August 2009
Greetings!


Recent amendments to Germany's Data Protection Act restrict marketers' data collection practices and have businesses inside and outside of the country scrutinizing their methods.
 
In the U.S., lawmakers in the state of Maine passed a bill in June restricting what they call "predatory" marketing practices involving minors. The law sets restrictions on the collection and use of minors' information in both the online and offline realm. Although this law passed quietly, it has generated great interest in recent weeks and is expected to face a business and industry backlash, and perhaps legal action, before taking effect on September 12.

Unlike Germany, the U.S. has no broad federal legislation concerning online advertising practices. But both Congress and the Federal Trade Commission have shown deep interest in the area in recent months. In an interview with the New York Times last week, FTC Bureau of Consumer Protection head David Vladeck described the advertising industry's recently revised self-regulatory proposal as "helpful" but insufficient, and echoed the widely expressed sentiment that most privacy notices fail to adequately inform consumers.

In this issue of Inside 1to1: Privacy, we explore these issues from two different angles. First, Jay Cline provides an overview of opt-in/opt-out requirements across the globe and offers practical tips for marketers' privacy-consent strategies. Next, Larry Dobrow explores the results of an academic-industry research collaboration that has produced a consumer-friendly privacy disclosure model--a privacy nutrition label.    

The issues at the intersection of privacy and marketing are heating up. We will discuss many of them--including radical new approaches to privacy notices--at the IAPP Privacy Academy 2009.

J. Trevor Hughes, CIPP
Executive Director, IAPP

Opt in or opt out for global direct marketing?

By Jay Cline, CIPP

U.S.-based corporations sending direct-marketing messages outside the States face a maze of regulations that could ground marketing campaigns before they get started. In these situations, a carefully planned privacy-consent strategy can help maximize the available returns on marketing expenditures.

Companies with headquarters in the U.S. often target Canada as their first non-U.S. destination for expansion because of its proximity and common language. But despite Canada's proximity, its requirements for the level of consumer consent needed to send direct marketing can differ substantially.

"Unfortunately, there are no simple and fast rules as to when opt-in consent is required and an opt-out approach is acceptable," Kris Klein, CIPP/C, head of the Ottawa-based Law Office of Kris Klein, told Inside 1to1: Privacy.

"For example, an individual's workplace fax number is not personal information and can be used for marketing purposes without consent," Klein explained. "However, workplace e-mail addresses are considered personal information."

For telemarketing to Canadian residents, U.S. companies should consult Canada's do-not-call registry launched in 2008.

U.S.-based firms deciding to expand into Europe often choose the UK as a beachhead because of its shared language. With a foothold in the UK, U.S. firms typically next turn their attention to the largest EU markets: France, Germany, Spain, and Italy. But despite their shared membership in the EU, these countries have taken varied approaches to regulating direct marketing.

"The difference between UK and Spanish law in this area highlights the lack of harmonization across the EU," reported Eduardo Ustaran, partner at London-based Field Fisher Waterhouse. "In the UK, it's possible to have obtained e-mail addresses in the course of mere negotiations for the sale of a product in order to operate on an opt-out basis. In Spain, an existing and proven contractual relationship will be required."

"When you look at things like viral marketing," he added, "the Spanish approach is even more severe. The Spanish authorities have actively clamped down on the use of refer-a-friend facilities."

Rocco Panetta, a Rome-based attorney with Panetta & Associates, told Inside 1to1: Privacy that Italy takes a strict line on telecommunications-based direct marketing. Automatic marketing communications sent via SMS and fax "are allowed in the case of express previous consent of the interested person only," he said. Telemarketing calls to residential phones require opt-in consent, while calls to business numbers are allowed to be made on an opt-out basis. 

"Telephone direct marketing is the less appreciated way to do marketing in Italy," Panetta explained. "Culturally, the postal mail is more accepted."

For its part, France has a reputation for stringent privacy regulations. Pascale Gelly, head of Paris-based Cabinet Gelly, generally concurs with that sentiment. "Most businesses know that France is an opt-in country when it comes to direct marketing by e-mail," she reported. "However, they may not be aware of the good and the bad news around this rule."

"Beginning with the bad news: The potential sanction is 750 Euros per e-mail sent in violation of this rule," she explained. "The good news is that the CNIL [France's data protection authority] interprets the opt-in rule as not applying to e-mails sent to professionals on topics related to their work," she added, "which shows a certain degree of flexibility."

