Skip navigation

Do It

4 Posts authored by: ddayman

Folks, I just put this on the deliverability.com blog as well.

 

The Federal Trade Commission released updates this week to what is known as the Dot-Com Disclosures, guidance for how marketers can make ad disclosures clear and conspicuous across all platforms. The FTC issued the original Dot Com Disclosures in 2000 (before Twitter, Facebook and apps on mobile devices.), and the recent revision provides guidance with respect to technologies new since then. Although the fundamental rules have not changed, the guidance provides useful direction on how the FTC believes advertisers should comply with the law when making claims in various media.

One of the biggest reminders (not changes) from the FTC is screen size issue. For instance, if the legal and privacy disclosures on an advertiser’s website look fine when the site is viewed on a desktop, but they may not be sufficiently clear and conspicuous when viewed on a mobile browser then the advertiser needs to stop and ensure they are clearly and conspicuously displayed in all such media no matter the device it is viewed on. If not, the ad could be found to be deceptive or unfair. “If the disclosure cannot be made clearly and conspicuously on a device or platform, then that device or platform should not be used”

The FTC in the prior guidance said that such disclosures need to be put near or on the same screen/page as the ad claim. At the same time, they  advise advertisers to avoid using hyperlinks for disclosures that involve product cost or certain health and safety issues. If it is not possible to make a required disclosure clear and conspicuous in a particular medium, then the advertiser should either modify the ad or not run it.

A few highlights:

  • A disclosure will be more effective if it is placed near the qualified claim.
  • To be clear and conspicuous, a disclosure must be prominent in the context of the ad
  • Disclosures should not be buried in long paragraphs of text or in unrelated pages, such as a website’s Terms of Use.
  • Considerations for scrolling. If the placement of a disclosure might require that a consumer scroll (in any direction — consider viewing a website on a mobile device) to see it, the ad should encourage the consumer to scroll to see it.
  • Simple disclosures should NOT be placed behind a hyperlink, and neither should disclosures that are an integral part of a claim or inseparable from it.
  • If a disclosure is placed behind a hyperlink, the link should be named specifically to indicate the nature and importance of the information behind it
  • Disclosures must be effectively communicated before the decision to purchase.
  • Space constraints, such as in social media (Twitter), do not relieve advertisers of their consumer protection responsibilities

 

Remember folks, the FTC has the authority against unfair or deceptive acts or practices broadly covers advertising claims, marketing and promotion, in almost every sector of the economy, and in all media. So, you need to consider ANY ad no matter the channel. It has long been a staple of advertising law that, if a disclosure is necessary to keep an advertisement from being deceptive or is otherwise required by law, then it must be presented clearly and conspicuously.


You and your legal/privacy teams should review this latest update carefully. There is no set formula for making a clear and conspicuous disclosures.


Read it: 2013 Dot-Com Disclosures


-Dennis

Oracle | Eloqua

Don’t Just Send, Deliver!

This post is being provided for informational purposes only. Nothing in this post shall be construed as creating a representation, legal advice, warranty or commitment, contractual or otherwise, by Eloqua or any affiliate of Eloqua, to you or any other person or entity. It also does not guarantee that your email, websites, and/or any other aspect of your business is in compliance with state, federal, or International laws. Eloqua makes no representation, warranty or commitment that any message you send to end users will be delivered. This post is not a substitute for, should not be used in place of, and should not be considered, legal advice. It is recommended that you contact your general or legal counsel.


For those who don't know, the Children's Online Privacy Protection Act of 1998 (COPPA) is a United States federal law that applies to the online collection of personal information by persons or entities under U.S. jurisdiction from children under 13 years of age. It details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children's privacy and safety online including restrictions on the marketing to those under 13. While children under 13 can legally give out personal information with their parents' permission, many websites altogether disallow underage children from using their services due to the amount of paperwork involved.

 

The Federal Trade Commission (FTC) has the authority to issue regulations and enforce COPPA. The Act applies to websites and online services operated for commercial purposes that are either directed to children under 13 or have actual knowledge that children under 13 are providing information online. Most recognized non-profit organizations are exempt from most of the requirements of COPPA.

 

On Wednesday December 19, 2012, the FTC announced its update to the COPPA Rule during a press conference with Senators Jay Rockefeller (D-WV) and Mark Pryor (D-AR) on Capitol Hill.

 

One of the biggest items for you to consider if you are collecting information from children is the how the Final Rule makes first party operators liable for third-party data collection activities that benefit the first party.  Third parties will also be liable if they have actual knowledge that they are collecting personal information on a site or service that is directed to children.

