marketing: passport to the eu. pps12_pass… · pornography and marketing act (can-spam) all direct...

Marketing: Passport to the EU June 7, 2012 1


Post on 25-Aug-2020


Page 1: Marketing: Passport to the EU

June 7, 2012

Page 2: Agenda

• Introduction
• Data Protection Directive
• Notice and Choice: Transparent Collection and Sharing Data
• Email Marketing
• Social Media
• E-Privacy Directive
• The New Data Protection Directive
• Data Transfers

Page 3: Directives that Impact e-Marketing

• Data Protection Directive (95/46/EC)
  – Regulatory framework that provides protection for the privacy of individuals and the free movement of personal data within the European Union
  – Sets limits on the collection and use of personal data and requires each Member State to set up an independent national body responsible for the protection of personal data
• Privacy and Electronic Communications Directive (2002/58/EC)
  – Addresses data protection with respect to electronic communications
  – Establishes rules for unsolicited communications, cookies and use of location data
  – Amended in 2009 (2009/136/EC)

Page 4: Data Protection Directive

Requires:

1. Fair and lawful processing
2. Accurate and up-to-date personal data
3. Explicit consent for processing of sensitive personal data
4. Notice of data collection, purpose(s) of processing and recipients of personal data
5. Right of access for data subjects

Page 5: Data Protection Directive

6. Right of rectification
7. Right to object to the processing of personal data for the purposes of direct marketing
8. Implementation of appropriate measures to protect personal data from destruction, loss, alteration and unauthorized disclosure
9. Remedy for breach of the rights guaranteed by national law
10. Prohibition against the transfer of personal data from a Member State to a third country without an adequate level of protection

Page 6: Fair and Transparent Personal Data Collection

At the time of collection provide unambiguous notice of:

• the organization collecting the information (who?)
• the purpose(s) of the processing (why?)
• the method to access and amend incorrect personal information (how?)
• disclosure of personal information to third parties (who?)
• transfer of personal information outside of the EEA (where?)

Page 7: Sharing Personal Data

• Prior to sharing personal information with third parties for their own marketing purposes, provide notice to the data subjects of the recipients and the purpose(s) of their use
• Include the method by which the data subject can withdraw consent from disclosure to third parties for marketing purposes

Page 8: Email Marketing

• Requires prior consent
• Recipient must be adequately informed, otherwise the consent can be considered invalid
• Consent is not required if the email address was acquired during the purchase of products or services if:
  – the email is clearly identifiable as a commercial
  – contains an opt-out mechanism
  – the marketing communication only relates to products or services that are similar to those that were part of the sale
  – the identity of the marketer is clear and conspicuous
  – the recipient has the opportunity to object at the time of collection

*Anti-spam laws vary by jurisdiction. Verify that the Member States you target permit “soft opt-in” under local law.

Page 9: Emailing Business Contacts

• Some EU Member States do not require consent to send marketing emails to business contacts
• Ensure that the communication is in the context of the position the recipient holds in their organization
• Include an opt-out mechanism

*Verify that the Member States you target permit unsolicited email to business contacts. Otherwise, acquire consent.

Page 10: Email Opt-Out Mechanism

Opt-out / Unsubscribe Mechanism

• applies to all electronic commercial messages
• free of charge
• direct and easily accessible
• opt-out / unsubscribe requests must be processed in the time frame mandated by Member State law

Page 11: Email List Providers

• Ensure that the provider has lawfully collected the data and disclosed that it is shared with third parties
• Prior to selecting an email list provider, confirm that it is adhering to opt-in and unsubscribe standards (e.g. go to the vendor’s website to test the customer experience)
• Confirm that opt-in consent took place no more than one year prior to the list acquisition
• Verify that you haven’t received complaints about previous lists provided by the list provider
• Confirm that the list vendor is the original source of the list (i.e. the list wasn’t purchased from another list provider)
• When purchasing multiple lists, de-duplicate the contacts to ensure a recipient is only contacted once for a single message

Page 12: Refer-A-Friend

• Refer-A-Friend: Visitors to a website share web content with friends by providing the website owner the friend’s email address
• Refer-A-Friend cannot be used as a method for consent by the recipient for future emails
• Email addresses stored by the website owner, rather than used transiently, are collected unlawfully and may result in messages that can be classified as unsolicited email
• There is a risk of violating data protection requirements regarding notice of collection and use, as well as choice

Page 13: Refer-A-Friend

Refer-A-Friend Risk Mitigation Tips

• Do not store the email addresses of referred friends in a database for later use
• Require the referring friend to provide their email address
• Use the referring friend's email address in the body of the email
• Include “<friend> wants you to see this” in the subject
• Include the contact information for your privacy officer
• Include a link to your privacy policy
• Include the referring person in the “cc” field

Page 14: Refer-A-Friend

Refer-A-Friend Risk Mitigation Tips

• Include an introductory paragraph with:
  – A statement noting the referring friend has visited the site and would like to share content
  – The URL of the site visited
  – Notice that their email is not stored due to the referral

Page 15: EU vs. US Marketing Emails

Each row compares the EU Directive on Privacy and Electronic Communications (EU) with the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM).

