Supreme Court of California Decision Upholds Promotional E-mail Sender's Method of Avoiding E-mail Filters

As a result of a recent Supreme Court of California decision, businesses may find it a little easier to send commercial e-mail advertisements. On June 21, 2010, the Supreme Court of California held that Vonage did not violate California law by sending commercial e-mail advertisements to individuals from multiple domain names for the purpose of bypassing e-mail filters. Kleffman v. Vonage Holdings Corp., No. S169195 (Cal. filed June 21, 2010).   

In March 2007, Craig E. Kleffman initiated a class action suit in California state court against Vonage Holdings Corp. and certain of its subsidiaries (collectively “Vonage”). Kleffman’s claim arose because Vonage sent him 11 unsolicited commercial e-mail advertisements using 11 different domain names. Id. at 3.

Kleffman alleged that Vonage used these multiple domain names in order to deliberately trick e-mail filters into believing that there were multiple senders (when in fact, all sites were under the control of Vonage). Kleffman alleged that this violated California Business and Professions Code § 17529.5(a)(2), which states that it is unlawful to advertise in a commercial e-mail if the e-mail “contains or is accompanied by falsified, misrepresented, or forged header information.” Id. at 1.

Vonage removed the case to the U.S. District Court for the Central District of California and was granted a dismissal. Kleffman appealed to the U.S. Court of Appeals for the Ninth Circuit, which certified the central issue to the Supreme Court of California: “Does sending unsolicited commercial e-mail advertisements from multiple domain names for the purpose of bypassing spam filters constitute falsified, misrepresented, or forged header information under . . . § 17529.5(a)(2)?” Id. at 5.

 

Noting that the domain names from which Vonage sent its e-mail advertisements were fully traceable to Vonage’s marketing agents, the Supreme Court of California found that “. . . an e-mail with an accurate and traceable domain name makes no affirmative representation or statement of fact that is false.” Id. at 16. The court also wrote that the state legislature did not intend to prohibit the use of multiple domain names and did not “make it unlawful to use a domain name in a single e-mail that does not make it clear the identity of either the sender or the merchant-advertiser on whose behalf the e-mail advertisement is sent.” Id. at 14.     

Everybody Likes Free Stuff: Draft Privacy Legislation Seeks To Enhance Consumer Protections Without Disrupting Ad-Supported Internet Business Model

A draft Congressional bill released Tuesday, May 3 aims to enhance consumer privacy protections both online and offline and establish a national framework for the collection, use and security of consumer information, superseding state law requirements regarding the collection, use and disclosure of the information it covers. The draft legislation, sponsored by Congressmen Rick Boucher (D, Va.) and Cliff Stearns (R, Fla.), recognizes the importance of online advertising in supporting free online content and services and attempts to extend privacy protections without disruption of this business model. The bill's sponsors have requested comments on the draft by June 4th, and stakeholder meetings may also be scheduled to discuss the draft and receive comments.

Click here to learn more about the draft legislation, and stay tuned for updates as the comment period proceeds.

Update: Maine's Marketing to Minors Law Found Likely to Be Unconstitutional

The first lawsuit challenging Maine's Act to Prevent Predatory Marketing Practices Against Minors has concluded.  The District of Maine issued a Stipulated Order of Dismissal on September 9, stating that there is a likelihood that the statute is "overbroad and violates the First Amendment", and putting third parties "on notice" that a private suit "could suffer from the same constitutional infirmities."  In the meantime, the lawsuit was dismissed without prejudice, in light of the State Defendant's representation that Maine will not enforce the statute and that the Legislature will reconsider it when they reconvene in January 2010. 
 

Maine Makes Marketing to Minors "Predatory"

In mid-September, Maine’s “Act to Prevent Predatory Marketing Practices against Minors” is scheduled to take effect.  Due to the lack of a scienter element in several of the requirements of this new law, this Act could have far-reaching consequences for all businesses that engage in direct marketing or that sell or transfer personal information to third parties, even if the business does not have knowledge that the information regards a minor.

