DMA's Marketing Online Privacy Principles and Guidance
While the DMA's Guidelines apply to marketing in all media, the following principles and illustrations highlight issues unique to online and Internet marketing. They cover:
Online Notice and Opt Out
All marketers operating online sites, whether or not they collect personal information online from individuals, should make available their information practices to consumers in a prominent place. Marketers sharing personal information that is collected online should furnish individuals with an opportunity to prohibit the disclosure of such information.
The Online Notice
The notice should be easy to find, easy to read, and easy to understand.
A marketer should post its notice so as to readily enable the consumer to learn about the marketer's information practices in a manner that permits a consumer effective choice over the collection and disclosure of personal information.
A marketer operating a World Wide Web site that collects personal information from individuals who visit it could post notice of its information practices on its home page or on the page where information is collected (e.g., survey questionnaire).
A marketer could provide an icon on its home page that, when clicked, will furnish the consumer with access to additional screens disclosing the marketer's information practices.
The notice should identify the marketer, disclose an e-mail and postal address at which it can be contacted, and state whether the marketer collects personal information online from individuals. If the marketer collects personal information online, the notice should contain disclosures about:
The nature of personal information collected with respect to individual consumers.
Depending on the circumstances, information collected about a consumer may include:
For example, a marketer could include language such as:
The information may be used, for example, to ensure that a consumer is properly billed, for marketing by e-mail, or for evaluating and understanding consumer reactions to content, services, or merchandise offered online. It also may include using the consumer's name and address for marketing by mail or other media.
For example, a marketer could include language such as:
An opt out will traditionally be the means offered to consumers to limit the disclosure of information collected about them.
The Means of Opting-Out
All marketers sharing personal information that is collected online should furnish consumers with the opportunity to opt out from the disclosure of such information. The notice and opt out process should enable consumers to request that their personal information not be rented, sold, or exchanged.
Marketers' notices should clearly and accurately inform consumers of their opt out choices (e.g., tranfer of all information to third parties, contact by third parties in a particular medium, re-contact by the marketer, etc.)
Marketers should suppress in a timely fashion the personal information of individuals who request that their personal information not be rented, sold, or exchanged.
Whenever possible, marketers should provide consumers with the opportunity to opt out via e-mail.
In opting out from lists used for online solicitation purposes, consumers may also seek to opt out from solicitations in other media, such as mail or telemarketing. Marketers should honor these consumer requests for opt-outs from solicitations in other media.
Click here for an illustration of DMA's Web Site Privacy and Opt Out Policy. DMA's notice is limited because the type of consumer information collected at the site is limited. If, for example, sales were transacted or a chat room were sponsored at the site, then the notice would require additional disclosures.
Unsolicited Marketing E-Mail
1. On-line solicitations should be posted to newsgroups, bulletin boards, and chat rooms only when consistent with the forum's stated policies.
To facilitate adherence to this principle, forum operators should publicize their policies regarding solicitations in their forums, for example, "We would like to send offers for valuable services and products that may be of interest to consumers."
Marketers should inquire about the forum's policies before directing online e-mail solicitations to the forum.
2. On-line e-mail solicitations should be clearly identified as solicitations and should disclose the marketer's identity. Marketers using e-mail should furnish consumers with whom they do not have an established business relationship with notice and a mechanism through which they can notify the marketer that they do not wish to receive future on-line solicitations. Marketers using e-mail should furnish consumers with whom they have an established business relationship with notice and a mechanism through which they can request that the marketer suppress their e-mail addresses from lists or databases rented, sold, or exchanged for on-line solicitation purposes.
Online solicitations should be identified in a way that allows recipients to readily recognize them as solicitations.
For example, a marketer should use clear language, such as "End-of-Season Sale," that ensures that -- without reading more than the first paragraph -- a consumer will recognize the e-mail message as a solicitation.
The identifying information in the solicitation should include the name of the marketer making the solicitation and an e-mail address, postal address, and telephone number at which it can be contacted.
For example, a marketer could say, "Here's how you can reach us ... (name, address, etc.)."
Marketers should have systems in place that will honor consumer requests to not receive future online solicitations or, in the case of consumers with whom they have an established business relationship, to have their e-mail addresses removed from their lists or data bases that are made available for rental, sale, or exchange for online solicitation purposes.
For example, a marketer could say, "We value our relationship with you and if you wish to opt-out of receiving further e-mail advertisements, let us know. To get on our opt-out list, all you have to do is send an "unsubscribe" message to ..."
