California's Financial Information Privacy Act Affiliate Sharing Provisions Narrowly Survive Complete Preemption

On September 4, 2008, in American Bankers Association v. Lockyer, No. 05-17163, 2008 WL 4070308 (9th Cir. Sept. 4, 2008), the Ninth Circuit Court of Appeals revived part of the California Financial Information Privacy Act (“S.B. 1”), allowing consumers to opt out of certain information-sharing activities between financial institutions and their affiliates. Previously, in the 2005 case American Bankers Ass'n. v. Gould, 412 F.3d 1081 (9th Cir. 2005), the Ninth Circuit ruled that the state statute was preempted by provisions of the Fair Credit Reporting Act (“FCRA”) regarding affiliate sharing of “consumer report” information. The recent 2-1 decision preserves consumers’ rights under California law to restrict affiliate data-sharing related to non-consumer report information.

S.B. 1 sets forth a broad restriction on the sharing of consumer information with affiliates, stating that “[a] financial institution shall not disclose to, or share a consumer’s nonpublic personal information with, an affiliate unless the financial institution has clearly and conspicuously notified the consumer annually in writing . . . that the nonpublic personal information may be disclosed to an affiliate of the financial institution and the consumer has not directed that the nonpublic personal information not be disclosed.” 

FCRA similarly restricts such affiliate sharing; however, FCRA only applies to “consumer report” information. As defined by FCRA, consumer report information is information used to determine a consumer’s eligibility for credit, insurance or employment. In particular, consumer report information may include any information “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part” for purposes of determining eligibility for credit, insurance or employment. Section 625(b)(2) of FCRA preempts states from regulating the exchange of information among affiliates.

Accordingly, in Gould, the Ninth Circuit held that FCRA preempted S.B. 1 insofar as both laws regulated the sharing of consumer report information with affiliates. The Ninth Circuit remanded the case to determine whether S.B. 1’s restrictions on affiliate-sharing with respect to non-consumer report information were severable, and thus, could survive preemption. On remand, a federal district court held that since the court lacked the power to sever the preempted applications of S.B. 1, the statute’s affiliate-sharing restrictions were preempted entirely.

The Ninth Circuit reversed the district court’s ruling. In Lockyer, the Ninth Circuit looked to whether California law permits the court to narrow S.B. 1’s application to avoid complete preemption. The court determined that if the Legislature’s intent “clearly would be furthered by application of the revised version rather than by the alternative of invalidation,” then the court “must revise the statute.” From the language of the statute, the Ninth Circuit found that the California Legislature “would have preferred a narrowed version of [S.B. 1] to no version at all.” Moreover, S.B. 1 contained a severability clause in its enactment of the law – further proof that reforming S.B. 1 to sever its preempted applications would best effectuate the Legislature’s intent. Thus, because S.B. 1 has non-preempted applications, FCRA does not preempt those provisions of S.B. 1 that do not relate to consumer report information.

As a result, certain banks and financial institutions should be mindful that, in addition to the affiliate-sharing restrictions contained in FCRA, California law may require them to provide customers an opportunity to opt out of data-sharing arrangements with affiliates involving non-consumer report information.

Affiliate Marketing Rule Alert: Compliance Deadline is October 1, 2008

Section 214 of the Fair and Accurate Credit Transactions Act (“FACTA”) was enacted to amend the Fair Credit Reporting Act (the “Act”) to give consumers the right to restrict certain entities from using certain information received from their affiliates to make solicitations to that consumer unless the consumer has been provided (1) “clear and conspicuous” notice that the consumer’s information will be shared for such purposes, and (2) an opportunity to opt out of having such information shared for such purposes.

On November 7, 2007, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the National Credit Union Administration issued a joint final rule (along with the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC), which separately adopted and proposed, respectively, similar regulations) under the amended Act (the “Affiliate Marketing Rule” or “Final Rule,” codified at 12 C.F.R. Parts 41, 222, 334, 571 and 717) governing the use of specific consumer information obtained by covered entities from their affiliates for certain marketing purposes.

