Light, (Camera), Class Action! After Seven Years of Dormancy Since Inception, Businesses See Class Action Lawsuits for Alleged Violations of California's "Shine the Light" Act

The past month has seen a new pattern of class action lawsuits filed in California courts against businesses for allegedly violating California’s Shine the Light privacy law (the “Act”). For seven years since the Act became effective, well-intentioned businesses have understandably had the sense that their compliance approach has been sound, and we have seen no challenges to that notion. Recent class actions have alleged non-compliance on technical grounds as frivolous as the title of the privacy policy being “Privacy Policy” instead of “Your Privacy Rights.” Why should that cost a business $500 - $3,000 per California customer? We would have to ask the plaintiffs’ lawyer that question.

Under the Act, Cal. Civ. Code §1798.83, California residents have the right to request from a business with twenty or more employees, with whom they have an established business relationship, certain information about the business’s disclosure of personal information to third parties for direct marketing purposes. Specifically, such California residents may ask for details about what personal information the business shares with third parties for those third parties’ direct marketing purposes during the immediately preceding calendar year. 

There are several compliance options available to businesses under the Act. One option is for the business to adopt and disclose to the public in its privacy policy a procedure that allows its California customers to opt-out of the business’s sharing of their personal information for third parties’ direct marketing purposes. Alternatively, a business can inform its California customers of the business’s designated contact point to which a request under the Act should be directed in any of the three following ways: (A) by instructing its agents or employees to inform the customers of such information; (B) by including such information in the business’s web site privacy policy with the required emphasis and conspicuousness; or (C) by making such information available to customers at the business’s physical locations. 

To date, despite being effective since 2005, there are no published decisions under the Act. But that may change with this month’s wave of class action lawsuits. The complaints in the recently filed class action lawsuits share the same allegation (in addition to sharing the same plaintiff’s lawyer): that each respective business failed to comply with its obligations by not providing its California customers with the information necessary for them to make requests under the Act.

According to Cal. Civ. Code §1798.84(c), violating the Act can result in a civil penalty of up to $500 per violation, unless the violation is willful, intentional or reckless, in which case the business can be on the hook for as much as $3,000 per violation. However, businesses are given a ninety-day cure period before they can be held in violation of the law, as long as their violation was not willful, intentional or reckless. Many companies that have been challenged may be able to avail themselves of this safe harbor to avoid costly settlements and class notification expenses.

Although these cases are still in their early stages and it is not clear how things will be resolved, it is important to note that while complying with the Shine the Light privacy law may be burdensome, noncompliance may result in a business’s lights being dimmed, or, given the possibility of statutory damages, turned off for good.

What Do You Really Need to Know About the FTC's Recent Report on Privacy?

 

Yesterday, we blogged about the FTC’s report released last week, “Protecting Consumer Privacy in an Era of Rapid Change.” But if the FTC’s recommendations become requirements, how would they change what the typical company is doing today? 

 

