By: Aaron Krowne

On July 1, 2014, the first provisions of the Canadian Anti-Spam Law (“CASL”) will come into effect. CASL intends to address the e-mail “spam” problem, where spam is undesired commercial electronic messages (“CEMs”), by requiring that recipients of CEMs consent to their receipt, either expressly or implicitly. CASL covers the sending of CEMs to all Canadian persons, the unsolicited installation of computer programs, and the alteration of transmitted data by third parties (collectively, “Covered Acts”). If any of the Covered Acts are performed in a manner not compliant with CASL, the violating party may be subject to a monetary penalty of up to $1,000,000 for an individual and $10,000,000 for an organization (these are in Canadian dollars; however, in recent years the Canadian dollar has been nearly equal in value to the U.S. dollar). The below is merely an overview and summary of CASL and therefore does not represent legal advice for any specific scenario or set of facts.

How to Send Compliant CEMs

The following is required in order for a party to send CASL compliant CEMs:

  1. Obtain consent from potential recipients, either explicitly or implicitly (see below for a more detailed explanation).
  2. Clearly disclose the purpose of the consent being obtained, and clearly indicate who is requesting the consent.
  3. Clearly disclose, in each message, who has sent it, and on whose behalf it has been sent.
  4. Provide working contact information for the party sending CEMs.
  5. Include an unsubscribe mechanism in each message sent.

Consent can be implied and valid under CASL if the sender and recipient have a pre-existing business (or non-business) relationship, and in a limited number of other circumstances. This prior relationship must, generally, be based on actions within the last two years, except for the first 36 months of CASL (a transitional period during which the relationship can go back an unlimited amount of time). Critically, the burden is on the sender of CEMs to establish implied consent. If, for example, a Canadian recipient of CEMs wrongly files a complaint against a sender, and the sender has lost the business records that would establish valid implied consent, the sender may nevertheless be fined as if there was no consent at all.

Express consent can also be inferred by the sender based on actions or expressions of the recipient; however, the burden of proof then remains on the sender.

E-mails, Voice Messages, and Text Messages Oh My!

CASL goes beyond e-mail, and applies to any “electronic communications.” This includes text, sound, voice or image messages; and those sent to an e-mail account, instant messaging account, voicemail, or any similar technology. Although this is beneficial in that it dissuades spammers who are increasingly exploiting these other forms of electronic communication, it creates a potential hazard in that unwitting individuals and organizations need to ensure that much, if not all, of their general communications are CASL compliant.

Privacy Concerns

As mentioned above, core requirements of CASL are that the purpose of the consented-to communications, as well as the identities of the sender (and any party they are acting on behalf of), are disclosed. These foundational provisions clearly bear on and protect the privacy of recipients of CEMs. Additionally, Section 10(5) of CASL, which outlines requirements to install programs, sets out that program installers must clearly give notice of and describe (including any “reasonably foreseeable impact” of) any aspects of the program that do any of the following:

  • collect personal information stored on the computer;
  • interfere with the owner’s control of the system;
  • change preferences, settings or commands;
  • change or interfere with any data stored on the computer;
  • cause the computer to communicate with any other system or device without authorization; or
  • install any third-party program.

All of the above points touch on major privacy concerns of consumers, who have, in recent years, become frustrated not only with “spam” programs and exploits being placed on their computers (or smartphones) by nefarious actors, but also with legitimate companies installing programs. These installations, some known to consumers and some not, unexpectedly collect personal/private information and transmit such data to the company (or third parties), which constitutes commission of Covered Acts. These actions play into consumers’ increasing preference to know how they are being “tracked” online, and their desire for the ability to disable such tracking.

But I Am Based In the United States

Because the law applies to anyone sending CEMs to Canadians, those outside of Canada who are (or might be) sending CEMs to Canadian persons are affected by CASL. Since American businesses and individuals send (commercial) e-mails to Canadians, they are logically subject to CASL. Thus, if American individuals or businesses do not comply with CASL, they could be subject to fines and/or legal action in Canada. In order to avoid violating CASL and being subject to penalties, American individuals and entities that send CEMs should ensure their solicitation policies are CASL compliant.

Additionally, CASL defines “commercial” very broadly, and includes all businesses, without regard to profit; as such, even nonprofits are included. While there is an exception for registered Canadian charities, American charities, 501(c)(3)’s and other tax-exempt organizations, somewhat counter-intuitively, are subject to CASL – as much as any for-profit business.

