Case Analysis:
-1- I did not find this case on marketing campaigns serendipitously and its discovery is worth telling.
To arouse interest in a subject matter, nothing is better than a juicy, real life story.
Disgruntled customers with an axe to grind amount to an unlimited source. So it is natural to look for derogatory sites, a practice examined in chapter I-3 on ambush marketing.
Following my own advice, I picked a likely target, Response Unlimited, and made a search keyed to this trademark. Without fail result number 4 brought me back "An expose of Response Unlimited", which I used for the case.
For those who wonder how I came to pick my target, Response Unlimited is the marketing list broker that bought the names of the donors to Terri Schiavo's parents' legal fund as reported by David D. Kirkpatrick and John Schwartz (New York Times) - March 2005.
-2- The story by James Lloyd is told, as one expects, with a strong negative bias. For balance we refer the reader to Response Unlimited.
One must realize that attracting a derogatory attack, plus a sponsored link "Why Pay List Brokers?" by The List Company, is a testimonial to the commercial success of Response Unlimited.
Nevertheless James Lloyd's account demonstrates clear professional understanding of list-based marketing and this will be our sole focus.
-3- The main point illustrated by the story is not that the name and address of almost everyone, whether individual or business, is available for sale at about 10 US cents a piece. Phone companies have published white pages directories for about a century.
More intriguing is that, together with name and address, comes a profile which can be as detailed and inquisitive as one can wish or dread. In this instance any religious activity is fair game, whether doctrinal, political or charitable.
Even more disturbing is that lists can be cross-referenced to yield an in-depth profile of a target. For clients of Response Unlimited, key additional considerations can be for example the financial worth of the individual and his or her political affiliation.
Marketing managers already know how to use such selection criteria to build well targeted lists for optimal campaign results. The point to grasp is that the Information Age has given them and the list brokers so much power that they are faced with ever increasing regulatory threats to their livelihood. Most would rather reap the good times while they last. The most forward-looking will try to analyse the trends and ride them to achieve dominant positions.
One should study in this light how companies heavily dependent on telemarketing reacted to the creation of the so-called national do not call registry, which put a sudden clamp on this channel (see Harris Interactive report).
-4- So far the general consensus in the United States has been favorable to business. If one is unhappy about being targeted by a marketing solicitation, one is merely granted the right to "opt-out" by asking the sender to stop.
James Lloyd's account exposes this consensus for what it is: a fig leaf.
As he so vividly explains, the receiver is entitled to protection from the sender of a mailing piece but not from the broker who rented the address in the first place. Imagine if evening walk lovers were given an anti mosquito repellent which had to be used every time a mosquito makes an attack and would deter only this one mosquito. The national do not call registry addressed this issue, but limited the solution to telemarketing by definition.
But the author fails to mention the most ironic reality of the list trade.
Recall his comments on the propensity of lists to be outdated and the significant costs which go into verifying if their addresses are current, such as first class postage. When a receiver opts out from a list rented by some broker's client, this receiver may actually enhance the value of his or her name to the broker by revealing his or her current address. This assumes the broker's client sells back this information to the broker, which is not necessarily going to happen if we follow James Lloyd's evidence of non-cooperation patterns.
This is of course a well known fact to Internet users: since so much junk mail is sent to addresses automatically generated from dictionaries at no cost to the sender (e.g., adam@target.com, beth@target.com, charles@target.com...), an opt out answer (e.g., by peter@target.com) will establish a valuable real address.
Recalling phishing practices, one will not be surprised some enterprising souls have already created a fake "do not email registry" site to collect real email addresses.
-5- The case does not have much bearing on Internet-based marketing. Yet Response Unlimited is not absent from this field: it proposes 159 lists with email addresses, e.g. one made out of 65,000 names of evangelical Christians. Their price per thousand is actually higher than for more run-of-the-mill lists.
There is a reason however for the lack of emphasis on this direct marketing channel. If left unfiltered, the general level of junk mail and the proportion of messages focused on sex or pharmaceuticals (often both at the same time) are so high that one can assume evangelical Christians might be difficult to reach through unsolicited emails.
-6- It would be an error to conclude that James Lloyd is against using direct marketing in principle. In fact he states that many consumers have declared themselves grateful for the opportunity provided to them by some direct mailing piece.
What he rails against are two unfortunate facts:
- - direct marketing is inherently noisy, with more false positives (wasted mail pieces) than true positives (genuine prospects)
- - list suppliers to direct marketeers appear to benefit from the noise and have therefore little incentive to abate it
Targets would most likely add that, while the list suppliers may not have the interest of their clients at heart, it remains to be seen if, presented with the opportunity to reduce false positives dramatically, direct marketeers themselves would not balk at losing sales by increasing false negatives (good prospects dropped from the list), a trade-off inevitable in pattern recognition.
General Comments:
-1- As with medical data records, the issue is really about who owns customer data:
- the organization which happens to be in possession of the data, or
- the customer whom the data describes and who originated it in the first place, however indirectly
In the first instance, the data is an ordinary category of information goods, to be freely traded on the market.
In the second instance, the organization in possession is merely acting in a fiduciary capacity for each customer. As the overview shows clearly, by using this data beyond the commercial transaction which it supported, the organization would be embezzling its customers' property.
This is not some academic point. The stakes are tremendous:
- in 2004, Euromonitor International estimated the 2003 market size for US direct selling at US$29.6 billion, an economic activity directly dependent on list brokering
- in 2005, EPIC's analysis of the security breach at ChoicePoint shows how much commercial data brokers threaten consumer privacy
- any number of specific crises has the potential for high drama. Besides the Schiavo donors list (see case analysis) and ChoicePoint, here are some cases recently in the news:
Embracing any one position would deliver a severe blow either to the economy or to the voters and amount to political suicide. Unfortunately striking a compromise is bound to reflect some balance of forces more than a consistent theory. As this balance moves over time, federal laws and regulations are made and changed, once a year on average, to say nothing of state laws.
Marketing compliance requires vigilance and anticipation.
-2- In order to make sense of an endless stream of legislation (see Center for Democracy and Technology for a list of bills introduced in 2005), one needs to rely on a few key notions. Of these the most important is the so-called "opt-out/opt-in" choice:
- opt-in approach: a marketing communication will be made only to those who have given their prior consent
- opt-out approach: anyone who objects to receiving marketing communications can order the sender to stop
Because opt-in protects the targets before the fact and communication cannot proceed without action from the target, opt-in is favorable to customers.
Because opt-out protects the targets after the fact, and communication cannot be stopped without action from the target, opt-out is favorable to business.
Opt-out is further rendered toothless by two additional factors:
- numerous exceptions allowing data sharing to continue after opt-out, due to the decentralized nature of many services (e.g., GLBA section 502 (b)2)
- opt-out requires one customer action for each entity engaged in marketing, while leaving commercial data brokers free to get new clients all the time
Overall the United States has adopted opt-out as its preferred choice (e.g., GLBA section 502 (b)) and Europe opt-in.
However, three reasons make it less simple than it seems:
- other key notions, such as what is an "affiliate", inject complex issues into real life cases
- no approach is applied uniformly as the balance of forces varies with the industry concerned, the media channel chosen for marketing and the nature of the target
- there is in fact a third and better way, besides opt-in and opt-out, although it has not received any attention yet
-3- The key notions to master beyond the opt-in/opt-out choice include the following:
- what is "an established business relationship", to prove implicit prior consent for opt-in or to gain opt-out exemption
- what is "an affiliate", a way to extend communication rights to third parties
- what is "a commercial message", the unwanted solicitation targeted by all laws
Most laws and regulations will define such notions explicitly but variations may occur. We will focus for each notion on the law which gives it the greatest emphasis.
For definition of "an established relationship", refer to the regulations 47 CFR 64 section 1200, written pursuant to TCPA:
"The term established business relationship means a prior or existing relationship formed by a voluntary two-way communication between a person or entity and a residential subscriber with or without an exchange of consideration, on the basis of the subscriber’s purchase or transaction with the entity within the eighteen (18) months immediately preceding the date of the telephone call or on the basis of the subscriber’s inquiry or application regarding products or services offered by the entity within the three months immediately preceding the date of the call, which relationship has not been previously terminated by either party."
Three elements come into play:
- the nature of the parties involved: residential, business..., including the type of business when the rule is industry-specific
- the nature of the relationship between the parties: purchase, inquiry...
- the length of time elapsed since
As an illustration of rule variability, a lively debate is under way to fix the exact length of the time lapse or whether a time lapse may in fact occur (see June 2005 FCC's order).
For definition of "an affiliate", refer to GLBA:
"The term ‘‘affiliate’’ means any company that controls, is controlled by, or is under common control with another company."
How "control" is established may be subject to variations. For example the SEC, to whom GLBA granted some regulatory power, defined control in 2000 as "power to exercise a controlling influence over the management or policies of a company whether through ownership of securities, by contract, or otherwise" (Note: the author has not ascertained if this definition is still in force).
For definition of "a commercial message", refer to the regulations 16 CFR 316.3, written pursuant to the CAN-SPAM Act. This section, not reproduced here, defines the primary purpose of a message in great detail to establish whether a message is commercial or not.
Combining key notions, such as "an established business relationship with an affiliate", turns compliance into a complex task which varies over time.
-4- The interplay of competing forces without possibility of clear victory means that the law is fragmented by industry, communication channel and target.
One can easily justify an industry specific approach by the differences in impact between user profile data held by different industries:
- medical data, already covered in chapter II-1 relative to HIPAA,
- financial data, which inspired GLBA,
- credit report data, which inspired FACTA, etc...
Notice that once an industry is regulated for privacy, all profile data held by a specific organization in this industry is normally concerned.
Nothing prevents one organization from being subject to several regulations. For example a mortgage company affiliated with a bank will be subject to FACTA and GLBA.
Even more important is to understand that communication channels used for marketing have received sharply distinct solutions.
- Fax: telemarketing by fax forces the target to spend not only time but money on paper and ink. Fax is especially used by business customers.
For these reasons TCPA has picked opt-in rather than opt-out, thereby providing a higher degree of protection to customers
- Telephone: marketing pressure and outright fraud somehow broke through an annoyance threshold which led to the creation of the Do Not Call Registry (see TCFAPA).
By enabling the consumer to opt-out of marketing calls from all companies in a single action, the FTC suddenly gave teeth to the opt-out approach
- Email: the impossibility to police foreign countries, the risk created by phishing and the preventive use of junk filters have made this channel both freer from effective regulation and less desirable for effective marketing
Ultimately mail remains today the main channel for direct marketing communications, although it is far more expensive than email and less effective than telephone.
The case of children under 13 over the Internet has given rise to yet another special case examined in chapter II-3: Safe Harbors.
-5- ePrio Inc., in which the author of these lines has a majority interest, has in fact developed a third way which eliminates the unpalatable dilemma between hampering the economy or leaving the customers at the mercy of swarming solicitors.
Based on the Internet, ePrio's solution allows marketers to send personalized emails and engage in other forms of personalized advertising without the targeted prospect having to grant possession of his or her profile to anyone at all. In other words each side can have its cake and eat it too.
In particular this solution requires:
- -1- no explicit opt-in action by the customer, such as an explicit declaration of trust, before a personalized marketing interaction can occur
- -2- nor the implicit granting of access to profile information to the marketer or its agent in order for the personalized interaction to occur
- -3- nor the creation of a central database
- -4- nor the granting of decentralized access to each profile to a so-called trusted third party, Big Brother by another name
Fact (1) means that the interest of the marketer is protected from the natural laziness and suspicion of targets, the issue behind opt-in. Adopting ePrio's solution can be seen as one single opt-in action valid for all marketers.
Facts (2), (3) and (4) mean that the interest of the prospect is protected from the collection of any data by anyone, thus making opt-out unnecessary.
It is useful to recall the distinction between two different aspects of marketing:
- direct marketing, which aims at turning prospective targets into customers
- market research, which requires the collection of prospect profiles for in depth analysis
ePrio's solution allows direct marketing to happen without data collection. If they so choose, users can still allow data collection to occur in response to market research inquiries, but this will each time require a user action and should be treated like recruiting users for focus groups, i.e. with some appropriate compensation. Since market research is typically conducted on small market samples, this is not an issue.
There are three major reasons why this approach is ignored today:
- it is an innovation
- it is disruptive, perceived as a threat by those who have invested in marketing contact databases, especially commercial list brokers and other intermediaries
- its effectiveness rests on large scale acceptance by both prospects and marketers, which takes time to achieve
Solutions:
Different laws, as seen in the previous sections, will lead to different solutions. Look beyond for a general methodology, impervious to accidental variations in rule making. Expect to see elements already encountered in previous chapters.
- Designate a person responsible for compliance
See the Safeguarding rule (16 CFR 314.4) implementing GLBA for an explicit mandate: "In order to develop, implement, and maintain your information security program, you shall: (a) Designate an employee or employees to coordinate your information security program."
Even without an explicit mandate, this is a requirement to ensure compliance or to convince anyone that all reasonable measures were taken to this effect.
However it is important to realize the complexity of the associated responsibility. The person in charge must understand:
- the business function being regulated, marketing in the instance
- the practical meaning of the applicable regulations, e.g. what is "an established business relationship"
- the tools, especially the MIS tools, available to carry out the mandate
- the changing nature of all of the above over time, whether from business, law or technical evolution
- Develop appropriate written policies
All laws and regulations are meant to enforce specific conditions on business. This leads to new or revised business procedures. If they were not documented in advance, responsibilities in case of system breakdown could not be assigned either to improve business practices or to assess penalties. Indeed most laws will explicitly include "policy writing" as one of their first conditions.
The same remark made apropos the person responsible for compliance will carry over to policy writing. Effective policies will combine business, regulatory and MIS aspects.
For example an organization which wants to engage in telemarketing can do so if it makes sure MIS guarantees calling lists are "scrubbed" against the appropriate Do Not Call registries. But business considerations might exclude as not worth the extra expense calling prospects in the states whose registry is distinct from the national one.
Included under this heading will be drafting of customer notices and designing of communication channels mandated by law, such as annual privacy policy notices and opt out methods from GLBA.
- Ensure proper operational documentation
While policies are general, few and stable, operational documentation is transactional in nature and accumulates daily.
From the point of view of marketing compliance (e.g. the Telemarketing Sales Rule 16 CFR 310.5), the five most important documentation tasks are to log:
- - established business relationships or other opt-in declarations
- - opt-out requests
- - scrubbing of prospect lists against opt-out registries, from administrations, internal opt-out registries and even industry voluntary registries (see the Direct Marketing Association)
- - actual marketing solicitations
- - actual sharing/selling of customer data (see California Shine the Light law)
Notice that three of these tasks make business sense besides ensuring mere compliance:
- - logging marketing solicitations is essential to measure and improve the yield of marketing campaigns
- - list scrubbing should include steps to remove duplicates and undeliverable messages, thus increasing campaign yield
- - recording established business relationships comes with every sound customer management system
For a forward-looking organization, compliance is only one aspect of best business practices. Being one step ahead of new regulations might even be a source of competitive advantage: instead of reacting under enforced deadlines, one can have the time to optimize the implementation in line with all other business goals.
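The scrubbing and logging tasks listed above, as an added Python example (not code from the original page or from any supplier): it scrubs a calling list against Do Not Call registries, applies the "established business relationship" windows quoted earlier from 47 CFR 64 section 1200, removes duplicates and undialable numbers, and logs one decision per record. The record layout, registry names, inclusive date bounds and the rule that an internal opt-out overrides the exemption are assumptions, and all sample numbers are constructed.

```python
import calendar
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Prospect:
    phone: str
    last_purchase: Optional[date] = None  # latest purchase or transaction
    last_inquiry: Optional[date] = None   # latest inquiry or application
    terminated: bool = False              # relationship ended by either party

def months_before(d, months):  # calendar date `months` months before d, day clamped
    y, m = divmod(d.year * 12 + d.month - 1 - months, 12)
    return date(y, m + 1, min(d.day, calendar.monthrange(y, m + 1)[1]))

def normalize(phone):  # 10-digit US number, or None if it cannot be dialed
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None

def has_ebr(p, call_date):
    # Quoted definition: purchase within 18 months or inquiry within 3 months
    # before the call, relationship not terminated (inclusive bounds: assumption).
    def recent(d, months):
        return d is not None and months_before(call_date, months) <= d <= call_date
    return not p.terminated and (recent(p.last_purchase, 18) or recent(p.last_inquiry, 3))

def scrub(prospects, registries, internal_optout, call_date):
    """Return (numbers cleared to call, audit log with one row per input record)."""
    cleared, log, seen = [], [], set()
    for p in prospects:
        num = normalize(p.phone)
        hits = sorted(name for name, nums in registries.items() if num in nums)
        if num is None:
            decision, reason = "drop", "undialable"
        elif num in seen:
            decision, reason = "drop", "duplicate"
        elif num in internal_optout:  # assumption: an internal opt-out always wins
            decision, reason = "drop", "internal opt-out"
        elif hits and not has_ebr(p, call_date):
            decision, reason = "drop", "registry:" + ",".join(hits)
        elif hits:
            decision, reason = "keep", "EBR exemption over " + ",".join(hits)
        else:
            decision, reason = "keep", "not listed"
        seen.add(num)
        if decision == "keep":
            cleared.append(num)
        log.append((call_date.isoformat(), p.phone, num, decision, reason))
    return cleared, log

# Constructed sample data (fictional 555-01xx numbers), not real registry content.
REGISTRIES = {"national": {"2025550101", "2025550102", "2025550103"}, "state": {"2025550103"}}
INTERNAL_OPTOUT = {"2025550104"}
PROSPECTS = [
    Prospect("(202) 555-0101", last_purchase=date(2004, 1, 10)),  # 17 months back
    Prospect("202-555-0102", last_inquiry=date(2005, 1, 5)),      # 5 months back
    Prospect("1 202 555 0103", last_purchase=date(2005, 5, 1), terminated=True),
    Prospect("202.555.0104", last_purchase=date(2005, 6, 1)),     # opted out internally
    Prospect("2025550105"),
    Prospect("+1 (202) 555-0105"),                                # duplicate of the above
    Prospect("555-0106"),                                         # too short to dial
]

if __name__ == "__main__":
    print(*scrub(PROSPECTS, REGISTRIES, INTERNAL_OPTOUT, date(2005, 6, 15))[1], sep="\n")
```

The returned log is the scrubbing record itself: persisting it alongside the campaign gives both the compliance trail and the yield data mentioned above.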
- Develop Training
Like any business process, nothing of value will come out of a compliance program if the human factor is neglected. For an explicit mandate for training, see Senators Specter and Leahy's "Personal Data Privacy Security Bill" section 402 (b).
Besides employee training, one should mention executive buy in. The more compliance costs are designed to be shared with regular business expenses, the more compliance programs will be supported.
- Integrate Compliance and Risk Management
In the overview, we made the link between the subject matter and risk management. This is because accidents and hostile attacks can lead to the same adverse effects as a lack of formal compliance. The legislator has picked up this fact of life and made the link explicit: see the HIPAA statute in chapter II-1 and the "Personal Data Privacy Security Bill" section 402 (a)3-4 and (c).
Again it is best to deal with risks from an integrated point of view, whether they are against business continuity or customer data privacy. While ensuring business continuity is not a responsibility of the compliance officer, tasks and costs involved share a significant overlap: preventing attackers from taking over the control of online customer databases protects against both disruption of business activities and theft of private data.
Tools available:
Lawyers specialized in corporate law
While the author endeavors to demystify laws and regulations for business men and engineers, it is important to remember that only professional training and practice can inform advice bearing on specific cases.
For example if an organization is part of a large diversified group, a careful determination of what exactly the "established business relationship with an affiliate" clause does allow could lead to profitable marketing programs both legal and imaginative.
list scrubbing
Most tasks require setting or customizing customer management systems, tools which lie outside of our scope. But the existence of Do Not Call registries makes specialized scrubbing tools appealing.
To get a sense of what is on the market, see:
and make a Google search for more list scrubbing suppliers.
privacy policy generators
Privacy policies can be rather formulaic and software tools are available to help generate them. See:
For more information, here is a Google search.
compliance audit services
When an organization needs to reinforce its current compliance program, it can be useful to have it independently assessed. This Google search needs to be refined.
ePrio's technology: beyond opt in and opt out
Finally, for more information about tEC, the Electronic Confident, by ePrio Inc., please see ePrio.
A link to an organisation, public or private, does not represent an endorsement and no compensation has been received nor solicited by the author for its inclusion.