Direct Marketing Association’s Online Marketing Guidelines and Do the Right Thing Commentary
The following guidelines cover Online Information for your Web site, approved by the DMA Board of Directors in October 2001, and Commercial Solicitations Online, approved by the Board in January 2002. The Online Information Guidelines cover:
The Commercial Solicitations Online Guidelines cover sending commercial e-mail, including under what circumstances e-mail can be sent, the use of e-Mail Preference Service, and clear identity of the sender.
Online Information Guidelines
Notice to Online Visitors
- If your organization operates an online site, you should make your information practices available to visitors in a prominent place on your Web site's home page or in a place that is easily accessible from the home page. The notice about information practices on your Web site should be easy to find, read, and understand so that a visitor is able to comprehend the scope of the notice. The notice should be available prior to or at the time personally identifiable information is collected.
- Your organization and its postal address, and the Web site(s) to which the notice applies should be identified so the visitor knows who is responsible for the Web site. You also should provide specific contact information so the visitor can contact your organization for service or information.
- If your organization collects personally identifiable information from visitors, your notice should include:
  - The nature of personally identifiable information collected about individual visitors online, and the types of uses you make of such information, including marketing uses that you may make of that information.
  - Whether you transfer personally identifiable information to third parties for use by them for their own marketing and the mechanism by which the visitor can exercise choice not to have such information transferred.
  - Whether personally identifiable information is collected by, used by or transferred to agents (entities working on your behalf) as part of the business activities related to the visitor’s actions on the site, including to fulfill orders or to provide information or requested services.
  - Whether you use cookies or other passive means of data collection, and whether such data collected are for internal purposes or transferred to third parties for marketing purposes.
  - What procedures your organization has put in place for accountability and enforcement purposes.
  - That your organization keeps personally identifiable information secure.
- If you knowingly permit network advertisers to collect information on their own behalf or on behalf of their clients on your Web site, you should also provide notice of the network advertisers that collect information from your site and a mechanism by which a visitor can find those network advertisers to obtain their privacy statements and to exercise the choice of not having such information collected. (Network advertisers are third parties that attempt to target online advertising and make it more relevant to visitors based on Web traffic information collected over time across Web sites of others.)
- If your organization’s policy changes materially with respect to the sharing of personally identifiable information with third parties for marketing purposes, you will update your policy and give consumers conspicuous notice to that effect, offering an opportunity to opt out.
Honoring Choice
You should honor a visitor's choice regarding use and transfer of personally identifiable information made in accordance with your stated policy. If you have promised to honor the visitor's choice for a specific time period, and if that time period subsequently expires, then you should provide that visitor with a new notice and choice. You should provide choices of opting out online. You may also offer opt-out options by mail or telephone.
Providing Access
You should honor any representations made in your online policy notice regarding access.
Data Security
Your organization should use security technologies and methods to guard against unauthorized access, alteration, or dissemination of personally identifiable information during transfer and storage. Your procedures should require that employees and agents of your organization who have access to personally identifiable information use and disclose that information only in a lawful and authorized manner.
Visitors Under 13 Years of Age
If your organization has a site directed to children under the age of 13 or collects personally identifiable information from visitors known to be under 13 years of age, your Web site should take the additional steps required by Article #15 of the Guidelines for Ethical Business Practice and inform visitors that your disclosures and practices are subject to compliance with the Children's Online Privacy Protection Act.
Accountability
There should be a meaningful, timely, and effective procedure through which your organization can demonstrate adherence to your stated online information practices. Such a procedure may include: 1) self or third party verification and monitoring, 2) complaint resolution and 3) education and outreach. This can be accomplished by an independent auditor, public self-certification, a third party privacy seal program, a licensing program, membership in a trade, professional or other membership association or self-regulatory program, or being subject to government regulation.
Do the Right Thing Commentary for the Online Information Guidelines
The following is staff advice given to marketers to help comply with the ethics guidelines, including comments on what the ethics guidelines mean and various ways to comply with them.
Notice to Online Visitors
1. If your organization operates an online site, you should make your information practices available to visitors in a prominent place on your Web site's home page or in a place that is easily accessible from the home page. The notice about information practices on your Web site should be easy to find, read, and understand so that a visitor is able to comprehend the scope of the notice. The notice should be available prior to or at the time personally identifiable information is collected.
Comment:
One of the best ways to provide notice to consumers is to have a privacy icon or symbol on your home page that would link to your company's privacy policy. The icon could note "click here for our privacy policy" or words to that effect.
Notice does not have to be on every page of your Web site in order to be conspicuous to consumers, but linking at all points where personally identifiable information is collected is the best way to ensure consumers will see your notice.