In the end, U.S. entities have nothing to lose by abiding by CASL, as the requirements CASL sets out are simply good digital-age consumer relationship management practice, and can be reasonably considered basic business ethics. Further, by complying, U.S. businesses and individuals have only the elimination of potential international legal hassles to gain. Additionally, in complying with CASL, American entities will also be addressing many current consumer concerns with online data privacy.

Next Steps

The best policy is to put privacy first. United States entities or individuals sending CEMs of any kind should review their privacy policies and compare their procedures and provisions with those required by CASL (as well as U.S. online privacy laws and those of other nations) to determine whether they are compliant. An experienced and certified OlenderFeldman attorney can assist with this process.

Social networking sites, such as Facebook and MySpace, have become repositories of large amounts of personal data. Increasingly this data is being viewed as relevant to all manner of litigation proceedings, and as such is increasingly being sought during discovery in civil litigation. Businesses and individuals that use social networking services should be aware of what data they put on social networking sites, as it could end up in court.

By Adam Elewa

In litigation, businesses or individuals must routinely comply with a process known as discovery, where both parties are compelled by the court to produce relevant documents concerning the issues in dispute to the opposing party. There are only a few areas that are off-limits to opposing counsel in discovery, such as privileged conversations between a lawyer and his client. With the proliferation of social networking, and the large amount of personal information being shared and stored in the cloud, lawyers now routinely attempt to compel disclosure of social networking profiles during discovery.

In general, courts have declined to find a general right of privacy in the information stored on social networking websites. Constitutional protections of privacy do not apply to private parties, only agents of the government. The current trend, reinforced by a recent federal court case in Montana, is to let the rules of civil procedure concerning discovery dictate how much and what kind of data posted to social networking sites must be turned over to the adversarial party. See, e.g., Keller v. National Farmers Union Property & Cas. Co., 2013 WL 27731 (January 2, 2013). Although judges have discretion in applying the rules of discovery, a consensus seems to be forming.

Courts have been clear that adversarial parties cannot compel the disclosure of social networking profiles without some reasonable belief that such information is relevant to the case at issue. In other words, lawyers cannot go on “fishing expeditions” by demanding the maximum amount of data be disclosed, in the hopes that something interesting will turn up.

However, courts have shown a willingness to disregard privacy settings and/or subjective expectations of privacy held by users of social networking websites when deciding whether to compel disclosure. In such instances, courts often rely on publicly shared information to determine whether private information is likely to be relevant. A public photo that is relevant to the litigated issue can be taken as an indication that more relevant information is likely to be lurking on the hidden portions of the user’s profile. Of course, making data unviewable by the public may make it more difficult for an adversarial party to demonstrate that a profile contains relevant information, and thus should be subject to discovery. Regardless, it is important to keep in mind the limits of privacy on Facebook and other social media sites.

Cases where lawyers have been successful in demonstrating that information contained on social networking sites was likely to be relevant tend to share similar characteristics. Many such cases concern private matters that would likely be shared, as a matter of social practice, on social networking sites. For example, the plaintiff in Keller alleged that the defendant’s actions had caused major disruptions to her social life. Lawyers for the defense successfully argued that the woman’s social networking profile likely contained information that could demonstrate whether her life was in fact severely disrupted by the defendant’s alleged negligence.

Additionally, lawyers were able to support the contention that private aspects of an individual’s profile likely contained relevant information by reference to non-hidden or publicly viewable aspects of that individual’s profile. For example, in Keller, the contention that the plaintiff’s private profile contained information relevant to her quality of life was bolstered by publicly viewable images showing recent physical activity of a kind claimed by the plaintiff to be impossible.

Businesses seeking to communicate via social networking platforms or to reach clients should be aware that such communications and business activities are likely discoverable in litigation. Individuals and businesses should be mindful that:

  • Although social networking sites have “privacy” settings, these settings can be deemed legally irrelevant if the information contained on such platforms can be shown to be relevant to pending litigation.
  • Information that is publicly viewable can be used for any purpose by an opposing party. Public indications that a profile is used for business-related communications might allow that profile to be subject to discovery where such communications are at issue. Thus, businesses and individuals should always be mindful of the evolving privacy policies of the sites on which they transact business.

