TOP 5 STORIES OF THE MONTH

- Public Policy Update: California passes the strictest anti-spam law in the nation. Learn how it applies to you.
- Knowledge You Need: Bennie Smith from DoubleClick explains how to make sure your policy statement doesn’t alienate Web site users.
- TRUSTe News: TRUSTe and IronPort roll out Bonded Sender, a program to enhance email delivery.
- From the Desk of the Executive Director: Those of us in the field of privacy and data security are living in exciting times.
- Privacy Resources: Stanford Persuasive Technology Lab.
- Stay Current!: Upcoming privacy and security events around the nation.
- TRUSTe Tech Tip: Prevent privacy violations by minimizing the data you collect from users.
- Welcome New Licensees: The newest Web sites to display the TRUSTe seal.

California Bans Unsolicited Commercial Email; Regulates Commercial Email
by Kaye Caldwell

On September 23, 2003, California governor Gray Davis signed into law the strictest piece of anti-spam legislation in the United States to date. Any business or nonprofit that uses email marketing as a way to reach clients will need to study the law carefully to make sure it is not in violation.

Effective January 1, 2004, California SB 186 will prohibit the transmission of and advertising in unsolicited commercial email advertisements sent from California or to a California email address, as well as the provision of email address lists for such ads.

The law defines a commercial email advertisement as one “initiated for the purpose of advertising or promoting the lease, sale, rental, gift offer, or other disposition of any property, goods, services, or extension of credit.” A commercial email advertisement is considered “unsolicited” if the recipient has not provided direct consent to receive advertisements from the advertiser and the recipient does not have a preexisting or current business relationship with the advertiser.

However, even unsolicited commercial email advertisements sent to people with whom the advertiser has a “preexisting business relationship” must provide the recipient with the ability to opt out of future advertisements by calling a toll-free number or sending an “unsubscribe” email to the advertiser.

The recipient of the email, the recipient’s email service provider, or the California attorney general may bring an action against an entity that violates the above provisions in order to recover actual damages, liquidated damages of $1,000 per email, and attorney’s fees and costs. Violation of SB 186 also constitutes a misdemeanor.

SB 186 also prohibits the following activities if they are done in order to send or advertise in unsolicited commercial email advertisements sent from California or to a California email address:
- Collecting email addresses posted on the Internet
- Using an automated means of generating email addresses
- Using scripts or other automated means to register for multiple email accounts

In addition, SB 186 prohibits the following practices when sending or advertising in commercial email advertisements sent from California or to a California email address:
- Using a third party's domain name without authorization
- Sending any commercial email advertisement containing falsified, misrepresented, obscured, or forged header information
- Sending any commercial email advertisement containing a subject line that the person knows would be likely to mislead a recipient regarding the contents or subject matter of the message

Read the full text of the new law here.

The Internet Alliance is at work to stop other states already considering adopting the California law as a model anti-spam bill. The Direct Marketing Association is considering a legal challenge. For further information on the new law and on the status of any legal challenges to it, please contact Emily Hackett at the Internet Alliance, (202) 861-2476.

Kaye Caldwell is California policy director at the Internet Alliance.

Conveying Trust Through Your Privacy Statement
by Bennie Smith

A February 2002 Harris Interactive survey showed that 75 percent of respondents believe the companies they do business with will provide their personally identifiable information (PII) to other companies without their permission. Other research has shown that U.S. consumers have no strong opinions favorably or negatively that posted privacy notices accurately reflect how Web sites use the PII they collect. In other words, your customers are ambivalent about the volatility of the disclosures you make.

These data show that a trust gap exists between the consumer and the marketer. Yet I believe that ultimately, consumers want to be able to rely on marketers or publishers to help them make choices about how their personal information is collected, used, and shared.

How can you communicate your trustworthiness? Through the way you craft your privacy statement.

Know Your Audience

Make sure that your privacy policy and all related disclosures on your site are free of industry jargon, technical terms, and legalese. Does your next-door neighbor know what a “marketing affiliate” is? Neither will most of your customers. Make sure your privacy policy does not read like the fine print in a contract -- but rather a friendly extension of your brand promise.

Pay attention to presentation and format. Forcing your customers to scroll through 10 or 20 paragraphs written in 8-point type is not likely to result in a sense of “connection” with you. Instead, mimic the look and feel of the other customer-oriented sections of your site. Use a navigation bar or section titles like “How We Collect Information” to help your customers easily, quickly access the sections of your disclosure that are most relevant to them.