Dr. Sachiko Scheuing, the Frankfurt-based European Privacy Officer for Acxiom, told Inside 1to1: Privacy that "German privacy requirements for direct marketing are characterised by the strong interplay among different laws:  the data protection law, anti-competition law, and the telemedia law."

"For instance, telemarketing requires an opt-in in Germany," Scheuing explained. "This requirement is set out in the anti-competition law [Gesetz gegen unlauteren Wettbewerb] rather than the data protection law."

Scheuing noted that, because of privacy scandals, the German data protection law was recently amended to require direct marketers to gain opt-in consent in more situations.

American companies entering the more exotic Asia-Pacific region for the first time tend to begin in Australia, which is a bit more familiar. But while Australia is often considered by U.S. companies to be more business-friendly in the area of privacy regulation, the country maintains a multi-pronged direct-marketing regime.

"Direct marketing in Australia is directly covered by three pieces of federal legislation," observed Malcolm Crompton, head of privacy consultancy Information Integrity Solutions. "Each gives individuals the right to opt out after the first contact," he explained.

"In certain circumstances, however, opt-in consent is also required," he added. During his term as Privacy Commissioner of Australia, Crompton was instrumental in developing this framework.

"The Privacy Act 1988 allows direct marketing without opt-in consent only if beforehand 'it is impracticable for the organisation to seek the individual's consent'," he said.  "The Spam Act 2003 requires commercial electronic messages--including e-mail, instant messaging, SMS, and MMS--to be sent with the prior consent of the recipient, unless there is an established business relationship."

Australia, like Canada and the U.S., also maintains a do-not-call registry.

Despite its proximity to the U.S., Latin America's less-developed markets can mean it is the last stop for U.S. companies going global. But its emerging-market status will nonetheless continue to attract direct-marketing campaigns from the U.S. According to Luis Salazar, CIPP, a Miami-based partner at Greenberg Traurig, those campaigns will require a country-by-country approach.

"Latin America lacks a consistent approach to direct marketing," Salazar noted, "and, even where regulations do exist, enforcement is uneven."

"In countries with more developed laws in this area--like Mexico's Ley Federal de Protecion de Consumidores," Salazar added, "it's easier to plan good, compliant marketing campaigns."

"But in countries that just rely on often amorphous habeas data rights, one inappropriate piece of direct marketing can lead to significant penalties."

Salazar explained that Latin Americans used to be put off by impersonal direct marketing. "The massive proliferation of the mobile phone in Latin America has dramatically changed that. Consumers are more receptive to direct marketing and savvier about it, too."

With all of these national and regional variations, what are some proven strategies for maximizing a return on marketing dollars? Perhaps one of the most common inclinations of companies first encountering this area is to adopt a corporate policy that applies globally the most restrictive regulations found in any one jurisdiction. This "high-road" or "conservative" approach can be a mistake, however. Adopting an opt-in approach to an e-mail marketing campaign, for example, when an opt-out approach is allowable and culturally acceptable within a certain country can make the difference between a positive or negative return-on-investment for the campaign.

What do more experienced companies do in these situations? Adopt a global policy that says the company will obtain appropriate consent for direct-marketing communications, and supplement it with country policies that define how consent is obtained in each locale.

"That approach provides the most flexibility while maintaining compliance with relevant law in each jurisdiction where the company targets consumers," said D. Reed Freeman, partner at Kelley Drye & Warren. "But flexibility is not free. It comes with the obligation to know the law in each relevant jurisdiction, as well as the enforcers' views on the application of the law to specific marketing programs, and an obligation to keep track of the consents received on a per-consumer, per-country basis."



E-mail marketing consent requirements

The table below indicates what level of consent a U.S.-based company is likely to need to obtain in order to send marketing messages about its products or services to the different types of e-mail addresses indicated in the table. Because circumstances of a particular campaign can alter these requirements, however, companies should consult an attorney.