Whenever possible, consumers should be provided with the opportunity to opt out via e-mail. Marketers should identify where consumers are invited to send such opt-out e-mail requests, particularly if the e-mail address is different than the one from which the marketing e-mail solicitation is sent.
Because of the unique characteristics of automated mailing lists (e.g., listservs), subscribers to such lists cannot individually opt out if the list manager permits online solicitations to be directed to its subscribers. This prevents a marketer from suppressing online solicitations to some subscribers of a listserv but not to others. Consequently, a marketer directing online solicitations to subscribers of an automated mailing list should honor the list manager's stated policies regarding online solicitations. To facilitate adherence to this principle, managers of automated mailing lists should identify themselves and make their policies known to marketers and their agents prior to a solicitation. Marketers should also ask about policies that effect them.
3. Any person who uses for on-line solicitation purposes e-mail addresses or screen names collected from the on-line activities of individuals in public or private spaces should see to it that those individuals have been offered an opportunity to have this information suppressed.
Ideally, marketers using e-mail addresses and related information they have harvested should provide consumers with an opportunity to opt out prior to using the information for online solicitations.
For example, a marketer could say, "We see that you frequent the ( ) site -- we'd like to send you offers of (computer equipment). If you don't want to receive these offers, just let us know."
When using lists of e-mail addresses harvested by others, marketers should ensure that consumers have already been offered an opportunity to have their e-mail addresses and related information removed. Marketers should contractually require the sellers of harvested lists to contain the e-mail addresses of only persons who did not respond to a notice and opportunity to opt out.
4. Marketers who operate chat areas, newsgroups, and other public forums should inform individuals using these spaces that information they voluntarily disclose in these areas may result in unsolicited messages to those individuals by others.
For example, a marketer may inform visitors to a Web site with a message board that: "You should be aware that when you voluntarily disclose personal information (such as your screen name) in our message boards or other public areas, your information can be collected and used by others."
Marketers should also support industry and other efforts to help educate consumers about ways to protect their privacy online.
5. All persons involved in the use, rental, sale or exchange of lists and data for on-line solicitation purposes should take reasonable steps to ensure that such sharing of lists and data adheres to these industry principles. Industry groups should take appropriate steps to encourage their members to follow these principles.
For example, marketers should incorporate these principles into their list rental contracts and should furnish these third parties with a copy of DMA's Guidelines for Ethical Business Practice.
Online Data Collection from or about Children
This section contains additional principles that apply to online activities that are directed primarily at children who, more so than adults, may not understand the nature of information elicited from them nor the uses to which the information may be put. Because of this difference in maturity, marketers operating online or Internet sites directed primarily at children should encourage parents to share in and monitor their children's online experiences.
1. In making decisions whether to collect data from or communicate with children on-line, marketers should take into account the age, knowledge, sophistication, and maturity of their intended audience.
For example, marketers should encourage young children to obtain their parents' permission, using language such as "Your mom or dad should say it's okay for you to answer these questions."
2. Marketers should be sensitive to parents' concerns about the collection of their children's names, addresses, or other similar information, and should support the ability of parents to limit the collection of such data for marketing purposes through notice and opt out.
Marketers should encourage children to consult with their parents before furnishing data.
Marketers should also support industry and other efforts to help educate parents about ways to protect their children's privacy online, including informing them about software tools and parental access controls that prevent their children from disclosing their name, address, or other personal information.
DMA's Web site, for example, hosts a special For Parents section on its Consumer Assistance page, which informs parents of the various software packages available for helping parents provide a kid-friendly Internet for their children. Marketers could hyperlink to this page.
3. In conjunction with supporting the ability of parents to limit the collection of such data online, marketers should limit the use of data collected from children in the course of their online activities to the promotion, sale, and delivery of goods and services, the provision of all necessary customer services, the performance of market research, and other appropriate marketing activities.
4. Marketers should also effectively explain that the information is being requested for marketing purposes.
For example, a toy manufacturer's disclosure to young children might state: "If you give us your e-mail address, we will tell you when new ____ arrive at the stores, but it's important that you ask your parents if that's okay."
The same toy manufacturer's disclosure to parents might say: "Information collected from children at this site is used only to understand their preferences among products and to notify the children of new toys."
5. Marketers should implement strict security measures to ensure against unauthorized access, alteration, or dissemination of the data collected on-line from children.
[Marketers should consult DMA's Guidelines for Personal Information Protection (Articles 7, 8, and 9) for suggested measures that should be taken to ensure security. These articles lay out the guidelines direct marketers should follow for the security of personal data; for authorization of visitors to areas where personal data are processed and stored; and for secure transfer of data.]
Copyright © 1997 Direct Marketing Association, Inc.