"Easy to find, read and understand" basically means that your policy notice is available from your Web site's home page in readable print, not obscured by design elements, and that your privacy policy is written in plain English.
Marketers need provide notice only if information about consumers is personally identifiable information, not if you just use aggregate data to help make improvements to your site.
Questions to Ask:
Do you have a link to your policy in a prominent place or places on your Web site?
Do you believe that the average consumer would view your privacy policy as prominent and easily accessible from your Web site's home page?
Have you written your policy in plain, easy-to-read English so that it is understandable at a high school level?
Are the print, format, and design of the text easy to read?
2. Your organization and its postal address, and the Web site(s) to which the notice applies should be identified so the visitor knows who is responsible for the Web site. You also should provide specific contact information so the visitor can contact your organization for service or information.
Comment:
It increases consumer confidence to know your company's address. If consumers know where a company is physically located, they can more easily verify that the site they are viewing is the authentic Web site of your company. (Fraudulent operators can copy sites of reputable companies, harming both consumers and legitimate businesses.)
Listing a physical address separates legitimate businesses from those who may be disreputable and do not want to be found. Law enforcement is facilitated when a physical address is listed, thus helping legitimate businesses as well.
Consumers may need to contact your company for any of the following: to inquire about the status of a purchase they made, to seek help with a service problem, to get more information about one of your services (or for other reasons). If your company has different contacts for different purposes, you should list all of them on your Web site. Online contact information should be available since the consumer is presumably disposed to do business online.
Questions to Ask:
Does your Web site include your company's physical address?
Is it clear to consumers who is responsible for your Web site?
Does your site include specific contact information which consumers can use to get their questions or concerns answered or to get the service they require?
3. If your organization collects personally identifiable information from visitors, your notice should include:
The nature of personally identifiable information collected about individual visitors online, and the types of uses you make of such information, including marketing uses that you may make of that information.
Comment:
Consumer confidence is increased if consumers know what information is collected and how that information will be used.
The DMA's Online Privacy Policy Generator can assist you with developing your privacy notice. Your notice is essentially completed after answering a series of questions based on your company's information practices. This online tool can be found at www.the-dma.org/privacy/creating.shtml.
The DMA has also developed the Children's Privacy Policy Generator to meet the notice requirements of the Children's Online Privacy Protection Act (www.the-dma.org/library/privacy/childrensppg.shtml), and the GLB Privacy Policy Generator to meet the notice and opt-out requirements of the Gramm-Leach-Bliley Act (www.the-dma.org/privacy/glbppg.shtml).
Personally identifiable information would include, for example:
e-mail addresses of visitors to your Web site;
e-mail addresses of those who post messages to your bulletin board;
e-mail addresses of those who communicate with your company via e-mail;
e-mail addresses of those who make postings to your chat areas;
user-specific information on what pages consumers access or visit; and
information volunteered by consumers, such as survey information and/or site registrations. (Information obtained in this way could include gender, age range, presence of children, presence of pets, income range, etc.)
Information collected could be used by you in many different ways, among them:
for internal review and then discarded;
to improve the content of your Web page;
to customize the content and/or layout of your page for each individual visitor;
to notify visitors about updates to your Web site;
by your company to contact consumers for marketing purposes; and
given to other marketers or to agents.
Questions to Ask:
Does your Web site notice clearly describe what personally identifiable information is collected?
Does your notice state, in easily understandable terms, how each type of information will be used by your company?
Whether you transfer personally identifiable information to third parties for use by them for their own marketing and the mechanism by which the visitor can exercise choice not to have such information transferred.
Comment:
If it is the case, consumers should understand that other marketers, besides your company, are using data about them. In order to gain consumer confidence and trust, marketers should focus on providing clear notice to consumers, and the opportunity for consumers to opt out of having information about them transferred to other marketers.
Third parties who could be the recipient of personally identifiable information and use the data for their marketing could be unrelated entities, but could also include company affiliates, marketing partners, and cooperative databases.
Requests for opting out of having information transferred should be honored promptly.
Questions to Ask:
Does your Web site notice clearly explain whether personally identifiable information is transferred to third parties?
Does the notice explain what relationship the third party marketers have with your company, for instance, an affiliate, a marketing partner, or a member of a cooperative database?
Does your notice explain how consumers may request that information not be transferred?
Do you have systems in place for promptly acknowledging and processing opt-out requests to prevent transfer to other marketers?
Are the staff who handle customer service properly trained to identify and respond to such requests?
Whether personally identifiable information is collected by, used by or transferred to agents (entities working on your behalf) as part of the business activities related to the visitor’s actions on the site, including to fulfill orders or to provide information or requested services.