Review the “voice” of your privacy policy. Is it active, friendly, and straightforward? Or does it sound like a contract? Is the language you use concise and meaningful? Have you avoided double negatives? Recognizing that there are situations that don’t necessarily lend themselves to a simple two-line explanation and that greater detail is sometimes required, look for nontraditional ways -- say, diagrams and animation -- to express those concepts.

These principles apply equally to B2C and B2B Web sites. Businesses are made up of people, and we don’t react to information in work settings that differently than we do in non-work settings.

Identify the Scope of Your Privacy Statement

What is your privacy disclosure meant to cover? For businesses that operate in multiple channels, online and offline, it is important to say which of these channels or geographic locations your privacy policy applies to. If your practices for data use are different for email marketing versus outbound telemarketing, make sure that’s clear. If your privacy policy is designed to cover only your online activities as opposed to your catalog business, state that clearly, too. If you are unclear or silent on this point, your customers -- or the Federal Trade Commission -- may assume that your privacy policy covers all activities in all places.

Additionally, if you can reasonably expect non-American visitors to your Web site, consider reminding them that they are on a United States-based site. This is becoming increasingly important as other countries and regions around the world seek to aggressively regulate the use of data as it relates to their citizens.

Let Them Know It’s Not Carved in Stone

While your privacy policy should always reflect your corporation’s guiding principles relative to privacy, it is not -- nor should it ever be mistaken for -- a static document written once and never updated again.

Changes or improvements in technology, business model, and geographic locations in which you conduct business are just a few examples of the things that might affect privacy policy disclosures. Spell out when and why your privacy policy might change and how your customers might be made aware of these changes. A section entitled “What’s New” is an easy way to convey this information.

Crafted correctly, your privacy statement is a meaningful communication that can build consumer trust and confidence. This trust will help protect your brand and its underlying promise from the ravages of the highly competitive online marketing space.

Bennie Smith is chief privacy officer of DoubleClick.

IronPort Systems and TRUSTe Launch Next Generation of Bonded Sender Program

On October 13, 2003, TRUSTe and IronPort Systems announced the next generation of the Bonded Sender Program, the industry’s only complete solution for identifying legitimate email. After 12 months of extensive testing, the second major release of the Bonded Sender Program -- which includes TRUSTe certification, oversight, and dispute resolution services -- is now available. Bonded Sender now reaches in excess of 60 million mailboxes spanning more than 12,000 ISPs, validating the effectiveness and scalability of the program.

Studies show that as much as 30 percent of legitimate outgoing commercial email can be blocked by the receiving ISP without the sender’s knowledge. The Bonded Sender Program allows legitimate senders of mail to avoid being blocked by overly aggressive spam filters by allowing senders to identify themselves, adhering to standards, and posting a financial bond. When consumer complaints about mail received from a sender’s IP address exceed a predetermined threshold, the bond is debited.

The industry is rapidly embracing complaint-driven systems to help identify spam and legitimate email, with each of the four largest email providers in the United States adopting a “report as spam” button in their client software and using complaint data to block spam. Messages that are spam have a complaint rate that is at least 100 times higher than that of a typical Bonded Sender, creating financial penalties for spammers.

Find out more about enhancing delivery of your email!

TRUSTe and IronPort have developed and published a set of email standards for the Bonded Sender Program. New senders who meet these high standards and post a financial bond based on mail volume can now apply for Bonded Sender status at www.bondedsender.com. Qualified senders will be certified and admitted to the program, enabling them to receive enhanced delivery at thousands of ISPs.

Exciting Times in Privacy

California’s anti-spam law is not the only dramatic development in the arena of privacy, security, and spam. At TRUSTe, we are beginning to see some trends that all licensees need to prepare for -- or against:
- More legislation on both the state and federal level. California has been especially active, passing a privacy law in addition to its anti-spam law. More regulations are likely to emerge around affiliate sharing and sensitive data.
- Security continues to be an important part of privacy. Companies will be seeing more regulations and rules emerge around the Patriot Act. Be aware of your own privacy statement and consider the case of JetBlue, who voluntarily gave information to the government, and the scandal that ensued. In addition, California's security-breach disclosure law went into effect in July, as did the FTC's safeguard rule for Gramm-Leach-Bliley. Basic technology, training, and good policies and procedures are key to providing reasonable security. TRUSTe will be issuing additional guidelines on security in the future.
- Continuing pressure from the press and regulators in the form of high-profile stories and enforcement actions. Missouri, New York, and Massachusetts have been leading the way on enforcing privacy statements and fraudulent spam cases. The FTC has focused on COPPA violations, fraudulent spam, and security breaches as well.
- Companies will face continuing challenges in getting their email messages delivered because of aggressive spam filtering from ISPs. Legitimate sender programs, like Bonded Sender, will continue to emerge.
- Continued strengthening of best practices in privacy standards. For example, opt-in is emerging as the standard for third-party sharing and list rentals.
- The Recording Industry Association of America and the music industry continue to clamp down on file sharing, and spyware continues to come under scrutiny.
- Corporations will continue to be affected by the EU Data Protection Directives and will need to consider moving to a global standard.

