Marketing Related
Online Behavioral Advertising
Websites or online advertising services that engage in the tracking or analysis of search terms, browser or user profiles, preferences, demographics, online activity, offline activity, location data, etc., and offer advertising based on that tracking.
What is the COPPA safe harbor program
Adherance to a self regulatory program that is approved by the FTC
National Do Not Call Registry
Allows U.S. consumers to place their phone number on a national list, preventing calls from unsolicited telemarketers. This registration is now permanent and can be enforced by the Federal Trade Commission, Federal Communication Commission (FCC) and state attorneys general with up to a $16,000 fine per violation. Cell phones are protected from any unsolicited automatic-dialed calls through other FCC regulations.
What are the disclosure requirements for a call under the Telemarketing Sales Rule (DNC)?
1. Identify the seller 2. Purpose of the call 3. Nature of goods and services 4. For prize or promotion, no purchase necessary.
What records must be maintained under the Telemarketing Sales Rule?
1. Advertising and promotional materials 2. Information about prize recipients 3. Sales records 4. Employee records 5. All verifiable authorizations or records of express informed consent or express agreement
How is CALOPPA enforced?
1. California general consumer protection statute by state or private citizens
What are the calling requirements under the Telemarking Sales Rule (DNC)?
1. Call only between 8 am and 9 pm 2. Screen and scrub against DNC 3. Display caller ID 4. Identify themselves and what they are selling 5. Disclose all material info and terms 6. Comply with special rules for prices and promotions 7. Respect requests to call back 8. Retain records for at least 24 hours 9. Comply with special rules for automated dialers
Exceptions to COPPA consent requirement?
1. Collected along with parent's email to provide the required notice and consent. 2. Respond once to a specific request from a child if the email is immediately deleted. 3. Respond more than once to a specific request of a child (I.e., newsletter subscription) if send notice to parents email to opt out. 4. When necessary to protect safety of the child. 5. To collect for sole purpose of protecting the integrity of the site, respond to legal requests, etc.
Requirements of COPPA privacy notice?
1. Contact information for the website operator 2. Type of information collected. 3. How the information will be used. 4. Whether the information will be disclosed to third parties and if so, the general purpose of the third party, its business and confidentiality 5. A disclaimer providing an option to consent to collection but not disclosure 6. Statement that no condition may be placed on the disclosure of information 7. Statement that it is the parent's final right to forfeit a child's disclosure of information, and the procedures to do so.
What misrepresentations are prohibited in a sales call under the TSR?
1. Cost and Quantity 2. Material Restrictions, Limitations, or Conditions 3. Performance, Efficacy, or Central Characteristics 4. Refund, Repurchase, or Cancellation Policies 5. Material Aspects of Prize Promotions 6. Material Aspects of Investment Opportunities 7. Affiliations, Endorsements, or Sponsorships 8. Credit Card Loss Protection 9. Negative Option Features 10. Debt Relief Services
What are the categories of information about the product that must be disclosed on a marketing call?
1. Cost and quantity 2. Material restrictions and conditions 3. No-refund policy details 4. Prize and promotion details 5. Credit card loss prevention program disclosures (for sellers offering this service) 6. Negative option feature details (for sellers offering this service)
What types of payments under the TSR do NOT require express verifiable authorization?
1. Credit Cards 2. Debit Cards 3. Checks 4. Cash 5. Money Order 6. Gift Certificate 7. Direct Billing
What are transaction or relationship messages under CANSPAM?
1. Facilitate or confirm an agreed upon commercial transaction. 2. Provide warranty or safety information about a product purchased or used by the recipient. 3. Provide certain information regarding an ongoing commercial relationship. 4. Provide information related to employment or a related benefit plan. 5. Deliver goods or services to which the recipient is entitled under the terms of an agreed upon transaction.
What does CANSPAM prohibit or require?
1. False or misleading headers 2. Deceptive subject lines 3. Requires a conspicuous return email address that is functioning. 4. Requires emails to include clear and conspicuous opt out cost free. 5. Prohibits sending commercial email to someone who has asked to opt out (after 10 days) 6. Requires all commercial email to include clear identification as a commercial message 7. Requires senders valid physical postal address 8. Prohibits aggravated violations such as address harvesting and dictionary attacks; auto creation of multiple email accounts; and retransmission of commercial email through unauthorized accounts. 9. Requires any commercial email with sexually oriented material to include a warning label.