Comment:
"Agents" are the people working directly for you to serve and support your relationship with your customers. They are not the same as third party marketers.
Agents include such service entities as delivery companies, print and lettershops, computer service bureaus, ad servers, fulfillment houses, credit card processors, and other companies working on the marketer's behalf to provide information or service to consumers.
Consumers should be told that information has to be transferred to other entities so their orders and requests can be fulfilled.
Marketers need to give notice of information transfer to agents, but do not need to give consumers the opportunity to opt out of transferring data to support their own orders. That is because opting out could not be honored, since transfer must take place in order for fulfillment and customer service to take place.
Questions to Ask:
Does your Web site notice clearly explain whether personally identifiable information is collected, used by or transferred to agents?
Does the notice explain that these are entities working on your behalf to fulfill consumers' requests?
Whether you use cookies or other passive means of data collection, and whether such data collected are for internal purposes or transferred to third parties for marketing purposes.
Comment:
"Cookies" tag information about individuals and what they do online: a "cookie" is a note your Web site feeds to the consumer's computer when the consumer visits your site. If that computer returns to your site, your site will "recognize" the computer and you can present a targeted message or offer, based on past behavior.
Cookies and other passive data collection tools, including Web "bugs," "bots," and "spiders," are often portrayed negatively and as intrusive to consumers' privacy. When these tools are used without consumer knowledge, consumers can be concerned that information is collected and used without their knowledge. Therefore, it is important for marketers to explain to consumers the positive ways in which cookies are utilized, and how consumers can benefit from their use. For example, cookies are used to personalize their visits, remember their preferences, or help tag items for their shopping baskets.
Your notice should include not only how your company uses cookies, but whether information gained from cookies is made available to others for marketing purposes.
Your notice should also inform consumers that, if they choose to, they can stop cookies by a setting in their browser.
Questions to Ask:
Does your Web site notice state whether you use cookies or other passive means of collecting personally identifiable information?
Does your notice state what you use the personally identifiable information collected from cookies for?
Do you state whether you use information gleaned from cookies for internal purposes only, or are the data transferred to other marketers?
What procedures your organization has put in place for accountability and enforcement purposes.
Comment:
The Federal Trade Commission and the European Union, among others, have identified the concept of "accountability" as one of the main "Fair Information Practices." Accountability means that you have a process in place that you follow to make sure you adhere to your privacy policy. It also means that if there is a privacy breach, there is an enforcement mechanism in place to fix the problem.
This process and mechanism could be either internal or handled by some other entity you use to oversee adherence to your privacy policy. Such third party entity could include the Council of Better Business Bureaus, TrustE, or The DMA.
Your Web site notice should include a specific contact within your company, and/or the third party entity, for a consumer to contact regarding a question or problem with your privacy policy.
Questions to Ask:
Does your Web site's notice include a contact consumers can use internally if they feel you are not living up to your privacy policy?
Does your notice include what, if any, third party enforces your privacy policy on your behalf, including how to contact that entity in case of a dispute regarding your handling of personally identifiable information?
That your organization keeps personally identifiable information secure.
Comment:
One of the biggest barriers to consumers conducting commerce online is the fear that information about them, especially sensitive financial information, may not be secure, and that they could be harmed by such crimes as credit card or identity fraud. You should, therefore, reassure consumers for the benefit of your company as well as the general wellbeing of the industry, that your company places a high priority on data security.
Without divulging the particulars of how your company keeps information secure, your notice should indicate that you use up-to-date security protocols, both internally, such as keeping data physically secure, and externally, as when data may be transmitted or shared with others.
Questions to Ask:
Do you have in place reasonable protocols and technologies to protect data in storage and in transit?
Does your Web site explain to consumers in a reassuring way that personally identifiable information is kept securely?
4. If you knowingly permit network advertisers to collect information on their own behalf or on behalf of their clients on your Web site, you should also provide notice of the network advertisers that collect information from your site and a mechanism by which a visitor can find those network advertisers to obtain their privacy statements and to exercise the choice of not having such information collected. (Network advertisers are third parties that attempt to target online advertising and make it more relevant to visitors based on Web traffic information collected over time across Web sites of others.)
Comment:
Consumers should be informed about third party network advertisers that collect data on your Web site. Likewise, they should be informed whether such data collected are transferred to third parties for marketing purposes.
Third party network advertisers (also known as ad servers) should be specifically named, so that a visitor to your Web site knows who to contact to get information about that network advertiser's privacy policy and to opt out, if desired.
Third party network advertisers' privacy policies themselves do not have to be included on your company's Web site; a link to each company and its policy is a recommended way of accomplishing consumer notice.
