NOTICE
Patricia Faley, Vice President, Ethics & Consumer Affairs
The Direct Marketing Association
www.the-dma.org
The Direct Marketing Association (“The DMA”) believes that marketers should provide notice to their customers if they share contact information about customers with other marketers for use in future solicitation or donation campaigns. This principle is the foundation for the fair use of marketing information. It is important to note that DMA guidelines state that marketing information should be used for marketing purposes only.

While on its face notice seems straightforward, there are a number of operational questions that arise when a marketer implements the principle. Some of the most important questions and the answers from The DMA’s perspective are:

• Should the same type of notice be required in every medium?
• Who should provide notice?
• What should the notice say?
• When should notice be delivered?
• Are the rules the same for the most sensitive types of data, such as financial, health care and data about children?

The goal of this paper is to give a brief overview of The DMA’s perspective on notice. The paper discusses how to reach what The DMA believes to be the optimum condition: that concerned consumers receive the notice they desire while marketers retain the ability to contact those consumers who are receptive to their offers.

Notice necessarily differs by medium

Online, providing notice is relatively easy. A Web site allows for the space needed for a complete privacy policy and the cost of posting the policy is minimal. The DMA believes that a complete statement of a marketer’s information practices should be located in a prominent place either on the home page or in a place easily accessible from the home page. In outbound email marketing, the policy is also easy to provide. Most marketers can give their customer an easy URL link to their Web site to find out about their privacy policy.

Using the telephone as a marketing medium is an entirely different marketing experience both for the marketer and for the customer. Telephone marketing is relatively expensive compared to online marketing, requiring the presence and time of people, phone or computer stations and the cost of long distance calls based on the length of the call. The longer the call, the higher the cost.

Further, the psychology of sales on the phone would prohibit a marketer from notifying the consumer about the company privacy policy before the purchase. Imagine the theoretical marketer who says, “Hi, I’m Douglas Smith from Snow Catalog and we’re having a great sale today on ski wear. But before I tell you about the offers, I need to spend ten minutes of your time presenting our privacy policy!” Giving notice on the phone just doesn’t work in practice. It’s too time consuming and expensive, and the consumer is not receptive to hearing it. A better practice in this situation would be for the telemarketer to send the privacy notice in the fulfillment package. Of course, if the consumer asks a question about the telemarketer’s privacy policy the customer service representative should be trained to answer it honestly and succinctly.

Sales via direct TV and radio advertisements provide a similar dilemma where the time and cost of notice are prohibitive.

In traditional mail, the information about whether the marketer transfers information can be presented in a catalogue or other print piece. In general, The DMA believes that marketers using mail should annually inform consumers of their policy concerning the rental, sale or exchange of data and give them the opportunity to object. If the policy changes, marketers have an obligation to inform consumers of that change prior to the rental, sale or exchange of data.
Clearly, a one-size fits all approach for privacy notices in all media will not provide the balance of consumer choice and business viability we would seek.

Who Should Provide the Notice?

A host of organizations support marketers in their business efforts. These entities include list compilers, list brokers, list owners, and service bureaus. However, we believe that the marketer with whom the consumer interacts should be responsible for providing notice. List compilers, brokers, owners and service bureaus, however, should give notice if they are communicating directly to the customer under their own company or organization name.

The case of providing notice by a company’s affiliates – members of the same corporate family – is somewhat different and should be viewed from the consumer's perspective. Some companies have several distinct brands or affiliates, divisions or subsidiaries under which they operate. The question often arises whether in such cases each must give notice. We believe that each separate company or brand, as the consumer is likely to perceive it, must offer notice. Where affiliates, divisions or subsidiaries market under different names, customers are likely to perceive them as different entities. Each corporate entity or brand must, therefore, offer its own notice. On the other hand, where affiliates market under a single company name, they are likely to be perceived by customers as a single organization. In such cases, one notice is sufficient for all entities.

What Should the Notice Say?