The Affiliate Marketing Rule became effective on January 1, 2008, and compliance by covered entities is required by October 1, 2008.

Summary of the Final Rule’s Requirements

In general, the Affiliate Marketing Rule prohibits a “person” from using consumer “eligibility information” received from a corporate “affiliate” for making marketing “solicitations” to the consumer, unless:  

  • the consumer is first given a clear, conspicuous, concise and written notice explaining that the person may use eligibility information about that consumer received from an affiliate to make solicitations for marketing purposes;
  • the consumer is first given a reasonable opportunity and a reasonable and simple method to “opt out,” or prohibit the use of the eligibility information to make solicitations for marketing purposes; and
  • the consumer has not opted out thereof. 

Opt-Out Requirements

The opt-out notice must be delivered “so that each consumer can be reasonably expected to receive actual notice.” Examples of delivery methods that can be reasonably expected to provide actual notice include hand-delivery, mailing a printed copy of the notice to the consumer’s last known address, e-mail to consumers who have agreed to receive electronic disclosures from the affiliate providing notice, and posting the notice on a website at which the consumer obtained a product or service electronically and requiring the consumer to acknowledge receipt of the notice.

Once notice has been delivered, a consumer must be given a reasonable opportunity to opt out, and the reasonable opportunity to opt out must be accompanied by a “reasonable and simple” method for exercising the opt-out right, such as a conspicuous check box, a reply form and a self-addressed envelope with the opt-out notice, a toll-free telephone number, and an electronic opt out.

Consumer opt outs must be honored for 5 years, and a renewal notice must be sent to the consumer before the expiration of the initial 5-year opt-out period, giving the consumer an opportunity to extend the opt-out for an additional 5 years. The Final Rule includes model forms that may be used to comply with the Final Rule’s requirements.

Key Definitions

Under the Final Rule, “affiliates” are companies that are related by common ownership or common corporate control with one another. A “solicitation” means the marketing of a product or service initiated by a person to a particular consumer that is based on eligibility information communicated to that person by its affiliate and intended to encourage the consumer to purchase or obtain such product or service. (Communications aimed at the general public such as television or billboard advertisements are not “solicitations,” but marketing emails, telemarketing calls and direct mailings aimed at particular consumers are considered “solicitations.”) 

“Eligibility information,” as defined by the Rule, encompasses any information that, if communicated, would constitute a “consumer report” (as such term is defined by the Act) but for specific statutory exclusions. “Eligibility information” might include, for example, a person’s own transaction or experience information and information from consumer reports or applications, but does not include aggregate or blind data that does not contain personal identifiers.

Exceptions

The provisions of the Affiliate Marketing Rule do not apply to certain uses of eligibility information obtained from an affiliate in certain situations, including:

  • to make a marketing solicitation to a consumer with whom the person has a “pre-existing business relationship” as that term is defined in the Rule;
  • to facilitate certain communications to a consumer for whose benefit the company has provided employee benefits or other services;
  • to perform services on behalf of an affiliate, except that this does not permit a person to send solicitations on behalf of an affiliate if the affiliate would not be permitted to send the solicitation on its own behalf due to the consumer’s opt-out election;
  • in response to a communication initiated by the consumer;
  • in response to a consumer’s authorization or request to receive a solicitation; and
  • if compliance with the Final Rule would prevent the person from complying with state insurance laws relating to unfair discrimination.

As the compliance deadline quickly approaches, it is important for covered entities to understand that the potential consequences of non-compliance with the Final Rule’s requirements not only could include enforcement by the applicable federal banking agency or the FTC (if the FTC has jurisdiction over such covered entity), but also could result in civil liability to affected consumers (including punitive damages for certain willful actions, as well as attorneys’ fees).