  • They apply both online and offline. Many companies have privacy policies that apply to the information they collect online, but make no promises to consumers about the information they collect offline, for example in stores, at events, on the phone, via loyalty programs, through registration cards, and the like. The FTC’s report recommends that companies have privacy policies that apply offline as well.
  • They apply to what many companies think of as non-personally identifiable information, such as static IP addresses and other information that identifies a particular computer or device, but not necessarily a particular individual. This means that many companies’ privacy policies will need to be revised.
  • They propose that consumers be given a choice, at the time and place that they provide their information to a company, about the use of their data by the company in unexpected ways (i.e., ways other than “commonly accepted practices”). For example, if the company will share the consumer’s data with a third party for the third party’s marketing purposes, the consumer should be given a choice about this at the time that they provide the information to the company, and on the Web page on which they provide the data to the company. (Yes, we mean no more burying consumer choice notices in a privacy policy.) Other examples of when consumer choice would be required are when data will be sold to a data broker or other third party that is unknown to the customer, or shared with others for behavioral marketing purposes.
  • Consumer choices could no longer be obtained using the good old pre-checked consent box.
  • When data collected in a brick-and-mortar store will be used by the company in one of these “non-accepted” ways, the FTC proposes that the sales associate communicate the consumer’s choices to the consumer orally.
  • When a consumer opts out of a certain use of his or her data, that preference would be durable, and not subject to repeated additional requests from the company. (The FTC did not say this, but we presume this would mean, for example, that the FTC prefers an opt-out method that is not dependent on cookies that could inadvertently be deleted by the consumer, and that opt-out preferences not expire.)
  • The FTC proposes that data sharing with an affiliate is to be treated like data sharing with an unaffiliated third party, unless, possibly, the affiliate relationship is clear to consumers through common branding or similar means.
  • The FTC proposes that companies provide consumers with reasonable access to the data that they have about consumers. (Until now, U.S. law has not required this.)
  • The FTC proposes that companies obtain affirmative express consent from consumers before collecting, using or sharing sensitive information about consumers (such as financial or medical information, or precise geolocation data), or information about “sensitive” consumers such as children and possibly teens.
  • The FTC’s recommendations cover companies that do not have direct relationships with consumers, such as data aggregators, and propose that these companies allow consumers to access and correct the information they have about consumers.
  • The FTC proposes that companies take steps to ensure the accuracy of the data that they have about consumers, especially if the data is being used to make decisions about consumers. A good example of this is a company that provides identity or age verification services to other companies.
  • The FTC proposes that companies only collect the data they need for their specific business purposes, and that they dispose of it (securely) when it no longer serves that purpose. (In other words, don’t collect it or retain it “just in case it comes in handy for something later.”)
  • The FTC endorses a universal consumer “Do Not Track” option, whereby a consumer can set his or her web browser to instruct Web sites not to engage in behavioral marketing on that consumer. (More on this when/if the required technology becomes available.)
  • The FTC proposes that companies assign personnel to oversee privacy issues.
  • The FTC proposes that companies have comprehensive privacy programs, and review them periodically to address changes in data risks and other circumstances. (Did you just finish your comprehensive written data security program? Time to start on your comprehensive written privacy program.)
  • The FTC proposes “privacy by design.” In other words, companies should consider privacy issues relating to new products, services and business models in the early stages of their development. (As an example, no more sending new products to legal review at the last minute before launch.)
  • The FTC proposes shorter and more comprehensible privacy policies. The FTC might provide a model form privacy notice for this purpose. If you still want to include all the details in a shorter policy, the FTC suggests the “layered” policy approach, in which each policy layer links to more detail in the next layer.
  • You should have been honoring this for years, but, once again, companies cannot make material adverse retroactive changes to their privacy policies without robust notice to, and consent from, consumers. So when you are shortening your privacy policy, beware of inadvertent substantive changes that provide for lesser privacy protections than before.

CA Insurance Brokers No Longer Required To Send Opt-Out Notices Prior To Policy Shopping At Renewal

Insurance broker-agents in California no longer are required to send customers annual privacy notice forms permitting them to opt-out of information sharing.  Insurance broker-agents thus may now use customers’ nonpublic personal information to shop around for better policies at renewal.

On November 4, 2010, California’s Office of Administrative Law repealed California Code of Regulations (C.C.R.) § 2689.8(c)(3), upon the recommendation of the California Department of Insurance and Insurance Commissioner (and unsuccessful gubernatorial candidate) Steve Poizner. The move finally harmonizes C.C.R. § 2689.8 with Financial Code § 4056.5(b), effective July 1, 2004, which expressly permits broker-agents to use nonpublic personal information without obtaining prior customer consent to shop for new policies on renewal, and should reduce the paperwork and expense broker-agents previously incurred in mailing annual opt-out notices to all customers.
 