EU: All direct marketing email messages.
CAN-SPAM: Emails with a primary purpose of advertising or promotion for products and services. Excludes transactional messages.

EU: Consent is required prior to sending. Contact details acquired within the context of sale may be used for marketing similar products and services if the recipient is given the opportunity to object at the time of collection.
CAN-SPAM: Does not require consent prior to sending. Emails cannot be sent after the recipient unsubscribes / opts-out.

EU: Required for all messages. Must be honored in the time required by Member State law.
CAN-SPAM: Required for all messages. Must be honored within 10 days.

EU: Disguising or concealing the identity of the sender is prohibited.
CAN-SPAM: Emails cannot contain false or misleading "From," "To," "Reply to" and routing information (also known as the header information).

EU: Requires physical postal address.
CAN-SPAM: Requires a valid address to which the recipient may send opt-out requests.

Page 16: Four Step Checklist: EU Email Marketing

1. Have I acquired explicit consent from the recipient?
   – Am I maintaining a record of my consents for email?
2. Have I accurately disclosed the sender of the email?
3. Have I provided an unsubscribe/opt-out mechanism?
   – Are the instructions for opt-out clear?
   – Is the mechanism free and easy to use?
4. Do I have a method to ensure that opt-out requests are honored in a timely manner? Is there a process to monitor compliance with opt-out requests?

Page 17: Social Media Popularity

• Facebook
  – Connect with friends and family
  – Founded 2004
  – 850 million users
• Twitter
  – Microblogging and messaging
  – Founded 2006
  – 300 million users
• LinkedIn
  – Connect with professional contacts for business development and employment
  – Founded 2003
  – 150 million users

Source: Mashable.com

Page 18: Personal vs. Corporate Social Media

• Personal
  – Created by individuals outside of their official capacity as company employees
  – Typically used to interact with friends, family and others with similar personal interests (e.g. Facebook, Twitter, personal blogs, online forums)
• Internal Company Branded
  – Created by companies for employee use
  – Typically used to improve workplace productivity through knowledge sharing (e.g. blogs, wikis, “peoplefinders”)
  – Expedites the dissemination of information
• External Corporate Branded
  – Created by companies for public use
  – Typically used to allow companies to engage directly with consumers, build brand loyalty and confidence and conduct employment recruitment activities (e.g. Facebook profiles, blogs, Twitter accounts, or YouTube channels)

Page 19: Social Media

Risks and Issues

• Disclosure of confidential information
• Employees acting as company representatives
• Inappropriate comments from the public
• Misuse of company equipment
• Retention of social media records
• Tracking of marketing campaign effectiveness leveraging personal information

Page 20: Social Media: Employee Risk

Risk Mitigation Tips

• Establish a policy regarding employee social media use
• Include guidelines for participation during business hours and on their own time and equipment
• Address appropriate conduct, confidential information, monitoring of posted comments and expectations of privacy
• Beware of the right to privacy in the EU when drafting global social media policies

Page 21: Social Media: Public Transparency

• Transparency regarding social media features and plugins is important because some features provide personal information back to the host site
• Include a social media disclosure in the privacy statement
  – Describe social profile data that is available to the host site
  – List use(s) of social profile data
  – Provide notice that the user actually goes to a third party site
  – Disclose that the privacy practices of the third party site apply, not the host site
  – Describe how to limit sharing of comments and profile data

Page 22: Social Media Disclosure: Warner Brothers

“You can also engage with our content, such as video, games, applications, and other offerings, on or through (1) third-party social networking sites, such as Facebook, (2) third-party social media plug-ins and applications, and (3) Warner Bros. Entertainment Group social media plug-ins and applications that may be available through third-party sites or a Warner Bros. Entertainment Group site. When you engage with our content on or through third party social networking sites, plug-ins and applications you may allow us to have ongoing access to certain information from your social media profile (e.g., name, e-mail address, photo, gender, birthday, location, your list of friends, people you follow and/or who follow you, the posts or the ‘likes’ you make) to deliver the content or as part of the operation of the application. We may also obtain non-personally identifiable information (e.g., content viewed, game performance, high scores, and information about advertisements within the content you have been shown or may have clicked on, etc.) from your interaction with our content.

When you provide information from your social media account, it can help enable us to do things like (1) give you exclusive content, (2) personalize your online experience with us within and outside our applications or websites, and (3) contact you through the social networking sites or directly by sending you the latest news, special offerings, and rewards from the Warner Bros. Entertainment Group. By doing so, you consent to the use of this information in accordance with this privacy policy.

