A new bi-partisan bill was released in the U.S. House that expands well beyond the 1998 Children’s Online Privacy Protection Act. Aiming to protect the information of those under eighteen, the draft bill seeks to prevent marketers from gathering and storing info on minors without parental consent, in addition to providing parents with a method of removing personal info that’s ‘already out there’.  It’s been described as a giant eraser button to get rid of data ‘when technologically feasible’.

The bill specifies that personal information collected on minors cannot be used or shared with third parties for “targeted marketing purposes”. In addition, it requires companies that collect the info to disclose to consumers what type of personal info is being collected and how it’s being used and shared.

Another part of the bill proposes a “Digital Marketing Bill of Rights for Teens” which would limit data collection including geolocation targeting.  While there are few who would argue against protecting the privacy of minors, one might respectfully question the potential effectiveness or enforceability of this legislation. Here are a few questions that come to mind:

How will marketers prove the age of online users?

It seems simple enough on the surface.  Most lead forms include a ‘Date of Birth’ field already. In this scenario, advertisers could segment the data out based on birth date. However,  I’d venture to guess the average teen/child can get around a check box or a DOB field if they truly want to register or view content. The only way to prevent this is at the user level or browser level on a PC or mobile device. The onus of responsibility is ultimately with parents and how heavily they monitor and restrict their child’s online behavior.

What happens to the data once it is collected?

When a minor appears to register or sign up for an offer, marketers should theoretically refrain from targeting that data or tracking the end user behavior. However, the bill doesn’t state specifics on how to implement this across partnerships.  Email marketers are required to maintain and share suppression files with partners. Data that comes from minors could be automatically suppressed in a similar way.

Of course, storing and sharing PII and user email addresses leaves room for abuse, unless the data is properly hashed or encrypted. Marketers may be able to securely maintain a universal opt-out file containing the encrypted information of minors and scrub their own lists against it. In addition, LashBack suggests seeding partner lists with underage user profiles to ensure compliance.

Would it be sufficient for marketers to add ‘parental permission’ language to an already lengthy privacy policy, or a check box on the lead form?

Arguably, this is the easiest portion of the legislation from an implementation level, as well as an enforcement perspective. It’s also the least effective in terms of real protection.  There have been movements to write privacy policies and terms of service in plain, simple language that end users will understand.

These movements have yet to work because simplifying language leaves room for legal liability. Case in point: the terms of service for Apple iTunes are 56 pages long in an era where few have the attention span to read past Twitter’s 140 characters. Lawyers might read privacy policies. Users don’t.

Can the data be used for targeting on the prospect’s eighteenth birthday?

If marketers maintain do-not-track lists based on age, theoretically,  information gathered would no longer be protected from targeting once the user is eighteen.  At least with email, addresses don’t expire or change based on age. Records would have to expire from a do-not-track list based on DOB.

Does this thing stand any chance of passing?

The bill is still in the discussion phase, as Congress holds hearings on mobile privacy in the coming weeks. Like many legislative attempts to regulate online activity, ‘Do Not Track’ provokes questions, leaves gray areas when it comes to enforcement, and inspires creativity on the part of marketers.

An article posted on Stuff.co.nz by Lois Cairns discusses how the New Zealand government is cracking down on business and individuals who tout the new unsolicited electronic mail laws. The article gave great insight into what the government is dealing with and ways they are changing their practices to better punish offenders. Included in the article were a few helpful hints to make the average consumer less vulnerable to inundated inboxes.

In New Zealand as of September 2007 it has been illegal to send commercial emails or texts without consent from the recipient. Yet the Department of Internal Affairs anti-spam unit has received over 2,000 complaints for unsolicited material in the last twelve months alone.

In the Unsolicited Electronic Messages Act, businesses that send out marketing material, either through email or SMS messaging must include an opt-out option. Though many companies have followed the new law the DIA is still receiving complaints. In the last twelve months alone 143 SMS message complaints and 1841 email complaints have been reported to the DIA.

In the past the DIA has dealt with these complaints through education and persuasion, but with so many recent blatant violations the DIA has turned to different measures. The DIA is hoping that with fines of $500,000 to companies and $200,000 to individuals who continue to send the unsolicited material the offenders will get the “message” and cease their illegal operations.

One way as a consumer to stop the unsolicited content is with pro-active steps to ensure your email address and phone information is not easily accessible. Here are a few tips to help counter act the problem and protect you:

• Only give your email to organizations you know and trust

• Do not put your email on any webpages

• Do not respond to unsolicited email

• Use a filter. Most web mail services and internet service providers already filter out much of the unsolicited mail.

• Be cautious when giving out your cell number or you could receive commercial SMS messages.

• Check terms and conditions before signing up for any contests. Check the privacy and consent policy before giving out personal information. Read the fine print.

A quick Wiki on the world’s laws governing email suggests that four of the largest, fastest growing national economies and much buzzed about ‘BRIC‘ countries have one thing in common: a lacuna of legislation or enforcement to regulate commercial email. Brazil has a short section in its Empresa Brasileira de Telecomunicações (Portuguese) on email published in 1999, but it is quite vague and lacks enforcement capabilities. Russia loosely addresses advertising email in Russian Civil Code 309. China has passed the most clear legislation on email with its 2006 “Regulations on Internet Email Services“, which holdsESPs responsible and requires opt-in, as well as the placement of “AD” at the beginning of subject lines. However, India has recently passed an amendment to its IT Act of 2000, without addressing commercial email. Below is an overview of IT regulation so far in India. 