California's Financial Information Privacy Act Affiliate Sharing Provisions Narrowly Survive Complete Preemption

On September 4, 2008, in American Bankers Association v. Lockyer, No. 05-17163, 2008 WL 4070308 (9th Cir. Sept. 4, 2008), the Ninth Circuit Court of Appeals revived part of the California Financial Information Privacy Act (“S.B. 1”), allowing consumers to opt-out of certain information-sharing activities between financial institutions and their affiliates. Previously, in the 2005 case American Bankers Ass'n. v. Gould, 412 F.3d 1081 (9th Cir. 2005), the Ninth Circuit ruled that the state statute was preempted by provisions of the Fair Credit Reporting Act (“FCRA”) regarding affiliate sharing of “consumer report” information.  The recent 2-1 decision preserves consumers’ rights under California law to restrict affiliate data-sharing related to non-consumer report information.

S.B. 1 sets forth a broad restriction on the sharing of consumer information with affiliates, stating that “[a] financial institution shall not disclose to, or share a consumer’s nonpublic personal information with, an affiliate unless the financial institution has clearly and conspicuously notified the consumer annually in writing . . . that the nonpublic personal information may be disclosed to an affiliate of the financial institution and the consumer has not directed that the nonpublic personal information not be disclosed.” 

FCRA similarly restricts such affiliate sharing; however, FCRA only applies to “consumer report” information. As defined by FCRA, consumer report information is information used to determine a consumer’s eligibility for credit, insurance or employment.  In particular, consumer report information may include any information “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part” for purposes of determining eligibility for credit, insurance or employment. Section 625(b)(2) of FCRA preempts states from regulating the exchange of information among affiliates.   

 

Accordingly, in Gould, the Ninth Circuit held that FCRA preempted S.B. 1 insofar as both laws regulated the sharing of consumer report information with affiliates. The Ninth Circuit remanded the case to determine whether S.B. 1’s restrictions on affiliate-sharing with respect to non-consumer report information were severable, and thus, could survive preemption. On remand, a federal district court held that since the court lacked the power to sever the preempted applications of S.B. 1, the statute’s affiliate-sharing restrictions were preempted entirely.  

 

The Ninth Circuit reversed the district court’s ruling. In Lockyer, the Ninth Circuit looked to whether California law permits the court to narrow S.B. 1’s application to avoid complete preemption. The court determined that if the Legislature’s intent “clearly would be furthered by application of the revised version rather than by the alternative of invalidation,” then the court “must revise the statute.”  From the language of the statute, the Ninth Circuit found that the California Legislature “would have preferred a narrowed version of [S.B. 1] to no version at all.” Moreover, S.B. 1 contained a severability clause in its enactment of the law – further proof that reforming S.B. 1 to sever its preempted applications would best effectuate the Legislature’s intent.  Thus, because S.B. 1 has non-preempted applications, FCRA does not preempt those provisions of S.B. 1 that do not relate to consumer report information. 

 

As a result, certain banks and financial institutions should be mindful that, in addition to the affiliate-sharing restrictions contained in FCRA, California law may require them to provide customers an opportunity to opt-out of data-sharing arrangements with affiliates involving non-consumer report information.

 

Affiliate Marketing Rule Alert: Compliance Deadline is October 1, 2008

Section 214 of the Fair and Accurate Credit Transactions Act (“FACTA”) was enacted to amend the Fair Credit Reporting Act (the “Act”) to give consumers the right to restrict certain entities from using certain information received from their affiliates to make solicitations to that consumer unless the consumer has been provided (1) “clear and conspicuous” notice that the consumer’s information will be shared for such purposes, and (2) an opportunity to opt out of having such information shared for such purposes.

On November 7, 2007, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the National Credit Union Administration issued a joint final rule (along with the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC), which separately adopted and proposed, respectively, similar regulations) under the amended Act (the “Affiliate Marketing Rule” or “Final Rule,” codified at 12 C.F.R. Parts 41, 222, 334, 571 and 717) governing the use of specific consumer information obtained by covered entities from their affiliates for certain marketing purposes.