What must be disclosed for debt relief services?
1. How much the service costs as well as any material restrictions, limitations or conditions on the debt relief service. 2. If the sales presentation includes a statement about the refund policy, you must also include a clear and conspicuous disclosure of all terms and conditions of the policy; 3. How long it will take the consumer to achieve the represented results based on a good faith estimate; 4. How much money a customer must save before you'll make a settlement offer to creditors; 5. The possible consequences if the customer fails to make timely payments to creditors; 6. The customer's rights regarding dedicated accounts if you ask or require your customers to set aside funds in a dedicated account.
CALOPPA Privacy Notice Requirements
1. Identify the categories of PII the operator collects 2. Identify the categories of third parties with whom the operator may share PII 3. Describe the process by which consumers review and request changes to their PII, if a process exists 4. Describe the process by which the operator notifies consumers of material changes made to the privacy policy 5. Identify its effective date
What are the exceptions for disclosure of PII under the Video Privacy Protection Act of 1988?
1. Made to the consumer. 2. Made subject to the written consent of the consumer contemporaneously. 3. Made to law enforcement via warrant,subpoena or court order. 4. Only names and addresses 5. Only names, addresses and subject matter descriptions used only for marketing to the consumer. 6. For order fulfillment 7. Court order in civil proceeding and consumer can object
What are the requirements for consent for an MSCM?
1. Must have express prior authorization, which means an affirmative action to give consent. 2. Must be given prior to sending the MSCM. 3. No cost to consumers to consent or revoke. 4. Must tell consumer that agreeing to receive MSCM to wireless device from identified seller. 5. Must tell consumer he/she may be charged by provider. 6. Must tell consumer he/she can revoke at any time.
What does the annual privacy notice under the Cable Television Privacy Act of 1984 require?
1. Nature of the PII collected. 2. How the information will be used. 3. Retention period of the information. 4. Manner subscriber can access and correct information.
What does the Cable Television Privacy Act of 1984 regulate?
1. Notice a cable company must provide to consumers 2. Ability of providers to collect, disseminate and retain PII.
Who does COPPA apply to?
1. Operators of commercial websites and online services directed to children under 13; and 2. General audience websites and online services that know they are collecting personal information from children under 13.
What callers are not covered by the DNC registry?
1. Political organizations, 2. Charities calling on own behalf, 3. Telephone surveyors, or 4. Companies with which a consumer has an existing business relationship.
What are the requirements of COPPA?
1. Post a privacy notice on the homepage and a link to privacy notice wherever personal information is collected; 2. Provide notice about the site's information collection practices to parents. 3. Obtain verifiable parental consent before collecting personal information from children 4. Give parents a choice as to whether their children's personal information will be disclosed to third parties. 5. Provide parents access and the opportunity to delete the children's personal information and opt out of future collection or use of the information. 6. Not condition a child's participation in a game, contest or other activity on the child's disclosing more personal information than is reasonably necessary to participate in that activity. 7. Maintain the confidentiality, security and integrity of personal information collected from children.
What are the restrictions on CPNI?
1. Telecoms can use for own purposes such as marketing offerings in services already subscribed, fraud, collections, etc. 2. Must have express consent from customer to share CPNI with joint ventures or independent contractors for marketing.
What misrepresentations are prohibited in a charitable solicitation call for another party?
1. The Nature, Purpose, or Mission of the Entity on Whose Behalf the Solicitation is Made 2. Tax Deductibility 3. Purpose of a Contribution 4. Percentage or Amount of Contribution that Goes to the Charitable Organization or Program 5. Material Aspects of Prize Promotions 6. Affiliations, Endorsements, or Sponsorship
For Oral Authorization under the TSR, what information must be provided to and acknowledged by the customer?
1. The goods and services being purchased, or the charitable contribution for which payment authorization is sought. 2. The number of debits, charges, or payments (if more than one). 3. The date the debits, charges, or payments will be submitted for payment. 4. The amount of the debits, charges, or payments. the customer or donor's name. 5. The customer or donor's billing information, identified in specific enough terms that the consumer understands which account will be used to collect payment for the transaction. 6. A telephone number that is answered during normal business hours by someone who can answer the consumer's questions. 7. The date of the consumer's oral authorization. The TSR also requires that the audio recording of the oral authorization must be made available upon request to the customer or donor, as well as to the customer or donor's bank or other billing entity.
