Marketing: Passport to the EU
June 7, 2012
1
Introduction
Data Protection Directive
Notice and Choice: Transparent Collection and Sharing Data
Email Marketing
Social Media
E-Privacy Directive
The New Data Protection Directive
Data Transfers
Agenda
2
Data Protection Directive (95/46/EC)
Regulatory framework that provides protection for the privacy of individuals and the free movement of personal data within the European Union
Sets limits on the collection and use of personal data and requires each Member State set up an independent national body responsible for the protection of personal data
Privacy and Electronic Communications Directive (2002/58/EC)
Addresses data protection with respect to electronic communications
Establishes rules for unsolicited communications, cookies and use of location data
Amended in 2009 (2009/136/EC)
Directives that Impact e-Marketing
3
Requires:
1. Fair and lawful processing
2. Accurate and up-to-date personal data
3. Explicit consent for processing of sensitive personal data
4. Notice of data collection, purpose(s) of processing and recipients of personal data
5. Right of access for data subjects
Data Protection Directive
4
6. Right of rectification
7. Right to object to the processing of personal data for the purposes of direct marketing
8. Implementation of appropriate measures to protect personal data from destruction, loss, alteration and unauthorized disclosure
9. Remedy for breach of the rights guaranteed by national law
10. Prohibition against the transfer of personal data from a Member State to a third country without an adequate level of protection
Data Protection Directive
5
At the time of collection provide unambiguous notice of:
the organization collecting the information (who?)
the purpose(s) of the processing (why?)
the method to access and amend incorrect personal information (how?)
disclosure of personal information to third parties (who?)
transfer of personal information outside of the EEA (where?)
Fair and Transparent Personal Data Collection
6
Prior to sharing personal information with third parties for their own marketing purposes, provide notice to the data subjects of the recipients and the purpose(s) of their use
Include the method by which the data subject can withdraw consent from disclosure to third parties for marketing purposes
Sharing Personal Data
7
Requires prior consent
Recipient must be adequately informed, otherwise the consent can be considered invalid
Consent is not required if the email address was acquired during the purchase of products or services if:
the email is clearly identifiable as a commercial message
it contains an opt-out mechanism
the marketing communication only relates to products or services that are similar to those that were part of the sale
the identity of the marketer is clear and conspicuous
the recipient has the opportunity to object at the time of collection
*Anti-spam laws vary by jurisdiction. Verify that the Member States you target permit “soft opt-in” under local law.
Email Marketing
8
Some EU Member States do not require consent to send marketing emails to business contacts
Ensure that the communication is in the context of the position the recipient holds in their organization
Include an opt-out mechanism
*Verify that the Member States you target permit unsolicited email to business contacts. Otherwise, acquire consent.
Emailing Business Contacts
9
Opt-out / Unsubscribe Mechanism
applies to all electronic commercial messages
free of charge
direct and easily accessible
opt-out / unsubscribe requests must be processed in the time frame mandated by Member State law
Email Opt-Out Mechanism
10
• Ensure that the provider has lawfully collected the data and disclosed that it is shared with third parties
• Prior to selecting an email list provider, confirm that it is adhering to opt-in and unsubscribe standards (e.g. go to the vendor’s website to test the customer experience)
• Confirm that opt-in consent took place no more than one year prior to the list acquisition
• Verify that you haven’t received complaints about previous lists provided by the list provider
• Confirm that the list vendor is the original source of the list (i.e. the list wasn’t purchased from another list provider)
• When purchasing multiple lists, de-duplicate the contacts to ensure a recipient is only contacted once for a single message
Email List Providers
11
Refer-A-Friend: Visitors to a website share web content with friends by providing the website owner the friend’s email address
Refer-A-Friend cannot be used as a method of obtaining the recipient’s consent for future emails
Email addresses that the website owner stores, rather than uses transiently, are collected unlawfully, and messages sent to them may be classified as unsolicited email
There is a risk of violating data protection requirements regarding notice of collection and use, as well as choice
Refer-A-Friend
12
Refer-A-Friend Risk Mitigation Tips
Do not store the email addresses of referred friends in a database for later use
Require the referring friend to provide their email address
Use the referring friend's email address in the body of the email
Include “<friend> wants you to see this” in the subject
Include the contact information for your privacy officer
Include a link to your privacy policy
Include the referring person in the “cc” field
Refer-A-Friend
13
Refer-A-Friend Risk Mitigation Tips
Include an introductory paragraph with:
– A statement noting the referring friend has visited the site and would like to share content
– The URL of the site visited
– Notice that their email address is not stored as a result of the referral
Refer-A-Friend
14
EU vs. US Marketing Emails

Scope
  EU Directive on Privacy and Electronic Communications: All direct marketing email messages.
  Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM): Emails with a primary purpose of advertising or promotion for products and services. Excludes transactional messages.

Consent
  EU: Consent is required prior to sending. Contact details acquired within the context of sale may be used for marketing similar products and services if the recipient is given the opportunity to object at the time of collection.
  CAN-SPAM: Does not require consent prior to sending. Emails cannot be sent after the recipient unsubscribes / opts out.

Opt-out mechanism
  EU: Required for all messages. Must be honored in the time required by Member State law.
  CAN-SPAM: Required for all messages. Must be honored within 10 days.

Sender identification
  EU: Disguising or concealing the identity of the sender is prohibited.
  CAN-SPAM: Emails cannot contain false or misleading "From," "To," "Reply to" and routing information (also known as the header information).

Address
  EU: Requires a valid address to which the recipient may send opt-out requests.
  CAN-SPAM: Requires a physical postal address.
15
1. Have I acquired explicit consent from the recipient?
Am I maintaining a record of my consents for email?
2. Have I accurately disclosed the sender of the email?
3. Have I provided an unsubscribe/opt-out mechanism?
Are the instructions for opt-out clear?
Is the mechanism free and easy to use?
4. Do I have a method to ensure that opt-out requests are honored in a timely manner? Is there a process to monitor compliance with opt-out requests?
Four Step Checklist EU Email Marketing
16
Connect with friends and family (founded 2004; 850 million users)
Microblogging and messaging (founded 2006; 300 million users)
Connect with professional contacts for business development and employment (founded 2003; 150 million users)
Source: Mashable.com
Social Media Popularity
17
Personal
Created by individuals outside of their official capacity as company employees
Typically used to interact with friends, family and others with similar personal interests (e.g. Facebook, Twitter, personal blogs, online forums)
Internal Company Branded
Created by companies for employee use
Typically used to improve workplace productivity through knowledge sharing (e.g. blogs, wikis, “peoplefinders”)
Expedites the dissemination of information
External Corporate Branded
Created by companies for public use
Typically used to allow companies to engage directly with consumers, build brand loyalty and confidence and conduct employment recruitment activities (e.g. Facebook profiles, blogs, Twitter accounts, or YouTube channels)
Personal vs. Corporate Social Media
18
Risks and Issues
Disclosure of confidential information
Employees acting as company representatives
Inappropriate comments from the public
Misuse of company equipment
Retention of social media records
Tracking of marketing campaign effectiveness leveraging personal information
Social Media
19
Risk Mitigation Tips
Establish a policy regarding employee social media use
Include guidelines for participation during business hours and on their own time and equipment
Address appropriate conduct, confidential information, monitoring of posted comments and expectations of privacy
Take the right to privacy in the EU into account when drafting global social media policies
Social Media: Employee Risk
20
Transparency regarding social media features and plugins is important because some features provide personal information back to the host site
Include a social media disclosure in the privacy statement
Describe social profile data that is available to the host site
List use(s) of social profile data
Provide notice that the user is actually taken to a third-party site
Disclose that the privacy practices of the third-party site apply, not those of the host site
Describe how to limit sharing of comments and profile data
Social Media: Public Transparency
21
“You can also engage with our content, such as video, games, applications, and other offerings, on or through (1) third-party social networking sites, such as Facebook, (2) third-party social media plug-ins and applications, and (3) Warner Bros. Entertainment Group social media plug-ins and applications that may be available through third-party sites or a Warner Bros. Entertainment Group site. When you engage with our content on or through third party social networking sites, plug-ins and applications you may allow us to have ongoing access to certain information from your social media profile (e.g., name, e-mail address, photo, gender, birthday, location, your list of friends, people you follow and/or who follow you, the posts or the ‘likes’ you make) to deliver the content or as part of the operation of the application. We may also obtain non-personally identifiable information (e.g., content viewed, game performance, high scores, and information about advertisements within the content you have been shown or may have clicked on, etc.) from your interaction with our content.
When you provide information from your social media account, it can help enable us to do things like (1) give you exclusive content, (2) personalize your online experience with us within and outside our applications or websites, and (3) contact you through the social networking sites or directly by sending you the latest news, special offerings, and rewards from the Warner Bros. Entertainment Group. By doing so, you consent to the use of this information in accordance with this privacy policy.
When you provide personal information to us on our sites, on social networking sites (depending on your privacy settings) or through an application on social networking sites, it could be seen by anyone on the Internet. Therefore, we cannot prevent further use of this information. You can control what data you share through privacy settings available on some social networking sites. For more information about how you can customize your privacy settings and how social networking sites handle your personal information, please refer to their privacy help guides, privacy policies and terms of use.”
Social Media Disclosure: Warner Brothers
22
Risk Mitigation Tips
Formalize a process to post content on official corporate social media channels (e.g. Facebook, Twitter, YouTube, LinkedIn)
Draft Social Media Channel Guidelines
Channel set-up, ownership and accountability
Content
Engaging with individuals through social media
Data loss prevention
Tools to monitor confidential and/or personal information leaving the organization via the internet
Social Media: Additional Controls
23
Social Media Metrics and Tracking
Although social media content is public, data protection laws, website terms and privacy policies govern the content
Metrics and tracking should be aggregate and anonymous, unless you have provided notice and acquired consent
Automatic copying of social media profiles to create marketing targets may violate the website’s terms of service, privacy policy and copyright protections
Social Media Monitoring
24
What are cookies?
Small text files sent from a website and stored on your computer the first time you visit a site
Allows the website to recognize your computer on subsequent visits
During your next site visit, your PC checks to see if it has a cookie pertaining to the site and sends the information contained in that cookie back to the site
The site recognizes that you have been there before, and in some cases, tailors content based on your previous visit to the site
Cookies
25
e-Privacy Directive
(2002) Required website operators to provide information about their privacy practices and options to refuse or delete cookies
“………is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, about the purposes of the processing, and is offered the right to refuse such processing by the data controller”
(2009) Requires informed consent:
“……… is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information in accordance with Directive 95/46/EC about the purposes of the processing”
Member States were required to implement national law by May 2011
e-Privacy Directive
26
Member State Implementation Status
Austria: Yes
Belgium: No
Bulgaria: Yes
Cyprus: No
Czech Republic: Yes
Denmark: Yes
Estonia: Yes
Finland: Yes
France: Yes
Germany: No
Greece: No
Hungary: Yes
Iceland: No
Ireland: Yes
Italy: No
Latvia: Yes
Liechtenstein: No
Lithuania: Yes
Luxembourg: Yes
Malta: No
Netherlands: No
Norway: No
Poland: No
Portugal: Yes
Romania: No
Slovak Republic: Yes
Slovenia: No
Spain: Yes
Sweden: Yes
United Kingdom: Yes
27
Read and understand the Directive as well as applicable local laws
Inventory public facing websites for cookies/tracking technology
Identify the purposes of cookies/tracking technology
Assess intrusiveness, need, and website impact
Enhance website disclosures
Evaluate methods for obtaining consent
Monitor guidance from data protection authorities regarding interpretation and enforcement of member state laws
e-Privacy Directive Analysis
28
Pop-up Windows – Pop-up presented to the user that requests consent for non-essential cookies
Banners – Banner on the page that users click to accept cookies
Acceptance of Terms and Conditions – Consent is acquired by express acceptance of the terms and conditions of the website
Privacy Notice – Consent acquired via notice and continued use of the website
Consent Methods
29
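The 2009 e-Privacy text above makes consent a precondition for non-essential cookies, and the consent methods listed on this slide only record that consent; the server still has to act on the record. The following is an added example, not material from the presentation, showing a server-side helper that emits Set-Cookie headers for strictly necessary cookies unconditionally and for everything else only once consent has been recorded. The cookie names, the "cookie_consent" flag and the policy register are constructed for the example.

```javascript
// Hypothetical per-cookie register (constructed for this example): whether the
// cookie is strictly necessary for the service the user requested, and the
// purpose disclosed to the user in the cookie notice.
const COOKIE_POLICY = {
  session_id:   { essential: true,  purpose: "keeps you signed in" },
  csrf_token:   { essential: true,  purpose: "protects forms from cross-site request forgery" },
  analytics_id: { essential: false, purpose: "measures how the site is used" },
  ad_segment:   { essential: false, purpose: "selects advertising" },
};

// Parse an incoming Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Consent exists only as the explicit "accepted" value written earlier by the
// consent UI (pop-up, banner, ...). Absence or any other value means no consent.
function hasCookieConsent(requestCookies) {
  return requestCookies.cookie_consent === "accepted";
}

// Given the request's Cookie header and the cookies the application wants to
// set, return the Set-Cookie header values that may be sent and the names that
// were withheld. Cookies missing from the register are withheld (fail closed),
// so an undocumented tracker cannot slip past the notice.
function filterSetCookies(cookieHeader, wanted) {
  const consent = hasCookieConsent(parseCookieHeader(cookieHeader));
  const allowed = [];
  const withheld = [];
  for (const { name, value } of wanted) {
    const policy = COOKIE_POLICY[name];
    if (policy && (policy.essential || consent)) {
      allowed.push(`${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`);
    } else {
      withheld.push(name);
    }
  }
  return { allowed, withheld };
}
```

The `withheld` list is worth logging: a steady stream of withheld names is the signal that a team has shipped a cookie nobody added to the register or the notice.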
Pop-Up Cookie Disclosure
30
Banner Cookie Disclosure
31
Notice Cookie Disclosure
32
Potential Marketing Implications
Consent
Right to Be Forgotten
Measures Based on Profiling
New Data Protection Directive
33
Consent
Available to companies in all sectors
Applicable to transfers to any country
Consent in the employee context may not be considered freely given, thus invalid
Difficult to acquire consent from total population for large initiatives
Typical Successful Application: e-commerce offerings
Data Transfers
34
Safe Harbor
Streamlined process
Simplifies local registrations in some countries
Enforcement occurs primarily in the US, except for employee data
Limited to transfers from the EEA to the US
Only available to companies regulated by the FTC or the Department of Transportation
Can be extremely resource intensive
Data Transfers
35
Model Contracts
Facilitates transfers of data from the EU to any country not otherwise deemed as offering adequate protection
Available to companies in all sectors
Pre-approved data protection terms by the European Commission
Requires the execution of a network of intercompany privacy agreements between and among affiliates worldwide
Corporate acquisitions, changes in business processes or modifications to data flows necessitate ongoing maintenance of the agreements
Modifications to the standard clauses may require additional notifications or approvals by local data protection authorities
Data Transfers
36
Binding Corporate Rules
Covers intra-group data transfers
Lead DPA coordinates submission for approval and liaises with other DPAs
Achieve compliance in accordance with company values and internal policies
Does not cover transfers to or from unaffiliated parties
Not all countries subscribe to mutual recognition
Costly and time intensive
Data Transfers
37
Questions?
38
Kristine Scott, Privacy Director, Aon Corporation
312-381-3618
39