percent in 1999.
Indeed, one observer has noted that privacy will be to this generation what the civil rights and women’s liberation movements were to previous generations. That is, we’re witnessing the dawn of a new social awareness: People are beginning to understand how vulnerable their personal information has become in this networked world.
So what do you, as a cataloger, need to know about this issue of consumer privacy? First, that the Federal Trade Commission (FTC) has already signaled its intent to uphold current privacy regulations. And make no mistake: Marketing practices are under scrutiny.
For example, in February Hershey Direct and Mrs. Fields Cookies incurred civil fines for violating the Children’s Online Privacy Protection Act. FTC officials cited the merchants for collecting personally identifiable information (PII) from children online without first getting the proper parental consent. Mrs. Fields had to dish out $100,000, and Hershey Direct, $85,000. The separate settlements bar the companies from violating the rule in the future (translation: they’re now on the FTC’s radar screen).
“These settlements offer food for thought for anyone who operates a Web site that caters to kids,” said Howard Beales, director of the FTC’s Bureau of Consumer Protection. “If your Web site collects personal information about children, comply with the law or face the consequences.”
So what are the laws? Following is an overview of three federal regulations with which you, as a merchant, may have to comply; the current debates pertaining to e-mail marketing; and some thoughts on safeguarding your company against privacy breaches.
Three Rules
Congress has enacted numerous regulations meant to protect consumers’ privacy. They include, but are not limited to, the following:
Children’s Online Privacy Protection Act (COPPA). Commercial Web sites must provide notice and obtain parents’ consent before collecting PII from children ages 13 and younger. (Exceptions may apply for sites that collect only kids’ e-mail addresses.)
How this affects catalogers: COPPA applies to both children’s Web sites and general commercial Web sites whose operators know they’re collecting PII from children (see “What is PII?”). COPPA’s goal is to place parents in control of the online collection of data from their children, said Elizabeth Delaney, an attorney in the FTC’s division of advertising practices, and a speaker at the recent Data and Privacy Security Summit held in Washington, D.C. Putting disclaimers, such as “Children under 13 cannot visit,” on your site won’t effectively protect you, she noted. Neither will making it optional for site visitors to offer their own PII.
Mrs. Fields Cookies was cited because, according to the FTC, portions of the merchant’s Web sites offered birthday clubs for children ages 12 and younger. Club kids were given birthday greetings and coupons for free products.
As noted in the FTC’s release on the case: “While Mrs. Fields did not disseminate the information it collected to third parties, the company allegedly collected personal information — including full name, home address, e-mail address and birth date — from more than 84,000 children, without first obtaining parental consent.”
Meanwhile, Hershey Direct, which operates about 30 candy-related Web sites, many of which are targeted at children, allegedly was requesting that children have their parents complete consent forms. But, the FTC noted, Hershey officials made no attempt to ensure that parents or guardians actually saw or completed the forms. And even when Hershey didn’t get the necessary consent, the company allegedly still went on to collect PII from children.
There’s not much you can do if children visit your site and lie about their age, and the FTC understands that, Delaney said. But as an online marketer, you are expected to make every reasonable attempt to get parental consent before collecting children’s PII. That is, the onus for COPPA compliance is on you.
But take heart: There are some resources that can help. The FTC has a COPPA Compliance Hotline you can call, and the Children’s Advertising Review Unit of the National Advertising Review Council offers guidelines and a safe harbor for marketers (see “Resources” for contact information).
Gramm-Leach-Bliley Act (GLB). You may have seen all of those privacy notices you, as a consumer, got in the mail from your credit card companies and banks last year. That was GLB in action.
The Act requires financial institutions to give consumers privacy notices that explain the institutions’ information-sharing practices. Consumers then have the right to limit some, but not all, sharing of their information — that is, they can opt out.
How this affects catalogers: If you’re a retailer who extends credit or issues credit cards to your customers, you must comply with GLB. You must format privacy notices that include what information you collect about customers, with whom you share the information, and how you protect and safeguard the data in your repository. Additionally, you must give customers a way to opt out of having you share their non-public information with third parties.
If your company must comply with GLB, no doubt you’ve already mailed your first round of privacy notices, which were due last summer. So we won’t rehash what data should have been in them. Rather, this is to alert other catalogers thinking of issuing their own branded credit cards: If you decide to go this route, understand that you then come under the numerous provisions of GLB.
National Do-Not-Call Registry. By now you’re aware that the federal government is in the process of solidifying its do-not-call (DNC) registration process. Beginning Oct. 1, 2003, telemarketers will have to access the list and scrub (at least once every 90 days) from their own calling files those phone numbers that have been placed on the national DNC list. (Consumers can begin signing up for the list in July.)
The rules do not apply to sellers who have an existing business relationship with their customers, notes Frederick Joyce, a partner with Alston & Bird LLP, a Washington, D.C., law firm. “Under the FTC’s DNC rules, a telemarketer or seller can call a consumer with whom it has a business relationship for up to 18 months after that customer’s last purchase, delivery or payment — even if the consumer’s number is on the national DNC registry,” he says.
Additionally, you can call a consumer for up to three months after the consumer makes an inquiry with your catalog. And if a consumer gives your catalog written permission, you may call him or her, even if the number is on the national DNC registry, Joyce notes.
“The rules don’t apply to business-to-business calls,” he continues, “and businesses can’t put their names on the registry.”
How this affects catalogers: Although all catalogers and telemarketers must comply with the new regulations, these rules will place a particular burden on catalogers that make outbound calls to consumers with whom they don’t have a previous business relationship. That is, catalogers that make cold calls to consumers must comply and pay the required fees to be part of the program. At press time, the fee structure was uncertain. For an update, visit: www.ftc.gov.
Be assured that the national DNC rule has some teeth to it. Violators can be fined up to $11,000 per violation.
In the meantime, the Federal Communications Commission (FCC) also has initiated a rulemaking proceeding to adopt its own DNC regulations. “Congress has given the FCC until September 2003 to issue its rules and coordinate its national registry plans with the FTC,” Joyce notes. Stay tuned for further developments.
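The scrubbing routine described above, written out as an added example (not code from the article or from any registry vendor): it suppresses registered numbers from a calling file while honoring the exemptions the article lists (written permission, a purchase, delivery or payment within 18 months, an inquiry within 3 months, and business-to-business calls), and it flags when the 90-day rescrub is due. The field names, the digits-only phone normalization and the sample registry and contacts are this example’s own constructed assumptions, not real registry data.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds as stated in the article: an existing business relationship
# covers 18 months after the last purchase, delivery or payment, 3 months
# after an inquiry, and calling files must be scrubbed at least every 90 days.
EBR_TRANSACTION_MONTHS = 18
EBR_INQUIRY_MONTHS = 3
SCRUB_INTERVAL_DAYS = 90


def subtract_months(d: date, months: int) -> date:
    """Calendar-accurate 'months ago', clamping the day to the target month's length."""
    year_offset, month_index = divmod(d.month - 1 - months, 12)
    year, month = d.year + year_offset, month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def normalize_phone(raw: str) -> str:
    """Digits only, so '(202) 555-0100' and '2025550100' compare equal."""
    return "".join(ch for ch in raw if ch.isdigit())


@dataclass
class Contact:
    phone: str
    last_transaction: Optional[date] = None   # last purchase, delivery or payment
    last_inquiry: Optional[date] = None       # last inquiry to the catalog
    written_permission: bool = False          # consumer's written permission to call
    is_business: bool = False                 # business-to-business contact


def may_call(contact: Contact, dnc_registry: set, today: date):
    """Decide whether an outbound call is permitted; returns (allowed, reason)."""
    if contact.is_business:
        return True, "business-to-business call (registry does not apply)"
    if normalize_phone(contact.phone) not in dnc_registry:
        return True, "number not on the national DNC registry"
    if contact.written_permission:
        return True, "written permission on file"
    if (contact.last_transaction is not None
            and contact.last_transaction >= subtract_months(today, EBR_TRANSACTION_MONTHS)):
        return True, "existing business relationship: transaction within 18 months"
    if (contact.last_inquiry is not None
            and contact.last_inquiry >= subtract_months(today, EBR_INQUIRY_MONTHS)):
        return True, "inquiry within 3 months"
    return False, "on the national DNC registry with no applicable exemption"


def scrub_calling_file(contacts, dnc_registry, today):
    """Split a calling file into callable and suppressed entries, each with its reason."""
    callable_, suppressed = [], []
    for c in contacts:
        allowed, reason = may_call(c, dnc_registry, today)
        (callable_ if allowed else suppressed).append((c.phone, reason))
    return callable_, suppressed


def scrub_is_due(last_scrub: Optional[date], today: date) -> bool:
    """True when no scrub is recorded or 90 or more days have passed since the last one."""
    return last_scrub is None or (today - last_scrub).days >= SCRUB_INTERVAL_DAYS


# Constructed sample data (not real registry entries or customers).
TODAY = date(2003, 10, 1)
DNC_REGISTRY = {"2025550100", "2025550101", "2025550102", "2025550103"}
SAMPLE_CONTACTS = [
    Contact("(202) 555-0100"),                                    # registered, no exemption
    Contact("202-555-0101", last_transaction=date(2002, 6, 15)),  # purchase within 18 months
    Contact("202-555-0102", last_transaction=date(2002, 1, 15)),  # purchase older than 18 months
    Contact("202-555-0103", last_inquiry=date(2003, 8, 20)),      # inquiry within 3 months
    Contact("202-555-0199"),                                      # not registered
    Contact("202-555-0100", is_business=True),                    # B2B: registry does not apply
]

if __name__ == "__main__":
    ok, dropped = scrub_calling_file(SAMPLE_CONTACTS, DNC_REGISTRY, TODAY)
    for phone, reason in ok:
        print("CALL    ", phone, "-", reason)
    for phone, reason in dropped:
        print("SUPPRESS", phone, "-", reason)
```

Each suppression carries its reason so the decision can be logged and audited later; keeping the registry lookup on a normalized number avoids the common failure where formatting differences let a registered number slip through.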
Crammed with Spam
Telemarketing is not the only prospecting tactic to come under governmental scrutiny. E-mail marketing also is lying prone on the examination table.
More and more consumers are groaning about unsolicited commercial e-mail — aka: spam. No doubt, you also have seen a marked increase in spam in your own e-mail inbox. Brightmail, a spam-filtering company, said that during this past February alone, 43 percent of all e-mails sent, or 227 billion messages, were junk. That’s up dramatically from 8 percent in January 2001.
How this affects catalogers: As of late March, 25 states have enacted spam laws, making for an unwieldy patchwork effect for national e-mail marketers such as catalogers. Thirteen states have laws prohibiting false heading and routing information (or spoofing). And 10 states have labeling laws, which mandate that marketers put some version of “ADV” in the subject line.
In addition, each state law has its own idiosyncrasies. For example, Kansas requires that all commercial e-mail contain the sender’s full contact information. This disparity among state laws makes the job of sending national e-mail campaigns all the more difficult. Now you must know the states in which each recipient lives, so you can format the e-mails to comply with appropriate state laws. Even the definitions of spam differ from state to state.
What to do:
1. Don’t send unsolicited e-mail messages, cautions Emily Hackett, state policy director for the Internet Alliance, a trade association of companies that operate in the online world. Send your campaigns only to customers who’ve opted in to your company by, say, giving you their e-mail addresses during the ordering process.
2. Be transparent. Consumers are most frustrated with marketers who hide behind false identities and don’t allow easy opt-out or unsubscribe procedures, says Hackett.
3. Secure your e-mail database from hackers. Invest in the necessary firewalls so criminals don’t gain access. Guard your e-mail addresses as tightly as you do postal addresses. Remember, you are the repository for your customers’ PII.
Get Qualified Help
Now that you understand some of the laws with which you must comply, you may be thinking: “But I have a catalog to run! I can’t be worrying about this stuff. I need to assign someone to handle these privacy issues.”
According to the International Association of Privacy Professionals (IAPP), chief privacy officers generally are responsible for the following tasks:
- ensuring that their companies are in compliance with all necessary state and federal privacy regulations;
- offering guidelines to corporate executives on how to properly collect, store and handle customer data; and
- ensuring that their companies take the necessary steps to safeguard consumer privacy, thereby avoiding costly and embarrassing privacy breaches.
Most CPOs are lawyers who specialize in business and privacy issues. But not all of them work exclusively on privacy-related issues. For example, at IBM, Harriet Pearson is not only the CPO but also holds the title of vice president of workforce. She says only about 30 percent of her daily duties pertain to privacy-related issues.
The message? You don’t necessarily have to assign one person to handle privacy tasks full-time, and it doesn’t necessarily have to be a lawyer who does the work.
But you should assign a senior staffer to take on the job of getting up to speed on privacy and data-security issues. (If you employ outside counsel, ask if the law firm has someone on staff trained in this area.)
Here’s why this is important: FTC officials have noted that one of the things they like to see in companies they’re investigating is that the organization has a CPO (or someone assigned to privacy issues) on staff or on retainer. This shows, says the FTC, that company executives are at least aware that they must adhere to consumer privacy rules.
Understand that just having a CPO won’t necessarily protect you from fines if the FTC thinks they’re warranted. But you may get a bit of a reprieve for going the extra step of assigning someone to be responsible for the job.
CPOs generally are well-paid, as you would expect for a job that requires a heavy investment in education. Earlier this year, IAPP and the Ponemon Institute released a salary survey that found, not surprisingly, average salaries for CPOs vary considerably based on the size of a company and a candidate’s years of experience. Generally, most CPOs earn between $60,000 and $100,000 a year. And about a third make $100,000 to $150,000 per year, according to the study.
While that may seem like a hefty amount to add to your staffing budget, the cost may be justified if your CPO can save you from just one FTC fine. Indeed, that’s how most CPOs justify their jobs to their CEOs — in the cost savings by avoiding expensive, embarrassing and brand-damaging privacy breaches.
“Often the most costly privacy laws to violate are the laws of the press and public opinion,” write Vincent Schiavone, president and CEO, and Stephen Cobb, senior vice president of ePrivacy Group, a technology and consulting firm specializing in the privacy field, in their white paper “Practical Privacy.”
“The fines and consent costs of regulatory and legal actions may eventually pale in comparison to the lingering brand damage and loss of consumer confidence resulting from [privacy breaches],” write Schiavone and Cobb.
Conclusion
Consumers’ cries for greater privacy are not abating; in fact, they are getting stronger with each passing year. What’s more, legislators and regulators now have taken up the consumer-privacy mandate with gusto and resolve.
As a merchant with a repository of consumer information, you can help ensure your catalog’s success by heeding the calls for consumer privacy and data security.
Donna Loyle, editor of Catalog Success, is a member of the International Association of Privacy Professionals.
---
Resources
Children’s Online Privacy Protection Act: www.ftc.gov/ogc/coppa1.htm, or call the FTC’s COPPA Compliance Hotline at: (202) 326-3140
Children’s Advertising Review Unit, www.caru.org
The Direct Marketing Association, www.the-dma.org/privacy/index.shtml. DMA members can access numerous privacy policy guidelines, rules that affect marketers and much more.
ePrivacy Group, www.ePrivacyGroup.com
Gramm-Leach-Bliley Act: www.ftc.gov/privacy/glbact/index.html
International Association of Privacy Professionals: www.privacyassociation.org
Internet Alliance: www.privacyalliance.org
Frederick Joyce of Alston & Bird LLP, (202) 756-3376, or Rjoyce@Alston.com
---
What is PII?
Personally identifiable information, or PII, is a phrase you should get to know since you probably will be seeing more of it in the future.
According to Elizabeth Delaney, an attorney with the Federal Trade Commission’s division of advertising practices, PII includes the following information about an individual:
- full name,
- physical address,
- e-mail address,
- social security number,
- telephone number,
- a screen name revealing an e-mail address,
- a persistent identifier, such as a number held in an online cookie, which is combined with personal information, and
- any information tied to personal data (e.g., age, gender, hobbies).
What is not PII:
- first name only, without other identifying data;
- a screen name that’s not tied to an e-mail address or other identifying data;
- gender, hobby or preference information that’s not tied to an e-mail address or other identifying data.
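The sidebar’s rule is that some fields are identifying on their own while others (first name, age, gender, hobbies, a screen name, a cookie identifier) become PII only when they sit alongside identifying data in the same record. The following added example (not code from the article or from the FTC) applies that rule to customer records so a data inventory can show which fields must be treated as PII; the field names, the e-mail pattern used to spot a screen name that reveals an address, and the sample records are this example’s own constructed assumptions.

```python
import re

# Fields the sidebar lists as PII in their own right (schema names are an assumption).
DIRECT_IDENTIFIERS = {"full_name", "physical_address", "email", "ssn", "telephone"}

# Minimal shape check: something@domain.tld. A screen name matching it reveals an e-mail address.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def screen_name_reveals_email(screen_name: str) -> bool:
    """A screen name that is itself an e-mail address counts as identifying data."""
    return bool(EMAIL_RE.match(screen_name))


def classify_record(record: dict) -> dict:
    """Return {field: is_pii} for every populated field in one customer record.

    Direct identifiers are always PII. Every other field (first name, age, gender,
    hobbies, a plain screen name, a cookie identifier) is PII only when the same
    record also contains identifying data, which is the sidebar's 'tied to' test.
    """
    present = {k: v for k, v in record.items() if v not in (None, "")}
    identifying = bool(set(present) & DIRECT_IDENTIFIERS)
    if "screen_name" in present and screen_name_reveals_email(str(present["screen_name"])):
        identifying = True
    return {
        field: (field in DIRECT_IDENTIFIERS) or identifying
        for field in present
    }


def pii_fields(record: dict) -> set:
    """The fields in this record that must be handled as PII."""
    return {f for f, is_pii in classify_record(record).items() if is_pii}


def contains_pii(record: dict) -> bool:
    return bool(pii_fields(record))


def count_pii_records(records) -> int:
    """How many records in a data set carry PII; useful for a first data inventory."""
    return sum(1 for r in records if contains_pii(r))


# Constructed sample records (not real customers).
SAMPLE_RECORDS = [
    {"first_name": "Sam", "hobbies": "skateboarding"},                            # nothing identifying
    {"first_name": "Sam", "email": "sam@example.com", "hobbies": "skateboarding"},  # tied to an e-mail
    {"screen_name": "sam@example.com", "age": 11},                                 # screen name reveals e-mail
    {"screen_name": "skater99", "cookie_id": "c0ffee", "gender": "F"},            # nothing identifying
    {"cookie_id": "c0ffee", "full_name": "Sam Jones"},                            # cookie combined with a name
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(sorted(pii_fields(rec)) or "no PII", "<-", rec)
```

Note how the same hobby or gender value flips from non-PII to PII purely because of what else is stored next to it; that is the reason a data inventory has to be run per record, not per column.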