TRUSTe is closely monitoring all these developments and actively participating in developing solutions. Look to this newsletter for continuing updates -- and, of course, call us when you have specific questions.

-- Fran Maier

Stanford Persuasive Technology Lab
captology.stanford.edu

The Stanford Persuasive Technology Lab creates insight into how computing products -- from Web sites to mobile-phone software -- can be designed to change what people believe and what they do. Like human persuaders, persuasive interactive technologies can bring about positive changes in many domains, including health, business, safety, and education. With such ends in mind, the lab is creating a body of expertise in the design, theory, and analysis of persuasive technologies, an area called “captology.” You can find a link to its Web credibility study and other interesting resources on the lab's Web site.

14th Annual Northern California Information Security Conference

Dates: November 4-5, 2003, 8:00 a.m. - 5:30 p.m.
Location: Sacramento Convention Center, 13th and J Streets, Sacramento, Calif.
Overview: InfoSeCon 2003 is the largest and most informative security conference in Northern California. Hear from industry leaders and attend the free all-day security product exposition. The conference will be divided into four subject-area tracks: Security Management, Technical Security, Privacy & HIPAA, and Homeland Security. To learn more and to register, visit the InfoSeCon Web site.

Call for Proposals: Computers, Freedom, and Privacy

The Program Committee of the 14th Conference on Computers, Freedom, and Privacy (CFP2004) is seeking proposals for innovative conference topics, presentations, and speakers on all aspects of computers, freedom, and privacy, especially those with an international perspective. CFP2004 will be held in Berkeley, Calif., on April 20-23, 2004.

The primary themes for this year’s conference are the following: the role of technology in providing national security and preserving individual privacy and freedom; the impact of new legal and technical developments on the Internet’s utility as a medium for disseminating and archiving information; and the role of computer and telecommunications technologies in the political process.

Complete submission instructions appear on the CFP2004 Web site. All submissions must be received by October 31, 2003.

Tip: Minimize data collection on your Web site -- only collect enough personal data from visitors to provide them with your products or services or to allow them to participate in an activity on the site.

It is now common practice for Web sites to obtain information from users by requiring them to submit personal information before granting access to the site or certain sections of it. Many organizations find this information valuable in profiling and targeting users.

However, the less information you collect, the better. Web site users are more willing to provide more information as it is needed or if an incentive is provided. The more information you collect, the greater your risk of exposure and potential misuse of information.

Here are a few tips to keep in mind when developing or revamping a data collection page such as a registration form, newsletter subscription page, or contest entry page:
- The collection form should indicate "required" and "optional" fields.
- On the collection page, tell users why you are collecting their personal information.
- Collect only the information you need for the purpose of allowing the user to participate in a selected activity or receive certain products or services.
- Collect age only if required for the selected activity. Remember, the Children's Online Privacy Protection Act (COPPA) is triggered whenever a Web site collects both age-identifying information and personally identifiable information.
- Never collect sensitive information such as social security number, financial information, or health information unless it is required for the selected activity.
- Always use commercially reasonable practices such as encryption to protect information received -- and tell users about your data safeguards.

-- Jessica Coy, account manager

TRUSTe would like to congratulate the following new licensees on successfully completing our certification process:

American Century Services, Affirme, BidChaser, Casale Media, Eid Passport, Healthyroads, IncidentReports, Incredimail, Indianhead Council, LiveDeal, Maven Networks, Monsterpin Information Exchange, Open House Spain, Pivotal Veracity, SmartSource, 3conx Corporation, WarrantyWarehouse.

Got Feedback?

We would like to hear what you think of the TRUSTe Advocate. Send an email with your comments and suggestions to newsletter@truste.org.

TRUSTe is an independent, nonprofit organization that administers the Internet's first and largest privacy seal program.

685 Market Street, Suite 560
San Francisco, CA 94105
(415) 618-3400
Email: privacyseals@truste.org
Web: www.truste.org