The Affiliate Marketing Rule became effective on January 1, 2008, and compliance by covered entities is required by October 1, 2008.

Summary of the Final Rule’s Requirements

In general, the Affiliate Marketing Rule prohibits a “person” from using consumer “eligibility information” received from a corporate “affiliate” for making marketing “solicitations” to the consumer, unless:  

  • the consumer is first given a clear, conspicuous, concise and written notice explaining that the person may use eligibility information about that consumer received from an affiliate to make solicitations for marketing purposes;
  • the consumer is first given a reasonable opportunity and a reasonable and simple method to “opt out,” or prohibit the use of the eligibility information to make solicitations for marketing purposes; and
  • the consumer has not opted out thereof. 

Opt-Out Requirements

The opt-out notice must be delivered “so that each consumer can be reasonably expected to receive actual notice.” Examples of delivery methods that can be reasonably expected to provide actual notice include hand-delivery, mailing a printed copy of the notice to the consumer’s last known address, e-mail to consumers who have agreed to receive electronic disclosures from the affiliate providing notice, and posting the notice on a website at which the consumer obtained a product or service electronically and requiring the consumer to acknowledge receipt of the notice.

Once notice has been delivered, a consumer must be given a reasonable opportunity to opt out, and the reasonable opportunity to opt out must be accompanied by a “reasonable and simple” method for exercising the opt-out right, such as a conspicuous check box, a reply form and a self-addressed envelope with the opt-out notice, a toll-free telephone number, and an electronic opt out.

Consumer opt outs must be honored for 5 years, and a renewal notice must be sent to the consumer before the expiration of the initial 5-year opt-out period, giving the consumer an opportunity to extend the opt-out for an additional 5 years. The Final Rule includes model forms that may be used to comply with the Final Rule’s requirements.

Key Definitions

Under the Final Rule, “affiliates” are companies that are related by common ownership or common corporate control with one another. A “solicitation” means the marketing of a product or service initiated by a person to a particular consumer that is based on eligibility information communicated to that person by its affiliate and intended to encourage the consumer to purchase or obtain such product or service. (Communications aimed at the general public such as television or billboard advertisements are not “solicitations,” but marketing emails, telemarketing calls and direct mailings aimed at particular consumers are considered “solicitations.”) 

“Eligibility information,” as defined by the Rule, encompasses any information that, if communicated, would constitute a “consumer report” (as such term is defined by the Act) but for specific statutory exclusions. “Eligibility information” might include, for example, a person’s own transaction or experience information and information from consumer reports or applications, but does not include aggregate or blind data that does not contain personal identifiers.

Exceptions

The provisions of the Affiliate Marketing Rule do not apply to certain uses of eligibility information obtained from an affiliate in certain situations, including:

  • to make a marketing solicitation to a consumer with whom the person has a “pre-existing business relationship” as that term is defined in the Rule;
  • to facilitate certain communications to a consumer for whose benefit the company has provided employee benefits or other services;
  • to perform services on behalf of an affiliate, except that this does not permit a person to send solicitations on behalf of an affiliate if the affiliate would not be permitted to send the solicitation on its own behalf due to the consumer’s opt-out election;
  • in response to a communication initiated by the consumer;
  • in response to a consumer’s authorization or request to receive a solicitation; and
  • if compliance with the Final Rule would prevent the person from complying with state insurance laws relating to unfair discrimination.

As the compliance deadline quickly approaches, it is important for covered entities to understand that the potential consequences of non-compliance with the Final Rule’s requirements not only could include enforcement by the applicable federal banking agency or the FTC (if the FTC has jurisdiction over such covered entity), but also could result in civil liability to affected consumers (including punitive damages for certain willful actions, as well as attorneys’ fees).

New CAN-SPAM Rule Gives Long-Awaited Answers

On May 12, 2008, the Federal Trade Commission issued its long-awaited final set of rules under the CAN-SPAM Act of 2003 (the “Act”). The rule:

  • Modifies the term “sender” with respect to multi-advertiser e-mails;
  • Clarifies the opt-out request process;
  • Defines the term “person”; and
  • Clarifies the meaning of “valid physical postal address” of the sender.