The Act applies to two types of information:  (1) health-related information, which includes information related to health or physical condition, nutrition, medications, mental health, medical insurance coverage and similar data; and (2) personal information, which includes a last name with first name or first initial, home or other physical address, social security number, driver’s license or state identification card number, and information about a minor collected in combination with other personal information.  An email address or other online identifier is not expressly included, but it would be considered personal information if combined with other personal information of any of the other types included in this definition. 

Since Maine’s new law is intended to protect the privacy of minors, it can be compared to the federal Children’s Online Privacy Protection Act (“COPPA”).  However, the Maine law is broader than COPPA in many significant ways.  Among the other differences discussed below, under Maine law, a minor is someone under 18.  In contrast, COPPA only protects “children” who are under 13 years old. 

Maine’s new law can also be compared to some other state laws. As an example, it can be compared to a law that has been in existence in California since 2004. California’s Civ Code sec. 1798.91 also regulates the collection, use and disclosure of health-related information for marketing purposes without notice and consent; however, California’s law is not limited in application to minors.

Maine’s new Act contains three separate prohibitions.

First, the Act makes it unlawful to knowingly collect or receive health-related or personal information for “marketing purposes” from a minor without prior “verifiable parental consent.”  The way the Act is written, it is unclear whether the requirement for “knowing” collection or receipt applies to the type of information or also to the fact that the information is collected from a minor.  The Act defines “marketing purposes” as “the purposes of marketing or advertising products, goods or services to individuals.”  This particular provision – unlike the provisions discussed below – appears to be limited to information collected “from” a minor. “Verifiable parental consent” is defined to mean reasonable efforts to give the parent notice of the collection, use and disclosure practices and to obtain parental authorization for such collection, use or disclosure “before that information is collected from that minor.”  Unlike COPPA, Maine’s Act is not limited to online collection.  Nor does the Act contain any exceptions permitting some collection of “personal information” from the minor, such as for the purpose of obtaining parental consent for additional collection. 

Second, the Act makes it unlawful to sell, offer for sale or otherwise transfer health-related or personal information about a minor if (A) it was collected in violation of the prohibition above; (B) it “individually identifies the minor”; or (C) it will be used for “predatory marketing” as described below. This provision does not have a scienter requirement (although a “knowledge” element is built into Subsection A). Subsection B – which is not limited to uses “for marketing purposes” – apparently requires that any transfer of information “about a minor” be done on an aggregate basis.

Third, the Act prohibits “predatory marketing,” which is defined as using health-related or personal information regarding a minor “for the purpose of marketing a product or service to that minor or promoting any course of action for the minor relating to a product.”  Again, there is no scienter requirement, nor any exception permitting a parent to sign up on behalf of a child, or to otherwise consent to such marketing.  

The Act provides for enforcement by the Maine Attorney General as an unfair trade practice, with penalties of $10,000-$20,000 for the first violation and at least $20,000 for subsequent violations.  The Act also provides for a private right of action in Maine state court, including recovery for the greater of actual damages or $250 per violation (with the potential for trebling for willful or knowing violation), plus attorney’s fees.

The potentially broad reach of this statute (particularly due to the lack of a scienter element in several of its provisions) makes it likely to be subject to challenge. In the meantime, businesses should consider their approach to achieving compliance. Given the breadth of the Act, and the fact that some of its requirements apply regardless of a company’s knowledge of an individual’s age, complying with Maine’s new law will surely prove to be a challenge for essentially every enterprise.
 

FTC Provides Last Clear Chance for Industry to Self-Police in a Target-Rich Environment

On February 12, 2009, the FTC issued its long-anticipated Staff Report on Self-Regulatory Principles for Online Behavioral Advertising. The revised Self-Regulatory Principles are the result of a year of study of the more than 60 comments provided by industry, advocacy organizations, academics, and individual consumers in response to the FTC’s proposed self-regulatory principles issued in late 2007. For more on the history, see our prior posts.