Finally, litigants should bear in mind that while social media evidence may be relevant to litigation, it is important not to make discovery requests overbroad. For the best likelihood of success, social media discovery requests should be narrowly tailored to produce evidence directly pertinent to the issues, rather than engaging in a fishing expedition.

When should you provide your social security number? State Farm asked us when sharing is required.

State Farm contacted OlenderFeldman LLP‘s Aaron Messing to ask when sharing your social security number is appropriate:

Think before revealing your Social Security Number (SSN). Its unauthorized use could lead to privacy invasion and identity fraud. Aaron Messing, an information privacy attorney at OlenderFeldman LLP, says sharing is generally required by law only for:

  • Records of financial transactions in which the IRS is interested (banking, stock market, investment, property, insurance or other financial transactions)
  • Employment records
  • Driver’s license applications
  • Government benefit applications (Medicaid, student loans, etc.)
  • Joining the armed forces
  • Obtaining some professional or recreational licenses

You can see the Fast Tracks article here.

Protect Against Data Breaches


All companies, big and small, are at risk for data breaches. Most companies have legal obligations with respect to the integrity and confidentiality of certain information in their possession. Information privacy and security is essential to protect your business, safeguard your customers’ privacy, and secure your company’s vital information.


Recently, hackers gained access to Yahoo’s databases, exposing over 450,000 usernames and passwords to Yahoo, Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com accounts. This breach comes on the heels of a breach of over 6.5 million LinkedIn user passwords. With these embarrassing breaches, and the widespread revelation of their inadequate information security practices, Yahoo and LinkedIn were added to the rapidly growing list of large companies who have suffered massive data breaches in recent years.

While breaches at large companies like Yahoo and LinkedIn make the headlines, small businesses are equally at risk, and must take appropriate measures to keep their information safe. Aaron Messing, an information privacy attorney with OlenderFeldman LLP, notes that most business networks are accessible from any computer in the world and, therefore, potentially vulnerable to threats from individuals who do not require physical access to them. A recent report by Verizon found that nearly three-quarters of breaches in the last year involved small businesses. In fact, small business owners may be the most vulnerable to data breaches, as they are able to devote the least amount of resources to information security and privacy measures. Studies have found that the average cost of small business breaches is $194 per record breached, a figure that includes various expenses such as detecting and reporting the breach, notifying and assisting affected customers, and reimbursing customers for actual losses. Notably, these expenses do not include the cost of potential lawsuits, public embarrassment, and loss of customer goodwill, which are common consequences of weak information security and poorly managed data breaches. For a large business, a data breach might be painful. For a small business, it can be a death sentence.

LinkedIn presents a good example of these additional costs. It is currently facing a $5 million class action lawsuit related to the data breach. The lawsuit does not allege any specific breaches of cybersecurity laws, but instead alleges that LinkedIn violated its own stated privacy policy. Businesses of all sizes should be very careful about the representations they make on their websites, as what is written in a website terms of use or privacy policy could have serious legal implications.

Proactive security and privacy planning is always better than reactive measures. “While there is no sure-fire way to completely avoid the risk of data breaches,” says Aaron Messing, an information privacy lawyer with OlenderFeldman LLP, “steps can be taken, both before and after a breach, to minimize risk and expense.” To preserve confidential communications and to obtain advice on possible legal issues related to your company, consulting with privacy attorneys about your specific requirements is recommended. OlenderFeldman recommends the following general principles as a first step towards securing your business.

First, consider drafting a detailed information security policy and a privacy policy tailored to your company’s specific needs and threats, which will guide the implementation of appropriate security measures. A privacy policy is complementary to the information security policy, and sets the standards for collection, processing, storing, use and disclosure of confidential or personal information about individuals or entities, as well as prevention of unauthorized access, use or disclosure. Your policies should plan for proactive crisis management in the event of a security incident, which will enable coordinated execution of remedial actions. Most companies have legal obligations with respect to the integrity and confidentiality of certain information in their possession. Your company should have and enforce policies that reflect the philosophy and strategy of its management regarding information security.