New CAN-SPAM Rule Gives Long-Awaited Answers

On May 12, 2008, the Federal Trade Commission issued its long-awaited final set of rules under the CAN-SPAM Act of 2003 (the "Act"). The rule:
• Modifies the term "sender" with respect to multi-advertiser e-mails;
• Clarifies the opt-out request process;
• Defines the term "person"; and
• Clarifies the meaning of "valid physical postal address" of the sender.
The accompanying report:
• Explains the FTC's interpretation of the Act's application to affiliate marketing programs and tell-a-friend campaigns.
The rule will take effect on July 7, 2008.

Multi-advertiser E-mails

The FTC’s modification of the term “sender” addresses the situation in which there is more than one advertiser in a commercial e-mail. Prior to this rule’s enactment, the Act, strictly read, required that each advertiser in a commercial e-mail was responsible for complying with the Act’s requirements. In other words, each advertiser was required to provide an opt-out mechanism, display a valid physical postal address, honor opt-out requests, and otherwise comply with the Act’s requirements.

This new rule allows one of the advertisers to assume the role of “sender” as defined by the Act. This sole advertiser would then have the responsibility of honoring opt out requests, etc., and only the opt-out mechanism and “physical postal address” of the designated sender would have to be included in the e-mail in order to comply with the Act.

In order for one advertiser to become the designated sender with respect to the Act, the advertiser must meet three requirements:

1. the person must be a “sender” as defined by the Act – simply put, this person must induce the e-mail to be sent and have their product, service, or web site advertised or promoted in the e-mail;

2. the person must be identified as the sole sender in the “from” line of the e-mail message; and

3. the person must be in compliance with the following five sections of the Act:

  • the header information must not be materially false or misleading and it must accurately identify the sending computer (15 U.S.C. 7704(a)(1));
  • the subject heading cannot mislead a reasonable recipient as to a material fact about the contents of the e-mail (15 U.S.C. 7704(a)(2));
  • the e-mail must include a valid opt-out mechanism (15 U.S.C. 7704(a)(3)(A)(i));
  • the e-mail must include a clear commercial identifier, opt-out notice, and physical address (15 U.S.C. 7704(a)(5)(A)); and
  • a sexually oriented e-mail must have the appropriate disclaimer and be formatted correctly (16 CFR 316.4).

As an example of how the FTC’s new rule would be implicated, take the situation in which a travel agency sends out a commercial e-mail that includes advertisements from the travel agency, a car rental shop, and a hotel chain. In this case, each of these three entities would be advertisers in the e-mail, but if they collectively designate the travel agency to be the “sender” of the e-mail under the Act, and if the travel agency meets the three requirements above, then only the travel agency would be considered the sender, and all sender responsibility under the Act would fall on the travel agency, not the hotel chain nor the car rental shop.

This new definition clarifies the responsibility of each advertiser and alleviates redundant obligations for the various advertisers in a single e-mail while still providing recipients with the benefits of the CAN-SPAM Act. However, while all sender responsibility is shifted to one advertiser, all advertisers are still responsible as initiators under the Act and must still comply with the provisions that apply to initiators. (That is, they are all responsible for ensuring that the header information in the e-mail is not false or deceptive.) Also, if the designated sender fails to comply with its obligations, the other advertisers can be held accountable. For this reason, from the perspective of the other advertisers, it is imperative that they secure a written agreement with the designated sender that includes contractual obligations on the sender to perform the required duties, and a strong indemnification provision protecting the other advertisers who are counting on the designated sender’s compliance with the Act.

Tell-A-Friend Campaigns and Affiliate Marketing Programs

Since the inception of the Act, advertisers have been confused about how the Act applies to their “tell-a-friend” campaigns and affiliate marketing programs.