When you provide personal information to us on our sites, on social networking sites (depending on your privacy settings) or through an application on social networking sites, it could be seen by anyone on the Internet. Therefore, we cannot prevent further use of this information. You can control what data you share through privacy settings available on some social networking sites. For more information about how you can customize your privacy settings and how social networking sites handle your personal information, please refer to their privacy help guides, privacy policies and terms of use.”

Page 23: Social Media: Additional Controls

Risk Mitigation Tips

• Formalize a process to post content on official corporate social media channels (e.g. Facebook, Twitter, YouTube, LinkedIn)
• Draft Social Media Channel Guidelines
  – Channel set-up, ownership and accountability
  – Content
  – Engaging with individuals through social media
• Data loss prevention
  – Tools to monitor confidential and/or personal information leaving the organization via the internet

Page 24: Social Media Monitoring

Social Media Metrics and Tracking

• Although social media content is public, data protection laws, website terms and privacy policies govern the content
• Metrics and tracking should be aggregate and anonymous, unless you have provided notice and acquired consent
• Automatic copying of social media profiles to create marketing targets may violate the website’s terms of service, privacy policy and copyright protections

Page 25: Cookies

What are cookies?

• Small text files sent from a website and stored on your computer the first time you visit a site
• Allows the website to recognize your computer on subsequent visits
• During your next site visit, your PC checks to see if it has a cookie pertaining to the site and sends the information contained in that cookie back to the site
• The site recognizes that you have been there before, and in some cases, tailors content based on your previous visit to the site

Page 26: e-Privacy Directive

• (2002) Required website operators to provide information about their privacy practices and options to refuse or delete cookies

  “………is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, about the purposes of the processing, and is offered the right to refuse such processing by the data controller”

• (2009) Requires informed consent:

  “……… is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information in accordance with Directive 95/46/EC about the purposes of the processing”

• Member States were required to implement national law by May 2011

Page 27: Member State Implementation Status

Member State      Implemented    Member State      Implemented
Austria           Yes            Latvia            Yes
Belgium           No             Liechtenstein     No
Bulgaria          Yes            Lithuania         Yes
Cyprus            No             Luxembourg        Yes
Czech Republic    Yes            Malta             No
Denmark           Yes            Netherlands       No
Estonia           Yes            Norway            No
Finland           Yes            Poland            No
France            Yes            Portugal          Yes
Germany           No             Romania           No
Greece            No             Slovak Republic   Yes
Hungary           Yes            Slovenia          No
Iceland           No             Spain             Yes
Ireland           Yes            Sweden            Yes
Italy             No             United Kingdom    Yes

Page 28: e-Privacy Directive Analysis

• Read and understand the Directive as well as applicable local laws
• Inventory public facing websites for cookies/tracking technology
• Identify the purposes of cookies/tracking technology
• Assess intrusiveness, need, and website impact
• Enhance website disclosures
• Evaluate methods for obtaining consent
• Monitor guidance from data protection authorities regarding interpretation and enforcement of member state laws

Page 29: Consent Methods

• Pop-Up Windows – Pop-up presented to the user that requests consent for non-essential cookies
• Banners – Banner on the page that users click to accept cookies
• Acceptance of Terms and Conditions – Consent is acquired by express acceptance of the terms and conditions of the website
• Privacy Notice – Consent acquired via notice and continued use of the website

Page 30: Pop-Up Cookie Disclosure

Page 31: Banner Cookie Disclosure

Page 32: Notice Cookie Disclosure

Page 33: New Data Protection Directive

Potential Marketing Implications

• Consent
• Right to Be Forgotten
• Measured Based Profiling

Page 34: Data Transfers

Consent

• Available to companies in all sectors
• Applicable to transfers to any country
• Consent in the employee context may not be considered freely given, thus invalid
• Difficult to acquire consent from total population for large initiatives
• Typical Successful Application: e-commerce offerings

Page 35: Data Transfers

Safe Harbor

• Streamlined process
• Simplifies local registrations in some countries
• Enforcement occurs primarily in the US, except for employee data
• Limited to transfers from the EEA to the US
• Only available to companies regulated by the FTC or the Department of Transportation
• Can be extremely resource intensive

Page 36: Data Transfers

Model Contracts

• Facilitates transfers of data from the EU to any country not otherwise deemed as offering adequate protection
• Available to companies in all sectors
• Pre-approved data protection terms by the European Commission
• Requires the execution of a network of intercompany privacy agreements between and among affiliates worldwide
• Corporate acquisitions, changes in business processes or modifications to data flows necessitate ongoing maintenance agreements
• Modifications to the standard clauses may require additional notifications or approvals by local data protection authorities

Page 37: Data Transfers

Binding Corporate Rules

• Covers intra-group data transfers
• Lead DPA coordinates submission for approval and liaises with other DPAs
• Achieve compliance in accordance with company values and internal policies
• Does not cover transfers to or from unaffiliated parties
• Not all countries subscribe to mutual recognition
• Costly and time intensive

Page 38: Questions?

Page 39

Kristine Scott
Privacy Director
Aon Corporation
[email protected]
312-381-3618