Anthony J. Dispoto
The internet has created countless opportunities for entrepreneurs to create businesses that exist entirely online. While costs for these types of businesses are low, due to a lack of need for infrastructure, there are inherent risks in such activities. Such risks are compounded when businesses collect users’ personal data, generally for marketing purposes. These risks have been exemplified by recent privacy breaches that have made headline news over the past few years.
This article will summarize four laws related to consumer privacy and consumer protection, and will state the importance of adhering to each.
1. California Online Privacy Protection Act of 2003 (“CalOPPA”)
CalOPPA is a consumer privacy law that applies to the collection and use of personal information by commercial websites, online service providers and mobile application operators (both shall be collectively referred to as “providers”). CalOPPA requires providers to state whether or not they are collecting personally identifiable information from its users. Personally Identifiable Information (or “PII”) is just that: information, either by itself or in combination with other information, which can be used to identify a user. Providers must also disclose how such personally identifiable information is used. Online services collect PII to help them make more-informed business decisions, and in some cases generate a new revenue stream by selling that data to affiliates.
CalOPPA Compliance
CalOPPA makes it a legal requirement for all providers that collect information from California residents to post a privacy policy on their platform. The privacy policy should clearly outline the scope of personal information that is to be collected about the users and state how the information will be used by the provider. A company’s privacy policy will generally state that PII is collected, stored and will be used as a marketing tool for advertisers, or may be sold to affiliates who will try to sell you complementary services.
In the event a provider uses or sells the information of a consumer without the implied or express consent of that individual, the provider can be hit with exorbitant penalties and fines by the Federal Trade Commission (“FTC”), which has enforced a variety of different privacy actions in the recent years.
For example, Irvine-based television maker VIZIO agreed last year to pay FTC fines amounting to $2.2 million for collecting the viewing histories of 11 million smart TVs without users’ consent or knowledge.
Fines such as these can be avoided if a website or other online service has a detailed, transparent privacy policy, which users must accept before submitting their information.
2. The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN-SPAM”)
The CAN-SPAM Act was created as a direct response to the large number of SPAM emails that were flooding inboxes in the late 1990s and early 2000s.
The purpose of the act was to identify and allow users to be unburdened by commercial electronic mail messages, not just bulk-emails. Commercial Electronic Mail Messages are defined by the FTC as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.”
This distinction specifically excludes “transactional or relationship messages,” or email communications that are necessary in order to maintain a business relationship such as tracking numbers, updates to software, or invoices.
So what does this law actually do?
In general this law requires a business to send e-mails that: (i) are not deceptive to the consumer (this includes the sender’s email address, domain name, or subject of the email), and (ii) gives the consumer an opportunity to opt-out of receiving commercial communications. Companies can be penalized $16,000 per-violation for failure to comply with CAN-SPAM requirements.
For example, in 2004, Detroit-based Phoenix Avatar was sending illegal spam emails directly to potential consumers to sell diet patches. The FTC received more than 490,000 complaints about the spam emails. Although the company was threatened with criminal charges, and the court held that it was responsible for damages of $230,000, the company ultimately settled for $20,000 subject to immediate compliance with the court’s stipulated judgment.
These emails may not be as much of a concern as when this law was first written due to the improvements in spam filters. However, the law does still warrant attention as it relates to advertisements such as newsletters or product offerings by websites.
These types of fines are easily avoidable as long as you stay in compliance and follow the points listed above.
3. Telephone Consumer Protection Act of 1991 (“TCPA”)
The TCPA restricts telemarketing and automated telephone calls to customers unless a customer’s express consent is first obtained. Additionally, it requires providers to cease communicating with customers after receiving a “do-not-call” request, made orally or in writing. As marketing communications have evolved so has the TCPA. The law has been updated to deal directly with text messaging (“SMS”).
This section will specifically relate to the SMS marketing communications.
The TCPA is fairly simple as it relates to SMS. A provider should: (i) obtain a customer’s express written consent to receive marketing communications prior to sending such communications, (ii) not require the consent as a prerequisite to a purchase or service, and (iii) allow the customer the right to opt-out of future marketing communications.
So what does this law actually do?
Generally speaking, the TCPA requires a user’s permission prior to a provider sending telemarketing messages whether it is by phone or SMS. It also penalizes providers in the amount of $500-$1500 in a civil action or $16,000 per violation if enforced by the Federal Communications Commission. These penalties arise from a provider’s failure to seek permission prior to sending unsolicited telemarketing messages to customers, or for a provider’s failure to cease marketing communications once a customer has requested the provider to cease future communications. Penalties for providers can be substantial as they are often assessed per violation, or in many cases, per communication.
For example, a ruling from 2015 found that Lyft and First National Bank violated the TCPA by requiring users to receive automated text messages as a condition to using their services. For Lyft, a user would be unable to receive texts necessary to use the service if a user opted-out of such communications, where First National Bank did not provide users with any option to opt-out. In both situations no fines were imposed, but were threatened against each company if they did not change these issues immediately.
It is highly recommended that every company, regardless of its size, regularly audit their marketing communications to ensure they are in compliance with the TCPA.
4. Children Online Privacy Protection Act of 1998 (“COPPA”).
COPPA was created to give parents more control and protection over their children when they are on the internet. The law applies to the collection of personal information from children under thirteen years of age.
Providers cannot market to children unless they comply with additional safeguards that give parents (i) the type of information being collected from their children, (ii) control over the collection of such information by requiring express consent from parents prior to the collection of such information, and (iii) control over deleting, editing or reviewing their children’s collected information.
So what does this law actually do?
In general, this law puts control in the hands of parents to determine how much information about their children is collected and to what extent such information will be generally used. Although, these protections and restrictions create additional expense on the part of the provider, it creates immediate benefit on the part of the parents and likely a less competitive market for children’s information.
Any provider even considering collecting information from children must perform regular audits at a minimum to ensure its compliance. Due to the time, expense involved in these regular audits, as well as the potential penalties of $41,484 per violation, many companies might believe that a marketable audience of children is more trouble than it is worth.
For example, in 2016 InMobi, a mobile advertising company, was hit with $4 million in civil penalties because it tracked users’ location whether or not the user opted in. The court added that this action included a breach of COPPA because some of the users were children. The penalties were ultimately amended to $950,000 due to the company’s financial condition.
Conclusion
Although compliance to the laws discussed in this article may seem daunting, it doesn’t have to be.
The best way to comply with such laws is by being aware of the laws that are applicable to a respective business, keeping abreast of the latest changes to privacy laws, and conducting regular audits of marketing communications. Business owners who may be uncertain as to the legality of their data collection activities should consider contacting a qualified business attorney who can review current policies and implement changes to ensure compliance.