As with cookies, it is recommended that you explain to consumers the purpose of allowing third party network advertisers to collect information on your site. (Unlike cookies, which visitors cannot see, "banner" or "pop-up" ads are quite visible; they are, in fact, designed to attract visitor attention and have the visitor click through for more information on the subject of the ad.) Visitors should be informed of benefits to them, such as providing a more positive shopping experience.
Questions to Ask:
If you have relationships with network advertisers who collect information from your Web site, does your notice clearly state that this is the case?
Does your Web site notice disclose who the network advertisers are, and provide a contact point for visitors to read their privacy policies and have the chance to opt out of information collection by each ad server?
Does your Web site contain a link to network advertisers' privacy policy notices?
5. If your organization’s policy changes materially with respect to the sharing of personally identifiable information with third parties for marketing purposes, you will update your policy and give consumers conspicuous notice to that effect, offering an opportunity to opt out.
Comment:
"Doing the right thing" when there is a major change in your privacy policy means alerting consumers to any change that would affect the previous choices they made, and giving them the opportunity to react to the new policy.
A material change, from the consumer perspective, is one where there are fewer restrictions placed on sharing personally identifiable information with third parties for marketing purposes. For instance, your policy may change from not sharing information with other marketers, to renting lists of customer names to other marketers. Or, you may begin participating in a cooperative database, in which personally identifiable information is shared with other catalogers.
Marketers immediately incur additional business risks if their policies become less restrictive. Therefore, you should be prudent in making sure that you let visitors know as soon as possible about any less restrictive privacy policy. Make sure that you do not use personally identifiable information collected under the new policy until you have provided notice and allowed a reasonable time period for consumers to opt out of having information shared from that time forward. Thirty days is a reasonable time for consumers to respond to your notice.
Your policy cannot be changed retroactively; in other words, data collected under your old policy cannot be used as per your new policy without notice to the consumer.
At a minimum, you should post clear and conspicuous notice on your Web site that alerts visitors to the policy change. Other ways of "conspicuously" notifying consumers include, for example, "pop-up" notices or flashing signs on your Web site which serve to inform returning visitors to click onto your new privacy policy, or sending e-mail notices to consumers.
You can assume after a reasonable time period that consumers who have not opted out do not object to the new policy. Notwithstanding this, however, it may be more prudent to honor the consumer's choice regarding data collected under your old policy if you don't hear from the consumer.
Requests for name removal should be honored promptly.
Questions to Ask:
Do you have a mechanism or system in place for promptly notifying consumers of any material change in your privacy policy?
Does your new notice clearly explain the nature of the change?
Do you allow enough time (at least 30 days) for consumers to review the notice and respond with an opt-out request, if they desire?
Do you have a system for tracking consumers who let you know that they do not want personally identifiable information shared under your new policy?
Do you promptly honor requests for name removal?
Honoring Choice
You should honor a visitor's choice regarding use and transfer of personally identifiable information made in accordance with your stated policy. If you have promised to honor the visitor's choice for a specific time period, and if that time period subsequently expires, then you should provide that visitor with a new notice and choice. You should provide choices of opting out online. You may also offer opt-out options by mail or telephone.
Comment:
Not adhering to your own privacy policy is a breach of industry self-regulation and consumer confidence, and of federal law.
Time frames for honoring privacy choices can differ from marketer to marketer, including anywhere between a year and infinity, for example. Since consumers' e-mail addresses frequently change, many online marketers choose limited time periods.
If your notice's stated time period is expiring, then the visitor should be furnished a new notice and choice.
Notice should ideally be furnished by e-mail, but it could be furnished by posting a notice on your Web site. The Web site could indicate, for example, that visitors' requests not to have data about themselves shared one year ago are now expiring. The notice would ask visitors to register their preferences again.
Most consumers would reasonably expect that if they do not register a new preference, information about themselves would not be used after the stated time period.
Questions to Ask:
Does your Web site policy indicate a specific time for honoring visitors' privacy preferences?
Do you have a mechanism or system for alerting consumers that the time has lapsed and they should re-register their preferences with you?
Do you offer opt-out choices by e-mail?
How do you track Web site visitors who saw the new notice and opt-out option?
Do you discontinue the use of data provided by consumers before the time expiration if they do not register their choices again?
Providing Access
You should honor any representations made in your online policy notice regarding access.
Comment:
Some companies offer the opportunity to consumers to check their transaction records and to correct inaccurate data. If your company makes any public statements about consumer access to information, the promises should be kept.
Individuals usually request access to data, such as contact information, registration, application or enrollment information, consumer preferences regarding information exchange, and recent transaction/purchase information in order to assure their accuracy.