Column key:
(1) Direct marketing sent to a consumer's e-mail address obtained in the course of negotiating the sale of a product or service to that consumer
(2) Direct marketing sent to a consumer's e-mail address obtained during the conclusion of a sale of a similar product or service to that consumer
(3) Direct marketing sent to personal e-mail addresses obtained from third parties, online sources, or refer-a-friend
(4) Direct marketing sent to workplace e-mail addresses obtained from third parties, online sources, or refer-a-friend

Country      (1)       (2)       (3)       (4)
USA          Opt-out   Opt-out   Opt-out   Opt-out
Canada       Opt-out   Opt-out   Opt-in    Opt-in
Mexico       Opt-out   Opt-out   Opt-out   Opt-out
UK           Opt-out   Opt-out   Opt-in    Opt-out
France       Opt-in    Opt-out   Opt-in    Opt-out
Belgium      Opt-in    Opt-out   Opt-in    Opt-out
Germany      Opt-in    Opt-out   Opt-in    Opt-in
Spain        Opt-in    Opt-out   Opt-in    Opt-in
Italy        Opt-in    Opt-out   Opt-in    Opt-in
Australia    Opt-out   Opt-out   Opt-in    Opt-out

Source: USA - Jay Cline; Canada - Kris Klein; Mexico - Luis Salazar; UK - Eduardo Ustaran; France - Pascale Gelly; Belgium - Jan Dhont, Lorenz Law; Germany - Sachiko Scheuing; Spain - Eduardo Ustaran; Italy - Rocco Panetta; Australia - Malcolm Crompton

Jay Cline is president of Minnesota Privacy Consultants.

MEANINGFUL EDUCATION FOR TODAY'S PRIVACY CHALLENGES
From operational privacy and technology to theoretical discussion and debate, this year's Academy offers a wealth of educational programming. This September the IAPP will bring together scholars, authors, and privacy professionals to share challenges, network with peers, and engage with the world's top experts on managing privacy. Sign up for our Preconference Workshop Day on Wednesday, September 16 to add even more practical education to your Academy experience.

Privacy's nutrition label

By Larry Dobrow

The need for more simplified privacy policies isn't exactly breaking news. For years, consumers--at least those few who bothered to read them--flailed amid the policies' mix of dense legalese and impermeable jargon. While pundits and consumer advocates railed against the worst offenders and pressed the need for a different approach, it's not as if they could do much about how, say, Best Buy or Bank of America framed their privacy/information-sharing disclosures.

Behind the scenes, however, a team of academics, researchers, and wonks from Carnegie Mellon University and Microsoft have been attempting to bring clarity and ease-of-use to the privacy-policies debate. The first drafts of their efforts, dubbed the "nutrition label for privacy," have been tested extensively with consumers and privacy experts alike. While a final product is still months away, the initial versions would make privacy policies easily interpretable for the first time ever.

The academic/research team set out with a single goal, according to Lorrie Cranor, a professor in Carnegie Mellon's School of Computer Science: to create a standardized format for privacy policies. At first, a bulleted-list format was discussed and mocked up, but it ultimately proved unworkable. Before long, however, the group glanced at a nutrition label on the back of a box of cereal and had a collective "Eureka!" moment.

"Nutrition labels--you don't read them every time you buy a product, but you know they're there and you know what you're going to find on them," Cranor explains. "Let's say you go to the doctor and you're told you have high cholesterol--well, then you look at the label. We were thinking a nutrition-label-type setup might be useful in the same way for privacy."

The mantra throughout the nutrition label's evolution was singular: Keep it simple. To that end, the Carnegie Mellon/Microsoft team endeavored to eliminate verbiage not familiar to privacy novices. Phrases like "behavioral profiling" were broken down and explained in basic language. Even terminology like "opt in" and "opt out" was briefly removed from consideration, before being re-installed in later iterations.

"It was very tempting to use symbols to represent various things, but it's hard for people to understand symbols when you're talking about fudgy concepts like privacy," Cranor recalls, admitting with a knowing laugh that there were "all kinds of disasters." As of late July, she and her peers were still deciding the fate of the dreaded red exclamation point, used in the nutrition label to announce that a company collects data and doesn't allow users to opt in or opt out, among other things. Apparently focus groups found it too harsh and negative.

So far, feedback from those groups as well as privacy experts--Cranor and her peers handed out drafts of the nutrition label at several conferences, encouraging attendees to mark them up and send them back--has been largely positive. Several A-list companies have responded with enthusiasm and hinted they might eventually want to use the label (Cranor declines to identify them). Others have praised the snapshot the nutrition label gives of an organization's privacy practices, but are hoping it can be amended to include information about third-party advertising or social-networking practices.

"One thing you do lose is that very detailed bit about third-party advertising. We can represent in the grid everything that comes as a part of it, but maybe not at the level of detail some people may want," Cranor concedes. As a result, the label is being tweaked for online use: When a user mouses over any cell in the grid, more information will appear on his screen.