Strictly read, the Act would make advertisers responsible in at least some instances for CAN-SPAM compliance with respect to e-mails that are sent to a person’s friend in connection with a tell-a-friend campaign. This would mean that the e-mails cannot be sent to a friend who has opted out of receiving commercial e-mails from the company (which is, in many cases, burdensome or impossible to prevent). Also, the e-mails that are sent to the friend would have to include the company’s physical postal address and opt-out mechanism, accurate routing information, a subject line that is not misleading, and, in some cases, be identified as an ad. Depending on how a particular tell-a-friend campaign functions (e.g., a company may encourage e-mail recipients to forward an e-mail to a friend or use a web-based interface to allow people to cause a message to be sent to their friend), it may be impossible for a company to ensure that these requirements are complied with.

The FTC’s report accompanying the rule makes the FTC’s interpretation of the Act’s application to tell-a-friend campaigns clear. First off, if a company offers to “pay or provide other consideration” to a person in exchange for sending the commercial e-mail to his or her friend, the company will be responsible for the e-mail’s compliance with the Act. Consideration includes offering “something of value (such as an act, forbearance or return promise),” even things of minimal or de minimis value including coupons, discounts, awards, sweepstakes entries or the like.

Similarly, when a company offers consideration to someone in exchange for driving traffic to the company’s Web site or generating other forms of referrals (e.g., a marketing affiliate relationship), resulting in the transmission of the company’s e-mail message by the affiliate or its sub-affiliate, the company will be responsible for the CAN-SPAM compliance of the e-mails that are sent.

In contrast, where a company merely “urges” or “exhorts” a person to forward a message to a friend, without offering something of value in exchange, the company will not be responsible for the CAN-SPAM compliance of the e-mails that are sent.

In summary, the FTC’s newly issued interpretation in effect will cause most companies to avoid CAN-SPAM coverage with respect to their tell-a-friend campaigns by refraining from offering anything of value in exchange for a person sending or forwarding a promotional message to a friend. Instead, such programs will be completely void of incentive. A company may, however, verbally encourage people to send their commercial messages on to their friends. As for affiliate marketing programs, since inherent in them is some form of consideration to the affiliate marketer, it will be harder to avoid responsibility for CAN-SPAM compliance.

Opt-out Requests

This rule requires senders to allow recipients to opt out of subsequent commercial e-mails in at least one of two ways. The recipients should be able to opt out by (1) replying to a specified e-mail address or (2) visiting a single Web page and selecting their opt-out preferences. Recipients cannot be required to pay a fee or provide any other information besides their e-mail address and opt-out preferences. For example, the recipient can be asked to indicate which kind of e-mails, if any, she would like to receive, but cannot be required to log into her account or to submit her name, address, or any form of payment in order to opt out. This new rule could prove burdensome on companies that currently rely on recipients to log into an account in order to opt out, or to click through to more than one web page.

The FTC declined to shorten or lengthen the amount of time senders have to process opt-out requests. The final rule maintains the original ten-business-day opt-out request processing period (or, for wireless e-mail addresses, ten days). After the applicable time period from receipt of an opt-out request, senders are prohibited from initiating commercial e-mail messages to the recipient.

Definition of Person

The FTC added a definition of “person” to clarify that the CAN-SPAM Act applies to more than just natural persons. As defined by the rule, person includes:

• individuals,

• groups,

• unincorporated associations,

• limited or general partnerships,

• corporations; and

• other business entities.

Valid Physical Postal Address

Since the Act was enacted, legitimate e-mailers (in particular small businesses) have been asking whether they can use a P.O. box to meet the requirement that a physical postal address be included in commercial e-mails. The final rule adds a definition of “Valid physical postal address” to clarify its meaning. Under the definition, the sender may use his current street address, a Post Office box the sender has accurately registered with the United States Postal Service, or a private mailbox the sender has accurately registered with a commercial mail-receiving agency that is established pursuant to United States Postal Service regulations.

