Legal Constraints Regarding the Usage of Customer Data. What Is an "opt-In"?

1. PRIVACY WANTED 3

2. THE REGULATION - EU DIRECTIVE AND THE CAN SPAM ACT 3

2.1. Safe Harbor 4

2.1.1 Opt-in or Opt-out? 4

1. Privacy wanted

Most of us have already asked ourselves who all owns the information about our name, our address and telephone number or the amount we keep in our checking account. Instinctively we feel that our names and other personal information belong to us and dislike the thought that someone else could profit from marketing them. However, it is the obvious reality that it happens very often. It is enough to look at our mailboxes to see big amounts of unsolicited mails with various kinds of offers for a number of products and services. Clearly, customer information is seen as a business asset that is acquired and utilized aggressively.

To understand the dimensions of the privacy debate, it is valuable to remember that e-commerce allows marketers to advertise goods and services ever more accurately, in an increasingly personalized manner. Rather than relying on demographic statistics that lump consumers into broad target groups, or collating credit card purchasing data into marketing profiles, the Internet allows businesses to track profiles and information provided directly by the consumer -- and then create automated marketing programs tailored specifically to that customer. By monitoring clicks made on the Web and leaving behind "cookies" on the computer to help the system remember an individual, marketers can gather a startling amount of personal information with which to sell goods and services.

There is a lot of talk about the desired level of privacy regarding the wide range of customer data held by businesses. The consumers are becoming more displeased by marketers buying and selling their personal information, while at the same time the rise of e-commerce has raised fears about this issue, due to the ease with which all types of sensitive data may be gathered, copied, shared, and misused via the Internet.

In response, the European governments have passed tough laws regulating how businesses manage and share personal information -- including a prohibition on sharing data with businesses located in countries that fail to provide adequate data protection. Given the far less restrictive policies on privacy in the US, many in the business community feared that the new laws would effect e-commerce between the US and Europe.

2. The Regulation - EU Directive and the CAN Spam Act

The view on how much protection consumers deserve regarding their data and how much control should they be allowed in the way businesses use that data depends on where one lives. There are substantial differences between the US and the EU. The US prefers to give businesses a maximum of freedom within the constraints of existing business law. For the most part, the US relies on an "opt-out" philosophy of privacy, where the matter is regulated by the US CAN Spam Act. It is essentially an "opt-out" law, whereby recipients must reply to emails in order to unsubscribe from handling of their data for commercial purposes and allowing consumers the right to request that their data be excluded from sales to third parties. The EU Privacy Directive specifies that individuals should have to "opt-in", that is give consent, before they can be sent commercial emails. An exemption to the opt-in consent rule states that where an existing customer relationship exists, it is acceptable to continue to send unsolicited, commercial e-mail until the addressee requests that the communications stop. Some important conditions are attached to this exemption. Businesses must have obtained the customer's e-mail address in course of a sale or the negotiations for the sale of a product or service, and must only continue to market their own similar goods and services. They must have obtained the address fairly in accordance with the existing data protection regime and must always offer an opt-out facility free of charge. The Directive also requires that senders of commercial e-mail do not conceal their identity, and that they always provide a valid return address to which the addressee can send 'unsubscribe' requests.

2.1. Safe Harbor

A clear problem is that the vast majority of spam originates in the US and is therefore governed by the "opt-out" principle rather than an "opt-in" principle in which businesses must specifically get permission from each individual before selling or releasing personal data. Responding to the fears of data abuse, the two sides have negotiated a truce in the privacy war, by creating the "Safe harbor" program

...