What are the requirements of the DNC Safe Harbor?
1. The marketer has established and implemented written procedures to honor DNC requests 2. Marketer has trained its personnel in the procedures 3. Marketer has maintained and recorded an entity specific DNC list 4. Marketer uses and maintains records documenting a process to prevent calls to the DNC list 5. Marketer monitors and enforces compliance with the DNC procedures 6. The call was an error
What must a telemarketer disclose about prizes or promotions?
1. The odds of winning the prize(s). If the odds can't be calculated in advance because they depend on the number of people who enter the promotion, for example, you must tell that to consumers, along with any other factors used to calculate the odds. 2. That they can participate in the prize promotion or win a prize without buying anything or making any payment, and that any purchase or payment will not increase the chances of winning. 3. How they can enter the prize promotion without paying any money or purchasing any goods or services. This disclosure must include instructions on how to enter, or an address or local or toll-free telephone number where consumers can get the no-purchase/no-payment entry information. any material costs or conditions to receive or redeem any prize.
What types of calls are not subject to TSR?
1. Unsolicited calls from consumers. 2. Calls placed by consumers in response to a catalog. 3. Business-to-business calls unless they involve retail sales of nondurable office or cleaning supplies, or solicit sales or charitable contributions from employees. 4. Calls made in response to general media advertising (with some important exceptions). 5. Calls made in response to direct mail advertising (with some important exceptions).
What are the requirements of the Call Abandonment Safe Harbor under the DNC?
1. Uses technology that ensures abandonment of no more than 3% of all calls answered by a live person per day per campaign 2. Allows the phone to ring 15 seconds or 4 times before disconnecting 3. Plays a recorded message stating the name and number of the caller when a live sales rep is unavailable within 2 seconds of answering. 4. Maintains records documenting adherence to the 3 requirements.
How can fax numbers be obtained under the Junk Fax Protection Act?
1. Voluntary provision of fax number from customer within the context of the business relationship 2. A directory or site where people voluntarily agree to make fax number available for public distribution.
What must be disclosed in a negative option feature?
1. the fact that the customer's account will be charged unless he or she takes an affirmative action — such as canceling — to avoid the charge. 2. the date(s) on which the charge(s) will be submitted for payment. 3. the specific steps the customer must take to avoid the charges.
What is a Mobile Service Commercial Message (MSCM) under CANSPAM?
A commercial electronic mail message that is transmitted directly to a wireless device that is utilized by a subscriber of a commercial mobile service. Applies only internet to mobile and not mobile to mobile.
Do Not Track
A proposed regulatory policy, similar to the existing Do Not Call Registry in the United States, which would allow consumers to opt out of web-usage tracking.
What is the Wireless Domain Registry?
A registry of wireless domain names created by the FCC. Commercial mobile radio service providers are required to update it.
Cookie
A small text file stored on a client machine that may later be retrieved by a web server from the machine. Cookies allow web servers to keep track of the end user's browser activities, and connect individual web requests into a session. Cookies can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their user name and password already. Cookies may be referred to as "first-party" (if they are placed by the website that is visited) or "third-party" (if they are placed by a party other than the visited website). Additionally, they may be referred to as "session cookies" if they are deleted when a session ends, or "persistent cookies" if they remain longer.
Value-Added Services
A telecommunications industry term for non-core services; i.e., services beyond voice calls and fax transmissions. More broadly, the term is used in the service sector to refer to services, which are available at little or no cost, and promote their primary business. For mobile phones, while technologies like SMS, MMS and GPRS are usually considered value-added services, a distinction may also be made between standard (peer-to-peer) content and premium-charged content. These are called mobile value-added services (MVAS), which are often simply referred to as VAS. Value-added services are supplied either in-house by the mobile network operator themselves or by a third-party value-added service provider (VASP), also known as a content provider (CP) such as Headline News or Reuters. VASPs typically connect to the operator using protocols like short message peer-to-peer protocol (SMPP), connecting either directly to the short message service centre (SMSC) or, increasingly, to a messaging gateway that gives the operator better control of the content.