 

Below is a summary of key elements from the announced amendments.

 

  • First Party Liability:  The Final Rule articulates new standards for when first party operators may be liable under COPPA for the activities of other entities that collect data on a first party’s site or service.  Specifically, operators may be responsible under COPPA for (1) agents or service providers or (2) when “the operator benefits by allowing another person to collect personal information directly from users[.]”  The Commission intends this language to impose a strict liability standard for first-party operators that allow third-party online services to collect personal information through their properties.  Such liability is not intended to apply to platforms (such as mobile app market providers) that merely offer public access to content provided by another.
  • Third Party Liability:  Third parties that collect personal information through another operator’s website or online service will be subject to COPPA only if the third party has actual knowledge that the site or service is “directed to children,”
  • “Directed to Children” - New Factors:  The Final Rule retains the longstanding multi-factor analysis for determining whether a site or service is “directed to children,” with the addition of (1) music (as an element of audio content) and (2) presence of child celebrities or celebrities who appeal to children as factors in that analysis.
  • “Directed to Children” - Proposed Audience Standards: The Final Rule abandons the proposed “primary audience” and “disproportionately large” child audience standards for defining when a site or service is “directed to children.”  However, as discussed below, the “primary audience” standard will determine whether a site or service can take advantage of the age-screening safe harbor established in the Final Rule.
  • Age Screening Safe Harbor:  Sites and services that fit the definition of “directed to children” but do not target children as their primary audience can be deemed not “directed to children” if they choose to age screen all users and then provide notice and obtain parental consent only with respect to those users who indicate they are children under 13.

 

 

Definition of “Personal Information”

 

  • Persistent Identifiers: Personal information will include any “persistent identifier that can be used to recognize a user over time and across different websites or online services.”  The Commission’s commentary states that the term “different” means sites or services that are unrelated or where an affiliate relationship is “not clear to the user.”  Operators are not required to meet COPPA’s notice and consent requirements if such persistent identifiers are used to support internal operations, but the Final Rule moves this exception from the “persistent identifiers” definition to a stand-alone exception.  The Commission intends this as a technical rather than substantive change.
  • Online Contact Information:  “online contact information” is defined as “an email address or any other substantially similar identifier that permits direct contact with a person online” including certain examples.  This definition is an element of personal information under the Final Rule, and also defines the scope of COPPA’s application to screen or user names as described below.
  • Screen or User Names:  Screen or user names will be considered “personal information” if they function in the same manner as online contact information.  The commentary states that this is intended to cover “direct, private, user-to-user contact” and does not cover content personalization, filtered chat, public display, operator-to-user communication, or the use of screen or user names to allow children to log in across devices or related properties.
  • Photo, Audio and Video Files:  Photo, audio, and video files will be considered personal information if they contain a child’s image or voice.
  • Geolocation Information:  Geolocation information will be considered personal information if it is sufficient to identify both street name and city/town name.
  • ZIP Code Data:  The Final Rule does not expand personal information to cover either (1) ZIP code + 4 or (2) date of birth combined with gender and ZIP code.

 

Definition of “Support for Internal Operations”:  The Final Rule adopts a slightly broader definition of “support for the internal operations” of a site or service. Specifically, the Commission has added frequency capping of advertising and legal and regulatory compliance to the exhaustive list of purposes recognized as “support for internal operations.”  The Commission has also established a voluntary process for parties to request Commission approval of additional activities to be added to this definition.

 

Parental Notice:  The Final Rule maintains that operators provide certain information to parents in the direct notice, rather than providing a link to a privacy policy.  Like the existing COPPA Rule, the Final Rule permits multiple operators to designate a single operator as parents’ point of contact in a privacy policy.

 

“Email Plus” and Other Parental Consent Methods:  The Final Rule retains the “email plus” method for obtaining parental consent when children’ personal information is used for internal purposes only.  New examples of permissible consent methods have been added, namely: electronic scans of signed forms, video verification methods, checking a parent’s government identification against a database, and certain online payment systems. The Final Rule does not adopt a specific provision regarding the use of common consent platforms.  As proposed, the Final Rule establishes a voluntary Commission approval mechanism for new parental consent methods. 

 

Definition of “Collection”:  The Final Rule expands the definition of “collection” to include “prompting” or “encouraging” the submission of information, and to provide that any “passive tracking” constitutes collection.  The Final Rule also eliminates the existing “100% deletion” standard for filtering user-generated postings in favor of a “reasonable measures” standard.