Second, although external breaches from hackers gain the most publicity, the vast majority of data breaches are internal. Accordingly, physical security is one of the most important concerns for small businesses. Informal or non-existent business attitudes and practices with regard to security often create temptations and a relatively safe environment for an opportunist within to gain improper or unauthorized access to your company’s sensitive information. Mitigating this risk requires limiting access to company resources on a need-to-know/need-to-access basis and denying access to those who do not need it. Theft or damage of the system hardware or paper files presents a great risk of business interruption and loss of confidential or personal information. Similarly, unauthorized access, use, or disclosure, whether intentional or unintentional, puts individuals at risk for identity theft, which may cause monetary liability and reputational damage to your company.

Third, be vigilant about protecting your information. Even if your company develops a secure network, failure to properly monitor logs and processes, or weak auditing, allows new vulnerabilities and unauthorized use to evolve and proliferate. As a result, your company may not realize that a serious loss has occurred or is ongoing. Develop a mobile device policy to minimize the security and privacy risks to your company. Ensure that your technology resources (such as photocopy machines, scanners, printers, laptops and smartphones) are securely erased before they are recycled or otherwise disposed of. Most business owners are not aware that technology resources generally store and retain copies of documents that have been printed, scanned, faxed, and emailed on their internal hard drives. For example, when a document is photocopied, the copier’s hard drive often keeps an image of that document. Thus, anyone with possession of that photocopier (i.e., when it is sold or returned) can obtain copies of all documents that were copied or scanned on the machine. This compilation of documents and potentially sensitive information poses serious threats of identity theft.

Finally, in the event of a breach, consult a privacy lawyer to determine your obligations. After a breach has been discovered, there should be a forensic investigation to determine what information was accessed and whether that information is still accessible to unauthorized users. Your business may be legally obligated to notify customers or the authorities of the breach. Currently, there are no federal laws regulating notification, but 46 states and the District of Columbia have enacted data breach notification laws, which mandate various breach reporting times and reporting to various authorities.


Privacy lawyer Aaron Messing gave a presentation on Wednesday at the SES New York 2012 conference about emerging legal issues in search engine optimization (SEO) and online behavioral advertising. The topic of his presentation, Legal Considerations for Search & Social in Regulated Industries, focused on search and social media strategies in regulated industries. Regulated industries, which include healthcare, banking, finance, pharmaceuticals and publicly traded companies, among others, are subject to various government regulations, he said, but often lack sufficient guidance regarding acceptable practices in social media, search and targeted advertising.

Messing began with a discussion of common methods that search engine optimization companies use to raise their clients’ sites in the rankings. The top search spots are extremely competitive, and the difference between being on the first or second page can make a huge difference in a company’s bottom line. One of the ways that search engines determine the relevancy of a web page is through link analysis. Search engines examine which websites link to that page, and what the text of those links (the anchor text) says about the page, as well as the surrounding content, to determine relevance. In essence, these links and contents can be considered a form of online citations.

A typical method used by SEO companies to raise website rankings is to generate content, using paid affiliates, freelance bloggers, or other webpages under the SEO company’s control, in order to increase the website’s ranking on search engines. However, since this content is mostly for the search engine spiders, and not for human consumption, the content is rarely screened, which can lead to issues with government agencies, especially in the regulated industries. This content also rarely contains disclosures that the author was paid to create the content, which could be unfair and deceptive to consumers. SEO companies dislike disclosing paid links and content because search engines penalize paid links. Messing said, “SEO companies are caught between the search engines, who severely penalize disclosure [of paid links], and the FTC, which severely penalizes nondisclosure.”

The main enforcement agency is the Federal Trade Commission, which has the power to investigate and prevent unfair and deceptive trade practices across most industries, though other regulated industries have additional enforcement bodies. The FTC rules require full disclosure when there is a “material connection” between a merchant and someone promoting its product, such as a cash payment or a gift item. Suspicious “reviews” or unsubstantiated content can raise attention, especially in regulated industries. “If an FTC lawyer sees one of these red flags, you could attract some very unwanted attention from the government,” Messing noted.

Recently, the FTC has increased its focus on paid links, content and reviews. While the FTC requires mandatory disclosures, it doesn’t specify how those disclosures should be made. This can lead to confusion as to what the FTC considers adequate disclosure, and Messing said he expects the FTC to issue guidance on disclosures in the SEO, social media and mobile devices areas. “There are certain ecommerce laws that desperately need clarification,” said Messing.

