PrivaTalk - June 2001
Volume 1, Issue 5
Spam – An Issue of Legality or E-mail Marketing Etiquette?
Spam is most commonly known as electronic junk mail; some people define it more broadly as any unsolicited e-mail. Close to 20 states have already enacted anti-spam laws, several of which are being challenged in the courts. But many say that legislative efforts are unlikely to stop the growing use of spam.
A proposed U.S. federal law entitled the Unsolicited Commercial Electronic Mail Act of 2001 (H.R. 718) was recently scaled back by the House Judiciary Committee. As passed by the House Commerce Committee in March, H.R. 718 gave ISPs and consumers the power to sue companies or individuals that continued sending spam after having been asked to stop. The bill also required that spam be labelled as such and include the sender's valid e-mail and physical addresses, allowing consumers to opt out of receiving further unwanted e-mail.
The amendments approved by the Judiciary Committee cut out the provisions that would have allowed consumers to sue companies that ignored requests to be taken off their mailing lists. What remains would simply make it illegal for spammers to "spoof" or fake their return e-mail addresses. This does not address the privacy issues related to spam: it does not ensure that the spammer obtained, or is using, the e-mail addresses on its list with consent. The amended legislation essentially says that if you don't lie about who you are, you have the right to send unsolicited e-mail to anyone, whether or not they want it. The bill now moves to the Rules Committee, which will try to reconcile the two versions.
The difficulty in proposing legislation to deal with spam is that there is no clear definition of spam. Some analysts distinguish between unsolicited e-mail from fraud artists and correspondence from legitimate businesses. "Legitimate" junk e-mail typically permits a recipient to remove his or her e-mail address from future mailings by simply clicking on a "reply" button and typing the word "unsubscribe." Fraud artists, on the other hand, often send their junk mail from alias addresses and make it difficult, if not impossible, to unsubscribe from their lists.
The U.S. Chamber of Commerce disputes the notion that commercial e-mail is a privacy issue. A spokesman for the Chamber stated that receiving e-mail may annoy some consumers, but it is no more an invasion of privacy than receiving a letter in the mail. The Chamber supports targeted legislation that would make it illegal to send information via the Internet containing misleading or inaccurate header, contact or routing information, or e-mail text written with the intent to deceive or commit fraud against a consumer. However, it rejects broader legislation that would restrict the ability of businesses to send legitimate commercial e-mail. The problem is that even "legitimate" commercial mail sent to individuals without their consent ignores the right of individuals to control how their information is used. Whether it is e-mail addresses or postal addresses that are used without authorization, there is definitely a privacy concern.
The Canadian government has taken a different approach from the United States – no laws are expected to be introduced or passed that are explicitly aimed at spam, although laws that exist to deal with misrepresentation and fraud could be used to deal with some forms of spam. However, Canada’s new private sector privacy law forces data collectors to notify Web users about who is collecting their data, why it’s being collected and how it will be used. The law thus obstructs junk e-mailers from gathering electronic addresses without consent.
What keeps spammers going despite laws and legal action from ISPs is the low cost of sending spam. A business can flood millions of e-mail boxes for a few hundred dollars (the cost of purchasing bulk e-mailing software and mailing lists). The payoff for a little spam-mail investment can be relatively large in the event that even a few spam victims take up the offer of what is usually a fraudulent claim to help people lose weight or make millions of dollars.
Internet users ultimately pay for spam. It costs ISPs plenty to provide the extra computer servers for the junk e-mail traffic, for the filters that attempt to block spam and for the occasional network crashes that spam proliferations cause.
The challenge for the future is two-fold. First, in my opinion, as long as there is no fraud involved and it is absolutely clear that spam is being sent with the appropriate knowledge and consent of its receivers, this form of marketing is not a problem – the challenge is getting that consent. Second, the amount of spam must be controlled to avoid frustrating Internet communications and commerce.
Opt-out vs. Opt-in in the Canadian Context
There are two opposing philosophies of privacy protection: opt-in and opt-out. Privacy advocates favour opt-in, because companies must get express permission to use, sell, or otherwise manipulate a consumer's personal data. Most industries favour opt-out, which puts the onus on the consumer to read privacy policies and specifically say “don't sell my information.” The reason for the growing popularity of opt-out agreements is obvious – they are profitable because consumers must act in order to prevent their information from being used or shared as the case may be. Studies have shown that consumers won’t bother opting out if doing so involves cost or too much effort. As an example, where a form states that the organization will disclose personal information to a third party unless the individual calls a 1-800 number to object, being put on hold, even if only for 5 minutes, could surely be seen as a scheme that requires too much effort on the part of the consumer.
There has been considerable debate over whether the CSA Code, which makes up Schedule 1 of Canada's private sector privacy law, is too weak on its consent provisions. Clause 4.3.7 states that one of the ways in which consent can be given is by using "a checkoff box to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties." Although the Canadian legislation allows for opt-out consent, Canada's Privacy Commissioner has expressed concern and skepticism about opt-out clauses, claiming that they are often misunderstood by the public. Since "no action" signifies consent, there is always a risk that the individual may simply have overlooked the opportunity to decline and is unaware of having agreed to something. The privacy legislation requires "knowledge and consent": unless a reasonable effort has been made to explain the purposes for which the information will be used, opt-out consent may not be legally binding under the Canadian law. The difficulty is, how does an organization ensure that the person who has not ticked the checkbox has read the purposes and is fully informed of how their information will be used?
A number of opt-out consent factors were presented by the Australian Privacy Commissioner in his recently published Guidelines on the Privacy Amendment (Private Sector) Act 2000, the Act that extends Australia's Privacy Act to the private sector. Some of the conditions given, which if met tend to indicate that an individual's failure to opt out signifies genuine consent, are useful in the Canadian context:
· opt-out is part of a contact that the organization would be making anyway with the individual;
· the individual fully understands the implications of not opting out;
· opting in or opting out is freely available and not bundled with other purposes;
· opting out involves little effort;
· the cost of exercising the opt-out is so low as to be almost immeasurable;
· the consequences of failing to opt-out are harmless; and
· if the individual opts out later, the individual is fully restored to the circumstances he or she would have been in if the opt-out had been exercised earlier.
From a marketing rather than a legal point of view, an opt-in list, where customers have said they want to hear from you, is an incredibly valuable marketing tool. With opt-out, it should always be kept in mind that the customer’s willingness is not a sure thing. A plaintiff in San Francisco recently won a lawsuit against the now-defunct Kozmo.com because Kozmo had sent her additional e-mails after she opted out of their mailing list. Amazingly, Kozmo had sent the customer an e-mail which explicitly acknowledged that she had opted out but also advised her of new Kozmo services and offered her a chance to opt back in. This is an example of a poor e-mail marketing strategy – but one that would not be as offensive with an opt-in list.
Given some of the difficulties in how the Canadian law deals with opt-out, companies should remain cautious about opt-out and keep in mind that it is never as good as opt-in – the customers never really said they want to be contacted by you, just that they will not object to you contacting them…for now.
Ontario led the way with E-commerce Legislation, and it will do the same with Privacy
Ontario took the lead in October 2000 when the province's Electronic Commerce Act 2000 came into force. Next came Manitoba and then Saskatchewan. Just this past month, Prince Edward Island, New Brunswick and Alberta introduced their e-commerce legislation. Nunavut, the Northwest Territories and Newfoundland are the only Canadian provinces and territories that have not yet taken steps to enact such legislation.
E-commerce legislation is designed to reduce legal uncertainty by allowing electronic communications to be used interchangeably with conventional paper-based communications and by ensuring that contracts made electronically are legally binding. The provinces differ slightly in their legislative initiatives, with some adopting Canada’s Uniform Electronic Commerce Act more closely than others. This e-commerce law, adopted in October 1999, is designed to implement the principles of the UN Model Law in Canada.
The flurry of activity has been all in the name of facilitating e-commerce. Canada’s Personal Information Protection and Electronic Documents Act is another law with a similar purpose, although it goes much further by promoting privacy both on-line and off-line. Legally binding electronic documents and privacy protection can only facilitate e-commerce if the rules are similar across the country. There was a great deal of outcry from the legal community when Ontario came up with an e-commerce law that differed fundamentally in some respects from the UN Model Law that was endorsed by Canada.
Now, once again, it looks like Ontario is taking the lead with its own "made in Ontario" privacy legislation, likely to be introduced in the fall of this year. Only this time the government has to meet the test of being "substantially similar" to the federal private sector privacy legislation in order to avoid the federal legislation altogether. The Federal Privacy Commissioner will provide his opinion to Parliament on whether a province meets this test. The Commissioner has provided no clear direction on just how similar he expects provincial legislation to be, but to avoid finding out the hard way, Ontario is unlikely to diverge too drastically in the final version of its privacy law.
Privacy Laws in the United States – Many Moves and No Direction
Privacy and data security issues are getting a great deal of attention from government legislators in the United States. Despite the heated debates over the need for legislation at the national level, many States are not hesitating to take up privacy initiatives. The Direct Marketing Association (DMA) reported in May that 465 privacy-related bills have been introduced in 46 U.S. States this year. The move comes despite growing concern among some State regulators about their ability to effectively address on-line privacy concerns.
Here are a few examples of the kind of legislation being brought to the table:
1) Massachusetts has passed new State privacy rules that will require all of the State's 150 agencies to post a privacy policy by early June. Senator Kerry is also pushing an Internet privacy bill in Massachusetts that would force Internet businesses to post clear privacy policies and give on-line consumers the option not to have any personally identifiable information sold to a third party. For most Internet business transactions, Kerry says, businesses by default should be able to sell the information unless a consumer specifically says it shouldn't be sold. Privacy advocates say such an opt-out scheme lacks teeth.
2) Several bills at various stages in the Texas Legislature deal with electronic record privacy: a bill that seeks to regulate information obtained by medical institutions, how it is retained, used and eventually discarded; a bill that seeks to give Texans the right to know exactly what information, in electronic and paper form, the State has collected about them; and a bill recommending the creation of the Texas Privacy Act that would enforce standards concerning the way State and local governments handle electronic information collected from Texans.
At the same time, with little indication from President Bush on how he leans on the privacy debate, legislators are finding it difficult to build support for a specific measure. The introduction of so many bills and the extreme variations in many of these bills suggests a lack of understanding among elected officials as to what consumers want and need in terms of protection on the Internet.
The Progressive Policy Institute (PPI) recently asked the U.S. Congress to enact federal privacy legislation that would preempt State law and made a number of suggestions in its policy paper entitled "Online Privacy and a Free Internet: Striking a Balance." The report states that overly restrictive privacy regulations could bury many on-line companies that are struggling to find a way to replace fading advertising revenues. The PPI said Congress also should not mandate standards for protecting data or making it available to users – the so-called "access" provision which is dear to many privacy groups. The paper calls for a set of reasonable federal guidelines for penalties that can be imposed on violators, as well as a "safe harbour" for Web sites that participate in approved third party seal programs. A copy of the report may be found at http://www.ndol.org/documents/E-Privacy2.pdf.
With the industry resistance to legislative initiatives, we are unlikely to see U.S. federal privacy laws come to fruition any time in the near future. However, self-regulation initiatives are getting stronger and stronger. Microsoft plans to apply the European Union's tough data privacy rules to its global business. The U.S. software giant will sign up to the Safe Harbor Data Transfer Agreement between the E.U. and the U.S. that allows the transfer of Europeans’ personal data to the United States. Participating U.S. companies that import or process E.U. data must adhere to the following seven principles when conducting business with E.U. consumers: notice, choice, onward transfer, access, security, data integrity and enforcement. Microsoft is also going a step further and using the E.U.’s standards as a basis for its information transfers around the globe. The decision to adopt E.U. data protection rules is a big boost for the European Commission. Recently, the DMA became the first and only trade association to provide a European Union Safe Harbor Enforcement Program free to members, ensuring online and off-line data privacy for European consumers through a third-party dispute resolution mechanism. Companies that participate will be able to display The DMA Safe Harbor Mark.
Although these are positive signs of a commitment to privacy, regardless of the extent of self-regulation efforts, consumer pressures and fears about sharing personal information will continue to bring about an influx of State laws. Whether the differing rules between States will lead to some form of cooperation on questions of jurisdiction or whether federal laws will eventually clean up the mess of laws is hard to tell. What is clear is that businesses outside the United States must not overlook privacy laws or initiatives cropping up at the State level when doing business there.
A Study on the Cost of Complying with Privacy Laws
A U.S. industry-sponsored study took a new approach to the argument against privacy laws by doing a cost analysis and finding that privacy laws will be extremely expensive for business. The Association for Competitive Technology (ACT) (http://www.actonline.com) found that new rules, as proposed in various privacy bills that have been released in the United States could cost businesses between $9 billion and $36 billion. Economist Robert Hahn (Director of the American Enterprise Institute-Brookings Joint Center for Regulatory Studies) gathered data from 17 information-technology consulting firms, who were asked to estimate how much they would charge if involved in helping organizations make the changes to their information systems as would be required under several pending bills. The bills generally would require companies with websites to give consumers access to whatever personal information is collected about them and the opportunity to change or remove it. These are also among the requirements that federally regulated companies in Canada currently face and that all Canadian businesses will face in the next few years.
Based on the 17 estimates from consulting firms in ten states, the study assumes $100,000 as the average primary cost of compliance tracking software in the United States. One reason software development would be so costly is the strict access requirements in many privacy bills, which will result in websites giving on-line access to website databases that would need to be secure. Based on a study by eMarketer, the number of active commercial websites was estimated to be around 3.7 million. According to the Federal Trade Commission, 97% of commercial websites collect personal information, so the proposed laws could affect as many as 3.6 million websites.
For an initial estimate, Mr. Hahn assumes that only 10% of businesses would make the investment in their websites and related systems to track all uses of personal information and the choices made by users. This was partly assumed because the size of the business and the registered customer base could affect a business’s decision to implement costly regulations. This results in around 360,000 businesses spending $100,000 each, for a total cost of $36 billion. As a more conservative estimate, the study assumes that only 5% of businesses (180,000) would make the $100,000 investment in tracking systems for their websites, resulting in a total cost of $18 billion. As a lower bound estimate, Mr. Hahn assumes that only those businesses with more than 100 employees would continue to collect and share personal information they collect on-line. Under this scenario, the legislation would only apply to 94,000 companies, and would cost $9 billion.
Hahn admits that this approach is not perfect and most definitely requires further research. However, he emphasizes the need to quantify the costs and benefits of proposed legislation using the most reliable numbers that can be found.
ACT is an advocacy group for the technology industry funded by Microsoft Corporation. Microsoft and other large companies have been seeking to foster doubts about potential privacy laws being debated by Congress, as they continue pushing to show that on-line privacy need not be regulated.
A study commissioned by the Financial Services Roundtable recently made similar arguments, finding that the U.S. Gramm-Leach-Bliley Act will cost its member firms more than $400 million. Banks, credit card companies and other financial institutions have until July 1st to start notifying customers annually about how their personal data is used. The costs include the millions of privacy notices that have to be sent out, fulfilling customer requests not to have their data shared, and evaluating new products and marketing campaigns to ensure compliance with the law's provisions.
The argument thus appears to be that laws that cost far more than they provide in benefits to consumers are generally counterproductive. Although this seems logical, there are some major flaws that cannot be ignored. Developing systems that support compliance means large initial costs for business that hopefully taper off substantially over time. Meanwhile the benefits of increased customer control over their information and hence customer trust will be felt more and more as companies that don’t take compliance seriously are singled out. We need to look at the implications years from now, and not just the immediate costs and benefits. The privacy laws being introduced around the world may be far from perfect, but they are a good initial step. The long term costs of privacy laws on business are just as difficult to measure as the cost associated with a lack of legislation – linked to customers being wary about sharing information and buying on-line.
Privacy and Security Issues in the Wireless World
Wireless privacy and security issues are quickly moving to the forefront as consumers begin to do their banking on cell phones and use their hand-held devices for confidential communications. The Bank of America predicts that the world will have 400 million wireless users in the year 2003. In 2000, the first viruses and Trojan horses targeting hand-held devices were detected as hackers began to show an interest in the wireless world. Many companies now give their employees access to corporate information through wireless local area networks (LANs), which have been shown to leave corporate systems exposed to security and privacy risks. Most companies wouldn't even know if corporate information were being captured by a passive eavesdropper on the wireless LAN.
A major problem in wireless security is known as the WAP gap. WAP stands for Wireless Application Protocol, an emerging standard that lets surfers access Web-formatted information on their hand-held devices. Data sent from a WAP handset is encrypted only as far as the WAP gateway that sits between the wireless network and the Internet: the gateway decrypts the wireless-side session and re-encrypts the data for the Internet leg, so for a brief moment the information sits in the gateway's memory in the clear, where a compromised or dishonest gateway could read it. For any sensitive data, an additional layer of encryption between the handset and the destination server is therefore a must; a wide variety of products are available to scramble such transmissions automatically. Networks and protocols are not the only weak links. The hand-held devices themselves (cell phones, Palms) introduce security risks. Most don't adequately encrypt the data that resides on them. While these devices may have basic password protection, very few are protected by a smart card that would strongly secure a lost hand-held against information theft. Off-the-shelf encryption software for Palms and other PDAs (personal digital assistants) can be purchased, but it is not nearly as effective as the software you can buy for a PC, because of the physical limits of the wireless device: limited battery power and limited memory.
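The two-hop picture above can be made concrete in code. The following Python script is an added example written for this page, not code from the original newsletter or from any WAP vendor. It models a handset, a WAP gateway and a bank server, with a toy HMAC-SHA256 keystream cipher standing in for both WTLS (handset to gateway) and SSL/TLS (gateway to server); the real protocols negotiate keys and use proper record formats, and the fixed keys, nonces and sample transaction here are all constructed for the demonstration. It shows what the gateway can read when the handset relies on hop-by-hop encryption alone, and what it can read when the handset wraps the payload in its own application-layer encryption first.

```python
"""Hop-by-hop vs end-to-end encryption across a WAP-style gateway (toy model).

The two hops stand in for WTLS (handset <-> gateway) and SSL/TLS (gateway <->
Internet server). The cipher is a toy HMAC-SHA256 keystream XOR so that the
script runs with the standard library only; it is NOT WTLS, TLS or a cipher
anyone should deploy. Keys and nonces below are constructed constants.
"""
import hashlib
import hmac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call decrypts (symmetric toy)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


decrypt = encrypt

# Constructed keys standing in for the negotiated WTLS and TLS session keys,
# plus an application-layer key shared only by the handset and the bank.
K_WTLS = hashlib.sha256(b"handset<->gateway session").digest()
K_TLS = hashlib.sha256(b"gateway<->server session").digest()
K_APP = hashlib.sha256(b"handset<->bank application key").digest()
N_WTLS, N_TLS, N_APP = b"wtls-rec-1", b"tls-rec-1", b"app-rec-1"


def wap_gateway(record: bytes, observed: list) -> bytes:
    """Terminate the WTLS hop and originate the TLS hop.

    Whatever WTLS decryption yields sits in the gateway's memory in the clear
    before it is re-encrypted: that is the WAP gap. `observed` collects
    exactly those bytes, i.e. what an attacker on the gateway would see.
    """
    cleartext_in_gateway = decrypt(K_WTLS, N_WTLS, record)
    observed.append(cleartext_in_gateway)
    return encrypt(K_TLS, N_TLS, cleartext_in_gateway)


def send_hop_by_hop(message: bytes):
    """Handset relies on WTLS + TLS only. Returns (server reads, gateway saw)."""
    observed = []
    to_gateway = encrypt(K_WTLS, N_WTLS, message)
    to_server = wap_gateway(to_gateway, observed)
    at_server = decrypt(K_TLS, N_TLS, to_server)
    return at_server, observed[0]


def send_end_to_end(message: bytes):
    """Handset adds an application-layer envelope under K_APP before WTLS.

    The gateway still decrypts the WTLS hop, but recovers only the application
    ciphertext; the server peels TLS, then the application layer.
    """
    observed = []
    envelope = encrypt(K_APP, N_APP, message)
    to_gateway = encrypt(K_WTLS, N_WTLS, envelope)
    to_server = wap_gateway(to_gateway, observed)
    envelope_at_server = decrypt(K_TLS, N_TLS, to_server)
    at_server = decrypt(K_APP, N_APP, envelope_at_server)
    return at_server, observed[0]


if __name__ == "__main__":
    msg = b"PAY acct=12345678 amount=250.00"  # constructed sample transaction
    for name, fn in (("hop-by-hop", send_hop_by_hop), ("end-to-end", send_end_to_end)):
        at_server, gateway_saw = fn(msg)
        print(f"{name:10s} server reads: {at_server!r}")
        print(f"{name:10s} gateway saw : {gateway_saw!r}")
```

Run it directly to see both cases printed. The design point is not the cipher but where plaintext exists: any intermediary that terminates one secure session and originates another holds the cleartext, however briefly, so the only way to keep it away from the gateway is a key the gateway never has, which is exactly the extra encryption layer the text calls for.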
With respect to privacy, wireless location-tracking technologies have received a great deal of attention and are sure to lead to "mobile spam". A new U.S. federal law requires wireless phone companies to have technology in place by October of this year to locate cell phone users making 911 calls. Among other things, the legislation forbids cellular carriers, which have access to this location information, from using it in any way without the explicit consent of individual cell phone users.
But as web-enabled PDAs and cell phones merge into single devices and carry location-driven applications, such as services that flash advertisements on a PDA when users pass stores having sales, or services that alert users to traffic conditions, privacy advocates are eager to make sure that this information cannot be freely distributed. The 911 provision applies to wireless carriers, but it does not necessarily address application providers.
Although such mobile commerce applications are not yet deployed, the wireless application providers that offer them are likely to generate significant additional revenue, but the privacy implications could scare off consumers. These providers are pushing for self-regulation; however, the privacy standards advocated by many companies in the industry and by wireless trade groups such as the Cellular Telecommunications Industry Association in Washington appear to be more rigorous than those supported in the wired world. They suggest requiring end users to "opt in" by actively contributing to data collection and explicitly consenting to its use, as opposed to the opt-out standard where users must actively refuse the collection or else give up their privacy. If the default setting for location blocking on wireless devices is "on", this will resolve many of the wireless privacy issues of concern.