The DMA recommends that you give consumers "reasonable access" to the information that will answer these customer service questions. You should also take reasonable steps to verify the identity of the individual requesting access, indicate a time frame to the consumer in which the request will be honored, and make requested corrections as appropriate.
Consumers should agree to any fees you may charge for data access before work is initiated to retrieve the requested data.
Questions to Ask:
Does your company state in its privacy policy or elsewhere that consumers can have access to information about them?
If so, does your policy state what your procedures are for releasing information to requesting individuals?
Have you trained your customer service personnel to identify and properly handle or refer requests for access?
Have you assigned particular staff to handle consumer requests for access to data (and correction, if appropriate)?
What kinds of information do you make available, and how far back in time do you research your records?
Do you make a reasonable effort to verify the identity of individuals before releasing information to them?
If you charge a fee for accessing information, do you notify consumers of the fee and get their permission before proceeding?
Data Security
Your organization should use security technologies and methods to guard against unauthorized access, alteration, or dissemination of personally identifiable information during transfer and storage. Your procedures should require that employees and agents of your organization who have access to personally identifiable information use and disclose that information only in a lawful and authorized manner.
Comment:
It is important to maintain data security, and to let your Web site's visitors know that your company keeps personally identifiable information secure, in order to build consumer trust.
Questions to Ask:
Has your company implemented measures to provide secure transactions for consumers?
Are you confident that data are kept physically secure when in storage, and in the process of transfer?
Do you use current security and encryption technologies to ensure that consumer data are secure?
Do you have a security policy concerning employee and agent access to data?
Are employees instructed on your security policy and routinely monitored to ensure their compliance?
Are visitors to areas where personal data are stored and processed specifically authorized?
Are your security practices routinely audited to assess any weaknesses and to assure that policies are followed?
Visitors Under 13 Years of Age
If your organization has a site directed to children under the age of 13 or collects personally identifiable information from visitors known to be under 13 years of age, your Web site should take the additional steps required by Article #15 of the Guidelines for Ethical Business Practice and inform visitors that your disclosures and practices are subject to compliance with the Children's Online Privacy Protection Act.
Comment:
Article #15 of the Guidelines for Ethical Business Practice says, among other things, that marketers should not collect personally identifiable information online from a child under 13 without prior parental consent or direct parental notification of the nature and intended uses of such information online and an opportunity for the parent to prevent such use and participation in the activity.
Questions to Ask:
Is your Web site directed to visitors under the age of 13, or does your company collect personally identifiable information from visitors who are under that age?
Do you have systems in place and staff responsible for assuring adherence to the Children's Online Privacy Protection Act (COPPA)?
The DMA has several tools you can use if you market online to children:
The Children's Privacy Policy Generator was designed to meet the notice requirements of the Children's Online Privacy Protection Act (COPPA). Like the Privacy Policy Generator, a marketer answers a series of questions online about its information collection and sharing practices, which generates a customized policy to be modified and reviewed and then posted on your Web site. The Children's Privacy Policy Generator can be found at www.the-dma.org/privacy/childrensppg.shtml.
A video stream presentation on Marketing to Children (both on- and offline) is one of The DMA's series of Do the Right Thing Online Briefing Sessions. This 12-minute session can be found at www.the-dma.org/dotherightthing.
How to Comply with the Children's Online Privacy Protection Rule was developed in cooperation with the Federal Trade Commission to help marketers understand and comply with COPPA, a federal law implemented by the FTC. It is located online at www.the-dma.org/library/privacy/children.shtml.
Accountability
There should be a meaningful, timely, and effective procedure through which your organization can demonstrate adherence to your stated online information practices. Such a procedure may include: 1) self or third party verification and monitoring, 2) complaint resolution and 3) education and outreach. This can be accomplished by an independent auditor, public self-certification, a third party privacy seal program, a licensing program, membership in a trade, professional or other membership association or self-regulatory program, or being subject to government regulation.
Comment:
You should advise visitors of procedures your organization has put in place for accountability and enforcement. Accountability means you have a process in place that you follow to make sure you adhere to your privacy policy. It also means that if problems occur, there is an enforcement mechanism to correct them.
There are several ways in which you can be held accountable to your online privacy policies, including the following examples: being a member of a trade association, such as The DMA, which administers a membership seal and the Privacy Promise to American Consumers and has enforcement capabilities; applying for a third party privacy seal program, such as TRUSTe or the Better Business Bureau's online seal; or having an independent firm audit your company on a yearly basis.
Your company may also monitor itself and have an internal compliance and complaint resolution process.