Messing stated that clients need to ask what their SEO company is doing and SEO companies need to tell them, because ultimately, both can be held liable for unfair or deceptive content. He recommends ensuring that all claims made in SEO content can be easily substantiated, and recommended building SEO through goodwill. “In the context of regulated industries,” he said, “consumers often visit healthcare or financial websites when they have a specific problem. If you provide them with valuable, reliable and understandable information, they will reward you with their loyalty.”

Messing cautioned companies to be careful of what information they collect for behavioral advertising, and to consider the privacy ramifications. “Data is currency, but the more data a company holds, the more potential liability it is exposed to.” Messing expects further developments in privacy law, possibly in the form of legislation. In the meantime, he recommends using data responsibly, and in accordance with the data’s sensitivity. “Developing policies for data collection, retention and deletion is crucial. Make sure your policies accurately reflect your practices.” Finally, Messing noted that companies lacking a robust compliance program governing collection, protection and use of personal information may face significant risk of a data breach or legal violation, resulting litigation, and a hit to their bottom lines. He recommends speaking to a law firm that is experienced in privacy and legal compliance for businesses to ensure that your practices do not attract regulatory attention.

Navigating the Privacy Minefield - Online Behavioral Tracking

By Aaron Messing

The Internet is fraught with privacy-related dangers for companies. For example, Facebook’s IPO filing contains multiple references to the various privacy risks that may threaten its business model, and it seems like every day a new class action suit is filed against Facebook alleging surreptitious tracking or other breaches of privacy laws. Google has recently faced a resounding public backlash related to its new uniform privacy policy, to the extent that 36 state attorneys general are considering filing suit. New privacy legislation and regulatory activities have been proposed, with the Federal Trade Commission (FTC) taking an active role in enforcing compliance with the various privacy laws. The real game changer, however, might be the renewed popularity of “Do Not Track”, which threatens to upend the existing business models of online publishers and advertisers. “Do Not Track” is a proposal which would enable users to opt out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms.

To understand the genesis of “Do Not Track” it is important to understand what online tracking is and how it works. If you visit any website supported by advertising (as well as many that are not), a number of tracking objects may be placed on your device. These online tracking technologies take many forms, including HTTP cookies, web beacons (clear GIFs), local shared objects or flash cookies, HTML5 cookies, browser history sniffers and browser fingerprinting. What they all have in common is that they are used to observe web users’ interests, including content consumed, ads clicked, search keywords and conversions, to track online movements and build online behavior profiles that are used to determine which ads are selected when a particular webpage is accessed. Collectively, these practices are known as behavioral targeting or advertising. Tracking technologies are also used for other purposes in addition to behavioral targeting, including site analytics, advertising metrics and reporting, and capping the frequency with which individual ads are displayed to users.

The focus on behavioral advertising by advertisers and ecommerce merchants stems from its effectiveness. Studies have found that behavioral advertising increases the click-through rate by as much as 670% when compared with non-targeted advertising. Accordingly, behavioral advertising can bring in an average of 2.68 times the revenue of non-targeted advertising.

If behavioral advertising provides benefits such as increased relevance and usefulness to both advertisers and consumers, how has it become so controversial? Traditionally, advertisers have avoided collecting personally identifiable information (PII), preferring anonymous tracking data. However, new analytic tools and algorithms make it possible to combine “anonymous” information to create detailed profiles that can be associated with a particular computer or person. Formerly anonymous information can be re-identified, and companies are taking advantage in order to deliver increasingly targeted ads. Some of those practices have led to renewed privacy concerns. For example, recently Target was able to identify that a teenager was pregnant – before her father had any idea. It seems that Target has identified certain patterns in expecting mothers, and assigns shoppers a “pregnancy prediction score.” Apparently, the father was livid when his high-school age daughter was repeatedly targeted with various maternity items, only to later find out that, well, Target knew more about his daughter than he did (at least in that regard). Needless to say, some PII is more sensitive than others, but it is almost always alarming when you don’t know what others know about you.

Ultimately, most users find it a little creepy when they find out that Facebook tracks their web browsing activity through its “Like” button, or that detailed profiles of their browsing history exist that could be associated with them. According to a recent Gallup poll, 61% of individuals polled felt the privacy intrusion presented by tracking was not worth the free access to content. 67% said that advertisers should not be able to match ads to specific interests based upon websites visited.

