Target Marketing


Does 'Can Spam' Travel?

October 2005 By Nick Martin

The U.S. government, by contrast, takes a minimalist approach to business, preferring that it self-regulate and protect key interests through best practice. Where this isn't possible, a strong sector approach to law-making means that laws are rather specific, relate to clearly defined issues--such as advertising via e-mail--and are full of required practical steps to be taken to conform to the law.

The main piece of European legislation on privacy, The Data Protection Directive 1998, comprises eight principles covering the holding and use of personal data. Note the word 'principles', not 'steps'. These eight principles underpin all other legislation in this area, including the recent Privacy and Electronic Communications Regulations that govern, inter alia, e-mail marketing. The eight principles require that:

• Personal data be obtained fairly and lawfully;

• Data be held only for specific and lawful purposes and not processed in any manner incompatible with those purposes;

• Requests for personal data be relevant, adequate and not excessive for those purposes;

• Data collected must be accurate and where necessary kept up to date;

• Data not kept longer than necessary;

• Data be processed in accordance with the data subjects' rights;

• Data be secure;

• Data are not transferred outside the European Economic Area to countries that do not have adequate levels of data protection without the consent of the data subject.

At the heart of those principles stand the twin pillars of notification and fair processing. Notification means that when collecting personal information you must explain why you are doing so and how you plan to use it. You must clearly identify who you are and how you can be easily contacted. Each purpose must be covered, as well as the types of third parties you intend to pass any information on to.

Fair processing requires that an opt-out mechanism exists in each communication sent to the subject, either from you or third parties that may be using the data. Consent can be withdrawn at any time.

These twin pillars underpin everything else. Other mechanisms or steps taken to collect personal information and to conduct subsequent electronic marketing will not be sufficient if the twin pillars are not properly interpreted.

Can Spam in a Global Environment

Trying to enforce Can Spam mechanisms can cause unforeseen consequences. For example, insisting on using a header that identifies the source owner of the data in preference to the third-party sender means that any unsubscribes would require the source owner to stop communicating with the recipient, rather than the recipient opting out from future third-party communications. Rather, the desired outcome can be achieved by detailing the reasons why the recipient was e-mailed in a link to a Permission Marketing Policy alongside the unsubscribe link--provided the appropriate degree of consent has been obtained during data collection. So, using headers to mask a lack of consent for use by third parties is no substitute for obtaining personal data with due reference to these twin pillars of European legislation. US CAN SPAM:

• bans false or misleading header information.

• prohibits deceptive subject lines.

• requires that e-mail give recipients an opt-out method.

• requires commercial e-mail be identified as an advertisement and include the sender's valid physical postal address

On the other hand, the European e-communications privacy legislative framework is based on:

• the twin pillars of Notification and Fair Processing.

• the eight principles of the Data Protection Directive.

• consent as the key requirement.

• Unless you have an existing two-way relationship with a customer or a prospective customer, you must have explicit prior permission to communicate with all consumers via e-mail (with the exception of France and UK this includes business-to-business communication).

E-mail headers are commonly used in the United States to show that the e-mail is from the data supplier, even though it includes third-party content. In Europe, specific consent must be obtained at point of collection for third-party use. It is preferable to show that the e-mail is from a third-party, but with a privacy link that explains the source of the data.

However, US companies sometimes insist on the data owner using a branded header of the data owner. This is no good for Europeans, because if people then opt out, they are in effect opting out of receiving e-mails from the data owner, even if they have a business relationship with the data owner. Therefore, in insisting on this, US companies are trying to bring CAN SPAM specifics into the mix, rather than paying heed to the European principles and the need to gain consent upfront for every type of use.

The Impact of the Data Protection Directive

It's hard on the face of it to imagine how the eight principles of The 1998 Data Protection Directive can make a difference when embedded into corporate privacy policies.

The value of the eight principles lies in their role as guiding 'commandments' that create an environment of best practice within companies. The principles force us to choose a practical path based on them, giving due consideration to the nature of the business and the data it collects and holds, together with a clear justification for doing so.

Data security is a good example. Recent history has not been kind to the U.S. track record in safeguarding personal data. There have been a series of high profile thefts culminating in the disclosure that 40 million credit card accounts were stolen from an Atlanta data processing firm. Even Citigroup, the biggest bank in the world, 'lost' information on 3.9 million customers when tapes that were not encrypted went missing during shipment by UPS. We appear to see less high-profile data theft in the EU, and the conclusion that data protection legislation has created an environment where these issues are treated more seriously is hard to dodge.

The seventh principle of The Data Protection Directive states that data must be held securely. Less prescriptive you could not get if you tried! But it works.

If I had to define measures for my business that would represent security for the personal data we control and process, these would include inter alia:

• Technological measures, such as firewalls and safe FTP sites;

• Encrypted back-ups to ensure they are protected during transit;

• Installation of the latest security updates.

Likewise, it is not too difficult to define, giving due consideration to a company's business, what 'secure' actually means in terms of practical steps that can be taken.

Blend the Best of Both Models

European data protection principles can be interpreted into specific steps that work within a local context. Equally, the more specific nature of US legislation will yield many practical steps that can be taken which will not cause conflicts in the way the use of headers in e-mails can. For example, a privacy policy must include the requirement that easy opt-outs are provided within each e-mail broadcast, which both US and EU laws stipulate. US provisions prohibit misleading statements or subject lines, a rather more specific privacy policy requirement than the EU's general principle that the data be obtained and used fairly and lawfully. Notification is an EU principle that is not specifically covered by CAN SPAM, but ought to be a fundamental tenet of all data collection and use, including e-mail addresses.

Blend the best of both into a corporate privacy policy that is also flexible enough to reflect the most fundamental of local differences, and business will benefit from the thought and analysis that lies behind it.

This means you need to ensure that prospect lists are properly consented. The question is not whether they are consented but what and whom they are consented for (the notification issue). Ensure consent has been gained specifically for e-mail marketing. General notification for all forms of communication most probably would not be seen to have sufficiently informed the data subject, so you are looking for specific notification in respect of e-mail marketing and third-party use. EU legislation covers all forms of e-mail communication, not just advertising messages, so make sure you extend the scope of your privacy policy to include all uses.

Don't rely just on CAN SPAM and assume that headers and subject lines will cover your use of generally notified data. The issue of notification and consent in Europe runs much deeper in fundamental law.

How you fuse US and European best practice into your privacy policy must ultimately lie with legal counsel, but with due regard taken of your views on drafting privacy clauses and the unique circumstances of your own company's business priorities.

Nick Martin is general manager of Mardev, an international organization specializing in business and professional data, related applications and services. Mardev is part of Reed Elsevier, a Fortune 500 company. Martin can be reached at Nick.Martin@mardev.com.