As for the future, Cranor says that the nutrition label will be built into the privacyfinder.org search engine--possibly by the time you read this. More testing is currently taking place, with Cranor et al. particularly focused on whether the nutrition label deals with privacy too generically and doesn't take into account quirks from various industries (sensitive ones like healthcare and finance vs. less-sensitive ones like retail).

Cranor is also keen to address a question she was initially asked while participating in a Federal Trade Commission workshop on the topic of privacy policies a year ago. "Somebody asked me point blank, 'If nobody reads privacy policies, why are we bothering with them?'" she recalls. "What I told them, and what I've told a bunch of people since then, is that our goal isn't that everybody reads privacy policies all the time. Our goal is that when somebody has a question about privacy, that information is there for them and that they can quickly and easily access it. We hope that we're on our way to that."

Editorial Advisory Board
Don Peppers
Partner
Peppers & Rogers Group


Martha Rogers, Ph.D.
Partner
Peppers & Rogers Group


J. Trevor Hughes, CIPP
Executive Director
IAPP


Larry Ponemon, CIPP
Founder
The Ponemon Institute


Jonathan D. Avila, CIPP
Vice President - Counsel, Chief Privacy Officer
The Walt Disney Company 
Research Update

Let's collaborate

Privacy leaders ranked how important it is for their organization's privacy function to collaborate with other corporate functions, revealing that:

100 percent feel collaboration with Information Security is very important or important

98 percent feel collaboration with Information Technology is very important or important

93 percent feel collaboration with Regulatory Compliance is very important or important

83 percent feel collaboration with Human Resources is very important or important

According to the results, important to a lesser extent is collaboration with:

  • Corporate ethics
  • Physical security
  • Internal audit
  • Records management
  • Marketing
  • Government affairs
  • Public relations and procurement

Those who attend the IAPP Privacy Academy 2009 next month will receive the full findings of the Ponemon Institute-International Association of Privacy Professionals benchmarking survey at no cost.

Privacy Academy 2009 takes place September 16-18 in Boston.

www.privacyacademy.org




Stay on Top of the Latest Legislative Action
PRIVACY TRACKER THIS MONTH

Legal experts discussed the outlook on Maine's new predatory marketing law, set to take effect next month, during a special Privacy Tracker audio call. Get streaming audio of the call to learn about the broad-reaching law, which prohibits the collection and use of a minor's personal information. Not a Privacy Tracker subscriber yet?
Sponsorship Opportunities
Sponsorship opportunities are available for this newsletter, the IAPP Privacy Academy 2009 in Boston, the IAPP Practical Privacy Series in Washington, DC, and more.

IAPP Certification Testing
Boston, MA
Fri., September 18

Cincinnati, OH
Weds., September 23

Los Angeles, CA
Weds., September 30

Atlanta, GA
Weds., October 7

Denver, CO
Weds., October 14

Washington, DC
Thurs., October 15

Vancouver, BC
Fri., October 16

Folsom, CA
Mon., October 19

Ottawa, ON
Thurs., October 22


UPCOMING IAPP KNOWLEDGENETS

Detroit, MI
Tues., August 25
11:30 a.m. to 1 p.m.
Speaker: Stuart Feravich, Compuware Corporation
Topic: Hidden PII, What are You Missing? How to Lock All the Doors


Philadelphia, PA
Weds., September 2
11:30 a.m. to 2 p.m.
Speakers: Barbara Jones, Keystone Mercy; James Parker, Deloitte Services; Sarah Morrow, The Pennsylvania State University
Topic: Managing the Privacy Function across Organizations


Chicago, IL
Thurs., September 3
11:30 a.m. to 1 p.m.
Topic: Red Flags Rule Revisited: How Does it Apply to You?

About Us
The International Association of Privacy Professionals (IAPP) is the world's largest association of privacy professionals with more than 6,200 members in 47 countries. The IAPP helps define and support the privacy profession through networking, education, and certification.

Peppers & Rogers Group is a management consulting firm recognized as the world's leading authority on customer-based business strategy. The company is dedicated to helping enterprises identify differences within the customer base and to use that knowledge to gain a competitive advantage.
170 Cider Hill Road, York, Maine 03909 Phone 207-351-1500 or 800-266-6501
Copyright © 2000-2009 International Association of Privacy Professionals.
The views in this eNewsletter, if any, are those of the authors and are not necessarily those of the IAPP.