The wild west of internet tracking may soon be coming to a close. The FTC has issued its recommendations for Do Not Track, which it recommends be instituted as a browser-based mechanism through which consumers could make persistent choices to signal whether or not they want to be tracked or receive targeted advertising. However, you shouldn’t wait for an FTC compliance notice to start rethinking your privacy practices.

It goes without saying that companies are required to follow the existing privacy laws. However, it is important not only to speak with a privacy lawyer to ensure compliance with existing privacy laws and regulations (the FTC compliance division also monitors whether companies comply with posted privacy policies and terms of service), but also to ensure that your tracking and analytics are done in a non-creepy, non-intrusive manner that is clearly communicated to your customers, enables them to opt in, and gives them an opportunity to opt out at their discretion. Your respect for your consumers’ privacy concerns will reap long-term benefits beyond anything that surreptitious tracking could ever accomplish.

Massachusetts Data Security Regulations

Service Providers Face New Regulations Covering Personal Information

By Aaron Messing

If your company is a service provider (generally any company providing third-party services, ranging from a payroll provider to an e-commerce hosting provider) or your company utilizes service providers, you need to be aware of the Massachusetts Data Security Regulations (the “Regulations”). The Regulations require that by March 1, 2012, all service provider contracts must contain appropriate security measures to protect the personal information (as described below) of Massachusetts residents. See 201 CMR 17.03(2)(f). All companies that “own or license” personal information of Massachusetts residents, regardless of where the companies are physically located, will need to comply with the Regulations. Additionally, all entities that own or license personal information of Massachusetts residents are required to develop, implement and maintain a written information security program (“WISP”), which lists the administrative, technical and physical safeguards in place to protect personal information.

“Personal information” is defined by the Regulations as a Massachusetts resident’s first and last name, or first initial and last name, in connection with any of the following: (1) Social Security number; (2) driver’s license number or state-issued identification card number; or (3) financial account number, or credit or debit card number.

If your company uses service providers, you are responsible for your service providers’ compliance with the Regulations as it relates to your business and your customers. The Regulations are clear that if your service provider receives, stores, maintains, processes, or otherwise has access to personal information of Massachusetts residents, you are responsible for making sure that your service providers maintain appropriate security measures to protect that personal information. Therefore, you should make sure that your agreements with service providers contain appropriate language, obligations and indemnifications to protect your interests and assure compliance by your service provider. If you are a service provider, you need to develop a comprehensive WISP in order to protect yourself from liability.

If you have any questions or concerns regarding the implementation of the Regulations or how it may affect your business, please feel free to contact us.

“Putting Privacy First” was originally published in the August 2011 edition of TechNews.

By: Michael J. Feldman

Many businesses view legal compliance as a necessary evil and an obstacle to profits. Thus, compliance is often made a mere formality. Dealing with the complex privacy and data protection rules and regulations is often viewed no differently – be it industry-specific rules such as HIPAA (healthcare), age-specific rules such as COPPA (online marketing to minors), agency-specific rules (e.g., SEC or FTC rules), the rules and regulations of each individual state, or even the various foreign laws such as the Data Protection Act (which applies to businesses that conduct any business with many European nations). However counterintuitive it may be for some, forward-thinking businesses do not view privacy and data protection compliance as a necessary drag on revenue; instead, they use it as a marketing tool to distinguish themselves from the competition and grab an increased market share.

As privacy and data breach issues continue to make front page news on a near-daily basis, and with the U.S. Congress working on sweeping new privacy laws, such compliance concerns are increasing in magnitude and importance. The reality is that, whether you are aware of it or not, the various privacy and data protection laws impact and govern the operations of almost all businesses. For example, if you can answer “Yes” to any of these questions, there are privacy and data protection laws that govern your operations: Do you accept credit cards for payment? Do you gather any personal information about your customers, patients, employees, members or vendors? Do you electronically store any data on your computers or servers? Do you sell or market on the Internet? Do you conduct any business with, or market your business to, any person or entity located in another country? Are you in the financial industry? Do you seek to conduct any credit checks on potential employees or customers? The above addresses only a tiny fraction of the activities which subject you to regulation.

So what can and should a business do to not only survive, but actually thrive in this ever-changing regulatory environment? The answer is quite simple – be compliant and market the advantages of your privacy policies.

