Who Gave You the Right? A Survey of U.S. Privacy Law

As marketers, we want good data about consumers so that we can craft meaningful and personalized messages. Consumers want marketers to help them filter out irrelevant information. Despite these well-matched objectives, marketers and consumers often hold different opinions on the role of privacy rights.

For consumers, privacy is typically an individualized concept based on experience. They know a privacy violation when they see it. But, they may not be able to tell someone in advance what will constitute a violation.

For marketers, privacy rules can seem vague and unevenly enforced. Even worse, marketers may perceive privacy rules to be a nuisance. In this environment, having a practical understanding of privacy law is indispensable. First and foremost, it helps us avoid brand-damaging mistakes. In addition, it serves as a useful proxy for consumer privacy sentiment. This white paper sorts through the noise and identifies those legal standards that are most important for marketers interested in US privacy law.

The topic is timely. Privacy violations, or perceived privacy violations, can make front page news. Facebook, Twitter, and Google have all faced controversy over how they collect data from consumers, and what they do with that data once they have it. When the data collected from consumers is used for advertising and marketing, the term that is commonly used to describe the consumer’s rights is “commercial privacy” – a concept that has roots in the Constitution, federal and state legislation, and Federal Trade Commission (FTC) enforcement actions.

WE THE PEOPLE OF THE UNITED STATES – WHAT THE CONSTITUTION SAYS

While the Constitution does not specifically mention the term “privacy,” the Bill of Rights has been recognized as limiting the government’s intrusion into an individual’s right to privacy. For example, the First Amendment provides a right to free assembly. The Fourth Amendment guards against unreasonable searches and seizures. The Ninth Amendment declares that the absence of a right in the Bill of Rights does not mean that the government can infringe on that right. And, the due process clause of the Fourteenth Amendment prohibits the government from depriving individuals of life, liberty, and property. Furthermore, the Supreme Court has held that the due process clause of the Fourteenth Amendment protected a “right to privacy.”

The Supreme Court also has extended the applicability of the Bill of Rights to those engaged in an indirect relationship with the government. An example would be companies involved in interstate commerce and therefore subject to the jurisdiction of the FTC – which regulates advertising, marketing, and commercial privacy.

FEDERAL LEGISLATION

While the United States does not have a comprehensive commercial privacy law, Congress has passed several acts expanding privacy protections in the past decade. Often, these laws are written as industry-specific legislation and end up containing very influential sections on commercial privacy. Examples include the 1999 Gramm-Leach-Bliley Act (GLBA) in the financial industry, and the 1996 Health Insurance Portability and Accountability Act (HIPAA). Importantly, many of these laws give agencies such as the FTC the authority to write administrative rules that further expand the notion of commercial privacy and the tools for government enforcement.

The following are examples of recent federal legislation that have significant implications for gathering, using, and transmitting customer data:

Children’s Online Privacy Protection Act (COPPA) applies to websites targeting children under the age of 13. This legislation was passed in 2000 in response to an FTC report that highlighted the growing concern for children’s privacy on the internet. Key provisions of the act prohibit the distribution of children’s personal data and require parental notification.

Gramm-Leach-Bliley Act (GLBA) requires clear disclosure of information-sharing practices among financial institutions. These can include, but are not limited to, mortgage lenders, real estate appraisers, loan brokers, investment advisors, and banks.

Health Insurance Portability and Accountability Act (HIPAA) provides federal protection of the privacy of personal health information held by covered entities. While this legislation permits the disclosure of personal health information needed for patient care, it is designed to protect sensitive patient health information by requiring written notice of privacy practices of health care providers.

Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) regulates commercial email. This 2003 law permits email marketers to send unsolicited commercial email as long as it complies with three basic requirements. First, it must comply with the “unsubscribe” provisions of the law. Second, it must meet the “content” compliance requirements. Lastly, it must follow the law's “sending behavior” compliance provisions.