The accompanying report:

  • Explains the FTC’s interpretation of the Act’s application to affiliate marketing programs and tell-a-friend campaigns.

The rule will take effect on July 7, 2008.

Multi-advertiser E-mails

The FTC’s modification of the term “sender” addresses the situation in which there is more than one advertiser in a commercial e-mail. Prior to this rule’s enactment, the Act, strictly read, required that each advertiser in a commercial e-mail was responsible for complying with the Act’s requirements. In other words, each advertiser was required to provide an opt-out mechanism, display a valid physical postal address, honor opt-out requests, and otherwise comply with the Act’s requirements.

This new rule allows one of the advertisers to assume the role of “sender” as defined by the Act. This sole advertiser would then have the responsibility of honoring opt out requests, etc., and only the opt-out mechanism and “physical postal address” of the designated sender would have to be included in the e-mail in order to comply with the Act.

In order for one advertiser to become the designated sender with respect to the Act, the advertiser must meet three requirements:

1. the person must be a “sender” as defined by the Act – simply put, this person must induce the e-mail to be sent and have their product, service, or web site advertised or promoted in the e-mail;

2. the person must be identified as the sole sender in the “from” line of the e-mail message; and

3. the person must be in compliance with the following five sections of the Act:

  • the header information must not be materially false or misleading and it must accurately identify the sending computer (15 U.S.C. 7704(a)(1));
  • the subject heading cannot mislead a reasonable recipient as to a material fact about the contents of the e-mail (15 U.S.C. 7704(a)(2));
  • the e-mail must include a valid opt-out mechanism (15 U.S.C. 7704(a)(3)(A)(i));
  • the e-mail must include a clear commercial identifier, opt-out notice, and physical address (15 U.S.C. 7704(a)(5)(A)); and
  • a sexually oriented e-mail must have the appropriate disclaimer and be formatted correctly (16 CFR 316.4).

As an example of how the FTC’s new rule would be implicated, take the situation in which a travel agency sends out a commercial e-mail that includes advertisements from the travel agency, a car rental shop, and a hotel chain. In this case, each of these three entities would be advertisers in the e-mail, but if they collectively designate the travel agency to be the “sender” of the e-mail under the Act, and if the travel agency meets the three requirements above, then only the travel agency would be considered the sender, and all sender responsibility under the Act would fall on the travel agency, not the hotel chain nor the car rental shop.

This new definition clarifies the responsibility of each advertiser and alleviates redundant obligations for the various advertisers in a single e-mail while still providing recipients with the benefits of the CAN-SPAM Act. However, while all sender responsibility is shifted to one advertiser, all advertisers are still responsible as initiators under the Act and must still comply with the provisions that apply to initiators. (That is, they are all responsible for ensuring that the header information in the e-mail is not false or deceptive.) Also, if the designated sender fails to comply with its obligations, the other advertisers can be held accountable. For this reason, from the perspective of the other advertisers, it is imperative that they secure a written agreement with the designated sender that includes contractual obligations on the sender to perform the required duties, and a strong indemnification provision protecting the other advertisers who are counting on the designated sender’s compliance with the Act.

Tell-A-Friend Campaigns and Affiliate Marketing Programs

Since the inception of the Act, advertisers have been confused about how the Act applies to their “tell-a-friend” campaigns and affiliate marketing programs.

Strictly read, the Act would make advertisers responsible in at least some instances for CAN-SPAM compliance with respect to e-mails that are sent to a person’s friend in connection with a tell-a-friend campaign. This would mean that the e-mails cannot be sent to a friend who has opted out of receiving commercial e-mails from the company (which is, in many cases, burdensome or impossible to prevent). Also, the e-mails that are sent to the friend would have to include the company’s physical postal address and opt-out mechanism, accurate routing information, a subject line that is not misleading, and, in some cases, be identified as an ad. Depending on how a particular tell-a-friend campaign functions (e.g., a company may encourage e-mail recipients to forward an e-mail to a friend or use a web-based interface to allow people to cause a message to be sent to their friend), it may be impossible for a company to ensure that these requirements are complied with.

