The Lustigman firm, Attorneys At Law


Privacy Update

12 February, 2005, 00:35 am

IMPORTANT PRIVACY LAWS AFFECTING MARKETERS — AT A GLANCE*


I GRAMM-LEACH-BLILEY ACT (GLB): FINANCIAL PRIVACY


WHO IS COVERED: “Financial institutions,” which includes banks, securities firms, insurance companies and companies providing many other types of financial products and services that are significantly engaged in financial activities. Among these services are the extension of credit to consumers, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities.


WHAT IS REQUIRED: GLB establishes three specific privacy obligations:


1. All customers must receive a written privacy notice at the start of the customer relationship and annually thereafter that discloses what non-public personal information the company collects, with whom it shares the information, and how it protects or safeguards the information. A privacy notice may also need to be given to consumers who are not customers, depending on the business relationship.


2. The privacy notice must give customers the right to opt out of (say no to) having their information shared with certain third parties, and it must also offer a convenient way to opt out. If you are not a financial institution but you receive marketing leads from a covered institution, you step into the shoes of the financial institution and may use the information only in accordance with the financial institution's privacy notice.


3. Entities receiving non-public personal financial information must observe the Safeguards Rule, which requires data security and confidentiality mechanisms for all customer records and information, designation of a person to coordinate the information security program, and verification of third-party security compliance.




II HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)



WHO IS COVERED: Health plans, health care clearinghouses, prescription providers, and health care providers who transmit health information in electronic form as part of a covered transaction, plus “business associates” of any of these entities that receive any patient health information. HIPAA protects all forms of individually identifiable health information (electronic, written, or oral) held or disclosed by a covered entity.


WHAT IS REQUIRED: If you obtain any protected health information (broadly defined as personally identifiable information relating to the past, present, or future physical or mental health or condition of an individual, or the payment for such services, which even encompasses the name of the person seeking treatment), you must:


1. Provide a written privacy policy that strictly conforms with HIPAA’s requirements.


2. Obtain an opt-in, meaning an affirmatively authorized disclosure on a separate written form, before transferring protected health information for non-treatment purposes. No opt-in is required for treatment, payment, and health care operations.


3. Ensure that business associates of the covered entity sign an agreement stating that they will abide by HIPAA.


4. Establish security protocols and designate a security/privacy compliance officer: a person to receive and respond to complaints and inquiries regarding privacy practices and policies.


Marketing Purposes: Use of protected health information for marketing purposes requires a separate written opt-in authorization. If the marketing involves direct or indirect remuneration by a third party, the authorization must include a statement that the covered entity will be paid for the marketing activity.



III CHILDREN’S ONLINE PRIVACY PROTECTION ACT (COPPA)



WHO IS COVERED: Operators of a commercial Web site or online service directed to children under thirteen that collects personal information from children, and operators of a general audience Web site who have actual knowledge that they are collecting personal information from children.


WHAT IS REQUIRED: COPPA establishes important privacy obligations:


1. Operators must provide a privacy notice to children and parents describing their information practices regarding data collection and use.


2. Operators must first obtain verifiable parental consent for the collection, use, and disclosure of personally identifiable data from children. Consent may cover collection only and/or disclosure to third parties.


3. Operators must allow parents or guardians the right to review the collected data and to revoke further use or maintenance. Operators cannot condition online participation on the collection of more personally identifiable information from children than is reasonably necessary to participate.


4. Operators must establish and maintain reasonable procedures to protect the confidentiality and integrity of personally identifiable information collected from children.


IV TELEMARKETING SALES RULE (TSR)


WHO IS COVERED: The TSR regulates persons who make “telemarketing” calls, where telemarketing is defined as “a plan, program, or campaign . . . to induce the purchase of goods or services or a charitable contribution” involving more than one interstate telephone call.



WHAT IS REQUIRED: The TSR prohibits transferring unencrypted credit card information except to process orders. In addition, the FTC and FCC created and enforce the National Do Not Call Registry, with which all sellers who use telemarketing are required to register.



1. The TSR treats it as an abusive telemarketing practice to disclose or receive, for consideration, unencrypted consumer account numbers for use in telemarketing. The sole exception is that unencrypted account information may be received to process payment for a transaction.


2. Telemarketers may not call consumers who have registered their telephone number on the National Do Not Call Registry unless an exemption applies (e.g., an established business relationship). Additionally, telemarketers must maintain for 2 years an internal do-not-call list of consumers who have stated that they do not wish to receive telemarketing calls.