California Court of Appeal Reaffirms Adequacy of Opt-Out Notice to Protect Privacy of Individual Identity and Contact Information in Litigation

On April 9, 2007, the California Court of Appeal, Second Appellate District, affirmed a ruling of the Los Angeles Superior Court permitting the disclosure to counsel for a putative class of the names, addresses, and telephone numbers of the defendant’s current and former employees unless, following proper opt-out notice, they objected in writing to the disclosure. Belaire-West Landscape, Inc. v. Superior Court, B194844 (April 9, 2007). The Belaire-West court applied the reasoning of the California Supreme Court's recent decision in Pioneer Electronics (USA), Inc. v. Superior Court, 40 Cal.4th 360 (2007) (discussed in our January 30 post) to employee data to hold that requiring current and former employees to object to disclosure of their identities and contact information “present[ed] no serious invasion of their privacy interests.”

Real parties in interest Sebastian Rodriguez and Jose Luis Mosqueda filed a putative wage and hour class action against their former employer, Belaire-West Landscaping. During precertification discovery, the trial court compelled Belaire-West to provide the names and contact information of all current and former employees and adopted the plaintiffs’ proposed notice to those individuals that required them to opt out in writing to prevent their information from being disclosed. The court reviewed in detail the analysis applied in Pioneer, and determined that the opt-out notice adequately protected the privacy rights of the current and former employees.

The opt-out notice adopted by the trial court advised current and former employees “of the lawsuit and its core allegations, and explained who may be a member of the proposed class. It described the investigation plaintiffs’ attorneys were performing, and stated that ‘[t]o assist in the investigation, the attorneys for the Plaintiffs wish to gather information regarding the nature of the work you do (or used to do), while employed by Belaire-West, including the amount of any overtime you may have worked. They have sought to obtain your names, addresses and telephone numbers, so that they can communicate with you about the allegations made in the lawsuit.’” The notice further stated as follows:

By order of the Los Angeles Superior Court, Plaintiffs’ counsel has already been provided your names. The Court has ordered that a letter be sent to you to determine if you would object to Plaintiffs’ counsel receiving your address and telephone number. You may elect not to provide your address and/or telephone number to Plaintiffs’ counsel on the grounds of privacy. [] Plaintiffs’ counsel would like to have your address and telephone number to help in their investigation. The Plaintiffs’ lawyers would like to contact you to obtain your input as to whether the Plaintiffs’ allegations in their lawsuit are accurate. [] THEREFORE, IF YOU DO NOT WANT YOUR ADDRESS AND TELEPHONE NUMBER TO BE PROVIDED TO THE PLAINTIFFS’ ATTORNEYS, YOU MUST complete and return THE ENCLOSED POST CARD to the address listed on the postcard.

The notice included the names, addresses, and telephone numbers of plaintiffs’ counsel, with the information that recipients had the right to contact plaintiffs’ counsel and that they speak Spanish. Finally, the notice advised current and former employees that they were “under no obligation to provide information to or discuss this matter with the Plaintiffs’ attorneys or any person representing the former employees,” were “also under no obligation to provide information to or discuss this matter with Belaire-West or any of its agents or attorneys,” and that their “employer[s] may not retaliate against [them] in any way for providing or refusing to provide any information.”

As explained in a previous post, the Court in Pioneer held that, under the privacy provision of the California Constitution, a representative plaintiff in a class action may obtain from defendant company the personal identifying information of other complaining consumers, even when those consumers do not affirmatively grant permission for their personal identifying information to be used.

The Belaire-West court concluded that the opt-out notices in the instant matter sufficed under Pioneer. The court acknowledged that the privacy concerns in the Belaire-West case were more significant than those in Pioneer because the information was provided to Belaire-West as a condition of employment (as opposed to the voluntary disclosures of consumers in Pioneer), and that employees reasonably expected that their employer would not divulge the information except as required to governmental agencies or benefits providers, in light of employers’ usual confidentiality customs and practices. Nonetheless, the court found that this did not mean that current and former employees would wish their contact information to be withheld from a class action plaintiff seeking relief for violations of employment laws.