Not surprisingly, the FTC made clear that “these Principles are guidelines for self-regulation and do not affect the obligation of any company (whether or not covered by the Principles) to comply with all applicable federal and state laws.” And the Principles themselves, set forth below, largely reflect existing FTC law in this area. For example, it is well established that a company may not unilaterally alter its policies and use previously collected data in a manner that materially differs from the terms under which the data was originally collected. See In the Matter of Gateway Learning Corp., FTC Docket No. C-4120 (Sept. 10, 2004).

The FTC defines online behavioral advertising as “the tracking of a consumer’s online activities over time – including the searches the consumer has conducted, the web pages visited, and the content viewed – in order to deliver advertising targeted to the individual consumer’s interests.” The newly revised Principles now explicitly carve out “first party” advertising, where no data is shared with third parties, and contextual advertising, where an ad is based on a single visit to a web page or single search query.

Our challenge at the Proskauer Privacy Law Blog is to synthesize a 55 page Staff Report and two concurrences from Commissioners Harbour and Leibowitz into a pithy, easily digestible blog post. Hmmm. Well, we thought we would start with the Principles themselves. But first, a couple of observations. 

 

Observation number one – the Report frequently goes out of its way to note the eroding distinction between traditional personal identifying information (“PII”) such as name, address and Social Security, and non-PII such as IP address. As noted in the Executive Summary, “staff believes that the Principles should apply to data that could reasonably be associated with a particular consumer or computer or other device, regardless of whether the data is ‘personally identifiable’ in the traditional sense. Indeed, in the context of online behavioral advertising, rapidly changing technologies and other factors have made the line between personally identifiable and non-personally identifiable information increasingly unclear. Moreover, this approach is consistent with existing self-regulatory efforts in this area.” Those blurring lines and increasingly complex technology and advertising practices promise to pose considerable challenges for the construction of clear and user-friendly consumer privacy notices.

 

Observation number two – the Report makes clear that disclosures regarding the collection of PII and non-PII for purposes of behavioral marketing should be made separate from the traditional privacy policy. “Staff recognizes that it is now customary to include most privacy disclosures in a website’s privacy policy. Unfortunately, as noted by many of the commenters and by many participants at the FTC’s November 2007 Town Hall, privacy policies have become long and difficult to understand, and may not be an effective way to communicate information to consumers. Staff therefore encourages companies to design innovative ways – outside of the privacy policy – to provide behavioral advertising disclosures and choice options to consumers.” The Staff Report highlights certain recommendations made by commenters that “appear promising. For example, a disclosure (e.g., 'why did I get this ad?') that is located in close proximity to an advertisement and links to the pertinent section of a privacy policy explaining how data is collected for purposes of delivering targeted advertising, could be an effective way to communicate with consumers. . . . Staff encourages these efforts and notes that they may be most effective if combined with consumer education programs that explain not only what information is collected from consumers and how it is used, but also the tradeoffs involved – that is, what consumers obtain in exchange for allowing the collection and use of their personal information.”

 

So, without further ado, here are the Principles. They provide for: (1) transparency and consumer control; (2) reasonable security, and limited data retention, for consumer data; (3) affirmative express consent for material changes to existing privacy promises; and (4) affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising. The bolded italicized language below represents the FTC staff’s own annotations showing changes from the first version in late 2007.

 

(1) Transparency and Consumer Control

Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option. Where the data collection occurs outside the traditional website context, companies should develop alternative methods of disclosure and consumer choice that meet the standards described above (i.e., clear, prominent, easy-to-use, etc.)

 

 

(2) Reasonable Security, and Limited Data Retention, for Consumer Data

Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with data security laws and the FTC’s data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company. Companies should also retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.

 

 

(3) Affirmative Express Consent for Material Changes to Existing Privacy Promises

As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use previously collected data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.

 

(4) Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising

Companies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive such advertising.