Do-Not-Call Improvement Act of 2007
Amending the Do-Not-Call Implementation Act to remove the re-registration requirement. Originally registration with the National Do-Not-Call Registry ended after 5 years, but with this act the registrations became permanent.
De-identification
An action that one takes to remove identifying characteristics from data. De-identified data is information that does not actually identify an individual. Some laws require specific identifiers to be removed (See HIPAA 165.514(b)(2)). Hashing is not enough to de-identify data
Data Matching
An activity that involves comparing personal data obtained from a variety of sources, including personal information banks, for the purpose of making decisions about the individuals to whom the data pertains.
Established Business Relationship
An exemption to the Do Not Call (DNC) registry, a marketer may call an individual on the DNC registry if a prior or existing relationship formed by a voluntary two-way communication between a person or entity and a residential subscriber with or without an exchange of consideration, on the basis of an inquiry, application, purchase or transaction by the residential subscriber regarding products or services offered by such person or entity, which relationship has not been previously terminated by either party.
Commercial Electronic Message
Any form of electronic messaging, including e-mail, SMS text messages and messages sent via social networking about which it would be reasonable to conclude its purpose is to encourage participation in a commercial activity. Examples include electronic messages that offer to purchase, sell, barter or lease products, goods, services, land or an interest or right in land; offers to provide a business, investment or gaming opportunity; advertises or promotes anything previously mentioned.
What is a video tape service provider under the Video Privacy Protection Act of 1988?
Anyone engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.
Who is a sender under CANSPAM?
Anyone who initiates an email message and whose product or service is advertised or promoted by the message.
Unfair Trade Practices
Commercial conduct that intentionally causes substantial injury, without offsetting benefits, and that consumers cannot reasonably avoid.
What does CANSPAM stand for?
Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003.
Junk Fax Prevention Act of 2005
Creates the Existing Business Relationship exception to the Telephone Consumer Protection Act's ban of fax-based marketing without consent but contains a requirement that all marketing faxes be accompanied by instructions on how to opt-out of further unsolicited communications.
What is CPNI?
Customer Proprietary Network Information. Information collected by telecom carriers on their subscribers. Includes subscription info, services used, billing info, call log data, personal information.
What are the rules around Robocalls?
Even if there is an established business relationship, the caller must get prior express written consent for a robocall to a residential line.
Do-Not-Call Implementation Act of 2003
Grants the authority to the Federal Trade Commission (FTC) to create the National Do-Not-Call Registry in the United States. The registry is open to all consumers, allowing them to place their phone numbers on a national list which makes it illegal for telemarketers to make unsolicited calls to those numbers, the only exceptions being for political activities and non-profit organizations. Originally consumers would have to re-register their numbers with the FTC every 5 years for continued prevention, but the Do-Not-Call Improvement Act of 2007 extended registration indefinitely. Violations can be enforced by the FTC, Federal Communications Commission, and state attorneys general with up to a $16,000 fine per violation.
What is the Do Not Call Safe Harbor?
If a seller or telemarketer can establish that as part of its routine business practice, it meets certain requirements, it will not be subject to civil penalties or sanctions for erroneously calling a consumer who has asked not to be called, or for calling a number on the National Registry:
When does an Existing Business Relationship exist with a prospect for the exception to the DNC registry?
If the consumer has made an application or inquiry regarding the seller's goods or services. The EBR runs for 3 months from the date of the inquiry or application.
When does an Existing Business Relationship exist with a customer for the exception to the DNC registry?
If the customer has purchased, rented or leased the seller's goods or services (or completed a financial transaction with the seller) within 18 months preceding a telemarketing call. 18 months runs from date of last payment or shipment.
What does the Telecommunications Act of 1996 cover?
Information collected by the telecom companies on consumers.
Is there a private right of action under COPPA?
No. The FTC has authority and states can bring civil actions under COPPA.
When are calls from consumers in response to general media advertisements covered by TSR?
Relating to: 1. Franchises not covered by the FTC's Franchise Rule, 2. Business opportunities not covered by the FTC's Business Opportunity Rule, 3. Credit card loss protection, credit repair, recovery services, 4. Advance-fee loans, 5. Investment opportunities, or 6. Debt relief services
Location Based Service
Services that utilize information about location to deliver, in various contexts, a wide array of applications and services, including social networking, gaming and entertainment. Such services typically rely upon GPS, RFID or similar technologies in which geolocation is used to identify the real-world geographic location of an object, such as a cell phone or an Internet-connected computer terminal.
