Companies are increasingly relying on innovative and edgy digital marketing campaigns to promote their products and services. Campaigns often include user-generated content, viral marketing, the brand's website, a mobile application, and other social media and social networking elements. Companies are also looking to harness data through loyalty programs and consumer tracking to better understand, serve and reach their customers.
Big data and the interactivity of digital marketing are powerful tools for marketers, but consumer data protection laws have evolved in recent years, resulting in new and heightened compliance and risk management issues that need to be addressed when executing advanced advertising campaigns and consumer relationship management (CRM) programs. This can be done effectively if a company develops a privacy-by-design compliance culture that implements a process of conducting impact assessments before launching new products, services, campaigns or programs that could have an effect on consumer privacy or data protection. Such assessments can also incorporate analysis of traditional consumer protection impacts, such as compliance with advertising and sales laws, and analysis of intellectual property impacts (both third-party infringement risks and protection of company IP). This will help legal and compliance personnel gather the relevant information from product and marketing teams to assess legal impacts during the development process so that products and sales and marketing can be designed in a manner that minimizes potential liability, while also achieving business goals.
As a starting point for counsel to assess the privacy impacts of their companies' marketing and sales activities, see the list below, which poses questions you should be asking. When you read the answers to the questions below, you will get guidance on the issues to help inform your diligence and counsel.
1. Have You Posted an Appropriate Privacy Policy?
Not posting a privacy policy on a website, mobile application, or any other online service that collects personally identifiable information (PII) (e.g., first and last name, address, e-mail address, telephone number) from a consumer violates not only Federal Trade Commission (FTC) guidance but also California's Online Privacy Protection Act of 2003 (CalOPPA). Companies that collect PII from California consumers through any online service for commercial purposes, even if they are not themselves in California, must conspicuously post a privacy policy that informs individuals of this collection, including:
Further, amendments to CalOPPA, effective Jan. 1, 2014, require the privacy policy to additionally inform individuals of the following practices:
As of Jan. 1, 2015, CalOPPA also requires that privacy policies of services that allow user content postings will also have to provide in a specific manner a notice and a takedown process for minors to remove public-facing content they have posted about themselves.
CalOPPA requires privacy policies to accurately describe data practices, and provides specifics as to how its requirement of “conspicuous posting” may be met, including with regard to placement, various types of font treatment, and word content. The California Attorney General has issued further guidance, particularly on how to deal with the small screens of mobile devices. See, “Making Your Privacy Practices Public,” (May 2014), and “Privacy on the Go: Recommendations for the Mobile Ecosystem,” (Jan. 2013).
The FTC has long used its deception authority to prosecute inaccurate or misleading statements in privacy policies as false advertising claims. In addition, certain regulated industries have specific privacy disclosure obligations, and online services directed to children have special regulatory requirements, outlined below. Accordingly, it is essential that companies annually audit their data collection, use, sharing, processing, storage and security practices and ensure that their privacy policies completely and accurately explain all material practices and comply with applicable laws. Most companies will also need to meet the more stringent California requirements.
In 2013, the California Attorney General sent notices to hundreds of companies, many located outside of the state, that their sites or mobile apps did not include a privacy policy as required by CalOPPA, and where a company failed to comply within 30 days, filed suit under California's Unfair Business Practices Act. While CalOPPA requires such notice and opportunity to cure for failing to post a privacy policy, no notice and cure opportunity is necessary for a state or local prosecutor or for a consumer to bring a CalOPPA-based claim for false or misleading statements in a privacy policy.
2. Are You Using Third Parties to Collect Information, or Are You Sharing Information You Collect With Third Parties?
In addition to the third-party tracking disclosure requirements of the CalOPPA amendment noted above, it is important to consider what information third parties may be directly collecting on your sites and what information you may be sharing with third parties such as co-promotional partners. With regard to third parties you are working with on a campaign, you should consider whether you have addressed data ownership and control issues, properly disclosed information sharing practices, and imposed legally required security obligations where necessary. When addressing the sharing of information with third parties, don't forget that third parties can, under many laws, include your affiliate companies. Although it may feel to you like one big, happy family when you share information among affiliates, you may be creating the wrong impression if you say in your privacy policy, or at an information collection point, that you do not share information collected with any third parties.
Companies should particularly take care to assess their obligations under California Civil Code Section 1798.83 (also known as California's “Shine the Light” law), which provides California residents with certain rights with respect to sharing certain consumer information (defined to include not just personally identifiable information as typically understood, but also certain types of demographic information, and according to the California AG, potentially a persistent identifier used to recognize a user, browser, or device over time and across sites and services, such as an IP address) collected online or offline with third parties (including affiliates) for the third parties' direct marketing purposes. Failure to comply with that scheme has spawned a number of class action lawsuits. Further, a bill in the California legislature would vastly expand the scope and effect of that law.
3. Does Your Campaign Incorporate Cookies, Pixel Tags, Browser Fingerprinting, Web Beacons, or Other Tracking Technologies, and Do You Disclose These Practices?
Undisclosed passive tracking is the stuff that media headlines are made of, and depending upon the scope of the information collected, it may now be required to be disclosed under the recent CalOPPA amendment discussed above. Cookies and other passive tracking practices are receiving increasing scrutiny domestically and globally (particularly in the European Union and Canada) from both the press and lawmakers. Even where passively tracked information is not linked to what we in the U.S. traditionally consider personally identifiable information, it can still raise privacy notice and consent issues. Also, almost every site now uses Google Analytics, and Google requires that certain disclosures be included in your privacy policy, as do other third-party vendors that most sites rely on to operate and serve ads. Indeed, most companies engage dozens of vendors to help them operate their sites or services, and those vendors similarly contractually require that specific notices and opt-outs be provided by the companies. Third parties (government, media, consumer organizations, and site visitors) can use various browser add-ons (see, e.g., www.ghostery.com) as a means to reveal whether a site's representations about passive tracking match up with actual practice. Misrepresentations, and potentially material omissions, are actionable as deceptive advertising claims. Revise your privacy policy to thoroughly address passive means of collecting information on your site or application. As part of a data practices assessment, talk with your IT and marketing staffs to ensure that you cover all of your bases and get an accurate picture of what is going on with your site and in connection with your digital campaigns.
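The audit the paragraph describes, comparing what a site actually loads against what its privacy policy discloses, can be approximated in code. The following is an added illustration, not code from the article or from any vendor named in it: it inventories the third-party hosts referenced by a page's script, image, iframe and link tags plus the domains that set cookies during the load, reduces them to a registrable domain, and reports any that are absent from the policy's disclosed vendor list. The page HTML, the captured Set-Cookie headers, the first-party domain and the disclosed-vendor set are all constructed samples, and the two-label "registrable domain" rule is a simplifying assumption (a production audit would use the public suffix list).

```python
"""Tracker-disclosure audit: third-party hosts observed on a page versus the
vendors the privacy policy discloses. Added example; all inputs are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page on example-shop.test that pulls in several third-party resources.
SAMPLE_HTML = """
<html><head>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://cdn.example-shop.test/app.js"></script>
<link rel="stylesheet" href="https://fonts.vendor-fonts.test/css">
</head><body>
<img src="https://px.ads-network.test/pixel.gif?id=123" width="1" height="1">
<iframe src="https://social-widget.test/like?page=home"></iframe>
<img src="/images/logo.png">
</body></html>
"""

# Constructed sample: (response URL, Set-Cookie header) pairs captured during the page load.
SAMPLE_SET_COOKIES = [
    ("https://example-shop.test/", "session=abc; Path=/; HttpOnly"),
    ("https://px.ads-network.test/pixel.gif", "uid=42; Domain=.ads-network.test; Max-Age=31536000"),
    ("https://retarget.dsp-example.test/sync", "rt=7; Domain=.dsp-example.test"),
]

# Vendors the hypothetical privacy policy actually names.
DISCLOSED_VENDORS = {"google-analytics.com", "vendor-fonts.test"}
FIRST_PARTY = "example-shop.test"


class _ResourceCollector(HTMLParser):
    """Collect URLs from tags whose attribute triggers a request to another host."""
    SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.SRC_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append(value)


def registrable_domain(host):
    """Assumption: last two labels approximate eTLD+1. Enough for the samples here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def resource_hosts(html):
    """Hosts of every external resource referenced in the markup (relative URLs are first-party)."""
    parser = _ResourceCollector()
    parser.feed(html)
    return {urlparse(u).hostname for u in parser.urls if urlparse(u).hostname}


def cookie_domains(set_cookies):
    """Domains that set cookies, honouring an explicit Domain attribute when present."""
    domains = set()
    for response_url, header in set_cookies:
        domain = None
        for part in header.split(";")[1:]:
            key, _, value = part.strip().partition("=")
            if key.lower() == "domain":
                domain = value.strip().lstrip(".")
        domains.add(domain or urlparse(response_url).hostname)
    return domains


def audit(html, set_cookies, first_party, disclosed):
    """Return the third-party domains observed and the subset the policy does not disclose."""
    observed = {registrable_domain(h) for h in resource_hosts(html) | cookie_domains(set_cookies)}
    third_party = {d for d in observed if d != registrable_domain(first_party)}
    return {"third_party": third_party, "undisclosed": third_party - set(disclosed)}


if __name__ == "__main__":
    result = audit(SAMPLE_HTML, SAMPLE_SET_COOKIES, FIRST_PARTY, DISCLOSED_VENDORS)
    for domain in sorted(result["undisclosed"]):
        print("undisclosed third party:", domain)
```

Run against real captures, the same functions take the HTML and Set-Cookie headers recorded by a browser's network log; the point of the exercise is the gap list, which is what counsel should reconcile with the privacy policy before launch.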
4. Has “Privacy By Design” Been Incorporated In Your Campaign Development Process?
In March 2012, the FTC released a set of recommendations for businesses regarding the collection and use of consumer personal information. See, “FTC Issues Final Commission Report on Protecting Consumer Privacy.” A central tenet of this report (the Privacy Framework) is the notion of “privacy by design” (PbD), which is the philosophy of embedding privacy and data security considerations from the outset into the design and development of information technologies and minimizing the collection and use of data to what is necessary under the circumstances. The goal of privacy by design is to minimize the privacy impact on consumers and maximize their informed choice. Companies that can “bake in” privacy protections for a new campaign in the conceptualization phase are more likely to avoid having to try to make changes right before launch or post-launch, when doing so may cause delay and additional cost. In order to effectively implement PbD, it is essential that a knowledgeable privacy professional evaluate the planned data practices to identify issues. For instance, the defendants in the recent flood of lawsuits relating to collection of consumer information as seemingly innocuous as mere zip codes in connection with credit card purchases, which violates California, Massachusetts, and other state laws, could have avoided those claims had they had compliance counsel involved in the development of the data flows. Such an impact assessment is essential when integrating loyalty programs with point-of-sale systems to avoid noncompliance with these credit card transaction privacy laws.
5. Do You Offer Choice Regarding Future Marketing Communications?
Companies with immature compliance programs may be surprised to find out that they can't send out marketing materials unless they have the proper permission to do so. The ability to communicate with consumers is increasingly subject to different legal requirements both in this country and internationally. Under the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003), e-mail marketing to consumers is largely an “opt out” regime in the U.S. (other countries are “opt in”). Thus, companies are required to offer customers the ability to opt out from receiving future e-mail marketing communications in any marketing e-mail sent. Companies should also be mindful of special rules associated with marketing communications sent to mobile devices. The Telephone Consumer Protection Act (TCPA), telecom carrier rules, and the Mobile Marketing Association Mobile Advertising Guidelines govern the sending of text messages and e-mails to mobile domain addresses. Companies must satisfy notice and express advance written consent requirements before sending a commercial text message to a mobile device, though written consent may be electronic if certain requirements are met. A change, effective Oct. 1, 2014, to Connecticut's version of the TCPA seemingly expands the scope of the types of covered mobile messages beyond MMS and SMS to mobile app push notifications, a device marketers have been using to avoid the TCPA's express written consent requirements. Additional rules govern telemarketing and fax marketing. TCPA violations have spawned many class action lawsuits, resulting in tens of millions of dollars in settlements paid by advertisers that failed to fully comply.
To avoid problems with future marketing campaigns, companies must carefully consider when it is appropriate to take an opt-in versus an opt-out approach to the sending of future marketing communications. It is important to evaluate whether language is drafted appropriately to cover the additional communications that the company will send now and in the future, including who will send the communications (company only, affiliates, other third parties), how they will be sent (do not assume that “send me updates” means “call me at home during dinner”), and types of communications (about just one product, anything related to the company, anything related to a particular topic of interest, etc.). Recording of customer service calls is also regulated by various state laws regarding notice and consent, the violation of which has generated much recent litigation. Accordingly, companies should consider appropriate spam, do not fax, do not call, call recording, and broader communications policies for employees and vendors.
6. Have You and Your Vendors Adopted a Formal, Written Data Protection Compliance Program?
Despite a sectoral approach to privacy and a state patchwork approach to data security regulation in the U.S., a growing number of companies are now subject to some form of legal obligation to adopt “reasonable” data security measures. Among the laws mandating some form of “reasonable” security are: 1) the Health Insurance Portability and Accountability Act (HIPAA) security regulations applicable to the health care industry; 2) the Gramm-Leach-Bliley Act (GLB Act) “safeguards” regulations for financial institutions; 3) state insurance law analogs to the GLB Act Safeguards Rule applicable to insurance companies; and 4) state laws governing businesses that maintain personal information of residents (see, e.g., Massachusetts, Nevada, and California). Even if your organization happens to operate outside the reach of these particular data security laws, there is a growing consensus that implementation of a formal, written security compliance program is a best practice. In Massachusetts, such a “Written Information Security Program” (WISP) is required if a company has personal information of Massachusetts residents, even if the company itself is not present in the state. Most states also have data breach response and reporting laws, which require prompt action following a suspected compromise. Indeed, the FTC has been very active in exercising its unfairness authority to prosecute companies that have experienced data security breaches, under the theory that failure to take reasonable measures to protect data, even data that is not sensitive (e.g., Twitter account credentials), is an unfair business practice.
7. Does Your Company Engage In Behavioral Advertising?
Online behavioral advertising (OBA), interest-based advertising, and targeted and retargeted advertising are terms used to describe this process of companies' tracking consumers' online activities to profile and target them for specially tailored advertising. Twitter and Facebook have started offering various forms of targeted advertising, including retargeting and “custom advertising” that matches a company's consumer contacts to Facebook member account information. Many companies advertise using OBA but may not be directly involved in collecting and using the OBA data because they employ vendors and ad servers to do this. However, an advertiser, even if engaging in OBA on a non-affiliated site (e.g., retargeting a user who has left your site with an ad on another site), is subject to self-regulatory rules and best practices guidance promulgated by the FTC.
Before engaging in any OBA, companies (both advertisers and publishers) should review the behavioral advertising self-regulatory guidance of the Digital Advertising Alliance (DAA). See, www.aboutads.info. The DAA's guidance provides a self-regulatory framework for advertisers, agencies, publishers and technology companies for engaging in OBA. The DAA provides an iconic form of notice that alerts consumers to OBA and provides a method to opt out. (Facebook and other platforms offer a similar proprietary form of notice.) Though the opt-out method is currently browser-based and thus not effective for mobile apps, the DAA is currently testing a similar notice and opt-out program for OBA via mobile apps, though it is not yet widely adopted by mobile ad networks. While the DAA licenses the icon itself for $5,000 a year, it has three approved service providers that provide compliance and analytics services and can provide the license as part of their services. Also, many advertising intermediaries can provide the on-ad notice under their license. Publishers need not even license and use the icon to comply, so long as they provide an understandable notice such as “About Ads” that links to the opt-out explanation and opportunity. The DAA's enforcement division has brought dozens of actions against noncompliant advertisers, ad networks and publishers, most recently against website publishers that were dropping retargeting cookies on users, without the required notice on such Web pages, to enable ads from that site to be served later when users visited other sites.
To identify and minimize risks, companies should take steps to: 1) understand what tracking is taking place through their marketing campaigns as well as via their websites and mobile applications; 2) try to include appropriate representations, warranties and indemnities in their agreements with vendors assisting them with OBA; and 3) include appropriate disclosures in their privacy policies, on their home pages, and on OBA ads to address what OBA activities may be occurring.
8. Is Your Marketing or Sales Targeted To Children?
Children's privacy issues are lurking in many digital marketing campaigns, whether or not the campaigns are directed to children. On July 1, 2013, the FTC updated the Children's Online Privacy Protection Act (COPPA), which requires a company to obtain parental consent prior to collecting personal information from a child under the age of 13 online or via mobile apps, with limited exceptions. The updated COPPA regulations greatly expand what kind of data requires verified parental consent before being collected from a child under 13 years of age, and such information now includes persistent identifiers. Also, COPPA now creates a new category of so-called mixed-use sites and apps that may in part be directed to children but not primarily so. These sites and services must now screen users for age in a neutral manner and treat them differently based on self-reported age. Mixed-use sites cannot block children under 13 completely, but must offer them COPPA-compliant services. The FTC has made it clear that once any operator (even if directed to adults) has notice that a persistent identifier belongs to a child under 13, it must immediately take action to prevent a violation of COPPA. This includes ensuring that behavioral advertising is not served to them, that social media plug-ins and tools where they can submit publicly available content are not made available to them, and that analytics providers and other vendors do not use their persistent identifiers or other personal information, except pursuant to certain narrow exceptions.
Digital marketing campaigns that are clearly required to comply with COPPA because they are targeted to children often make basic mistakes, such as not posting a COPPA-compliant children's privacy policy (or any privacy policy at all), making the policy hard to find, assuming that it is okay to collect personal information from children as long as the site does not share it with marketers, or failing to properly secure the requisite level of parental consent before personal information from a child is collected, absent a qualifying exception. General audience services too often run afoul of COPPA by collecting the age of consumers in a manner that does not properly weed out those under 13, thereby ending up holding children's personal information with knowledge that they have that data, and then failing to delete it.
9. Will Your Campaign Collect Location-Based Information from Consumers or Otherwise Publicly Share a Consumer's Location?
Location-based services (LBS) have one thing in common regardless of the underlying technology: they rely on, use, or incorporate the location of a device to provide or enhance a service. For instance, a consumer may be able to “check in” at a location with his or her current location displayed to others using the LBS. Retailers are starting to employ in-store “iBeacons” that interact with consumers' mobile devices. Or users' locations can be tracked so that geographically relevant content or ads can be sent to them. Another popular location-based service is an application that enables users to locate other users who are near them.
While such functionality can be valued by users, it is potentially intrusive, and companies should require that certain notices and consents be given and obtained before enabling such functionality on apps or other services. General caution should also be exercised. The San Francisco District Attorney recently sued a mobile app publisher that made teenagers' locations available to each other as an unfair business practice, alleging that it put minors at risk of becoming victims of sexual predators. A digital marketing campaign that incorporates LBS technology should give a user appropriate notice about how location information will be collected, used, shared and disclosed, and should consider age restrictions.
With respect to location tracking, and accessing certain device content or functionality, notice, opportunity to review, and consent are required by carrier and platform rules. User tracking also requires notice and consent in the European Union, and U.S. best practice is to give notice and a means to disable tracking (even if by uninstalling the entire app or service). For LBS technology, there should be a notice and opt-in permission to geo-location tracking that is displayed on a single screen, with links to a more detailed privacy policy, before LBS functionality is enabled. It will also be necessary to post a privacy policy on the app or service (which should be available at the point of registration, if applicable, and on an information page and on the app store page) that specifically addresses the collection of location-based or other sensitive data. The privacy policy should inform users of how they may terminate the collection of location-based information (which may be by uninstalling the software or by exercising privacy options) and of how to exercise any available privacy options (providing such options is recommended). Short-form notice is recommended at the point of consent.
10. Do You Acquire or Share Content Consumption Data?
The Video Privacy Protection Act (VPPA) and similar state laws prohibit disclosure of information that identifies a person as having requested or obtained specific video materials or services from a video “rental” provider, without having first obtained consent from the user. The law was written in the era of video tapes and video rental stores, but has been expanded by some early lower court decisions to include online video streaming services. Some companies wish to share video content consumption information with third parties and/or allow users to share what videos they watched on the company's site with a social networking site like Facebook. Plaintiffs are contending that under these laws, in order for a company to be able to share video viewing information with a third-party social media site or other third parties, the company first needs to obtain user consent to do so. Video service providers can obtain consent electronically over the Internet from a user for use of the video information for a maximum period of two years under the VPPA as it has been recently amended, though some state laws have more complex consent requirements. The form of VPPA consent requires that a separate, independent consent be obtained from the user (outside of consent obtained in a privacy policy/Terms of Use). Thus, companies wishing to share video content consumption information may need to post a separate “Video Privacy Policy” on their sites that complies with the requirements of the VPPA and state laws, and they may need to obtain consent to this document from users that is separate and apart from the consent obtained to typical privacy policies and Terms of Use before sharing a user's video consumption data, absent statutory exception. The scope of the applicability of these laws to online content consumption data sharing remains unclear.
Conclusion
The last decade has seen technology change how companies can target consumers in ways hardly imagined. The results can be beneficial to both brands and consumers, but consumers also face real risks and burdens as a result. Beyond the privacy issues discussed above, traditional regulatory and intellectual property issues must also be considered, and it is recommended that all be reviewed together. Companies need to weigh the benefits and risks of proposed advertising, CRM, and sales schemes and be aware of the changing regulatory landscape that is evolving as technology advances. Further, the most important asset a brand has is its consumer goodwill. New marketing, CRM, and sales approaches that consumers appreciate build goodwill, but those that are perceived as misleading, unfair, or too intrusive can harm the brand.
The role of legal counsel is to help marketers identify and evaluate the risks of novel promotional, consumer relationship management, and sales techniques from conceptualization through execution so that they may minimize risk while still achieving a compelling campaign that delivers the desired return on investment.
Next month, the author will discuss how to develop and operate an overall company data management program.
Companies are increasingly relying on innovative and edgy digital marketing campaigns to promote their products and services. Campaigns often include user-generated content, viral marketing, the brand's website, a mobile application, and other social media and social networking elements. Companies are also looking to harness data through loyalty programs and consumer tracking to better understand, serve and reach their customers.
Big data and the interactivity of digital marketing are powerful tools for marketers, but consumer data protection laws have evolved in recent years, resulting in new and heightened compliance and risk management issues that need to be addressed when executing advanced advertising campaigns and consumer relationship management (CRM) programs. This can be done effectively if a company develops a privacy-by-design compliance culture that implements a process of conducting impact assessments before launching new products, services, campaigns or programs that could have an effect on consumer privacy or data protection. Such assessments can also incorporate analysis of traditional consumer protection impacts, such as compliance with advertising and sales laws, and analysis of intellectual property impacts (both third-party infringement risks and protection of company IP). This will help legal and compliance personnel gather the relevant information from product and marketing teams to assess legal impacts during the development process so that products and sales and marketing can be designed in a manner that minimizes potential liability, while also achieving business goals.
As a starting point for counsel to assess the privacy impacts of their companies' marketing and sales activities, see the list below, which poses questions you should be asking. When you read the answers to the questions below, you will get guidance on the issues to help inform your diligence and counsel.
1. Have You Posted an Appropriate Privacy Policy?
Not posting a privacy policy on a website, mobile application, or any other online service that collects personally identifiable information (PII) (e.g., first and last name, address, e-mail address, telephone number) from a consumer violates not only Federal Trade Commission (FTC) guidance but also California's Online Privacy Protection Act of 2003 (CalOPPA). Companies that collect PII from California consumers through any online service for commercial purposes, even if they are not themselves in California, must conspicuously post a privacy policy that informs individuals of this collection, including:
Further, amendments to CalOPPA, effective Jan. 1, 2014, require the privacy policy to additionally inform individuals of the following practices:
As of Jan. 1, 2015, CalOPPA also requires that privacy policies of services that allow user content postings will also have to provide in a specific manner a notice and a takedown process for minors to remove public-facing content they have posted about themselves.
CalOPPA requires privacy policies to accurately describe data practices, and provides specifics as to how its requirement of “conspicuous posting” may be met, including with regard to placement, various types of font treatment, and word content. The California Attorney General has issued further guidance, particularly on how to deal with the small screens of mobile devices. See, “Making Your Privacy Practices Public,” (May 2014), and “Privacy on the Go: Recommendations for the Mobile Ecosystem,” (Jan. 2013).
The FTC has long used its deception authority to prosecute inaccurate or misleading statements in privacy policies as false advertising claims. In addition, certain regulated industries have specific privacy disclosure obligations, and online services directed to children have special regulatory requirements, outlined below. Accordingly, it is essential that companies annually audit their data collection, use, sharing, processing, storage and security practices and ensure that their privacy policies completely and accurately explain all material practices and comply with applicable laws. Most companies will also need to meet the more stringent California requirements.
In 2013, the California Attorney General sent notices to hundreds of companies, many located outside of the state, that their sites or mobile apps did not include a privacy policy as required by CalOPPA, and where a company failed to comply within 30 days, filed suit under California's Unfair Business Practices Act. While CalOPPA requires such notice and opportunity to cure for failing to post a privacy policy, no notice and cure opportunity is necessary for a state or local prosecutor or for a consumer to bring a CalOPPA-based claim for false or misleading statements in a privacy policy.
2. Are You Using Third Parties to Collect Information, or Are You Sharing Information You Collect With Third Parties?
In addition to the third-party tracking disclosure requirements of the CalOPPA amendment noted above, it is important to consider what information third parties may be directly collecting on your sites and what information you may be sharing with third parties such as co-promotional partners. With regard to third parties you are working with on a campaign, you should consider whether you have addressed data ownership and control issues, properly disclosed information sharing practices, and imposed legally required security obligations where necessary. When addressing the sharing of information with third parties, don't forget that third parties can, under many laws, include your affiliate companies. Although it may feel to you like one big, happy family when you share information among affiliates, you may be creating the wrong impression if you say in your privacy policy, or at an information collection point, that you do not share information collected with any third parties.
Companies should particularly take care to assess their obligations under California Civil Code Section 1798.83 (also known as California's “Shine the Light” law), which provides California residents with certain rights with respect to sharing certain consumer information (defined to include not just personally identifiable information as typically understood, but also certain types of demographic information, and according to the California AG, potentially a persistent identifier used to recognize a user, browser, or device over time and across sites and services, such as an IP address) collected online or offline with third parties (including affiliates) for the third parties' direct marketing purposes. Failure to comply with that scheme has spawned a number of class action lawsuits. Further, a bill in the California legislature would vastly expand the scope and effect of that law.
3. Does Your Campaign Incorporate Cookies, Pixel Tags, Browser Fingerprinting, Web Beacons, or Other Tracking Technologies, and Do You Disclose These Practices?
Undisclosed passive tracking is the stuff that media headlines are made of, and depending upon the scope of the information collected, it may now be required to be disclosed under the recent CalOPPA amendment discussed above. Cookies and other passive tracking practices are receiving increasing scrutiny domestically and globally (particularly in the European Union and Canada) from both the press and lawmakers. Even where passively tracked information is not linked to what we in the U.S. traditionally consider personally identifiable information, it can still raise privacy notice and consent issues. Also, almost every site now uses
4. Has “Privacy By Design” Been Incorporated In Your Campaign Development Process?
In March 2012, the FTC released a set of recommendations for businesses regarding the collection and use of consumer personal information. See, “FTC Issues Final Commission Report on Protecting Consumer Privacy.” A central tenet of this report (the “Privacy Framework”) is the notion of “privacy by design” (PbD), which is the philosophy of embedding privacy and data security considerations from the outset into the design and development of information technologies and minimizing the collection and use of data to what is necessary under the circumstances. The goal of privacy by design is to minimize the privacy impact on consumers and maximize their informed choice. Companies that can “bake in” privacy protections for a new campaign in the conceptualization phase are more likely to avoid having to make changes right before launch or post-launch, when doing so may cause delay and additional cost. In order to effectively implement PbD, it is essential that a knowledgeable privacy professional evaluate the planned data practices to identify issues. For instance, the defendants in the recent flood of lawsuits relating to collection of consumer information as seemingly innocuous as mere zip codes in connection with credit card purchases, which violates California,
5. Do You Offer Choice Regarding Future Marketing Communications?
Companies with immature compliance programs may be surprised to find out that they can't send out marketing materials unless they have the proper permission to do so. The ability to communicate with consumers is increasingly subject to different legal requirements both in this country and internationally. Under the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003), e-mail marketing to consumers is largely an “opt out” regime in the U.S. (other countries are “opt in”). Thus, companies are required to offer customers the ability to opt out from receiving future e-mail marketing communications in any marketing e-mail sent. Companies should also be mindful of special rules associated with marketing communications sent to mobile devices. The Telephone Consumer Protection Act (TCPA), telecom carrier rules, and the Mobile Marketing Association Mobile Advertising Guidelines govern the sending of text messages and e-mails to mobile domain addresses. Companies must satisfy notice and express advance written consent requirements before sending a commercial text message to a mobile device, though written consent may be electronic if certain requirements are met. A change, effective Oct. 1, 2014, to Connecticut's version of the TCPA seemingly expands the scope of the types of covered mobile messages beyond MMS and SMS to mobile app push notifications, a device marketers have been using to avoid the TCPA's express written consent requirements. Additional rules govern telemarketing and fax marketing. TCPA violations have spawned many class action lawsuits, resulting in tens of millions of dollars in settlements paid by advertisers that failed to fully comply.
To avoid problems with future marketing campaigns, companies must carefully consider when it is appropriate to take an opt-in versus an opt-out approach to the sending of future marketing communications. It is important to evaluate whether language is drafted appropriately to cover the additional communications that the company will send now and in the future, including who will send the communications (company only, affiliates, other third parties), how they will be sent (do not assume that “send me updates” means “call me at home during dinner”), and types of communications (about just one product, anything related to the company, anything related to a particular topic of interest, etc.). Recording of customer service calls is also regulated by various state laws regarding notice and consent, the violation of which has generated much recent litigation. Accordingly, companies should consider appropriate spam, do not fax, do not call, call recording, and broader communications policies for employees and vendors.
6. Have You and Your Vendors Adopted a Formal, Written Data Protection Compliance Program?
Despite a sectorial approach to privacy and a state patchwork approach to data security regulation in the U.S., a growing number of companies are now subject to some form of legal obligation to adopt “reasonable” data security measures. Among the laws mandating some form of “reasonable” security are: 1) the Health Insurance Portability and Accountability Act (HIPAA) security regulations applicable to the health care industry; 2) the Gramm-Leach-Bliley Act (GLB Act) “safeguards” regulations for financial institutions; 3) state insurance law analogs to the GLB Act Safeguards Rule applicable to insurance companies; and 4) state laws governing businesses that maintain personal information of residents (see, e.g.,
7. Does Your Company Engage In Behavioral Advertising?
Online behavioral advertising (OBA), interest-based advertising, and targeted and retargeted advertising are terms used to describe this process of companies' tracking consumers' online activities to profile and target them for specially tailored advertising. Twitter and Facebook have started offering various forms of targeted advertising, including retargeting and “custom advertising” that matches a company's consumer contacts to Facebook member account information. Many companies advertise using OBA but may not be directly involved in collecting and using the OBA data because they employ vendors and ad servers to do this. However, an advertiser, even if engaging in OBA on a non-affiliated site (e.g., retargeting a user who has left your site with an ad on another site), is subject to self-regulatory rules and best practices guidance promulgated by the FTC.
Before engaging in any OBA, companies (both advertisers and publishers) should review the behavioral advertising self-regulatory guidance of the Digital Advertising Alliance (DAA). See, www.aboutads.info. The DAA's guidance provides a self-regulatory framework for advertisers, agencies, publishers and technology companies for engaging in OBA. The DAA provides an icon-based form of notice that alerts consumers to OBA and provides a method to opt out. (Facebook and other platforms offer a similar proprietary form of notice.) Though the opt-out method is currently browser-based and thus not effective for mobile apps, the DAA is currently testing a similar notice and opt-out program for OBA via mobile apps, though it is not yet widely adopted by mobile ad networks. While the DAA licenses the icon itself for $5,000 a year, it has three approved service providers that provide compliance and analytics services and can provide the license as part of their services. Also, many advertising intermediaries can provide the on-ad notice under their license. Publishers need not even license and use the icon to comply, so long as they provide an understandable notice such as “About Ads” that links to the opt-out explanation and opportunity. The DAA's enforcement division has brought dozens of actions against noncompliant advertisers, ad networks and publishers, most recently against website publishers that were dropping retargeting cookies on users, without the required notice on such Web pages, to enable ads from that site to be served later when users visited other sites.
To identify and minimize risks, companies should take steps to: 1) understand what tracking is taking place through their marketing campaigns as well as via their websites and mobile applications; 2) try to include appropriate representations, warranties and indemnities in their agreements with vendors assisting them with OBA; and 3) include appropriate disclosures in their privacy policies, on their home pages, and on OBA ads to address what OBA activities may be occurring.
8. Is Your Marketing or Sales Targeted To Children?
Children's privacy issues are lurking in many digital marketing campaigns, whether or not the campaigns are directed to children. On July 1, 2013, the FTC updated the Children's Online Privacy Protection Act (COPPA) rule, which requires a company to obtain parental consent prior to collecting personal information from a child under the age of 13 online or via mobile apps, with limited exceptions. The updated COPPA regulations greatly expand what kind of data requires verified parental consent before being collected from a child under 13 years of age, and such information now includes persistent identifiers. Also, COPPA now creates a new category of so-called mixed-use sites and apps that may in part be directed to children but not primarily so. These sites and services must now screen users for age in a neutral manner and treat them differently based on self-reported age. Mixed-use sites cannot block children under 13 completely, but must offer them COPPA-compliant services. The FTC has made it clear that once any operator (even one directed to adults) has notice that a persistent identifier belongs to a child under 13, it must immediately take action to prevent a violation of COPPA. This includes ensuring that behavioral advertising is not served to them, that social media plug-ins and tools where they can submit publicly available content are not made available to them, and that analytics providers and other vendors do not use their persistent identifiers or other personal information, except pursuant to certain narrow exceptions.
Digital marketing campaigns that are clearly required to comply with COPPA because they are targeted to children often make basic mistakes, such as not posting a COPPA-compliant children's privacy policy (or any privacy policy at all), making the policy hard to find, assuming that it is okay to collect personal information from children as long as the site does not share it with marketers, or failing to properly secure the requisite level of parental consent before personal information from a child is collected, absent a qualifying exception. General audience services too often run afoul of COPPA by collecting the age of consumers in a manner that does not properly weed out those under 13, thus ending up holding personal information of children while on notice that they have that data, and then failing to delete it.
9. Will Your Campaign Collect Location-Based Information from Consumers or Otherwise Publicly Share a Consumer's Location?
Location-based services (LBS) have one thing in common regardless of the underlying technology: they rely on, use, or incorporate the location of a device to provide or enhance a service. For instance, a consumer may be able to “check in” at a location with his or her current location displayed to others using the LBS. Retailers are starting to employ in-store “iBeacons” that interact with consumers' mobile devices. Or users' locations can be tracked so that geographically relevant content or ads can be sent to them. Another popular location-based service is an application that enables users to locate other users who are near them.
While such functionality can be valued by users, it is potentially intrusive, and companies should require that certain notices and consents be given and obtained before enabling such functionality on apps or other services. General caution should also be exercised. The San Francisco District Attorney recently sued, as an unfair business practice, a mobile app publisher that made teenagers' locations available to each other, alleging that it put minors at risk of becoming victims of sexual predators. A digital marketing campaign that incorporates LBS technology should give a user appropriate notice about how location information will be collected, used, shared and disclosed, and should consider age restrictions.
With respect to location tracking, and accessing certain device content or functionality, notice, opportunity to review, and consent are required by carrier and platform rules. User tracking also requires notice and consent in the European Union, and U.S. best practice is to give notice and a means to disable tracking (even if by uninstalling the entire app or service). For LBS technology, there should be a notice and opt-in permission to geo-location tracking that is displayed on a single screen, with links to a more detailed privacy policy, before LBS functionality is enabled. It will also be necessary to post a privacy policy on the app or service (which should be available at the point of registration, if applicable, and on an information page and on the app store page) that specifically addresses the collection of location-based or other sensitive data. The privacy policy should inform users of how they may terminate the collection of location-based information (which may be by uninstalling the software or by exercising privacy options) and of how to exercise any available privacy options (providing such options is recommended). Short-form notice is recommended at the point of consent.
10. Do You Acquire or Share Content Consumption Data?
The Video Privacy Protection Act (VPPA) and similar state laws prohibit disclosure of information that identifies a person as having requested or obtained specific video materials or services from a video “rental” provider, without having first obtained consent from the user. The law was written in the era of video tapes and video rental stores, but has been expanded by some early lower court decisions to include online video streaming services. Some companies wish to share video content consumption information with third parties and/or allow users to share what videos they watched on the company's site with a social networking site like Facebook. Plaintiffs are contending that under these laws, in order for a company to be able to share video viewing information with a third-party social media site or other third parties, the company first needs to obtain user consent to do so. Video service providers can obtain consent electronically over the Internet from a user for use of the video information for a maximum period of two years under the VPPA as it has been recently amended, though some state laws have more complex consent requirements. The form of VPPA consent requires that a separate, independent consent be obtained from the user (outside of consent obtained in a privacy policy/Terms of Use). Thus, companies wishing to share video content consumption information may need to post a separate “Video Privacy Policy” on their sites that complies with the requirements of the VPPA and state laws, and they may need to obtain consent to this document from users that is separate and apart from the consent obtained to typical privacy policies and Terms of Use before sharing a user's video consumption data, absent statutory exception. The scope of the applicability of these laws to online content consumption data sharing remains unclear.
Conclusion
The last decade has seen technology change how companies can target consumers in ways hardly imagined. The results can be beneficial to both brands and consumers, but consumers also face real risks and burdens as a result. Beyond the privacy issues discussed above, traditional regulatory and intellectual property issues must also be considered, and it is recommended that all be reviewed together. Companies need to weigh the benefits and risks of proposed advertising, CRM, and sales schemes and be aware of the changing regulatory landscape that is evolving as technology advances. Further, the most important asset a brand has is its consumer goodwill. New marketing, CRM, and sales approaches that consumers appreciate build goodwill, but those that are perceived as misleading, unfair, or too intrusive can harm the brand.
The role of legal counsel is to help marketers identify and evaluate the risks of novel promotional, consumer relationship management, and sales techniques from conceptualization through execution so that they may minimize risk while still achieving a compelling campaign that delivers the desired return on investment.
Next month, the author will discuss how to develop and operate an overall company data management program.