 

We will have future occasion to discuss other elements of the FTC’s Report, but it is clear this will not be the last we hear from the FTC on this issue. “Looking forward, the Commission will continue to monitor the marketplace closely so that it can take appropriate action to protect consumers. During the next year, Commission staff will evaluate the development of self-regulatory programs and the extent to which they serve the essential goals set out in the Principles; conduct investigations, where appropriate, of practices in the industry to determine if they violate Section 5 of the FTC Act or other laws; meet with companies, consumer groups, trade associations, and other stakeholders to keep pace with changes; and look for opportunities to use the Commission’s research tools to study developments in this area.”

New CAN-SPAM Rule Gives Long-Awaited Answers

On May 12, 2008 the Federal Trade Commission issued its long awaited final set of rules under the CAN-SPAM Act of 2003 (the “Act”). The rule:

  • Modifies the term “sender” with respect to multi-advertiser e-mails;
  • Clarifies the opt-out request process;
  • Defines the term “person”; and
  • Clarifies the meaning of “valid physical postal address” of the sender.

The accompanying report:

  • Explains the FTC’s interpretation of the Act’s application to affiliate marketing programs and tell-a-friend campaigns.

The rule will take effect on July 7, 2008.

Multi-advertiser E-mails

The FTC’s modification of the term “sender” addresses the situation in which there is more than one advertiser in a commercial e-mail. Prior to this rule’s enactment, the Act, strictly read, required that each advertiser in a commercial e-mail was responsible for complying with the Act’s requirements. In other words, each advertiser was required to provide an opt-out mechanism, display a valid physical postal address, honor opt-out requests, and otherwise comply with the Act’s requirements.

This new rule allows one of the advertisers to assume the role of “sender” as defined by the Act. This sole advertiser would then have the responsibility of honoring opt-out requests, etc., and only the opt-out mechanism and “physical postal address” of the designated sender would have to be included in the e-mail in order to comply with the Act.

In order for one advertiser to become the designated sender with respect to the Act, the advertiser must meet three requirements:

1. the person must be a “sender” as defined by the Act – simply put, this person must induce the e-mail to be sent and have their product, service, or web site advertised or promoted in the e-mail;

2. the person must be identified as the sole sender in the “from” line of the e-mail message; and

3. the person must be in compliance with the following five sections of the Act:

  • the header information must not be materially false or misleading and it must accurately identify the sending computer (15 U.S.C. 7704(a)(1));
  • the subject heading cannot mislead a reasonable recipient as to a material fact about the contents of the e-mail (15 U.S.C. 7704(a)(2));
  • the e-mail must include a valid opt-out mechanism (15 U.S.C. 7704(a)(3)(A)(i));
  • the e-mail must include a clear commercial identifier, opt-out notice, and physical address (15 U.S.C. 7704(a)(5)(A)); and
  • a sexually oriented e-mail must have the appropriate disclaimer and be formatted correctly (16 CFR 316.4).

As an example of how the FTC’s new rule would be implicated, take the situation in which a travel agency sends out a commercial e-mail that includes advertisements from the travel agency, a car rental shop, and a hotel chain. In this case, each of these three entities would be advertisers in the e-mail, but if they collectively designate the travel agency to be the “sender” of the e-mail under the Act, and if the travel agency meets the three requirements above, then only the travel agency would be considered the sender, and all sender responsibility under the Act would fall on the travel agency, not the hotel chain nor the car rental shop.

This new definition clarifies the responsibility of each advertiser and alleviates redundant obligations for the various advertisers in a single e-mail while still providing recipients with the benefits of the CAN-SPAM Act. However, while all sender responsibility is shifted to one advertiser, all advertisers are still responsible as initiators under the Act and must still comply with the provisions that apply to initiators. (That is, they are all responsible for ensuring that the header information in the e-mail is not false or deceptive.) Also, if the designated sender fails to comply with its obligations, the other advertisers can be held accountable. For this reason, from the perspective of the other advertisers, it is imperative that they secure a written agreement with the designated sender that includes contractual obligations on the sender to perform the required duties, and a strong indemnification provision protecting the other advertisers who are counting on the designated sender’s compliance with the Act.

Tell-A-Friend Campaigns and Affiliate Marketing Programs

Since the inception of the Act, advertisers have been confused about how the Act applies to their “tell-a-friend” campaigns and affiliate marketing programs.