The FTC’s report accompanying the rule makes the FTC’s interpretation of the Act’s application to tell-a-friend campaigns clear. First off, if a company offers to “pay or provide other consideration” to a person in exchange for sending the commercial e-mail to his or her friend, the company will be responsible for the e-mail’s compliance with the Act. Consideration includes offering “something of value (such as an act, forbearance or return promise),” even things of minimal or de minimis value including coupons, discounts, awards, sweepstakes entries or the like.

Similarly, when a company offers consideration to someone in exchange for driving traffic to the company’s Web site or generating other forms of referrals (e.g., a marketing affiliate relationship), resulting in the transmission of the company’s e-mail message by the affiliate or its sub-affiliate, the company will be responsible for the CAN-SPAM compliance of the e-mails that are sent.

In contrast, where a company merely “urges” or “exhorts” a person to forward a message to a friend, without offering something of value in exchange, the company will not be responsible for the CAN-SPAM compliance of the e-mails that are sent.

In summary, the FTC’s newly issued interpretation in effect will cause most companies to avoid CAN-SPAM coverage with respect to their tell-a-friend campaigns by refraining from offering anything of value in exchange for a person sending or forwarding a promotional message to a friend. Instead, such programs will be completely void of incentive. A company may, however, verbally encourage people to send their commercial messages on to their friends. As for affiliate marketing programs, since inherent in them is some form of consideration to the affiliate marketer, it will be harder to avoid responsibility for CAN-SPAM compliance.

Opt-out Requests

This rule requires senders to allow recipients to opt-out of subsequent commercial e-mails in at least one of two ways. The recipients should be able to opt-out by (1) replying to a specified e-mail address or (2) visiting a single Web page and selecting their opt-out preferences. Recipients cannot be required to pay a fee or provide any other information besides their e-mail address and opt-out preferences. For example, the recipient can be asked to indicate which kind of e-mails, if any, she would like to receive, but cannot be required to log into her account or to submit her name, address, or any form of payment in order to opt-out. This new rule could prove burdensome on companies that currently rely on recipients to log into an account in order to opt out, or to click through to more than one web page.

The FTC declined to shorten or lengthen the amount of time senders have to process opt-out requests. The final rule maintains the original ten-business-day opt-out request processing period (or, for wireless e-mail addresses, ten days). After the applicable time period from receipt of an opt-out request, senders are prohibited from initiating commercial e-mail messages to the recipient.

Definition of Person

The FTC added a definition of “person” to clarify that the CAN-SPAM Act applies to more than just natural persons. As defined by the rule, person includes:

  • individuals,
  • groups,
  • unincorporated associations,
  • limited or general partnerships,
  • corporations, and
  • other business entities.

Valid Physical Postal Address

Since the Act was enacted, legitimate e-mailers (in particular small businesses) have been asking whether they can use a P.O. box to meet the requirement that a physical postal address be included in commercial e-mails. The final rule adds a definition of “Valid physical postal address” to clarify its meaning. Under the definition, the sender may use his current street address, a Post Office box the sender has accurately registered with the United States Postal Service, or a private mailbox the sender has accurately registered with a commercial mail-receiving agency that is established pursuant to United States Postal Service regulations.
 