Overview: The closest legislation relating to email in India is the newly amended Information Technology Act of 2000. It was previously ammended in 2006, and Indian lawmakers amended the IT Act again in December of 2008. However, the 2008 amendments have yet to be published in the Gazette of India and still do not address email. The law addresses the following, summarized by Justice Rajesh Tandon of the Indian Cyber-Regulations Appellate Tribunal:

-Tampering computer source documents

-Hacking with Computer system

-Loss/damage to computer resource/utility

-Hacking

-Obscene publication/transmission in electronic form.

-Failure of compliance/orders of Certifying Authority.

-Failure to assist in decrypting the information intercepted by Govt. Agency.

-Un-authorized access/attempt to access to protected computer system.

-Obtaining license or Digital Signature Certificate by misrepresentation/suppression of fact.

-Publishing false Digital Signature Certificate.

-Fraud Digital Signature Certificate.

-Breach of confidentiality/privacy.

Enforcement Effects: Interestingly enough, India’s 2008 amendment to its IT Act has reduced the punishment for “cyber crime” from 5 years to 2-3 years and has made violations of the act bailable offenses. However, the amendment has apparently closed a lot of loopholes in the existing law. As India’s economy develops, a stronger IT infrastructure and a greater presence in the online marketplace will come to fruition. Without enforceable email laws specific to India, the online reputations of companies with a global reach could potentially suffer.

Industry Self-Regulation: CAUCE India was founded in 1999 and later merged with CAUCE Australia to form APCAUCE (Asia-Pacific), a volunteer organization lobbying against unsolicted comercial email. APCAUCE is a division of iCAUCE. In a growing economy, Indian companies with a global reach are in the right position to develop functioning rulesets that are fair to both marketers and consumers. Many email marketing laws around the globe find their roots in industry-developed best practices.

Relevant Resources:

Department of Information Technology (IT Act 2000)

iCAUCE - International Coalition Against Unsolicited Commercial Email

Cyberlaw India- Information on the IT Act, amendments, opinions, articles and resources from Mr. Pavan Duggal, a prominent India IT legislation advocate. 

IT Act 2008 (Actual Legislation in English)

  With the expansion of LashBack email intelligence and compliance services in Europe and the acquisition of new European sources of data, LashBack becomes a truly global company. In order to ensure our data is protected and in full compliance with EU Data Privacy standards, LashBack has recently chosen to enroll in the International Safe Harbor program.

US-EU Safe Harbor is the process by which US companies comply with EU Directive 95/46 EC on the protection of personal data. LashBack was officially added to the Safe Harbor list February 25, 2009, and must obtain new certification each year. In order to comply with the EU Directive and obtain Safe Harbor, LashBack data must meet the following seven privacy principles: Notice, Choice, Onward Transfer, Security, Data Integrity, Access, and Enforcement.

• Notice- Individuals must be informed that their data is being collected and about how it will be used.
• Choice- Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.
• Onward Transfer- Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
• Security-  Reasonable efforts must be made to prevent loss of collected information.
• Data Integrity- Data must be relevant and reliable for the purpose it was collected for.
• Access- Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
• Enforcement- There must be effective means of enforcing these rules.

 LashBack is regulated by the Federal Trade Commission and has contracted with the Better Business Bureau to investigate and resolve complaints. More can be read about Safe Harbor at Export.gov.

Overview:

Commencing April 11, 2004, Australia’s Spam Act 2003 is one of the earliest opt-in laws surrounding commercial email.   The law bans the sending of unsolicited commercial emails containing an Australian link. The act also pertains to instant messaging and telephone accounts. It states that the advertiser in a commercial message must provide identifying contact information as well as a working unsubscribe mechanism. In addition, address-harvesting software, as well as lists compiled using address-harvesting software are banned. The governing body in Australia responsible for enforcement is the Australian Communications and Media Authority(ACMA). Violators of Australia’s Spam Act typically incur civil penalties and injunctions, the severity of which are based on previous offenses and damages incurred by victims.  Government bodies, registered political parties, charities, religious organizations and educational institutions are exempt. The Act underwent a mandatory two-year review in 2005, where few amendments were made.

Enforcement Effects:

According to the ACMA, as a result of Spam Act 2003, 200 businesses have since been required to ammend their email practices, five businesses have been fined over civil penalties totalling $20,ooo, and three businesses have provided enforceable undertakings. The ACMA has recently begun a federal case under the act against three companies for allegedly sending mobile users unsolicited SMS messages concerning Australian dating sites, seeking fines of up to $1.1 million per day. A hearing has been set for February 6.

Industry Self-Regulation:

The Australian eMarketing Code of Practice, coordinated by the Australian DMA outlines best practices for Australian businesses sending commercial email. It applies to all companies who use email or mobile as their main form of marketing, as well as third parties and affiliates who send on their behalf.

The Internet Industry Association’s Spam Code of Practice outlines regulations for ISPs and email service providers which are enforceable by the ACMA under the Spam Act. Compliance with this code provides ISPs and ESPs legal protection under certain statutes. 

Relevant Sources and Resources:

Current Spam Act 2003 (pdf): full text of the legislation

ACMA: Spam and e-Security page

EFA Australian Spam Laws: includes EFA 2006 Review and Analyses of the Spam Act 2003

OECD Task Force on Spam: includes links to the laws, government enforcement contacts, organization pages and education and awareness initiatives. 

White SW Computer Law: Updates and an informative history the Spam Act and its enforcement  from an Australian law office specializing in IT and intellectual property.

Email Marketing Reports: Outlines links, reviews, and relevant documents pertaining to Australian anti-spam legislation.