Whatever your accountability mechanism is, you should summarize it on your Web site in plain English so that it is easy for visitors to understand and use.
Questions to Ask:
Do you have a procedure or program in place that holds your company accountable for its information practices?
Are your employees knowledgeable as to what the procedure/program is?
Do you notify Web site visitors about your procedure/program and how to access it if they have a dispute regarding your privacy practices? Does your notice include specific contacts, including at any third party organization you may be responsible to?
Do you maintain records as to any monitoring program you have in place?
Commercial Solicitations Online Guidelines
Marketers may send commercial solicitations online under the following circumstances:
- The solicitations are sent to the marketers' own customers, or
- Individuals have given their affirmative consent to the marketer to receive solicitations online, or
- Individuals did not opt out after the marketer has given notice of the opportunity to opt out from solicitations online, or
- The marketer has received assurance from the third party list provider that the individuals whose e-mail addresses appear on that list
a) have already provided affirmative consent to receive solicitations online, or
b) have already received notice of the opportunity to have their e-mail addresses removed and have not opted out.
In each solicitation sent online, marketers should furnish individuals with a link or notice they can use to:
- request that the marketer not send them future solicitations online, and
- request that the marketer not rent, sell, or exchange their e-mail addresses for online solicitation purposes.
The above requests should be honored in a timely manner.
Only those marketers that rent, sell, or exchange information need to provide notice of a mechanism to opt out of information transfer to third-party marketers.
Marketers should process commercial e-mail lists obtained from third parties using The DMA's e-Mail Preference Service suppression file. E-MPS need not be used on one's own customer lists, or when individuals have given affirmative consent to the marketer directly.
Solicitations sent online should disclose the marketer's identity, and the subject line should be clear, honest, and not misleading. A marketer should also provide specific contact information at which the individual can obtain service or information. The marketer's street address should be made available in the e-mail solicitation or by a link to the marketer's Web site.
Do the Right Thing Commentary and Best Practices for the Commercial Solicitations Online Guidelines
The following is staff advice given to marketers to help comply with the ethics guidelines, including comments on what the ethics guidelines mean and various ways to comply with them. The guidelines are broad principles developed to describe the minimum standards DMA members are required to follow. "Best practices" examples are listed at the end of each section for those members who want to go beyond the basic requirements.
Marketers may send commercial solicitations online under the following circumstances:
1. The solicitations are sent to the marketers' own customers, or
2. Individuals have given their affirmative consent to the marketer to receive solicitations online, or
3. Individuals did not opt out after the marketer has given notice of the opportunity to opt out from solicitations online, or
4. The marketer has received assurances from the third party list provider that the individuals whose e-mail addresses appear on that list
a) have already provided affirmative consent to receive solicitations online, or
b) have already received notice of the opportunity to have their e-mail addresses removed and have not opted out.
Comment:
"Affirmative consent" is when the consumer has to take an action before being added to an e-mail list, for example, through a check-off box. It is another way of saying "permission was granted" or "the individual said yes" or "the consumer opted in." The overriding principle here is that consumers on your lists, and on lists you received from others, should have either agreed to receive e-mails, or, at a minimum, should have been given notice and the choice to opt out.
Online "solicitations" are e-mails that are sales messages or advertisements. If you send an e-mail notifying a consumer on the status of an order, or any other customer service matter, such as updating account information, or acknowledging a transaction, payment, or communication, that is not a solicitation and these guidelines would not apply. When such customer service messages and sales messages or advertisements are combined within the same e-mail, these guidelines would apply.
Point one is the principle that you can contact your own customers online, even if the prior relationship with them was conducted in another medium. This also allows for e-appending, for example, obtaining your customer's e-mail address from a directory or listing based on their physical address information. "Customers" include individuals with whom marketers have previously conducted business (e.g., they have made a purchase or donation) or individuals who have contacted a marketer or the marketer's agent and included their e-mail addresses. Examples of such contacts could include requests for information, responses to questionnaires or surveys, product registrations, or responses to sweepstakes or contests.
Points two and three apply to your own actions: that consumers gave you permission to contact them by e-mail, or they did not opt out of receiving e-mail solicitations when you provided them notice. The guideline allows you to send individuals (customers or prospects) at least one e-mail solicitation, and if recipients do not ask you to stop, you can continue to send them solicitations online.
Since point four relates to third party lists, permission would have been granted to the third party marketer (or the marketer's agent) who is sharing the e-mail list with your company. In other words, it is the original marketer's responsibility to provide the individual with notice and an opt-out opportunity (for example, a check-off box) before renting or exchanging the e-mail addresses with your company.