What a privacy notice should include depends upon the medium in which it is presented. Since online it is relatively easy and inexpensive to provide a full notice, The DMA requires a complete privacy policy notice for Web sites. We have developed a Privacy Policy Generator for our members that assists them in communicating their policy to consumers. Contents of a privacy policy notice should include:

• the identity of the Web site administrators
• a description of what is automatically recognized about the consumer upon a visit to the site, if anything
• a description of the data collected
• how the data collected is used
• the cookie policy, if cookies are used
• how to opt out of future communications from the marketer via e-mail
• how to opt out of transfer of consumer contact information to third party marketers
• the ad server policy
• a description of the procedures the company will use to notify consumers if their policy changes
• access and security assurances
• enforcement contacts

For traditional mail and phone, the space and time to deliver messages is limited and expensive so that, as mentioned earlier regarding the telephone, notice is sometimes difficult to deliver.

When Should the Notice Be Delivered?

For traditional media we think that the consumer should receive a notice at least once a year. In the instance where the consumer is contacted less frequently than once a year, the notice should certainly be given as frequently as the consumer is contacted.

For online media the notice should be available to the consumer in a prominent place on the Web site’s home page or in a place that is easily accessible from the home page. It should be easy to find, read and understand so that a visitor is able to quickly comprehend it. This means that the policy notice is available in readable print, not obscured by design elements and that it is written in plain English. Clearly, it should be available prior to or at the time personally identifiable information is collected.

One of the best ways to provide notice online is to have a privacy icon or symbol on the home page that links to the company’s privacy policy. While the notice need not appear on every page of the Web site in order to be conspicuous, linking to the notice at all points where personally identifiable information is collected is the best way to ensure consumers will see the notice.

The DMA's Online Privacy Policy Generator is available at: .

What About Notice Regarding Sensitive Data?

Sensitive data includes information about illnesses, health conditions and treatments, financial services account identifiers and data about children. It is very important that consumers understand how this most sensitive data is used, so that the requirements of notice are more rigorous.

Health Data

The DMA has developed separate guidelines for the collection, use and transfer of health-related data. The guidelines apply to any individual or entity that collects, maintains, uses and/or transfers health-related data for marketing purposes. The guidelines provide that personally identifiable health-related data obtained in the context of a relationship between consumers and health care providers or treatment facilities should not be transferred for marketing purposes without the specific prior consent of those consumers. Health care providers include licensed health care practitioners such as doctors, nurses, psychologists, health care providers such as insurance companies, pharmacy benefits managers or other business partners and businesses that sell prescription drugs.

We do think that medical care providers should be allowed to contact their own patients for marketing purposes. However, those patients should have a clear notice of the provider’s intended use of the data and the opportunity to request not to be contacted for marketing purposes.

In some instances consumers voluntarily give information about their health to entities that are not health care providers. For example, sometimes a consumer will respond to a survey or questionnaire with information about themselves or their family. The DMA requires that, at the time such data are collected, a clear notice of the marketer’s intended use of the data, whether the marketer will transfer the data to third parties, the name of the collecting organization, and the should all be presented to the consumer.

Finally, The DMA considered “inferred data” related to health care. This is data gathered outside of a relationship with a health care provider, and based principally on consumer purchasing behavior. Such data could include data captured by consumer inquiries, donations, purchases, frequent shopper programs, advertised toll-free telephone numbers or other consumer response devices. The DMA believes that any entity, including a seller of over-the-counter drugs, that uses inferred health-related data should promptly provide notice to the consumer and the opportunity to opt out of any transfer of the data for marketing purposes.

Financial Data

The DMA was very concerned that our members give consumers clear notice about what will be done with their financial data. To make compliance with the Gramm-Leach-Bliley Act easy for our members we created a special Privacy Policy Notice Generator. The Generator can be used by a company wishing to communicate to consumers its policy regarding the use of financial data. The Generator is available at: . The goal was to provide a plain English notice that met the spirit and the letter of the law.

Additionally, under DMA Guidelines, credit card numbers, checking account numbers and debit account numbers are considered sensitive personal information and should not be transferred, rented, sold or exchanged when there is a reasonable expectation by the consumer that the information will be kept confidential.

Data About Children

To meet the requirements for notice under the Children’s Online Privacy Protection Act, The DMA created a Privacy Policy Generator that meets the letter and the spirit of the law in providing adequate notice to parents about any collection of data about children online. The generator is available at .

In media wherein collection requires mailing back to the company or responding to the telephone, The DMA has created guidelines regarding marketing to children that require marketers to provide notice and an opportunity to opt out of the marketing process so that parents have the ability to limit the names, addresses or other personally identifiable information. Upon request from a parent, marketers should promptly provide the source and general nature of information maintained about a child.