What are the damages under the Video Privacy Protection Act of 1988?
Statutory damages of $2,500, punitive damages, attorneys fees and costs. Private right of action.
Who must comply with the Telemarketing Sales Rule (TSR)?
The TSR regulates "telemarketing" — defined in the Rule as "a plan, program, or campaign . . . to induce the purchase of goods or services or a charitable contribution" involving more than one interstate telephone call. (The FCC regulates both intrastate and interstate calling.) With some important exceptions, any businesses or individuals that take part in "telemarketing" must comply with the TSR. This is true whether, as "telemarketers," they initiate or receive phone calls to or from consumers, or as "sellers," they provide, offer to provide, or arrange to provide goods or services to consumers in exchange for payment. It makes no difference whether a company makes or receives calls using low-tech equipment or the newest technology. Similarly, it makes no difference whether the calls are made from outside the United States; so long as they are made to consumers in the United States. Those making the calls, unless otherwise exempt, must comply with the TSR's provisions. If the calls are made to induce the purchase of goods, services, or a charitable contribution, the company is engaging in "telemarketing." Certain sections of the TSR apply to individuals or companies other than "sellers" or "telemarketers" if these individuals or companies provide substantial assistance or support to sellers or telemarketers. The Rule also applies to individuals or companies that help telemarketers gain unauthorized access to the credit card system by using another merchant's account to charge consumers, a practice known as credit card laundering.
Federal Trade Commission
The United States' primary consumer protection agency, the FTC collects complaints about companies, business practices and identity theft under the FTC Act and other laws that they enforce or administer. Importantly, the FTC brings actions under Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices.
Multi-factor Authentication
The authentication of a user by multiple means. This is typically accomplished by a requirement for both a password and at least one other form of authentication such as a pass card, biometric scan or an "out of band" means such as a phone call.
Telephone Consumer Protection Act of 1991
The first enactment of laws limiting unsolicited and automated telemarketing for both telephone and fax communications. Most notably the act creates a private right of action for those receiving unsolicited faxes, carrying a $500 fine per violation and any damages sustained because of the fax. The Telephone Consumer Protection Act (TPCA) also gives rule-making authority to the Federal Communications Commission, allowing it to make further regulations in this area. Among other provisions, the act prevents faxing without consent from the recipient (this requirement was amended by the Junk Fax Prevention Act of 2005 to not include customers with an existing business relationship) and requires companies to create and honor internal do-not-call registries (in 2003 the National Registry was created by the Federal Trade Commission).
Re-identification
The process of using publicly available information to re-associate personally identifying information with data that has been anonymized.
What is a negative option feature?
This occurs when the seller interprets the consumer's silence, or failure to take an affirmative action to reject goods or services or cancel an agreement, as acceptance of the offer. One type of negative option offer is a "free-to-pay conversion" offer (also known as a "free-trial offer"), where customers receive a product or service for free for an initial period and then have to pay for it if they don't take some affirmative action to cancel before the end of the period. Other types of negative option features include continuity plans and other arrangements where consumers automatically receive and incur charges for shipments in an ongoing series unless they take affirmative action to stop the shipment.
Consent
This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has choice (see Choice) about the use or disclosure of his or her information, consent is the individuals' way of giving permission for the use or disclosure. Consent may be affirmative; i.e., opt-in; or implied; i.e., the individual didn't opt out. (1) Explicit Consent: A requirement that an individual "signifies" his or her agreement with a data controller by some active communication between the parties. According to the EU Data Protection Directive, explicit consent is required for processing of sensitive information. Further, data controllers cannot infer consent from non-response to a communication. (2) Implicit Consent: Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
What are the fines under CANSPAM?
Up to $16,000 per violation.
What are the penalties for violating the DNC Registry?
Violators will be subject to civil penalties of up to $40,654 for each violation, as well as injunctive remedies.
When does the Junk Fax Prevention Act of 2005 allows inferred consent?
With an Existing Business Relationship within the last 18 months or if an inquiry has been made in the last 3 months.
Does CALOPPA apply to mobile platforms?
Yes