Datran Settlement Goes Beyond the Law: DMA

Datran Media’s recent settlement with New York Attorney General Eliot Spitzer has Datran jumping through hoops well beyond what is required by law, and at least one of the measures will be difficult for even Datran to follow, according to representatives of the Direct Marketing Association.

On the plus side for other marketers, however: The settlement doesn’t seem to set the legal bar any higher. Most of the measures are simply industry best practices, said two DMA representatives in a conference call with members yesterday.

Still, one caller said he believes the settlement was one more step toward marketers being on the hook for their business partners’ privacy policies.

E-mail lead generation firm Datran Media agreed last month to pay $1.1 million to settle Spitzer’s Internet team’s investigation into Datran’s e-mail marketing deals with a company called Gratis Internet.

Gratis is the parent company of such sites as FreeiPods.com, FreeGiftPlanet.com, FreeDVDs.com and FreeVideoGames.com.

Spitzer’s office claimed that Datran knowingly sent millions of messages to Gratis’ e-mail list in violation of the privacy promises made to consumers when Gratis gathered their names.

Gratis promised consumers on some of its Web sites it would never “lend, sell or give out” their information, according to Spitzer’s office.

Spitzer’s office on March 22 sued Gratis. Gratis responded by claiming its relationship with Datran was a service-bureau arrangement rather than list-rental deal and, as a result, it did not violate its promises to consumers.

Meanwhile, Datran’s settlement left many marketers wondering how much responsibility they now have for their business partners’ privacy policies.

The key is whether or not the marketer knows of a business partner’s violations, said Stuart Ingis, an attorney with DLA Piper Rudnick Gray Cary.

“If you know that the third party that gives you the list is violating its privacy policy, you would be liable for fraud or deception,” said Ingis, who is also the DMA’s privacy attorney. “If you’re not aware that a company violated its privacy policy, there is not, I don’t think, anything in this case or other cases that would say that you are liable.”

Ingis said some of the terms in the settlement would be considered industry best practices, but aren’t required by law.

For example, according to Datran’s settlement, Datran cannot “purchase, acquire, license, manage or use” any so-called personally identifiable information without independently reviewing the current privacy statements governing the information and those that were in place when the data were collected.

Datran also must independently confirm that the privacy policies of the companies they wish to do business with tell consumers their names might be shared and that they “affirmatively opted in to permit such sharing,” according to the settlement.

“I think that both of those terms probably go beyond what is in existing law,” said Ingis. “It’s required now of Datran because it’s a condition of the settlement, but there is no requirement to review applicable privacy policies of the entities that you get your lists from, nor to check and make sure that the information was done correctly. Now that would be a very good business practice if manageable, but it doesn’t scale in a lot of cases.”

Moreover, Jerry Cerasale, senior vice president of government affairs for the DMA, said later in the call that verifying privacy-policy histories will be difficult even for Datran.

“To follow Datran, you’ve got to go back and try and untangle the entire data collection process of the third party, which we think, at least from my perspective, is very costly and I don’t know how fruitful it would be,” said Cerasale.

Cerasale added that the DMA would be opposed to any law requiring the type of privacy practices to which Datran agreed, especially the requirement that it verify data promises made when data were collected. “We think it puts a burden on the company that they probably cannot meet—to know the exact date and know what the privacy policy was for that specific time,” Cerasale said.

Ingis also said the law doesn’t require companies to disclose to consumers that they plan to share their addresses. The Federal trade Commission and some attorneys general have made efforts to change that, “but as of today, that is not the state of the law,” he said.

However, he said, disclosure “is an excellent business practice” and a condition of DMA membership.

Under the settlement, Datran is also required to maintain copies of all applicable privacy policies for five years and make them available to the attorney general if he asks for them in writing—a practice also not required by law, according to Ingis.

The settlement also says that written assurances by companies Datran does business with aren’t enough to satisfy its requirements.

“Again, this is not a legal requirement. It is now a legal requirement upon Datran,” he said. Still, Ingis added, it is a good idea to get “written warranties and representations” that data complies with the privacy policies under which it was collected.

Moreover, the settlement says, if Datran learns that a business partner is marketing contrary to promises made in its privacy policy, it must immediately stop using that partner’s lists and inform the attorney general within five days.

Ingis said nothing about the requirement to call the attorney general’s office, but said the law does require companies to stop using data immediately whenever executives find out the company that collected it is violating promises in its privacy policy.

“If you take one thing away from this call it is that once you become aware, you better take action,” said Ingis. “We believe as an association that it is critical to follow best practices to prevent further investigations, or laws, or negative perception by the public.”

Ingis also said that vendors could be held responsible if they knowingly send e-mail on behalf of clients in violation of their privacy promises.

“That doesn’t go to say that you have an affirmative duty as a service provider to do background checks on all the sources of data,” said Ingis.

One caller said he believes that marketers will be increasingly responsible to check out their business partners’ privacy practices.

“I think what’s going to come out of this [Datran settlement] case is that we’re responsible to make some reasonable and serious inquiries into people whose businesses we deal with as to their privacy policies,” the caller said.

Ingis responded: “He [Spitzer] certainly is clearly trying to assert that legal principle, and it may be that he continues to push it into the advertising model, but to date that hasn’t been the model.”

Cerasale added: “This is an example of what I call legislating through settlements.”

Datran also agreed under the settlement to hire a chief privacy officer.

Spitzer’s Internet team began investigating Datran and Gratis after privacy assurance firm TRUSTe pulled its seal from Gratis in Feb. 2005.