V CONTROLLING THE ASSAULT OF NON-SOLICITED PORNOGRAPHY AND MARKETING ACT OF 2004 (CAN-SPAM)



WHO IS COVERED: The law applies to all commercial email whose "primary purpose" (undefined under the law) is selling a product or service, including business-to-business as well as business-to-consumer marketing. It does not apply to transactional or informational e-mail such as billing. Under the statute, the "sender" is the party whose goods or services are being promoted, not merely the person who initiates the email. The sender has many important responsibilities.


WHAT IS REQUIRED: The CAN-SPAM Act establishes these obligations:


1. Subject line: The law pre-empts state statutes that required ADV-like disclosures in the subject line, and (with the exception of sexually-oriented email) it does not, for the present, mandate any particular type of subject heading. However, the subject line must accurately reflect the subject matter of the email.


2. Text: The text of the email must make clear that it is an "offer" for goods or services. The law does not mandate specific language, so marketers have creative license, provided the fact that the message is an offer is otherwise clearly and conspicuously conveyed to the recipient. This requirement does not apply if the marketer has the recipient's affirmative consent to send the email.


3. Notice and Opt-Out: There is no opt-in requirement (of the kind California tried to enact), but the law does require each email to contain a clear and conspicuous notice of how to opt out of future emails, together with a functioning return email address or other Internet-based mechanism to effectuate the opt-out. Critically, the opt-out must be honored within 10 days of the recipient's opt-out notice. The marketer of the product or service is responsible for removing the email address from the mailing list.


4. From Line/Header Information: The law prohibits using false header information (such as source, destination, and routing information, including the originating domain name and originating electronic mail address) or otherwise hiding the sender's identity.


5. Postal Address: The email message must contain a valid physical postal address of the Sender (the party offering the product or service), not necessarily the party that actually transmits the email.



VI FAXING REGULATIONS UNDER THE TELEPHONE CONSUMER PROTECTION ACT (TCPA)


WHO IS COVERED: Anyone sending an “unsolicited advertisement” by fax, defined as “any material advertising the commercial availability or quality of any property, goods, or services which is transmitted to any person without that person’s prior express invitation or permission.”


WHAT IS REQUIRED: A business or entity on whose behalf a fax is sent must identify itself in the top or bottom margin of each page or on the first page of the fax message, and must include its telephone number and the date and time the fax is sent. Beginning June 30, 2005, a person may grant permission to receive fax advertisements only by a signed, written statement that includes the fax number to which advertisements may be sent. Until June 30, 2005, a fax sender may continue to rely on an “established business relationship” as permission to fax an advertisement.




VII THE SPY ACT (SPYWARE)


The House of Representatives recently passed legislation that prohibits “taking control” of a computer, surreptitiously modifying a Web browser’s home page, or disabling antivirus software without proper authorization. The Act would also create a complex set of rules governing software capable of transmitting information across the Internet.


VIII CALIFORNIA ONLINE PRIVACY PROTECTION ACT (OPPA)


WHO IS COVERED: OPPA, which went into effect on July 1, 2004, requires that an operator of a website or online service that collects personal information from California residents through the Internet conspicuously post its privacy policy on its website.


WHAT IS REQUIRED: The Act requires website operators or online service providers to comply with the terms of their own privacy policy. The privacy policy must contain the following information:


1. Categories of personally identifiable information collected.

2. Categories of third parties with whom the information may be shared.

3. Description of the process, if one is offered, for reviewing one’s own information collected through the site.

4. Description of the process for communicating changes in the policy.

5. Effective date of the policy.



IX CALIFORNIA DISCLOSURE OF PERSONAL INFORMATION TO DIRECT MARKETERS


WHO IS COVERED: Effective January 1, 2005, companies outside the financial services sector that do business in California, online or offline, and disclose customer information to third parties face more stringent obligations to disclose their information-sharing practices.


WHAT IS REQUIRED: Upon a customer’s request, a business must provide details about the types of personal information it shares with other businesses, along with the names and addresses of the companies with which the information is shared. Alternatively, a business may provide a privacy statement that offers a cost-free means to opt out of the business’s information-sharing activities.


--------------------------------------------------------------------------------

* IF YOU HAVE ANY QUESTIONS, please email Andrew Lustigman at andy@LFirm.com or call at 212 683 9180. This outline is intended to provide only an overview of important aspects of certain federal privacy statutes. These laws and the related regulations are complex and neither all laws nor all aspects are addressed in this document. This outline is not intended to be a substitute for legal advice or a replacement for the specific advice of counsel. Copyright 2004.


From its Madison Avenue office in NYC, The Lustigman Firm provides experienced legal counsel that helps protect the business interests of its advertising and promotional clients around the United States and Canada, including New York, New Jersey, Florida, California, Nevada, Pennsylvania, Toronto, Montreal, Ontario, and Quebec. We are active members of DMA and PMA.