STATES’ ROLES IN COMMERCIAL PRIVACY LAW

In the current absence of a comprehensive federal commercial privacy law, some states have filled the gap with their own legislation. The primary example of this is California’s 2002 “data breach notification” law which has been copied by most states. These laws address breaches of consumer databases containing personal identifiers and require the owners of such databases to disclose the breach.

FTC ENFORCEMENT ACTIONS – CURRENT GUIDANCE

Until a government agency enforces a specific legislative act, or a collection of acts, it can be difficult to determine how to apply the provisions to marketing practices. The FTC’s recent enforcement actions show that the agency acts both to protect consumer privacy and to protect consumers from deceptive practices – two concepts that are often intertwined.

Alleging a violation of deceptive practices standards, the FTC reached a settlement with Google regarding its social networking site Google Buzz. Google had attempted to leverage people’s Gmail accounts into a social network to compete with Facebook. The crux of this case was Google’s claim that users could opt out of Buzz, which in fact could not easily be done. In addition, if users did not change the default settings, Buzz exposed users’ email contacts. The FTC found that Google violated its own privacy policy and used deceptive tactics when it launched Buzz. As part of its settlement, Google was required to create a comprehensive privacy program, be subject to regular privacy audits for the next 20 years, and obtain people’s express consent before sharing information.

Another example of an FTC enforcement action involving “deceptive practices” is a settlement with the video advertising network ScanScout. ScanScout claimed in its terms of service that one could opt out of targeted ads by disabling the cookie function of the browser. According to the FTC, changing the browser setting did not block ScanScout’s “flash cookies,” which cannot easily be blocked or deleted by users. The FTC found that ScanScout had engaged in deceptive practices by violating its own terms of service.

The FTC also recently settled a case with an operator of a website over violations of COPPA for collecting personal information from over 5,000 children without obtaining prior parental consent as required. As part of its settlement, the operator of the website agreed to destroy the illegally obtained information, refrain from future COPPA violations, and pay a $100,000 fine, all but $1,000 of which was suspended. The FTC also required the operator to link to online educational material and retain an online privacy professional, or join an FTC-approved Safe Harbor program, to oversee any COPPA-covered website he may run.

But the big news is that the FTC and Facebook are discussing a settlement concerning deceptive practices as they relate to privacy settings. The reported terms of the settlement have Facebook agreeing to privacy audits for 20 years. Facebook would also be prohibited from making public any information that a user originally shared privately without his or her explicit permission. It reportedly does not require Facebook to get consent from its users on new sharing features. This settlement stemmed from a 2009 complaint that Facebook had changed its settings to make more information public, without obtaining the consent of the users.

THE FUTURE OF COMMERCIAL PRIVACY

Pressure is mounting on two fronts for Congress to enact some version of a comprehensive commercial privacy law. First, there is international pressure to have some semblance of uniformity to enable cross-border commerce. And second, in the absence of federal leadership on commercial privacy, the states may legislate independently. Of the various legislative proposals that have been made, the Commercial Privacy Bill of Rights co-sponsored by Senator John Kerry and Senator John McCain has the most support. This legislation, introduced in April of 2011, would bring commercial privacy protection standards up to those of our most important trading partners in Europe and Asia, as well as preempt any state-specific acts.

This proposed law stands a good chance of passing, in some form. And if it does, the area of commercial privacy will be undergoing rapid change in the next few years as marketers transition from dealing with a patchwork of federal and state legislation to dealing with a comprehensive federal commercial privacy law with international repercussions. While the downside may be more restrictions, the upside is that the future may offer more clarity for marketers.

ABOUT CATALYSIS

For nearly 20 years, Catalysis has specialized in the digital integration of award-winning marketing campaigns that drive connected, measurable results. Our clients include Microsoft, Moss Adams, Banner Mattress, Thunder Valley Casino, BabyLegs, and WineBid.

For more information, contact info@catalysis.com or visit our website at www.catalysis.com.

The information contained in this publication is general and is for informational purposes only. Catalysis makes no warranties, express or implied, in this material.