As acknowledged by the Washington Post on July 18 in “Tech IPO’s Grapple With Privacy,” Google did not have to deal with online privacy in 2004 as such a concept did not exist. Times have certainly changed. On the same day as the Washington Post article, the New York Times reported in an article entitled “Privacy Isn’t Dead. Just Ask Google+” that “Rather than focus on new snazzy features — although it does offer several — Google has chosen to learn from its own mistakes, and Facebook’s. Google decided to make privacy the No. 1 feature of its new service.” Google+ represents a significant attempt by Google to break Facebook’s near stranglehold on social media. Given Google’s past success, it is no surprise that Google has attacked privacy concerns head-on, and turned consumers’ concern for privacy into a marketing bonanza. Such a strategy has been used successfully in the automobile industry for years by companies such as Volvo, Subaru and Mercedes; each of whom turned consumer concern about automobile safety into a marketing opportunity to distinguish themselves from the competition by marketing their superior safety features.

The obvious next question is how a business uses consumers’ privacy concerns as a marketing tool. The answer is to acknowledge your customers’ concerns, explain how and why your business cares about the customer more than your competitors do, and show that you will keep them safe. To accomplish this goal, you must first determine which regulatory scheme(s) govern the operation of your business. Second, you must determine the best method for compliance with the applicable law, and whether it makes business sense to implement privacy and data security policies which go beyond the minimum required by law. Third, you should examine how, if at all, your competitors address and promote their privacy obligations. Fourth, you must develop a strategic plan to promote to your customers the superiority of your privacy and data security policies. Importantly, you must not only inform your customers of what your privacy and data security policies are, but also how such policies help and protect your customers. For example, Mercedes realized that people were scared of getting injured in car crashes, so their advertisements often explained how Mercedes technology would help avoid accidents (e.g., anti-lock brakes) and how it would protect you if you did crash (e.g., airbags and crumple zones). The same applies to privacy and data protection concerns. In the end, by carefully planning out and implementing each of the above four steps, you will avoid regulatory problems while simultaneously gaining a leg up on the competition.

A recent data breach demonstrates some relevant concerns. Last week a large marketing firm announced that numerous email addresses, and possibly names and addresses, of customers of some of its large clients (including banks) were compromised. Some might say email addresses: “No big deal.” Certainly, in and of themselves, email addresses probably don’t qualify as protected personal data under most, if not all, state data breach laws. However, the fallout from the breach has proven somewhat concerning, at least on a reputational front. Numerous articles, blogs, and comments have shown up citing the potential for increased phishing attacks. More importantly, this breach may increase the potential that “spear-phishing” attacks will be successful. Spear-phishing occurs when the bad guys have accurate personal data that they know is attributable to a specific business; thus, they can send a customer an email containing specific details that create a much higher degree of confidence that the email is genuine, allowing the bad guys to potentially gain the additional information needed to do some damage.

From a larger standpoint, this breach demonstrates why businesses must approach privacy and security from an overall information governance standpoint, and internalize privacy decisions in their business offerings. Artificial acronyms or descriptions about the type of data and its perceived sensitivity, without proper thought and analysis, can lead to poor results. Broad assumptions (e.g., that email addresses don’t much matter) don’t work. Privacy must be an internalized function embedded within organizational strategic decisions. A customer name and email address belonging to a bank or brokerage client might be much more sensitive than the same data held by an ordinary retailer providing only brick-and-mortar sales, without offering branded store credit card accounts. This doesn’t mean that ordinary email addresses don’t need protection; they do (particularly if you say you will protect them in your privacy policy). It means that businesses must understand the risk behind the information and the way it is managed, without arbitrarily attaching significance or insignificance to it.

Blindly reading laws, rules, or written industry standards and designing programs solely to meet defined requirements won’t always get a business where it needs to be. Obviously, legal requirements must be interpreted and followed. However, more than that, a thoughtful approach by those who think about privacy and security implications is desirable.

For that matter, the same ideas apply to the way in which a business deals with a breach. For example, if email addresses, street addresses, and names are stolen, and there is a concern surrounding “spear-phishing,” it might not be such a great idea for the compromised business to send out notifications via email asking someone to “click here” for more information (Note: the author has no information that this was, or was not, done in the actual case). In such a scenario, the business might want to discourage customers from replying to email messages (the exact vector of the phishing attack).