Strictly read, the Act would make advertisers responsible in at least some instances for CAN-SPAM compliance with respect to e-mails that are sent to a person’s friend in connection with a tell-a-friend campaign. This would mean that the e-mails cannot be sent to a friend who has opted out of receiving commercial e-mails from the company (which is, in many cases, burdensome or impossible to prevent). Also, the e-mails that are sent to the friend would have to include the company’s physical postal address and opt-out mechanism, accurate routing information, a subject line that is not misleading, and, in some cases, be identified as an ad. Depending on how a particular tell-a-friend campaign functions (e.g., a company may encourage e-mail recipients to forward an e-mail to a friend or use a web-based interface to allow people to cause a message to be sent to their friend), it may be impossible for a company to ensure that these requirements are complied with.

The FTC’s report accompanying the rule makes the FTC’s interpretation of the Act’s application to tell-a-friend campaigns clear. First off, if a company offers to “pay or provide other consideration” to a person in exchange for sending the commercial e-mail to his or her friend, the company will be responsible for the e-mail’s compliance with the Act. Consideration includes offering “something of value (such as an act, forbearance or return promise),” even things of minimal or de minimis value including coupons, discounts, awards, sweepstakes entries or the like.

Similarly, when a company offers consideration to someone in exchange for driving traffic to the company’s Web site or generating other forms of referrals (e.g., a marketing affiliate relationship), resulting in the transmission of the company’s e-mail message by the affiliate or its sub-affiliate, the company will be responsible for the CAN-SPAM compliance of the e-mails that are sent.

In contrast, where a company merely “urges” or “exhorts” a person to forward a message to a friend, without offering something of value in exchange, the company will not be responsible for the CAN-SPAM compliance of the e-mails that are sent.

In summary, the FTC’s newly issued interpretation in effect will cause most companies to avoid CAN-SPAM coverage with respect to their tell-a-friend campaigns by refraining from offering anything of value in exchange for a person sending or forwarding a promotional message to a friend. Instead, such programs will be completely void of incentive. A company may, however, verbally encourage people to send their commercial messages on to their friends. As for affiliate marketing programs, since inherent in them is some form of consideration to the affiliate marketer, it will be harder to avoid responsibility for CAN-SPAM compliance.

Opt-out Requests

This rule requires senders to allow recipients to opt out of subsequent commercial e-mails in at least one of two ways. The recipients should be able to opt out by (1) replying to a specified e-mail address or (2) visiting a single Web page and selecting their opt-out preferences. Recipients cannot be required to pay a fee or provide any other information besides their e-mail address and opt-out preferences. For example, the recipient can be asked to indicate which kind of e-mails, if any, she would like to receive, but cannot be required to log into her account or to submit her name, address, or any form of payment in order to opt out. This new rule could prove burdensome on companies that currently rely on recipients to log into an account in order to opt out, or to click through to more than one web page.

The FTC declined to shorten or lengthen the amount of time senders have to process opt-out requests. The final rule maintains the original ten-business-day opt-out request processing period (or, for wireless e-mail addresses, ten days). After the applicable time period from receipt of an opt-out request, senders are prohibited from initiating commercial e-mail messages to the recipient.

Definition of Person

The FTC added a definition of “person” to clarify that the CAN-SPAM Act applies to more than just natural persons. As defined by the rule, person includes:

  • individuals,
  • groups,
  • unincorporated associations,
  • limited or general partnerships,
  • corporations, and
  • other business entities.

Valid Physical Postal Address

Since the Act was enacted, legitimate e-mailers (in particular small businesses) have been asking whether they can use a P.O. box to meet the requirement that a physical postal address be included in commercial e-mails. The final rule adds a definition of “Valid physical postal address” to clarify its meaning. Under the definition, the sender may use his current street address, a Post Office box the sender has accurately registered with the United States Postal Service, or a private mailbox the sender has accurately registered with a commercial mail-receiving agency that is established pursuant to United States Postal Service regulations.