Please note: this report runs about 21 pages, so you may want to print it out instead of reading it on your screen.
Introduction
In order to cover everything marketers need to know about spam, privacy and email, we would have to write a report at least 300 pages long. Given time and space constraints, we tried to keep this one to around 20 pages.
It contains a basic summary of the biggest spam-related issues that will affect the average American marketer's job this year. You'll learn about the dangers surrounding spam; how to move toward permission-based marketing; and where else to go online for resources.
Sources for this Special Report include general input from the hundreds of marketers we have interviewed over the past year, plus specific data from:
Association for Interactive Media (A Division of the DMA)
Isaacson has tracked regulatory and legal issues surrounding spam and privacy for the past three years. He regularly meets with Capitol Hill lobbyists, as well as the members of AIM's Responsible E-Mail Council.
Chief Privacy Officer
Nicholas advises Return Path's clients and partners on privacy issues surrounding the collection, cleaning and maintenance of their email lists. Prior to joining the company as CPO a year ago, Nicholas worked for PacBell's Internet Services.
President & Founder
As a well-known service provider to the Internet Service Provider industry, Permison continually meets and interacts with dozens of heads of ISPs.
We also received input, advice and questions from literally dozens of MarketingSherpa readers. Thanks everyone!
What is Spam?
There is no official legal definition of spam that everyone on the Internet has agreed on. However, it generally falls into one of three categories:
1) Spam posts.
These are messages posted to email discussion groups (aka listservs), chat rooms or bulletin boards that are off topic, or that are distinctly promotional in a non-promotional setting. If you belong to a discussion group about the aerospace industry and someone posts a message marketing an aerospace trade show, that could be spam, depending on the rules of the list. Most lists publish rules for new joiners so they know exactly what is considered spam before they post.
2) "Junk" email.
This would be a broadcast (aka blast) email message sent to multiple recipients who did not request it, and who aren't even in the right target audience for it. For example, an offer for Viagra sent to millions of people regardless of their age, sex or health. This kind of spam is easy to spot -- and easy to avoid creating -- because it's so obvious.
3) Non-permission marketing.
This is an email message which is (or appears to be) a broadcast sent to multiple recipients who did not request it -- even though they may be in the right target audience to potentially appreciate such a message.
This is the hardest kind of spam to understand; and it's the type that is most pervasive in the B-to-B marketing world today.
Anyone who sends a message to a list of customers or targeted prospects, each one of whom did not proactively give permission ahead of time to receive that particular type of message, could be guilty of sending spam.
Unfortunately when it comes to the annoyance factor, spam is in the eye of the beholder. Which means a message you think is perfectly acceptable might intensely annoy some recipients. In the end, THE SENDER'S OPINION DOESN'T MATTER. All that matters is the opinion of the recipient.
If somebody thinks you spammed him or her, you probably did.
The Legal Outlook
(Please Note: We at MarketingSherpa are not lawyers, nor did a lawyer review the information below prior to publication. It's merely intended to serve as a starting point for discussion between you and your legal counsel.)
Thanks mostly to the growth of annoying junk emailers, citizens around the world are contacting their governments asking them to stop spam. Although you may not be a junk emailer, the laws being discussed and enacted could affect your organization, simply because their wording can be fairly broad.
So, you may not think of yourself as a spammer, and still get in legal trouble someday.
Every year more bills are introduced into the House and Senate in relation to email. These are moving forward without much opposition (after all, who wants to take the side of a nasty spammer?). Currently six, including a wireless spam bill, are under discussion.
Most require that all email messages include an opt-out option (i.e. a way to get your name off the list) and that list owners are to be held accountable for swift unsubscribe processes. In the B-to-B space, proposed laws look a lot like current fax marketing legislation -- you can email anyone with whom you have a "current business relationship."
15 states, including California, already have spam laws on the books. In general these laws will only affect business marketers if they have an office in that state, and are knowingly sending unsolicited email messages to recipients in that state with whom they have no prior relationship. For example, if you are an office supply store in San Francisco and you send a promotional message to San Francisco businesses that have not bought from you in the past or proactively joined your mailing list, you could get in trouble.
For more information on spam-related laws in the United States, go to the links below:
Canadians are way ahead of the United States in terms of email regulation. New Canadian regulations took effect January 1, 2001 that currently apply to every company doing business with organizations that are regulated by the Canadian government, such as banks, airlines, trucking companies, telecommunications firms, etc.
These regulations are on an evolving schedule -- by 2004 the laws will affect everyone doing business in Canada regardless of their relationship with the government.
Non-Canadian organizations with Canadian subsidiaries and/or offices located in Canada should learn more about this regulation immediately. We also recommend that others track this area carefully because the evolving Canadian situation could be used as a predictive forecast for American legislation.
For more information, go to:
The European Commission set a fairly strict anti-spam directive more than a year ago. In general European lawmakers are in favor of opt-in lists where the recipients have proactively asked to be on the list. They are not in favor of opt-out lists, where recipients have been placed on the list without their permission and they must opt-out (or unsubscribe) to get off the list.
Many American businesses currently email their customers and prospects on an opt-out basis. So, European laws could definitely affect some legitimate American companies who do not think of themselves as spammers.
You cannot be prosecuted or fined if you do not have a European office. However, if you do have ties to Europe, watch out! Three different expert sources have told us that as of July 1, 2001, the European Commission is specifically seeking American violators it can make a very public example of.
One source said, "A lot of people think the Europeans are just rattling their sabers. They're not. They're serious about this."
American companies with offices in the UK must also make sure they comply with the UK Data Protection Act and, for personal data moved to the United States, with the US-EU Safe Harbor principles. If you are collecting customer data in the UK and transferring it to and/or storing it on servers in the United States without Safe Harbor certification, you may be in violation.
For more information on the Data Protection Act go to:
For more information on safe harbor go to:
To learn more about European ISPs opinions on and actions against spammers, go to:
For more notes on Canadian and European laws, see the addendum notes at the very end of this Special Report.
ISPs, Corporate Mail Managers & Black Holes
Even if you are in full compliance with the law in every country on earth, you can still get in trouble as a spammer.
Why? Because the Internet Service Providers (ISPs), such as UUNet, AOL, Verizon and Earthlink, that provide the means for companies and individuals to go online have the power to stop anyone they think is a spammer from using their systems. Quite simply, if an ISP decides you are a spammer, it can stop any email from your server from going through its system.
If ISPs are so powerful, then why is there so much spam today? Because it's very easy to open an email account. Many junk emailers open email accounts under false names, use them once, and then fold up shop and move to the next account within a few hours. By the time the ISPs move to stop them, they are long gone.
However if you are a legitimate business, chances are you're sending out email using your own company name. So, if an ISP decides to stop you from emailing their members, it's a lot harder for you to get around it. You can't just switch company names!
Aside from ISPs, the other people who can block your email are corporate mail managers and the individual recipients. Most medium-large organizations have someone in charge of their email system. If that mail manager receives a few complaints from folks in the office about a potential spammer, he or she is likely to block all email from that sender in the future. Most individuals can also easily block email these days with just a few keystrokes by using the "mail block" or "block sender" feature in their email program.
In none of these cases -- the ISPs, corporate mail managers and individuals -- are the people involved generally consulting with lawyers before they block your email. It's not about the law. They see something they think is spam and they stop it. End of discussion.
So even if your email is completely legal, it can still be blocked if the recipients think it's spam. It's all a question of perception. We asked several experts on both the ISP and corporate mail manager side to describe the measures they take to decide if something is spam or not. Generally their answer boiled down to the number of complaints they received and who they received them from. If the CEO complains about being spammed, you can bet the mail manager is going to block that emailer!
Most experts also told us to bear in mind that ISPs and managers are busy these days. They don't have a lot of time to closely examine each case of suspected spam. So a couple of complaints can be enough for many of them to take action.
ISPs and many major corporate and governmental mail managers are well-connected. Thanks to email discussion groups and bulletin boards, they often pass the word when they spot a suspected spammer. So, if you've been blocked by one organization, you can find yourself quickly blocked by others.
The most famous blocking list is called the "Black Hole" (the Realtime Blackhole List, or RBL, run by MAPS). Aside from the obvious junk emailers, some pretty big company names have appeared on this list at one time or another, reportedly including Microsoft and Real Networks.
To learn more about black lists, or to report a spammer go to:
http://mail-abuse.org
Protecting Your Brand
"Why can't I just test it?"
We hear this question all the time. A marketer (usually from a direct mail background) says, "Well sure, spam isn't a great thing. But there's no law against it, and I probably won't end up in the Black Hole because I'm not running a scam or selling sexual material. So, why can't I just test sending a broadcast email to a non-permission list to see if it works for me?"
Our answer is: you can. But be forewarned, you may be risking something more than a few legal fines and IT problems. You may be risking your brand.
Even if you don't think spam is a big deal, plenty of other people do. In fact, plenty of your customers and best prospects do. Studies have shown that about 40% of recipients really, really hate anything they perceive as spam, and an additional 30% just dislike it.
So, your non-permission campaign may get orders. In fact if the list is a highly targeted one, and your offer is strong, you may make a profit ... initially. But at what cost?
Even if some of the people on the list respond positively, up to 70% of people on that list may have been annoyed by your message. Some may even be annoyed enough to swear to never do business with you again. Some may tell their ISP or corporate mail manager to block all email from you in future. Some may decide just to delete all emails from you in future without opening them.
This is a particular problem for B-to-B marketers because your sales prospect pool is probably fairly limited. You don't have tens of millions of potential customers. You may not even have tens of thousands. If you are operating in a tightly targeted pool, you shouldn't further limit your prospects by sending something they might perceive as spam.
Conversely, if your company is a big famous brand name, and you are caught spamming, it could turn into an online PR crisis as users email each other and post the news on public boards and chat rooms.
How can you know up-front if your customers and/or prospects will perceive your email as spam? The easiest and best way to know is to ask them.
If you are currently sending regular emails to a list of people who have opted-in to get email from you, you should consider sending a survey as well. Lots of surveying software on the market now makes this remarkably quick, inexpensive and easy. We've already tested surveying technology from SurveyMonkey.com and Zoomerang.com with good results, and there are many more providers.
If you are currently sending emails to a list of people who have not specifically asked to get that type of email from you, you should begin investigating permission-based marketing immediately. Read on....
Gathering Permission
If you are new to permission marketing, your first step should be to get a copy of Seth Godin's book, "Permission Marketing: Turning Strangers Into Friends and Friends Into Customers." This best-seller, published in 1999, is still the basis of most strategies and tactics behind successful email marketing today.
MarketingSherpa covers permission marketing campaigns frequently. Here are some of the basics every marketer should know:
THE THREE TYPES OF PERMISSION
All permission is not alike.
1. Opt-Out:
In this situation the list owner informs people that they are on the list -- and the only way they can get off the list is to take action by unsubscribing, cancelling or "opting out." Basically you're saying, "You're already on my list and if you don't want to be on my list then you'll have to tell me. Otherwise I'm going to keep emailing you."
Some opt-out lists are created when there are pre-checked boxes on registration or order forms online. If visitors have to take action by unchecking the box, then that is considered opting-out.
In general opt-out lists perform less well for marketing campaigns than opt-in lists because people haven't proactively asked to receive the information. In a growing number of recipients' minds, opt-out lists are spam. So, if you plan to go in this direction, it's worth thinking twice first.
As one businessperson told us, "I get antagonized when a company assumes I want to be on their list. If you just ask me first, I might happily agree to be on it. But if you tell me I'm already on it and I have to do some work to get off, you've antagonized me from the start. Opt-out is not a very customer-friendly way to proceed."
2. Opt-In:
Unlike opt-out, people on opt-in lists have actively requested to be added to the list. They are hand-raisers. They have not only given you their email address, they have also given you explicit permission to email them a certain type of message at a certain frequency.
Here's the biggest point of confusion -- if someone has given you their email address, perhaps on a business card or on a form they filled out as a site visitor, they are NOT an opt-in. The only way someone can be an opt-in is if they know what they are opting in for. A newsletter, a regular sales message, a third-party ad message ... whatever. It's got to be spelled out.
That's why if you are collecting email names (and what company these days isn't?) you need to also collect specific permissions. You need to ask people at the point of collection what sorts of things you can do with their name in the future -- such as send them a newsletter.
If you don't ask anything, if you just gather an email address at the point of sale without questions, then in strict terms the only way you can use that email address is to communicate with that customer about that particular sale -- sending shipping information and/or a receipt by email. You can't add them to your newsletter list and say it's "opt-in." Because they didn't.
3. Double Opt-In:
Have you ever been tempted to put someone else's email address into a registration form? Or have you ever signed up a friend or colleague for an email newsletter? Double opt-in is designed to prevent this from happening.
If a list is a double opt-in list, a message is automatically sent to the person who's been signed up, asking if he or she really wants to be added to the list. Unless he or she actively replies positively, his or her name is wiped from the list very shortly thereafter and they never get another message.
Some purists believe the only way you can be safe and sure that your list is really opt-in is to make it double opt-in. This is probably a good idea if you plan to rent your list (most lists on the rental market are double opt-in) or if highly secure or confidential information will be sent to the names on the list.
Otherwise, most marketers can simply use single opt-in -- but be prepared for some complaints from people who will angrily email you saying, "Hey, I never signed up for this!" Every single opt-in emailer in the world gets these complaints at least occasionally. So you need a procedure in place to deal with them.
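The double opt-in step described above, and the opt-out link that the Legal Outlook section says every message should carry, both rest on the same mechanism: a link whose token cannot be forged, cannot be used twice, and cannot be swapped for the other kind of link. The Python below is an added example written for this edition of the report; it is not code from MarketingSherpa or from any of the sources quoted. The signing key, the three-day confirmation deadline, the hostname lists.example, the token layout and the addresses and clock values in run_demo are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumptions for this example: a real key lives in a secrets store; three days is a policy choice.
SECRET_KEY = b"example-key-do-not-ship"
CONFIRM_TTL = 3 * 24 * 3600

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(purpose: str, list_id: str, email: str, issued_at: int) -> str:
    """Stateless link token: base64url(JSON payload) '.' base64url(HMAC-SHA256 of payload).
    The purpose ('confirm' or 'unsub') is signed too, so one kind of link can't be replayed as the other."""
    payload = json.dumps({"p": purpose, "l": list_id, "e": email.strip().lower(), "t": issued_at},
                         separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return b64url(payload) + "." + b64url(mac)

def verify_token(token: str, purpose: str, now: int, ttl):
    """Return the payload dict if MAC, purpose and (when ttl is set) age all check out, else None."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = unb64url(payload_b64), unb64url(mac_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time, and checked before parsing anything
        return None
    data = json.loads(payload)
    if data.get("p") != purpose or (ttl is not None and now - data["t"] > ttl):
        return None
    return data

class MailingList:
    def __init__(self, list_id: str):
        self.list_id = list_id
        self.pending = {}       # email -> time the sign-up form was submitted (stands in for a database)
        self.confirmed = set()

    def request_signup(self, email: str, now: int) -> str:
        """Form submission: anyone can type any address, so only a pending entry is
        recorded; the returned confirmation link is what gets mailed to that address."""
        email = email.strip().lower()
        self.pending[email] = now
        return "https://lists.example/confirm?token=" + make_token("confirm", self.list_id, email, now)

    def confirm(self, token: str, now: int) -> bool:
        """Click on the link: only a valid, unexpired, unused token moves the address live."""
        data = verify_token(token, "confirm", now, CONFIRM_TTL)
        if data is None or data["l"] != self.list_id or data["e"] not in self.pending:
            return False  # forged, expired, wrong list, already used, or purged
        del self.pending[data["e"]]
        self.confirmed.add(data["e"])
        return True

    def purge_unconfirmed(self, now: int) -> list:
        """Addresses whose deadline passed without a click are dropped, never mailed."""
        stale = sorted(e for e, t in self.pending.items() if now - t > CONFIRM_TTL)
        for e in stale:
            del self.pending[e]
        return stale

    def unsubscribe_link(self, email: str) -> str:
        """Goes in every message sent to the list; opt-out tokens never expire."""
        return "https://lists.example/unsubscribe?token=" + make_token("unsub", self.list_id, email, 0)

    def unsubscribe(self, token: str) -> bool:
        data = verify_token(token, "unsub", now=0, ttl=None)
        if data is None or data["l"] != self.list_id:
            return False
        self.confirmed.discard(data["e"])
        self.pending.pop(data["e"], None)
        return True

def run_demo() -> dict:
    """The cases the text describes, with constructed addresses and clock values."""
    lst = MailingList("newsletter")
    alice = lst.request_signup("Alice@Example.com", 1000).split("token=")[1]
    results = {"alice_confirms": lst.confirm(alice, 1060)}
    results["replay_rejected"] = not lst.confirm(alice, 1120)
    lst.request_signup("bob@example.com", 2000)  # a colleague signed Bob up; Bob never clicks
    results["bob_purged"] = lst.purge_unconfirmed(2000 + CONFIRM_TTL + 1) == ["bob@example.com"]
    carol = lst.request_signup("carol@example.com", 3000).split("token=")[1]
    results["late_click_rejected"] = not lst.confirm(carol, 3000 + CONFIRM_TTL + 1)
    mallory = lst.request_signup("mallory@example.com", 4000).split("token=")[1]
    payload_b64, mac_b64 = mallory.split(".")
    forged = dict(json.loads(unb64url(payload_b64)), e="victim@example.com")  # edits her own link's payload
    lst.pending["victim@example.com"] = 4000
    forged_token = b64url(json.dumps(forged, separators=(",", ":"), sort_keys=True).encode()) + "." + mac_b64
    results["forgery_rejected"] = not lst.confirm(forged_token, 4001)
    results["purpose_bound"] = not lst.unsubscribe(alice)  # a confirm token is not an opt-out token
    unsub = lst.unsubscribe_link("alice@example.com").split("token=")[1]
    results["unsubscribed"] = lst.unsubscribe(unsub) and "alice@example.com" not in lst.confirmed
    return results
```

The order of checks in verify_token is the point: the MAC is compared in constant time before the payload is parsed or trusted, the purpose is part of what is signed, and an address can only move to the live list from the pending table, so a confirmation link works exactly once and a friend's sign-up that is never confirmed is purged rather than mailed.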
TOP 4 WAYS TO GATHER PERMISSION
The number one question we're asked by readers is, "Am I allowed to send someone just one unsolicited email in order to ask for permission to add them to my list?" In other words, is it ok to spam someone once, so you can avoid spam in the future? Given the legal, ISP and branding concerns we've outlined above, the answer is probably not.
So how do you gather permission? By using all the media -- both online and offline -- that you already use to interact with your marketplace successfully, such as:
1) Direct Mail: Many companies have gathered opt-ins by using postal postcards, snap-packs or other direct mail packages to ask people on their postal list to opt-in to their email list. Usually they direct recipients to a Web address where they can sign up. You might also want to add a phone number.
2) Broadcast Email: Be very sure the email list you use is an opt-in list (or double opt-in, to be safest). Your best bet is to ask to see the form that people opted in on. If a list owner can't show you that, then don't rent the list. Also, if a list owner offers to sell you the list -- so the list is in your hands and goes out under your company name -- then it is assuredly NOT an opt-in list.
On occasion if you have a very strong, beloved brand name, and you have an email list of customers who have bought from you recently, you may be able to get away with sending a broadcast email to those customers once to ask them to opt-in. This may not be legally safe in Europe or Canada, and unless you are careful, it can hurt your brand in the USA. So proceed with caution.
3) Email Newsletter Ads: Many marketers have had great success gathering qualified prospect opt-ins by advertising in email newsletters because newsletter lists are often more targeted than broadcast email lists. You won't have much space -- sometimes less than 50 words -- so focus your copy on a single strong offer. White papers, free newsletters, sweepstakes and other free offers work well.
4) Your Communications Materials: Your opt-in offer should be on almost every communication your company makes. This includes, every page of your Web site (consider making it part of your navigation bar), business cards, employee email signatures, space advertising in magazines, print materials, order forms, customer service in-bound calls, etc. Remember a few years ago when you had to add your URL to everything? Now you have to do the same with your opt-in offer.
HOW LONG DOES PERMISSION LAST?
Not as long as you think. People have short memories. In fact one research report showed that just under 5% of opt-ins will completely forget they signed up for your list within 30 days. The general rule of thumb is any name you haven't emailed in six months to a year has probably forgotten they ever gave you permission. So if you email them, they may think you're a spammer.
This means you should take two steps:
1. Have a plan of action for the opt-in names you collect. With their permission you might want to email them some sort of useful information at least every 4-6 weeks. Quarterly mailings are probably too far apart.
In some senses privacy policies are the 100% money-back guarantees of the 21st century. Having a good strong one can help raise your sales, although customers may rarely use it.
Your Privacy Manager will need to coordinate with every department that collects, touches or uses customer or prospect data in some way. This includes sales, accounting, marketing, customer service ... you name it! Some companies have found that whoever headed up Y2K compliance is a good person to tap for this role as well.
You may want to start the process by hiring the services of a privacy consultant. Although there are plenty of them in Europe and Canada, there are still only a handful in the United States.
American readers have recommended the following:
The Privacy Council
How often should you update a policy? As often as things change in the way your organization handles data. Experts recommend your policy manager check with all departments for changes at least every six months. In fast-moving organizations, quarterly might be your best bet.
And yes, expect changes. Saying "This policy will never ever change until the end of time" is a sure way to invite trouble.
MarketingSherpa Reader Questions About Spam
NOTE: The following answers are solely our editor's opinions based on the research you've read above. Some marketers will disagree with these answers. In the end, you'll need to make your own decision.
Yes, we'll keep on answering future questions from readers. Email yours to: AHolland@MarketingSherpa.com
Question:
I am an online marketing executive for one of the UK's largest finance web sites. We have close to 250k users who subscribed to our services but whom we have never emailed. Another 400k or so have opted in to be sent regular newsletters. The 250k are users who used our site maybe 2/3/4 years ago before we even had a regular newsletter, and have either never returned, or have no idea we still exist.
How do I contact these people without it looking like Spam?
1) Send them a one-off email stating "Hey, remember me? Look at me now, I've grown and can help you in your everyday finances like never before, etc..."
2) Just add them to our regular news alert and hope for the best
3) Send them an email asking their permission for me to send them emails in the future (maybe a form within an email)
Answer:
If you are absolutely, positively sure these folks opted in to get a regular email (i.e. you've seen the opt-in form with your own eyes) then you can email them.
However, as you guessed, it's very dangerous because spam is in the eye of the beholder and yes, certainly someone who opted in four years ago (or even four months ago) has probably forgotten they ever gave that permission. Some marketers would go so far as to consider it rescinded.
1) Dump the oldest names. Anything older than 12 months probably isn't any good anymore, even if you were to email them. According to research, every year about 1/3 of the people on your list change their email address. So although you think you have 250k names, after two to four years a large share of those 250k are probably dead addresses.
2) If you can divide the newer names by month they came in, we suggest you create a special, one-time-only campaign with a very strong offer for everybody older than 3 months. In that campaign you might want to very honestly start out saying, "You registered for our newsletter in May 2000 and we're very sorry to have kept you waiting for so long. If you are still interested, then please ...."
3) Start sending everyone 3 months or newer the newsletter on a regular basis from now on, being sure to include an "opt-out" (how to unsubscribe) line in every single issue.
4) Add an auto-reply message to your opt-in collection campaign now so when someone opts-in they immediately get a welcome message in reply that lets them know when to next expect an email message from you.
Good luck!
Question:
Would it be considered a bad practice to send out a mass mailing to people who have once visited your site, and either bought something or not, but didn't sign up for any type of opt-in list etc.?
We have all their e-mail addresses, but before I got to the company and began planning an e-mail/newsletter campaign, there was no intent to ever use those names like this. We are growing very rapidly and our expansion will be helpful to our users, so what I want to do is notify those people about changes to our site and services and basically about our re-launch. But I'm not sure if they will be offended about our using their names like this w/o their direct consent. In the future we are planning to add an opt-in form to avoid this problem.
Strategic Business Development
Answer:
Unfortunately you really can't email these people. In fact we suggest you get rid of that email list so nobody there is tempted to use it!
The only time you really should email a buyer from your site without any sort of permission is when it's in relation to their specific order -- for example a note indicating shipping details. If the person wasn't even a buyer and they didn't give you permission to email them, then we're not sure how you even got their name in the first place!
There is only one exception. Purists might not agree with us, but we think you can get away with one single email sent to buyers who are guaranteed to remember doing business with you. For most companies that would mean very recent buyers. This could be a thank-you note with an offer to opt in to receive special offers in the future.
However, this should be a one-time affair for your company. Once you get your site set up so that you can collect opt-in permission from buyers and visitors, then you should never, ever send an unsolicited mass email again. It's just too risky.
Good luck!
Question:
If any non-invited e-mail contact is considered spam, even if the recipient is given an option to say no to further contact, then how does one ask a prospect if they'd like to get information? It just seems like an endless loop leading nowhere... you can't ask someone if they want information because they didn't ask you to ask them.
Is it acceptable, then, to send one uninvited e-mail to a prospect and simply tell them who you are and why you are contacting them and tell them that they won't hear back from you, unless they opt-in to do so?
Nancy Beckman, President
Marketing Works!, Inc.
Answer:
The bad news is: no, you shouldn't send out something that might be considered spam in order to avoid spam in the future. With spam, once is too many times.
The good news is there are loads of other tactics you can use. Some are passive, like adding an opt-in form to every page of your Web site, plus an offer to the signature after your name when you send email.
Some are aggressive -- such as using telemarketing, direct marketing, ezine advertising, co-registration, and even renting permission-based lists to send email to. (Also, remember, when renting a permission-based list, don't ever take the list owner's word for it. Always ask for proof in the form of the actual form that list members opted in on.)
Collecting opt-ins is work. That's why real permission-based email lists are so valuable.
Good luck!
Question:
I work for a market research firm. One of our high tech clients wants us to send a survey to their email list. To get the cleanest results, we must send the survey anonymously so recipients don't know whom it's being sent on behalf of. My client says their list is opt-in, can I use it?
Anonymous in Austin, Texas
Answer:
Here's the problem -- the nature of an opt-in list is that each person on it has given specific permission to the owner to email him or her. If you take the list owner's name off the mailing to make it anonymous, then recipients won't know if they gave permission to be emailed or not. So, you'll definitely get complaints about spam.
This brings up a good point -- the only time you can email somebody else's list is if they email a message out with their name on it on your behalf. Anybody who hands you a list and lets you put a different name as sender and doesn't require that their name be mentioned anywhere in the text of the message, is almost certainly a spammer.
How do market research firms get around this? By renting guaranteed permission-based opt-in lists, and by placing ads in opt-in email newsletters. It costs a little more, but it's much, much safer.
Good luck!
Question:
If I do an email blast to the last year attendees of an event my company has produced announcing this year's event, is it spam?
Junior Marketing Manager
marcus evans Summits Division
Answer:
Technically, yes, such a message is spam, because the recipients never said, "Let me know about next year's event." But because you have a very strong brand name, you may be able to get away with it just once.
(Repeated blasts however, should be out of the question.)
You might want to make sure of two things:
1) Make your offer compelling in this blast so that the maximum number of people will click through and you can collect their names for future email. Perhaps instead of a straightforward paid registration form, you might want to offer a no-obligation, free "send me more info" form. Plus, let people know this will be the ONLY time they'll get this offer.
2) This year, add a line to your registration form asking if you can alert people about future events. That way you won't have this problem in the future.
BTW: We know of one major events organizer who actually hired a telemarketing team to call all previous attendees up and get permission for future mailings. It's definitely an idea!
Good luck!
Question:
I want to start a small biz where I live in Spain, translating existing websites into English, plus SE optimizing, copywriting, etc -- everything to do with online text in English. I'm thinking of emailing target webmasters and SMEs individually with my suggestions; it would be different for every site. Would these unsolicited, although polite and restrained, messages count as spam? And what do you think of the basic idea? I plan to back it up with a "resources & tips" type site in Spanish, newsletter, etc.
Laurel Lyon
Answer:
First of all, if you are sending what appears to be a form letter, yes it's going to be viewed by many as spam. Even if you personalize it a little bit, by putting the Webmaster's name or domain name in the letter, form letters are usually obviously form letters.
Webmasters, simply by virtue of having their email address posted in public, get much more of this sort of email than most professionals. In fact some get dozens of these notes a week! So, even if you work very hard to send each one a note that's truly personalized and not a form letter, many will simply hit "delete."
So, your best bet when marketing to webmasters is to get the word out through sources they already trust and read regularly -- such as email newsletters they've signed up for and email discussion groups they share advice on. You can purchase ad space in both these places, and your free newsletter offer sounds like something good to test.
If you can't afford to purchase ad space, then your next best bet is to contact media who serve webmasters and ask them if they would like an article. Often online media are eager for useful content. (Although we must note, we do not accept unsolicited content for our newsletters.)
Good luck!
Addendum
Want to learn more about privacy and spam? Nick Nicholas of Return Path heartily recommends that privacy managers attend at least one of these two annual events:
Zero Knowledge Systems in Quebec
Privacy & American Business
Nicholas also graciously shared his own quick summary of his more than 50 pages of notes from both of these events last fall:
"The first conference was sponsored by Zero Knowledge Systems and took place outside of Montreal, Quebec. The title of the conference, Privacy by Design, was well-chosen. Privacy *must* become a design element, a key component embedded into a company's business practices and culture.
Fortunately, as the ZKS conference proved, "Privacy by Design" is no mere slogan. The legal and regulatory consequences of privacy and data protection laws in the EU and Canada have resulted in an abundance of resources to help businesses comply with the new regulatory climate. The "revolving door" phenomenon for which Washington is notorious seems to be playing out in Canada and Europe as well: former government officials (and their minions) are setting up consulting practices in which they help companies deal with the data protection commissions.
Since Canadian and European businesses have been dealing with privacy issues for years, there is a substantial infrastructure -- in both the public sector and the private sector -- surrounding compliance. The *meaning* of privacy is well developed and spelled out. Practical guidance abounds; the bureaucracies responsible for administering data protection laws are doing everything possible to simplify compliance.
It should be no surprise that financial institutions are at the front lines of dealing with privacy issues. They realized that privacy was a fundamental concern for their customers. Rather than treat this as a burden, however, they set about using it as an opportunity to revitalize their customer relations. Banks followed a strategy that had proven successful in the US time and time again: Give the Customer What He Wants.
And what customers want is privacy, not just at financial institutions, but throughout their online *and* offline lives. Fortuitously, meeting this need is good for business in a number of ways. Aside from the obvious benefits of meeting demands of the market, there are benefits arising from the discipline imposed by running a business based on "privacy by design".
The excitement at the ZKS conference was palpable. Everyone sensed we were on the threshold of a new era, but there was also a strong sense of confidence and competence. The challenges of compliance were large, but they could be managed. The excitement at the Privacy & American Business Conference was also palpable, but it was a more nervous energy than the confidence prevalent at the ZKS conference. American businesses by and large have been caught short by the "sudden" interest in privacy issues. They are now scrambling to get up the learning curve the Canadians and Europeans have been traversing for years, and many of the companies at the P&AB conference were sweating.
Even though the P&AB conference took place in Washington DC only four blocks away from the Capitol Building, it was just as much an international privacy conference as the one in Quebec. American business is acutely aware of the European and Canadian privacy laws, and they are concerned about protecting their markets and their employees abroad.
An unexpected case in point: administrative and staffing expenses of American businesses with offices in EU countries. The EU privacy laws are so strict that even the transfer of expense reports to the home office in the US invokes application of the data protection laws. Consequently, even though businesses thought they could ignore the legal situation in Canada and Europe, they are suddenly finding that they cannot even pay the payroll in foreign offices, or transmit sales and marketing data to the states without taking steps to comply.
Hence the great deal of attention paid to "Safe Harbor". Safe Harbor is an arrangement the US Department of Commerce reached with the EU data protection commissioners. Safe Harbor sets out a plan for US companies to be deemed in compliance with EU data protection regulations so long as they follow a simple series of four steps. *Any* US company making transfers of *any* personal data from an EU country is obligated to comply with Safe Harbor; otherwise they may be required to follow the far more burdensome requirements of each of the 15 EU data protection commissions.
Again, the financial services companies such as American Express have made the most progress in dealing with privacy issues. They are particularly strong in employee training programs, some of which are quite slick with professionally produced videos and training binders.
I hope this will serve as a high level overview of what I gained from these two conferences, and a springboard for questions and further discussions. Key themes I would like to identify by way of summary:
1. Privacy is huge and is going to get even bigger.
2. Businesses will be transformed; the very way of doing business will be transformed.
3. This change is one that will benefit consumers and businesses.
4. Rule 1: Privacy programs must be thoroughly embedded into a company's culture and practices.
5. Our friends in Canada and Europe, as well as savvy businesses in the US, have helped pave the way on what would otherwise be a very rocky road.
The ten core principles of fair information practices are:
· The purpose for which personal information is collected shall be identified at or before the time the information is collected.
· The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information.
· No information shall be collected or used with respect to consumers which is not necessary and relevant to the services provided. Information shall be collected by fair and lawful means.
· Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
· Personal information shall be retained only as long as necessary for the fulfillment of the purposes disclosed. Personal information which is no longer needed shall be disposed of as required by law, regulation, or contract.
· A company shall take all reasonable steps to ensure the integrity of personal information it collects, and shall maintain personal information in a manner as accurate, complete, and up-to-date as is necessary for the purposes for which it is used.
· All information collected from consumers shall be protected during transmission by appropriate security protocols. All personal information collected from consumers and in the possession of a company shall be stored in a physically and electronically secure location, and protected by security safeguards appropriate to the sensitivity of the information.
· A company shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
· Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information in the possession of a company and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
· An individual who wishes to challenge a company's compliance with its privacy principles, policies or practices may submit a complaint to the company's Chief Privacy Officer, who shall then investigate such complaint.
It is estimated that there are approximately 75 chief privacy officers in the US currently. It is also estimated that, by the end of this decade, *every* company handling personal information will have a CPO."
The above notes submitted by:
Nick Nicholas
Chief Privacy Officer
Return Path Inc.