Your responsibility is to ask the list provider whether permission was granted or opt-out notice was given, and to be reasonably reassured of the answer before proceeding to send e-mail solicitations to consumers on the list.
Marketers should be aware that some Internet Service Providers (ISPs) have policies to block the receipt of unsolicited commercial e-mail. A marketer should take into account the e-mail policies of the destination ISP because that is one way of ensuring that your messages will be delivered.
Questions to Ask:
Do you ask your customers whether they wish to receive e-mail communications, including solicitations, from your company and from other marketers? Do you provide a means for individuals to easily register their preferences?
If you e-mail commercial solicitations to individuals who are not currently your customers, do you have their consent to receive solicitations? Or, have the individuals on your list previously been given notice and the opportunity to opt out of receiving commercial e-mail from your company?
If you receive an e-mail list from another entity, have you asked that list provider whether the individuals on the list have given permission to receive e-mail solicitations? Or, do you know whether the individuals on the rented list have been provided notice and the opportunity to opt out of having their names transferred?
Do you include a provision in your list rental contract stating that list providers must obtain consumer permission or give notice and opt out to consumers?
If you rent your customer lists to other marketers, do you first ascertain how the lists will be used, to make sure they are not used for promotions that may violate any of the Guidelines for Ethical Business Practice?
Do you know the policies of major destination Internet Service Providers concerning the sending of e-mails?
Best Practices:
Include a link to your privacy statement at the point of collection of an e-mail address, as well as each subsequent e-mail, for easy access to your notice.
At the point of collecting consumers' e-mail addresses (either online or offline), provide consumers with a clear and conspicuous way to find out how the marketer will use their e-mail address.
Ask consumers whether they want to receive solicitations by providing an unchecked box for them to check their preferences.
Send an e-mail acknowledging that you are in receipt of their agreement to receive e-mails from you and/or from third party marketers.
Include some reference within the first e-mail message to remind customers how you obtained their e-mail address, what they signed up for, and why they are receiving the e-mail. When using a third party list, the source should be identified in your solicitation to remind the consumer of where the permission was granted.
One way to be reasonably reassured as to whether permission was granted, or opt-out notice was given, to a list provider is to include a provision in your list rental contract that states the obligation of the list provider to obtain consumer permission or give notice and opt out.
Test the mechanism third-party list providers used to obtain a list before using their list to make sure that consumers receive adequate notice and the opportunity to opt out. Test where and how e-mail addresses are collected to be sure that your intended list use is consistent with how it was advertised and that it abides by these online guidelines.
Familiarize yourself with the e-mail policies of the top Internet Service Providers before sending e-mails to their subscribers.
In each solicitation sent online, marketers should furnish individuals with a link or notice they can use to:
- request that the marketer not send them future solicitations online, and
- request that the marketer not rent, sell, or exchange their e-mail addresses for online solicitation purposes.
The above requests should be honored in a timely manner.
Comment:
This part of the guideline states that every commercial e-mail you send should allow consumers to tell you that they want you to stop sending such e-mails, and that their names should not be included on lists you transfer to other marketers.
Specific instructions on how to opt out do not need to be included in the e-mail itself, though they could be. An example of unsubscribe language would be: "To unsubscribe from this e-mail list, reply to this e-mail with unsubscribe in the subject line."
A link to a suppress mechanism with instructions as to how to opt out also fulfills this requirement. The link should say something to the effect of: "Click here for unsubscribe options." Note that simply providing a link marked "Privacy Policy" does not make clear to consumers how they can opt out of receiving future e-mails from your company.
Any consumer requests for suppression should be honored, and action should be taken expeditiously. Consumers would reasonably expect that, in the online medium, you would be able to act on their requests quickly.
Questions to Ask:
Do all of your e-mail solicitations include a notice of how the recipient can request not to receive future e-mails from your company? Do the e-mails include notice of how the recipient can opt out of having their e-mail addresses transferred to other marketers?
If your e-mails include a link to a suppress mechanism on your Web site, is the description of the link clear?
Do you have in place a system for removing, as requested, individuals' e-mail addresses? Do you let individuals know their requests have been taken care of?
Best Practices:
To ensure that an e-mail address can be accurately matched and suppressed, a marketer should include the consumer's e-mail address in the unsubscribe instructions. For example, "You are currently subscribed as name@domain.com. Please reply with "unsubscribe" in the subject line if you no longer wish to receive your weekly updates."
Provide a clear and easy method for consumers to opt out -- for example, a link to a one click away unsubscribe mechanism for your e-mails.
Unsubscribe requests should be processed automatically and promptly, upon receipt. (Where a system is not in place for automatic suppression, a reasonable time frame is to suppress the e-mail address within 10 business days.)