 

Data Retention and Deletion:  The Final Rule will require operators to retain children’s personal information only as long as reasonably necessary to fulfill the purpose of collection, and then to take reasonable measures to delete the information.

 

Service Provider and Third Party Oversight:  Operators will have new obligations under the Final Rule to “take reasonable steps” to release children’s personal information only to third parties (including service providers) that are (1) capable of maintaining its confidentiality, integrity and security and (2) provide assurances to that effect.

 

For more information, please contact your account manager who will get you in touch with Eloqua's privacy office to schedule an appointment or post your thoughts here and we will answer them ASAP.

 

 

-Dennis

 

------------------------------------

Dennis Dayman, CIPP, CIPP/IT

Chief Privacy and Security Officer

Eloqua

 

http://www.eloqua.com

http://www.deliverability.com

Twitter: ddayman

Twitter: deliverability

Well it certainly is not 1939 and this story doesn’t tell about a single man's effect on American politics as the title conveys, but it is about a bit of the things I did see last week during one of my visits to Washington D.C.


 

For the entire month of March I was in and out of beautiful Washington D.C. meeting with different groups and people who have an effect on marketing and privacy. As you know I was just there for a meeting a few weeks ago where I spent the day at the United States Institute of Peace in Washington D.C attending the EU Conference on Privacy and Protection of Personal Data which today still has a ring in my ear of how fragmented we as a world are when it comes to government imposed privacy regulations that affect the Internet.

 

 

However, last week's visit seemed to focus on “local” issues. The United States Federal Trade Commission (FTC), the nation’s chief privacy policy and enforcement agency for 40 years, issued their final and long awaited industry privacy report. I also did a long day on Capitol Hill (in the middle of the health care debates) with Congresspersons and Senators who are tackling privacy in their committees or offices to help them understand and shape our and customers online marketing landscapes.


 

On March 26, the DMA hosted its annual policy conference, DMA in DC 2012 in which we heard from representatives of the nation’s enforcers of consumer protection laws. We had dinner with Representative Mary Bono Mack (R-CA) who heads the House Energy and Commerce subcommittee taking the lead on the privacy issues. In her remarks she said that Congress has considerable work to do to understand data privacy issues before deciding what, if any, sort of privacy legislation is needed. She did praise us for hard work on self-regulation and she did recognize the need for more security regulations to address the real problems with Internet.


 

That same day in the morning the FTC released their report and within thirty (30) minutes of that release we were treated to a lunch and keynote from FTC Commissioner Julie Brilll covering the report. In her note she said.


 

  • The FTC would be vigilant in enforcing self-regulatory codes of conduct among companies in the area of data privacy
  • A company’s failure to live up to a voluntary code of conduct would act as a scarlet letter in an FTC enforcement action which we’ve already seen heavily in the last year.
  • They were interested in developing of sector-specific codes of conduct, meaning tackling specific issues with specific regulations vs. umbrella regulations.

 

You can see her entire keynote in more detail here

 

To save me time here, I am copying from the FTC site here. The final privacy report also expands on a preliminary staff report the FTC issued in December 2010. The final report calls on companies handling consumer data to implement recommendations for protecting privacy, including:


  • Privacy by Design - companies should build in consumers' privacy protections at every stage in developing their products. These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy. This is a wonderful concept invented and championed by Ontario Privacy Commissioner Ann Cavoukian and one in which Eloqua is taking head on by having her present it to our engineers last year and us putting into play process to help manage the concept.
  • Simplified Choice for Businesses and Consumers - companies should give consumers the option to decide what information is shared about them, and with whom. This should include a Do-Not-Track mechanism that would provide a simple, easy way for consumers to control the tracking of their online activities. As you know, Eloqua has already done things like this with our Strict Mode release early last year.
  • Greater Transparency - companies should disclose details about their collection and use of consumers' information, and provide consumers access to the data collected about them. This has always been a forefront thinking here at Eloqua and one that we push to many of you to highly consider.

 

The final report also notes that the FTC received over 450 comments on the staff's preliminary recommendations. Based on technological advances and industry developments since the December 2010 staff report and in response to the comments. The report refines the guidance for when companies should provide consumers with choice about how their data is used. While Congress considers privacy legislation, the Commission also urges individual companies and self-regulatory bodies to accelerate the adoption of the principles contained in the privacy framework.