California Court of Appeal Reaffirms Adequacy of Opt-Out Notice to Protect Privacy of Individual Identity and Contact Information in Litigation

On April 9, 2007, the California Court of Appeal, Second Appellate District, affirmed a ruling of the Los Angeles Superior Court permitting the disclosure to counsel for a putative class of the names, addresses, and telephone numbers of the defendant’s current and former employees unless, following proper opt-out notice, they objected in writing to the disclosure. Belaire-West Landscape, Inc. v. Superior Court, B194844 (April 9, 2007). The Belaire-West court applied the reasoning of the California Supreme Court's recent decision in Pioneer Electronics (USA), Inc. v. Superior Court, 40 Cal.4th 360 (2007) (discussed in our January 30 post) to employee data to hold that requiring current and former employees to object to disclosure of their identities and contact information “present[ed] no serious invasion of their privacy interests.”

Real parties in interest Sebastian Rodriguez and Jose Luis Mosqueda filed a putative wage and hour class action against their former employer, Belaire-West Landscaping. During precertification discovery, the trial court compelled Belaire-West to provide the names and contact information of all current and former employees and adopted the plaintiffs’ proposed notice to those individuals that required them to opt-out in writing to prevent their information from being disclosed. The court reviewed in detail the analysis applied in Pioneer, and determined that the opt-out notice adequately protected the privacy rights of the current and former employees.

The opt-out notice adopted by the trial court advised current and former employees “of the lawsuit and its core allegations, and explained who may be a member of the proposed class. It described the investigation plaintiffs’ attorneys were performing, and stated that ‘[t]o assist in the investigation, the attorneys for the Plaintiffs wish to gather information regarding the nature of the work you do (or used to do), while employed by Belaire-West, including the amount of any overtime you may have worked. They have sought to obtain your names, addresses and telephone numbers, so that they can communicate with you about the allegations made in the lawsuit.’” The notice further stated as follows:

By order of the Los Angeles Superior Court, Plaintiffs’ counsel has already been provided your names. The Court has ordered that a letter be sent to you to determine if you would object to Plaintiffs’ counsel receiving your address and telephone number. You may elect not to provide your address and/or telephone number to Plaintiffs’ counsel on the grounds of privacy. [¶] Plaintiffs’ counsel would like to have your address and telephone number to help in their investigation. The Plaintiffs’ lawyers would like to contact you to obtain your input as to whether the Plaintiffs’ allegations in their lawsuit are accurate. [¶] THEREFORE, IF YOU DO NOT WANT YOUR ADDRESS AND TELEPHONE NUMBER TO BE PROVIDED TO THE PLAINTIFFS’ ATTORNEYS, YOU MUST complete and return THE ENCLOSED POST CARD to the address listed on the postcard.

The notice included the names, addresses, and telephone numbers of plaintiffs’ counsel, with the information that recipients had the right to contact plaintiffs’ counsel and that they speak Spanish. Finally, the notice advised current and former employees that they were “under no obligation to provide information to or discuss this matter with the Plaintiffs’ attorneys or any person representing the former employees,” were “also under no obligation to provide information to or discuss this matter with Belaire-West or any of its agents or attorneys,” and that their “employer[s] may not retaliate against [them] in any way for providing or refusing to provide any information.”

As explained in a previous post, the Court in Pioneer held that, under the privacy provision of the California Constitution, a representative plaintiff in a class action may obtain from defendant company the personal identifying information of other complaining consumers, even when those consumers do not affirmatively grant permission for their personal identifying information to be used.

The Belaire-West court concluded that the opt-out notices in the instant matter sufficed under Pioneer. The court acknowledged that the privacy concerns in the Belaire-West case were more significant than those in Pioneer because the information was provided to Belaire-West as a condition of employment (as opposed to the voluntary disclosures of consumers in Pioneer), and that employees reasonably expected that their employer would not divulge the information except as required to governmental agencies or benefits providers, in light of employers’ usual confidentiality customs and practices. Nonetheless, the court found that this did not mean that current and former employees would wish their contact information to be withheld from a class action plaintiff seeking relief for violations of employment laws.