Only those marketers that rent, sell, or exchange information need to provide notice of a mechanism to opt out of information transfer to third-party marketers.
Comment:
Consumer notice of information exchange with third parties is not applicable in situations where you do not exchange or transfer information to other marketers.
Questions to Ask:
If you transfer information to other marketers, do you provide notice and the opportunity to opt out to individuals on your list?
Do you honor any opt-out requests promptly?
Marketers should process commercial e-mail lists obtained from third parties using The DMA’s e-Mail Preference Service suppression file. E-MPS need not be used on one's own customer lists, or when individuals have given affirmative consent to the marketer directly.
Comment:
Following the same principle as with the Mail and Telephone Preference Services, marketers must remove individual names before prospecting, according to the wishes of individuals who register for The DMA's name-removal services.
You do not need to remove your own customers who may be on e-MPS because you have a business relationship with them. Similarly, individuals who have checked opt-in boxes or otherwise gave permission to receive commercial e-mail can be contacted. (Although it is not required when the lists you use are permission-based, using e-MPS can provide an extra level of privacy protection for those consumers who are especially concerned about privacy.)
Even if someone is given an opportunity to opt out of e-mail address sharing originally, any marketer who rents the e-mail address for prospecting should use e-MPS for suppression.
Service providers that are DMA members are required to take steps to comply with the Privacy Promise, including endorsing use of DMA's e-MPS file and documenting efforts to encourage their clients to comply.
Subscriber information for e-MPS is available at http://preference.the-dma.org/products/empssubscription.shtml, and is now available in downloadable form.
Questions to Ask:
Does your company clean its e-mail lists with e-MPS when appropriate?
If you use lists obtained from list providers, do you ask whether the individuals on those lists have given their permission, or have been given notice and have not opted out of receiving e-mail solicitations?
Best Practice:
You should use and/or inform all DMA member clients that they should use e-MPS when processing third party e-mail lists, and require all non-member clients who refuse to use e-MPS in connection with third party e-mail lists to sign an appropriate waiver acknowledging their refusal to use e-MPS as requested.
Solicitations sent online should disclose the marketer's identity, and the subject line should be clear, honest, and not misleading. A marketer should also provide specific contact information at which the individual can obtain service or information. The marketer's street address should be made available in the e-mail solicitation or by a link to the marketer's Web site.
Comment:
Individuals should be able to easily understand who sent the e-mail they received. The subject line should not claim "your personal account information attached" if that is not the case or is not the primary purpose of the e-mail, for example, because such a heading has the potential to mislead. Likewise, a subject line should not state "Open this for your free gift" unless there is an attachment with a certificate for merchandise or service that can be obtained without conditions to the consumer.
The use of invalid, forged, or fraudulent information used to direct messages (e.g., making it appear as though the e-mail were from a different entity), use of invalid or non-existent domain names, or any other means of deceptive addressing is not appropriate or acceptable. Legitimate marketers do not use techniques meant to obscure the source of the e-mail.
If you use an agent to deliver your e-mail campaigns on your behalf, it is not considered fraudulent to publish the marketer's name in the "from" line.
It should always be possible to send a reply to an e-mail, and the full e-mail headers should accurately identify the sender of the e-mail as specified in standard mail transfer protocol ("SMTP").
This guideline does not mean that the e-mail or its subject heading must include "ADV" or "this is an advertisement" or similar terminology (unless such language is required by the laws of the states into which you are sending e-mail).
Consumer confidence is greatly enhanced if the e-mail includes specific contact information for your company. Your company's physical address can be included in the e-mail, and at a minimum, should be accessible from a link to your Web site.
To assist e-mail marketers who wish to improve their response rates and best practices education, The DMA and its subsidiary, the Association for Interactive Marketing, have developed seminars, white papers, research, councils, and regular educational opportunities. To find out more, refer to www.the-dma.org and www.interactivemarketing.org.
Questions to Ask:
Do consumers reasonably understand that the e-mail is a sales message?
Are consumers able to easily see that the e-mail is from your company? Is your company's address either on the e-mail or available from a link to your Web site?
Does the e-mail include specific contact information so that the recipient can obtain information or service?
Is the e-mail straightforward in its message and unlikely to be misconstrued?
Best Practice:
Certain types of e-mail, including fraudulent and deceptive marketing messages, are regulated by the Federal Trade Commission (and some states), and marketers who violate these laws can be held accountable and fined accordingly. Marketers should help fight fraud by reporting what they believe to be deceptive e-mail solicitations to the Federal Trade Commission at uce@ftc.gov.
© Direct Marketing Association