Reading: Privacy Laws

Drawing of a computer keyboard. All the keys are blank except seven in the center row, which spell the word PRIVACY.

What does privacy mean in today’s world? Privacy is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. Most of us expect some level of privacy, but the boundaries around privacy can differ depending on the individual and the situation.

The right-to-privacy issue has gotten more complicated as our culture has come to rely so heavily on digital communication—for everything from social networking to education to conducting business. Marketers have been quick to capitalize on the potential of digital technology to yield creative, aggressive techniques for reaching their target buyers. Sometimes these aggressive tactics cause a public backlash that results in new laws. For example, intrusive telephone marketing activities led to the passage of the Do-Not-Call Implementation Act of 2003, which permits individuals to register their phone number to prevent marketing calls from organizations with which they don’t have an existing relationship. The act was intended to protect consumers from a violation of privacy (incessant sales phone calls, particularly during the evening hours), and it closed down many businesses that had used telephone solicitation as their primary sales channel.

What follows is an overview of important privacy laws that have a particular impact on marketers. These are areas in which marketers need to be thinking ahead of the law. While there are plenty of perfectly legal marketing tactics that utilize personal information, if they are a nuisance to prospective customers, they are probably not good marketing and may be affected by future legislation when the public decides it has had enough.

Email Spam

Have you received email messages without giving permission to the sender? The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, passed in 2003, establishes federal standards for commercial email. Consumers must be given the opportunity to opt out of receiving future solicitations, as in this opt-out notice provided by the clothing company Abercrombie & Fitch:

This is a product offering from Abercrombie & Fitch. You have received this email since you submitted your email address to our list of subscribers. To unsubscribe, please click here and submit your email address. Please see our Website Terms of Use, and to know how we use your personal data, please see our Privacy Policy.

Despite its name, the CAN-SPAM Act doesn’t apply just to bulk email. It covers all commercial messages, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service,” including email that promotes content on commercial Web sites. The law makes no exception for business-to-business email. That means that all email—even, for example, a message to former customers announcing a new product line—must comply with the law. Each separate email in violation of the CAN-SPAM Act is subject to penalties of up to $16,000, so non-compliance can be very costly. The good news is that following the law isn’t complicated.

Managing Customer Data

Graphic representing tech privacy. Silhouette of a person on the right. Surrounding the person are various logos for online sites and activities (e.g., Facebook, Twitter, Google).

Sometimes companies and organizations possess personal data about their customers that is collected during the course of doing business. The most obvious examples are medical organizations that keep confidential patient records, financial institutions that capture your financial data, and educational institutions that record student test scores and grades. Other companies might know your contact information, your purchase patterns, and your Internet-shopping or search history. These organizations all have important legal responsibilities to protect your data.

The Federal Trade Commission (FTC) gives access to an important source of information about the necessity of securing sensitive data: the lessons contained in the more than fifty law enforcement actions taken by the FTC so far. These are settlements—no findings have been made by a court—and the details of the orders apply just to the companies involved, but learning about alleged lapses that have led to law enforcement actions can help your company improve its practices. Most of these alleged practices involve basic, fundamental security missteps or oversights. Without getting into the details of those cases, here are ten lessons distilled from them. Each touches on a vulnerability that could affect your company, along with practical guidance on how to reduce the risk it poses.

  1. Start with security: only collect customer data when necessary; be transparent; and treat the data with extreme care.
  2. Control and restrict access to sensitive data.
  3. Require strong, secure passwords and authentication; protect access to sensitive data.
  4. Store sensitive personal information securely and protect it during transmission: use best-in-class security technology.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network: put sensible access limits in place.
  7. Apply sound security practices when developing new products; train engineers in security and test for common vulnerabilities.
  8. Make sure your service providers implement reasonable security measures: write security into contracts and verify compliance.
  9. Establish procedures to keep your security current and address vulnerabilities that may arise; heed credible security warnings.
  10. Secure paper, physical media, and devices—not all data are stored digitally.

These may seem like overly technical considerations that aren’t important to someone working in a marketing organization, but in the same way that it is important for a marketer to protect the company from product liability suits, it is important to protect customers from security breaches related to the company’s products, services, and marketing activities.

Protecting Privacy Online

The Internet provides unprecedented opportunities for the collection and sharing of information from and about consumers. But studies show that consumers have very strong concerns about the security and confidentiality of their personal information in the online marketplace. Many consumers also report reluctance to engage in online commerce, partly because they fear that their personal information can be misused. These consumer concerns present an opportunity for marketers to build consumer trust by implementing sound practices for protecting consumers’ information privacy.

The FTC recommends four Fair Information Practice Principles. These are guidelines that represent widely accepted concepts concerning fair information practice in an electronic marketplace.
Notice

Consumers should be given notice of an entity’s information practices before any personal information is collected from them, including, at a minimum, identification of the entity collecting the data, the uses to which the data will be put, and any potential recipients of the data.

Choice and Consent

Choice and consent in an online information-gathering sense means giving consumers options to control how their data is used. Specifically, choice relates to secondary uses of information beyond the immediate needs of the information collector to complete the consumer’s transaction. The two typical types of choice models are “opt-in” and “opt-out.” The opt-in method requires that consumers give permission for their information to be used for other purposes. Without the consumer taking these affirmative steps in an opt-in system, the information gatherer assumes that it cannot use the information for any other purpose. The opt-out method requires consumers to affirmatively decline permission for other uses. Without the consumer taking these affirmative steps in an opt-out system, the information gatherer assumes that it can use the consumer’s information for other purposes.

Access

Access, as defined in the Fair Information Practice Principles, includes not only a consumer’s ability to view the data collected but also to verify and contest its accuracy. This access must be inexpensive and timely in order to be useful to the consumer.

Security

Information collectors should ensure that the data they collect is accurate and secure. They can improve the integrity of data by cross-referencing it with only reputable databases and by providing access for the consumer to verify it. Information collectors can keep their data secure by protecting against both internal and external security threats. They can limit access within their company to only necessary employees to protect against internal threats, and they can use encryption and other computer-based security systems to stop outside threats.

In June 1998, the FTC issued a report to Congress noting that while more than 85 percent of all Web sites collected personal information from consumers, only 14 percent of the sites in the FTC’s random sample of commercial Web sites provided any notice to consumers of the personal information they collect or how they use it. In May 2000, the FTC issued a follow-up report that showed significant improvement in the percent of Web sites that post at least some privacy disclosures; still, only 20 percent of the random sample sites were found to have implemented all four fair information practices: notice, choice, access, and security. Even when the survey looked at the percentage of sites implementing the two critical practices of notice and choice, only 41 percent of the random sample provided such privacy disclosures.

In the evolving field of privacy law there is an opportunity for marketers to build trust with target customers by setting standards that are higher than the legal requirements and by respecting customers’ desire for privacy.