The court found reasonable the trial court’s implicit finding that “no serious invasion of privacy would result from the release of the [information] to the named plaintiffs in a putative class action filed against their employer following a written notice to each employee giving them the opportunity to object to the disclosure of that information.” As in Pioneer,

the information, while personal, was not particularly sensitive, as it was contact information, not medical or financial details. Disclosure of the contact information with an opt-out notice would not appear to unduly compromise either informational privacy or autonomy privacy in light of the opportunity to object to the disclosure, as the court specifically found that there was no evidence of any actual or threatened misuse of the information.

The court further held that the balance of interests also supported the trial court’s order because the current and former employees were potential percipient witnesses and, as such, their identities and locations were properly discoverable under the California Code of Civil Procedure § 2017.010. Indeed, the court found that the balance tilted even more in favor of disclosure than in Pioneer because the “fundamental public policy underlying California’s employment laws” was at stake.

Federal Regulators Propose Federal Privacy Notice and Seek Comments

On March 21, 2007, eight federal regulatory agencies (“Joint Agencies”) with jurisdiction over Gramm-Leach-Bliley Act (“GLBA”) regulated “financial institutions” issued an interagency proposal for a new model privacy form. The proposal is the result of a lengthy process the Joint Agencies began in 2001 to improve the format of GLBA privacy notices to make them more comprehensible to consumers. In addition to a lack of clarity, the Joint Agencies and consumer and privacy advocates have been concerned about the length of notices and the overuse of legal terms. 

Section 503 of the GLBA, 15 U.S.C. § 1603, and current rules require financial institutions to provide their customers with a notice that describes, among other things, how they protect nonpublic personal information, the categories of nonpublic personal information collected, the affiliates and the nonaffiliated third parties to whom such information is disclosed, and a description of the customer’s right to prevent certain disclosures to nonaffiliated third parties. These notices must be provided at the outset of the institution’s relationship with a customer and, in the case of long-standing relationships, on an annual basis. Current rules do not mandate a standard format or particular wording for the notices; however, they provide sample clauses that financial institutions can use to satisfy the notice requirements.

While the Joint Agencies had deferred policy action in the midst of studying how to improve privacy notices, on October 13, 2006, President Bush signed the Financial Services Regulatory Relief Act of 2006 (“Regulatory Relief Act”). Section 728 of the Regulatory Relief Act amended Section 503 of the GLBA (15 U.S.C. § 1603) to require the Joint Regulators to propose a model form by April 11, 2007. Although financial institutions will not be required to use the model form, the Regulatory Relief Act includes a safe harbor that deems any financial institution using the form to be in compliance with the Section 503 disclosures.    

The model form is largely based on a report issued by the Kleimann Communications Group in March 2006. The proposed model form would be 2-3 pages, depending on whether there is an opt-out. The first page would include general background information and a keyframe with why, what and how information regarding a financial institution’s use of personal information, reasons for sharing, and opt-out rights. The second page includes supplementary information such as definitions and further explanatory information in the form of Frequently Asked Questions. The final page includes an opt-out form for those financial institutions that share information in a manner that triggers consumer opt-out rights. The proposed rules would require a minimum font size and that financial institutions provide sufficient spacing between lines of type with further recommendations on font type, spacing, paper size and color. One year after enactment of the model proposal, financial institutions will lose any safe harbor from using the sample clauses in the current rules for their notices.     

Comments on the proposal will be due 60 days from publication in the Federal Register, which is expected later in March. The Joint Agencies are seeking comment on the content of the model form, including whether modifications to the opt-out are necessary and whether financial institutions intend to incorporate the Fair Credit Reporting Act opt-out for affiliate marketing into the form, the format of the form, and other issues such as the likelihood financial institutions will use the form and issues regarding some financial institutions’ requirement that consumers provide their social security numbers to opt out. Interested parties need only submit comments to one of the Joint Agencies.

The Joint Agencies include the Office of the Comptroller of the Currency, Treasury; Board of Governors of the Federal Reserve System; Federal Deposit Insurance Corporation; Office of Thrift Supervision, Treasury; National Credit Union Administration; Federal Trade Commission; Commodity Futures Trading Commission; and the Securities and Exchange Commission.