 

Over the course of the next year, Commission staff will work to encourage consumer privacy protections by focusing on five main action items:


  • Do-Not-Track - The Commission commends the progress made in this area: browser vendors have developed tools to allow consumers to limit data collection about them, the Digital Advertising Alliance has developed its own icon-based system and also committed to honor the browser tools, and the World Wide Web Consortium standards-setting body is developing standards. We are confident that we as an industry can continue the self-regulatory efforts without legislation and the FTC agrees in their report
  • Mobile - The FTC urges companies offering mobile services to work toward improved privacy protections, including “short” and meaningful disclosures. To that end, it will host a workshop on May 30, 2012 to address how mobile privacy disclosures can be short, effective, and accessible to consumers on small screens. If you haven’t seen TRUSTe’s mobile-optimized privacy notice, I suggest you check it out here
  • Data Brokers - The Commission calls on data brokers to make their operations more transparent by creating a centralized website to identify themselves, and to disclose how they collect and use consumer data. In addition, the website should detail the choices that data brokers provide consumers about their own information. As a personal note, I’m all for this idea to some extent. As an individual who tends to get a lot of junk and bulk marketing I want to know more about who has my information and how to prevent them from selling it. I’ve never been a huge supporter of data brokers whether it is legal or not. However, in context of what the FTC proposed here this will be a difficult thing to do as a centralized service.
  • Large Platform Providers - The report cited heightened privacy concerns about the extent to which platforms, such as Internet Service Providers, operating systems, browsers and social media companies, seek to comprehensively track consumers' online activities. The FTC will host a public workshop in the second half of 2012 to explore issues related to comprehensive tracking. I know the guys at The Messaging Anti-Abuse Working Group (MAAWG) will be watching this one as it could affect feedback loops and other legal and effective anti-spam services they use.
  • Promoting Enforceable Self-Regulatory Codes - And again, the FTC will work with the Department of Commerce and stakeholders to develop industry-specific codes of conduct. To the extent that strong privacy codes are developed, when companies adhere to these codes, the FTC will take that into account in its law enforcement efforts. If companies do not honor the codes they sign up for, they could be subject to FTC enforcement actions.


 

The following day, I joined DMA’s Government Affairs team and other member companies for a series of Capitol Hill meetings, advocating directly on the issues of privacy and data security proposals. We with the offices of Senators Susan Collins (R-ME), Al Franken (D-MN), Mark R. Warner (D-VA), Michael F. Bennet (D-CO), Tom Carper (D-DE), Jim DeMint (R-SC), Pat Toomey (R-PA), John F. Kerry (D-MA), Scott Brown (R-MA), Joe Lieberman (I-CT), as well as Representatives Cliff Stearns (R-FL), G. K. Butterfield (D-NC), Marsha Blackburn (R-TN), John B. Larson (D-CT), Stephen Lynch (D-MA 9), Elijah Cummings (D-MD 7) and Adam Kinzinger (R-IL).


 

All in all, another wonderful trip to Washington D.C. in which we heard some great news about our ongoing efforts to build transparent and easy choices for consumers in many of our platforms. Most officials seem very happy with the way things are going and asked us to continue to push our objectives forward without the immediate need for government imposed regulations. There is lots more work to be done here though so not much time to relax.

As some of you know there were privacy reforms that were released a few weeks ago by the European Union (EU).  The European Commission is proposing a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and boost Europe’s digital economy. Last week I spent the day at the United States Institute of Peace in Washington D.C attending the EU Conference on Privacy and Protection of Personal Data. This was the second event in the past two years allowing global stakeholders like legislators and business to sit down and talk face to face about technological progress and globalisation have profoundly changed the way data is collected, accessed and used.

What makes this of interest for US based stakeholders is that the 27 EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. The proposal reforms will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe.

Attitudes towards data protection

  • Just over a quarter of social network users (26%) and even fewer online shoppers (18%) feel in complete control of their personal data.
  • 74% of Europeans see disclosing personal information as an increasing part of modern life.
  • 43% of Internet users say they have been asked for more personal information than necessary.
  • Only one-third of Europeans are aware of the existence of a national public authority responsible for data protection
  • 90% of Europeans want the same data protection rights across the EU.

 

The Commission’s proposals update and modernise the principles enshrined in the 1995 Data Protection Directive to guarantee the right of personal data protection in the future. They focus on: reinforcing individuals’ rights; strengthening the EU internal market; ensuring a high level of data protection in all areas, including police and criminal justice cooperation; ensuring proper enforcement of the rules; and setting global data-protection standards.With all this going on, we thought we might answer some additional questions for you so you can better understand how we are seeing this and reacting to it.What are the key changes in these reforms?


