The Online Marketer’s Guide to Privacy
I’ve hesitated to write this post because the law is always changing and you can’t cover it all in one blog post (thank goodness for linking). I did a presentation to the Houston Interactive Marketing Association this week which forced me to boil it down to digestable bites. If I had to give you three simple rules they would be:
1. Disclose what you do in plain English;
2. Avoid storing or transmitting Personal Health Information if you can; and
3. Avoid marketing to minors if you can.
At the presentation, we identified the numerous laws and regulations marketers had to know about including at least COPPA, HIPAA, the FTC’s guidelines, Self Regulatory Organization Guidelines, Cal-OPPA and the EU Safe Harbor status.
Regarding the Children’s Online Privacy and Protection Act and marketing to minors, you should check out my five-part series here. COPPA only applies if you collect personal information from children under 13, but the determination of whether you market to minors is not as clear as you might think. Last year, the FTC allowed private companies to send in suggestions on how to satisfy the parental notification requirement. The FTC recently rejected the idea of using the social graph.
In September, there were changes to HIPAA – the law governing the privacy of health information. If you are marketing for a medical practice or anyone that may retain Personal Health Information, unless you want to make medical a core business segment, you may want to avoid becoming what the law calls a “Business Associate.” If you are a Business Associate, you have to comply with HIPAA and compliance can be a pain.
A Business Associate is defined as someone or a company that provides “consulting, data aggregation, management, [or] administrative . . . services” to or for a Covered Entity, where the provision of the service involves the disclosure of protected health information from the Covered Entity, or from another business associate of such Covered Entity, to the person.
So the issue becomes whether you store or otherwise have access to Personal Health Information. Again, the analysis is not that simple. See here. You need to know both email and IP addresses are covered which is pretty basic information for online marketers.
The specifics of your marketing strategy will determine whether you need to be concerned. The point of this blog post is to make you think about it. Here is one marketer’s take on the issue. If you do a lot of marketing work for medical practices, doctors or hospitals, you should confer with a good HIPAA lawyer. If you have one medical practice as a client in an otherwise hearty stable of clients, you may want to consider whether that one client is worth the headaches and the risk.
The Federal Trade Commission is the agency insisting you disclose, disclose and disclose. The FTC’s more recent focus has been on mobile including this report from February 2013.
The more recent interesting drama has come from the W3C group’s unsuccessful attempts to come up with some “Do Not Track” proposals. The powerful Digital Advertising Alliance recently backed out leaving the ability of the W3C to promulgate suggestions in jeopardy.
Several years ago, the FTC urged private organizations to make some proposals. I previously warned the industry needed to police itself or the government would make their own regulations and you can read my 5-part series on Do Not Track here. For now, there is no Do Not Track law. You can still do it – as long as you disclose what you are doing and don’t mislead people. That was Google’s $17 million mistake.
You can read the DMA’s guidelines for online behavorial advertising which is a pretty good place to start. For mobile, check out the NAI Code of Conduct.
In the meantime, Wyndham Hotels is challenging the FTC’s authority to enforce alleged misrepresentations regarding privacy in a case we are watching. The court recently heard oral arguments on Wyndham’s motion to dismiss but no ruling has been made yet.
That’s where California comes in and strikes a middle ground. California did not ban tracking. But, effective January 1, 2014, if you retain personally identifiable information of a Californian, you will have to disclose how you respond to Do Not Track requests. I earlier posited that many companies will have to amend their privacy policies because of Cal-OPPA.
Finally, there is the EU requirements on privacy. Generally speaking, the E.U. prohibits the transfer of personal data to non-European Union countries that do not meet the European Union “adequacy” standard for privacy protection as directed in the European Union Directive on Data Protection of 1995. The U.S. is not on that list.
Generally, to comply with existing E.U. guidelines you need to:
1. Give a notice of what you collect and what you do with it and how individuals can ask about it.
2. Give individuals the chance to opt-out of disclosure to third parties for reasons outside of the main purpose.
3. Ensure that the company to whom you transfer data also had adequate protections.
4. Provide users access to the data you have about them.
5. Initiate adequate security, data integrity and enforcement procedures.
If you deal with customers in Europe you should consider looking into the Commerce Department’s Safe Harbor provisions that works like a Good Housekeeping Seal of Approval for dealing with the information of European consumers.
This post does not and cannot answer every question. Hopefully, now, however, you realize you may need to think a little more about the law when you start storing information about visitors to websites.