Moral: Be careful about making arbitrary decisions based upon the perceived sensitivity attributed to the type of information without thinking it through.

New Laws Place Restrictions and Limits on After Sale Data Passes and Negative Option Marketing

On December 29, 2010, President Obama signed the “Restore Online Shoppers’ Confidence Act” into law. This new law places restrictions and limits on after sale “data passes” and “negative option” marketing through Internet sales. Senator John D. (Jay) Rockefeller IV, Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation, originally introduced the bill that ultimately became this law in May, after the Senate conducted hearings into the practices of Affinion, Vertrue, and Webloyalty. The Committee published information about the objectionable practices. The New York Attorney General’s Office had also opened an investigation against these companies, resulting in multi-million dollar settlements.

In a nutshell, these third parties were offering various membership clubs to users of e-commerce sites. Typically, when a user of an e-commerce site completed an online purchase, that user would be redirected to join a membership discount club for promotions, rebates, and the like. The user never had to re-enter his or her credit card, because the card information was passed off from the e-commerce site where the user had just completed a transaction. Many users apparently did not understand that their credit cards would be charged, since they did not need to re-enter credit card data at the membership club registration. The clubs then typically offered a free trial period, after which the user’s credit card would be charged if they did not cancel the membership. If not cancelled, the club operator placed recurring monthly charges on the user’s credit card. In general, the process of interpreting silence as acceptance, or automatically charging the user unless they cancel, is a “negative option” sale.

The law prohibits an initial e-commerce vendor from passing off a user’s credit card information to a third party in a post-transaction sale for the purposes of that post-transaction third party’s sale of goods or services to the user.

The law makes it unlawful for a post-transaction third-party seller to charge or attempt to charge a user’s credit or debit card, or bank or other financial account for an Internet sale, unless:

“(1) before obtaining the consumer’s billing information, the post-transaction third party seller has clearly and conspicuously disclosed to the consumer all material terms of the transaction, including: (A) a description of the goods or services being offered; (B) the fact that the post-transaction third party seller is not affiliated with the initial merchant, which may include disclosure of the name of the post-transaction third party in a manner that clearly differentiates the post transaction third party seller from the initial merchant; and, (C) the cost of such goods or services; and, (2) the post-transaction third party seller has received the express informed consent for the charge from the consumer whose credit card, debit card, bank account, or other financial account will be charged by: (A) obtaining from the consumer— (i) the full account number of the account to be charged; and (ii) the consumer’s name and address and a means to contact the consumer; and (B) requiring the consumer to perform an additional affirmative action, such as clicking on a confirmation button or checking a box that indicates the consumer’s consent to be charged the amount disclosed.”

The law also makes “negative option” sales illegal unless the seller:

“(1) provides text that clearly and conspicuously discloses all material terms of the transaction before obtaining the consumer’s billing information; (2) obtains a consumer’s express informed consent before charging the consumer’s credit card, debit card, bank account, or other financial account for products or services through such transaction; and (3) provides simple mechanisms for a consumer to stop recurring charges from being placed on the consumer’s credit card, debit card, bank account, or other financial account.”

The law gives the Federal Trade Commission enforcement authority, and also allows state attorneys general to enforce the law, with the remedies and penalties available under the Federal Trade Commission Act.

There has been some confusion generated in online content about this law. Apparently, some are concerned that the law absolutely prevents any post-transaction up-selling, even if it were done by the first-party website where the user made the initial purchase.

However, the law defines a “post-transaction third party seller” as one who:

“(A) sells, or offers for sale, any good or service on the Internet; (B) solicits the purchase of such goods or services on the Internet through an initial merchant after the consumer has initiated a transaction with the initial merchant; and (C) is not: (i) the initial merchant; (ii) a subsidiary or corporate affiliate of the initial merchant; or (iii) a successor of an entity described in clause (i) or (ii).”

Thus, it seems fairly clear that an “initial merchant” is not prevented from post-transaction marketing, but is clearly prevented from passing the financial data that allows the charging of the user to another entity. Nevertheless, if e-commerce vendors are cross-selling through strategic alliances with entities that are neither subsidiaries nor corporate affiliates, they should ensure that data passes are not made, and that the entity to which the user is referred complies with all transparency obligations. All should note the requirements on “negative option” sales.