The court found reasonable the trial court’s implicit finding that “no serious invasion of privacy would result from the release of the [information] to the named plaintiffs in a putative class action filed against their employer following a written notice to each employee giving them the opportunity to object to the disclosure of that information.” As in Pioneer,

the information, while personal, was not particularly sensitive, as it was contact information, not medical or financial details. Disclosure of the contact information with an opt-out notice would not appear to unduly compromise either informational privacy or autonomy privacy in light of the opportunity to object to the disclosure, as the court specifically found that there was no evidence of any actual or threatened misuse of the information.

The court further held that the balance of interests also supported the trial court’s order because the current and former employees were potential percipient witnesses and, as such, their identities and locations were properly discoverable under the California Code of Civil Procedure § 2017.010. Indeed, the court found that the balance tilted even more in favor of disclosure than in Pioneer because the “fundamental public policy underlying California’s employment laws” was at stake.

Federal Regulators Propose Federal Privacy Notice and Seek Comments

On March 21, 2007, eight federal regulatory agencies (“Joint Agencies”) with jurisdiction over Gramm-Leach-Bliley Act (“GLBA”) regulated “financial institutions” issued an interagency proposal for a new model privacy form. The proposal is the result of a lengthy process the Joint Agencies began in 2001 to improve the format of GLBA privacy notices to make them more comprehensible to consumers. In addition to a lack of clarity, the Joint Agencies and consumer and privacy advocates have been concerned about the length of notices and the overuse of legal terms. 

Section 503 of the GLBA, 15 U.S.C. § 1603, and current rules require financial institutions to provide their customers with a notice that describes, among other things, how they protect nonpublic personal information, the categories of nonpublic personal information collected, the affiliates and the nonaffiliated third parties to whom such information is disclosed, and a description of the customer’s right to prevent certain disclosures to nonaffiliated third parties. These notices must be provided at the outset of the institution’s relationship with a customer and, in the case of long-standing relationships, on an annual basis. Current rules do not mandate a standard format or particular wording for the notices; however, they provide sample clauses that financial institutions can use to satisfy the notice requirements.

While the Joint Agencies had deferred policy action in the midst of studying how to improve privacy notices, on October 13, 2006, President Bush signed the Financial Services Regulatory Relief Act of 2006 (“Regulatory Relief Act”). Section 728 of the Regulatory Relief Act amended Section 503 of the GLBA (15 U.S.C. § 1603) to require the Joint Regulators to propose a model form by April 11, 2007. Although financial institutions will not be required to use the model form, the Regulatory Relief Act includes a safe harbor that deems any financial institution using the form to be in compliance with the Section 503 disclosures.    

The model form is largely based on a report issued by the Kleimann Communications Group in March 2006. The proposed model form would be 2-3 pages, depending on whether there is an opt-out. The first page would include general background information and a keyframe with why, what and how information regarding a financial institution’s use of personal information, reasons for sharing, and opt-out rights. The second page includes supplementary information such as definitions and further explanatory information in the form of Frequently Asked Questions. The final page includes an opt-out form for those financial institutions that share information in a manner that triggers consumer opt-out rights. The proposed rules would require a minimum font size and that financial institutions provide sufficient spacing between lines of type with further recommendations on font type, spacing, paper size and color. One year after enactment of the model proposal, financial institutions will lose any safe harbor from using the sample clauses in the current rules for their notices.     

Comments on the proposal will be due 60 days from publication in the Federal Register, which is expected later in March. The Joint Agencies are seeking comment on the content of the model form, including whether modifications to the opt-out are necessary and whether financial institutions intend to incorporate the Fair Credit Reporting Act opt-out for affiliate marketing into the form, the format of the form, and other issues such as the likelihood financial institutions will use the form and issues regarding some financial institutions’ requirement that consumers provide their Social Security numbers to opt out. Interested parties need only submit comments to one of the Joint Agencies.

The Joint Agencies include the Office of the Comptroller of the Currency, Treasury; Board of Governors of the Federal Reserve System; Federal Deposit Insurance Corporation; Office of Thrift Supervision, Treasury; National Credit Union Administration; Federal Trade Commission; Commodity Futures Trading Commission; and the Securities and Exchange Commission.