  • A ‘right to be forgotten’ will help people better manage data-protection risks online. When they no longer want their data to be processed and there are no legitimate grounds for retaining it, the data will be deleted.
  • Whenever consent is required for data processing, it will have to be given explicitly, rather than be assumed.
  • Easier access to one’s own data and the right of data portability, i.e. easier transfer of personal data from one service provider to another.
  • Companies and organisations will have to notify serious data breaches without undue delay, where feasible within 24 hours.
  • A single set of rules on data protection, valid across the EU.
  • Companies will only have to deal with a single national data protection authority – in the EU country where they have their main establishment.
  • Individuals will have the right to refer all cases to their home national data protection authority, even when their personal data is processed outside their home country.
  • EU rules will apply to companies not established in the EU, if they offer goods or services in the EU or monitor the online behaviour of citizens.
  • Increased responsibility and accountability for those processing personal data.
  • Unnecessary administrative burdens such as notification requirements for companies processing personal data will be removed.
  • National data protection authorities will be strengthened so they can better enforce the EU rules at home.

 

Q: How will the data protection reform affect social networks?

A: Social networks provide a useful tool for staying in touch with friends, family and colleagues, but they also present a risk that your personal information, photos and comments might be viewed more widely than you realise. In some cases, this can have financial, reputational and psychological consequences. The Commission is proposing a strengthened right to be forgotten so that if you no longer want your personal data to be processed, and there is no legitimate reason for an organisation to keep it, it must be removed from their system. Data controllers must prove that they need to keep the data rather than you having to prove that collecting your data is not necessary. Providers must take account of the principle of ‘privacy by default’, which means that the default settings should be those that provide the most privacy. Companies will be obliged to inform you as clearly, understandably and transparently as possible about how your personal data will be used, so that you are in the best position to decide what data you share.

Q: How do the current data protection rules hold back the single market?

A: As we said before, today’s data protection rules are divergent and inconsistent across the EU’s 27 member countries. Companies may have to deal with 27 different sets of data protection rules within the EU. The result is a fragmented legal environment with legal uncertainty and unequal protection for individuals. This has also caused unnecessary costs and a significant administrative burden for businesses. This complex situation is a disincentive for businesses – particularly small and medium-sized companies (SMEs) – to expand their operations across the EU and represents an obstacle to economic growth. The Commission is proposing new rules to remove barriers to the internal market which exist because of the divergent legal approaches of the 27 EU countries. This will create a ‘level playing field’ on data processing within the EU. The Commission will achieve substantial harmonisation of data protection rules at EU level, creating one single law applicable across the EU.

Q: How will the EU’s data protection reform make international cooperation easier?

A: Personal data is increasingly being transferred across borders – both virtual and geographical – and stored on servers in multiple countries both within and outside the EU. That is the nature of cloud computing. The globalised nature of data flows calls for a strengthening of the individual’s data-protection rights internationally. This requires strong principles for protecting individuals’ data, aimed at easing the flow of personal data across borders while still ensuring a high and consistent level of protection without loopholes or unnecessary complexity. To respond to these challenges, the Commission is proposing a system which will ensure a level of protection for data transferred out of the EU similar to that within the EU. This will include clear rules defining when EU law is applicable to companies or organisations established outside the EU, in particular by clarifying that whenever the organisation’s activities are related to the offering of goods or services to EU individuals, or to the monitoring of their behaviour, EU rules will apply.

Moving Forward

There remains quite a lot of work to do before these reforms take effect and it is not yet known what form the final regulations will take. Industry stakeholders including businesses, trade associations, and Data Protection Authorities around the world have already or are preparing their comments to the European Commision regarding their concerns about areas of the proposed regulation. From a US perspective, while some of the proposed regulations are welcome such as having only a single set of rules to comply with, other areas are sure to raise significant concern as hurdles that may hinder global compliance. This underscores not only the different attitudes and approaches to data protection in the US and EU, but also the need for each to continue to pursue more harmonized frameworks as the global economy grows. The Internet has no borders, and regulations must recognize this in order to foster continued growth of the internet economy on both sides of the Atlantic.

The interesting timing of this blog post is that this week the United States Federal Trade Commission (FTC), the nation’s chief privacy policy and enforcement agency for 40 years, issued their final and long awaited industry privacy report. Also, yesterday I was on the Hill meeting with Congresspersons and Senators who are tackling privacy in their committees to help them understand and shape our and customers online marketing landscapes. I will work up a blog post to address this weeks fun here in DC.

Filter Blog

By date: By tag: