
Patricia Faley, Vice President, Ethics & Consumer Affairs
The Direct Marketing Association
The Direct Marketing Association (The DMA) believes that marketers should provide notice to their customers if they share contact information about customers with other marketers for use in future solicitation or donation campaigns. This principle is the foundation for the fair use of marketing information. It is important to note that DMA guidelines state that marketing information should be used for marketing purposes only.
While on its face notice seems straightforward, there are a number of operational questions that arise when a marketer implements the principle. Some of the most important questions and the answers from The DMA's perspective are:
The goal of this paper is to give a brief overview of The DMA's perspective on notice. The paper discusses how to reach what The DMA believes to be the optimum condition: that concerned consumers receive the notice they desire while marketers retain the ability to contact those consumers who are receptive to their offers.
Online, providing notice is relatively easy. A Web site allows for the space needed for a complete privacy policy and the cost of posting the policy is minimal. The DMA believes that a complete statement of a marketer's information practices should be located in a prominent place either on the home page or in a place easily accessible from the home page. In outbound email marketing, the policy is also easy to provide. Most marketers can give their customer an easy URL link to their Web site to find out about their privacy policy.
Using the telephone as a marketing medium is an entirely different marketing experience both for the marketer and for the customer. Telephone marketing is relatively expensive compared to online marketing, requiring the presence and time of people, phone or computer stations and the cost of long distance calls based on the length of the call. The longer the call, the higher the cost.
Further, the psychology of sales on the phone would prohibit a marketer from notifying the consumer about the company privacy policy before the purchase. Imagine the theoretical marketer who says, "Hi, I'm Douglas Smith from Snow Catalog and we're having a great sale today on ski wear. But before I tell you about the offers, I need to spend ten minutes of your time presenting our privacy policy!"
Giving notice on the phone just doesn't work in practice. It's too time consuming and expensive, and the consumer is not receptive to hearing it. A better practice in this situation would be for the telemarketer to send the privacy notice in the fulfillment package. Of course, if the consumer asks a question about the telemarketer's privacy policy the customer service representative should be trained to answer it honestly and succinctly. Sales via direct TV and radio advertisements provide a similar dilemma where the time and cost of notice are prohibitive.
In traditional mail, the information about whether the marketer transfers information can be presented in a catalogue or other print piece. In general, The DMA believes that marketers using mail should annually inform consumers of their policy concerning the rental, sale or exchange of data and give them the opportunity to object. If the policy changes, marketers have an obligation to inform consumers of that change prior to the rental, sale or exchange of data.
Clearly, a one-size-fits-all approach for privacy notices in all media will not provide the balance of consumer choice and business viability we would seek.
A host of organizations support marketers in their business efforts. These entities include list compilers, list brokers, list owners, and service bureaus. However, we believe that the marketer with whom the consumer interacts should be responsible for providing notice. List compilers, brokers, owners and service bureaus, however, should give notice if they are communicating directly to the customer under their own company or organization name.
The case of providing notice by a company's affiliates, members of the same corporate family, is somewhat different and should be viewed from the consumer's perspective. Some companies have several distinct brands or affiliates, divisions or subsidiaries under which they operate. The question often arises whether in such cases each must give notice. We believe that each separate company or brand, as the consumer is likely to perceive it, must offer notice. Where affiliates, divisions or subsidiaries market under different names, customers are likely to perceive them as different entities. Each corporate entity or brand must, therefore, offer its own notice. On the other hand, where affiliates market under a single company name, they are likely to be perceived by customers as a single organization. In such cases, one notice is sufficient for all entities.
What a privacy notice should include depends upon the medium in which it is presented. Since online it is relatively easy and inexpensive to provide a full notice, The DMA requires a complete privacy policy notice for Web sites. We have developed a Privacy Policy Generator for our members that assists them in communicating their policy to consumers. Contents of a privacy policy notice should include:
For traditional mail and phone, the space and time to deliver messages is limited and expensive so that, as mentioned earlier regarding the telephone, notice is sometimes difficult to deliver.
For traditional media we think that the consumer should receive a notice at least once a year. In the instance where the consumer is contacted less frequently than once a year, the notice should certainly be given as frequently as the consumer is contacted.
For online media the notice should be available to the consumer in a prominent place on the Web site's home page or in a place that is easily accessible from the home page. It should be easy to find, read and understand so that a visitor is able to quickly comprehend it. This means that the policy notice is available in readable print, not obscured by design elements and that it is written in plain English. Clearly, it should be available prior to or at the time personally identifiable information is collected.
One of the best ways to provide notice online is to have a privacy icon or symbol on the home page that links to the company's privacy policy. While the notice need not appear on every page of the Web site in order to be conspicuous, linking to the notice at all points where personally identifiable information is collected is the best way to ensure consumers will see the notice.
The DMA's Online Privacy Policy Generator is available at: http://www.the-dma.org/library/privacy/creating.shtml.
Sensitive data includes information about illnesses, health conditions and treatments, financial services account identifiers and data about children. It is very important that consumers understand how this most sensitive data is used, so that the requirements of notice are more rigorous.
The DMA has developed separate guidelines for the collection, use and transfer of health-related data. The guidelines apply to any individual or entity that collects, maintains, uses and/or transfers health-related data for marketing purposes. The guidelines provide that personally identifiable health-related data obtained in the context of a relationship between consumers and health care providers or treatment facilities should not be transferred for marketing purposes without the specific prior consent of those consumers. Health care providers include licensed health care practitioners such as doctors, nurses, psychologists, pharmacists and counselors and those who support health care providers such as insurance companies, pharmacy benefits managers or other business partners and businesses that sell prescription drugs.
We do think that medical care providers should be allowed to contact their own patients for marketing purposes. However, those patients should have a clear notice of the provider's intended use of the data and the opportunity to request not to be contacted for marketing purposes.
In some instances consumers voluntarily give information about their health to entities that are not health care providers. For example, sometimes a consumer will respond to a survey or questionnaire with information about themselves or their family. The DMA requires that, at the time such data are collected, a clear notice of the marketer's intended use of the data, whether the marketer will transfer the data to third parties, the name of the collecting organization, and the opportunity to opt out of the transfer of data, should all be presented to the consumer.
Finally, The DMA considered inferred data related to health care. This is data gathered outside of a relationship with a health care provider, and based principally on consumer purchasing behavior. Such data could include data captured by consumer inquiries, donations, purchases, frequent shopper programs, advertised toll-free telephone numbers or other consumer response devices. The DMA believes that any entity, including a seller of over-the-counter drugs, that uses inferred health-related data should promptly provide notice to the consumer and the opportunity to opt out of any transfer of the data for marketing purposes.
The DMA was very concerned that our members give consumers clear notice about what will be done with their financial data. To make compliance with the Gramm-Leach-Bliley Act easy for our members we created a special Privacy Policy Notice Generator. The Generator can be used by a company wishing to communicate to consumers its policy regarding the use of financial data. The Generator is available at: http://www.the-dma.org/library/privacy/glbppg.shtml. The goal was to provide a plain English notice that met the spirit and the letter of the law.
Additionally, under DMA Guidelines, credit card numbers, checking account numbers and debit account numbers are considered sensitive personal information and should not be transferred, rented, sold or exchanged when there is a reasonable expectation by the consumer that the information will be kept confidential.
To meet the requirements for notice under the Children's Online Privacy Protection Act, The DMA created a Privacy Policy Generator that meets the letter and the spirit of the law in providing adequate notice to parents about any collection of data about children online. The generator is available at http://www.the-dma.org/library/privacy/childrensppg.shtml.
In media wherein collection requires mailing back to the company or responding to the telephone, The DMA has created guidelines regarding marketing to children that require marketers to provide notice and an opportunity to opt out of the marketing process so that parents have the ability to limit the collection, use and disclosure of their children's names, addresses or other personally identifiable information. Upon request from a parent, marketers should promptly provide the source and general nature of information maintained about a child.
The Center For Democracy & Technology, 1634 Eye Street NW, Suite 1100, Washington, DC 20006. (v) 202.637.9800 (f) 202.637.0968. Copyright © 2005 by Center for Democracy and Technology.