
Entries in opt-in (3)

Tuesday, Nov 08, 2011

Google+ Pages off to a good start for consumers

Google released Google+ Pages for brands publicly last night (South African time) to much excitement on the Web. Google+ has, until now, been reserved for humans posting as themselves and Google has been criticized for not allowing brands to create pages and for insisting that users use their real names and not pseudonyms (Google seems to have reversed course on this and is expected to announce support for pseudonyms soon). The elephant in the room has been brands' inability to create a presence on the growing platform.

Google+ Pages have a number of similarities to personal profiles including their basic design and functionality. Businesses can publish posts, photos, videos, run Hangouts (a very appealing and engaging video conferencing solution) and participate in comment threads as the brand. I enjoy using Google+ and have seen some pretty high engagement levels there. It is a product designed for engagement.

web.tech.law - Google+

That said, there are some very interesting differences between Pages and profiles which are pretty good for consumers weary of the constant flow of direct marketing material. Susan Beebe, a Dell Corporate PR and Social Business Strategist, listed a number of differences in a post on Google+:

  • Pages can’t add people to circles until the page is added first or mentioned.
  • Pages can be made for a variety of different entities whereas profiles can only be made for people.
  • The default privacy setting for elements on your page profile is public.
  • Pages have the +1 button.
  • Pages can’t +1 other pages, nor can they +1 stuff on the Web.
  • Pages can’t play games.
  • Pages don’t have the option to share to ‘Extended circles’.
  • Pages don’t receive notifications via email, text, or in the Google bar.
  • Pages can’t hangout on a mobile device.
  • Local pages have special fields that help people find the business’ physical location.

Of these differences, the most significant difference for consumers is the first in that list: Pages can’t add people to circles until the page is added first or mentioned.

Explicit opt in on Google Plus for Pages

The reason this is so significant is that consumers must explicitly and specifically add brands to their circles (or, to use Twitter terminology, follow the brands) before those brands can publish posts targeted at those consumers. Until that point brands' Pages remain publicly visible but their posts don't enter consumers' streams until they are followed. This model is similar to Twitter in that Twitter users won't see brands' tweets in their Twitter stream unless they follow the brand's Twitter profile. As with Twitter, it also appears that a brand could publish a post which tags a consumer not following the brand on Google+ and get their attention that way.

It certainly appears that Google is thinking about building a product for brands that doesn't overpower consumers' streams with marketing messaging although an option requiring that consumers add brands to their circles before they can be contacted by brands would protect consumers better.

Thursday, Jun 30, 2011

Tension in the direct marketing industry over opt-in requirements

Tug of War

The Consumer Protection Act sparked quite a bit of interest in direct marketing and consumers' rights to opt-out of receiving direct marketing communications. It has also highlighted a tension between direct marketers and consumer orientated initiatives to protect and enhance consumer rights. Some of these initiatives have been undertaken by two industry bodies, the Internet Service Providers' Association and the Wireless Applications Service Provider Association which are self-regulatory bodies focused on ISPs and mobile service providers, respectively. The ISPA and WASPA Codes of Conduct contain provisions which are somewhat more stringent than the Consumer Protection Act, although more in line with the draft Protection of Personal Information Bill when it comes to regulating direct marketing.

I took a closer look at the relevant provisions in the Code as well as related provisions in the Consumer Protection Act and the current Protection of Personal Information Bill, which is expected to be enacted in late 2011, in order to see how these regulatory frameworks deal with direct marketing and what effect they seem to have on the industry. This post is an overview of these regulatory frameworks.

The ISPA Code

The ISPA Code binds Internet Service Providers directly, and direct marketers that use ISPs to host their services, indirectly. Section E of the ISPA Code states the following:

E. Unsolicited communications

  1. ISPA members must not send or promote the sending of unsolicited bulk email and must take reasonable measures to ensure that their networks are not used by others for this purpose. ISPA members must also comply with the provisions of section 45(1) of the ECT Act, and must not send or promote the sending of unsolicited commercial communications that do not comply with the provisions of section 45(1) of the ECT Act.
  2. ISPA members must provide a facility for dealing with complaints regarding unsolicited bulk email and unsolicited commercial communications that do not comply with the provisions of section 45(1) of the ECT Act originating from their networks and must react expeditiously to complaints received.

ISPA's members generally adopt a fairly firm approach to unsolicited bulk email for a variety of reasons, and for good reason in many instances. We are all familiar with the deluge of spam that clogs our mailboxes on an ongoing basis. Unfortunately, well-meaning direct marketers are often caught in the cross-fire, largely because they are reliant on ISPs to operate their businesses.

The WASPA Code

WASPA is a self-regulating industry association that watches over mobile service providers. Its members include most mobile service providers and marketers in South Africa as well as a number of foreign mobile content providers. If you market to customers by SMS, the odds are you are using a WASPA member to distribute your messages.

The current version of the WASPA Code is 11.0.  The section in the Code dealing with spam is section 5 which is titled “Commercial communications”.  Section 5.1 deals with “Sending of commercial messages” and specifies certain minimum requirements such as the requirement that WASPs terminate commercial messaging services when a recipient responds to a commercial message with the “STOP” instruction or similar words such as “END”, “CANCEL”, “UNSUBSCRIBE” or “QUIT”.

The definition of “commercial message” is also relevant and it is the following:

A “commercial message” is a message sent by SMS or MMS or similar protocol that is designed to promote the sale or demand of goods or services whether or not it invites or solicits a response from a recipient.

Sections 5.2 and 5.3 deal with spam identification and prevention and are directly relevant.  These provisions state the following:

5.2. Identification of spam

5.2.1. Any commercial message is considered unsolicited (and hence spam) unless:

(a) the recipient has requested the message;

(b) the message recipient has a prior commercial relationship with the message originator and has been given a reasonable opportunity to object to direct marketing communications

(i) at the time when the information was collected; and

(ii) on the occasion of each communication with the recipient; or

(c) the organisation supplying the originator with the recipient’s contact information has the recipient’s explicit consent to do so.

5.2.2. Any commercial message is considered unsolicited after a valid opt-out request.

5.2.3. WASPA, in conjunction with the network operators, will provide a mechanism for consumers to determine which message originator or wireless application service provider sent any unsolicited commercial message.

5.3. Prevention of spam

5.3.1. Members will not send or promote the sending of spam and will take reasonable measures to ensure that their facilities are not used by others for this purpose.

5.3.2. Members will provide a mechanism for dealing expeditiously with complaints about spam originating from their networks.

When it comes to classifying a commercial message as not “spam”, the Code sets out a two part test.  A commercial message is regarded as spam if it is unsolicited except where -

  1. The recipient has either requested the message or has a prior commercial relationship with the message originator and “has been given a reasonable opportunity” to opt-out of further marketing communications from the originator (this is implicit opt-in with an opt-out requirement); or
  2. The recipient has given his or her “explicit consent” to receive the commercial message concerned.

The focus of this test is on unsolicited commercial messages and the default position is that such messages are spam and prohibited unless the originator can prove one of two scenarios (mentioned above), both of which are consent-based. The first scenario is a combination of explicit opt-in and the second scenario involves a more implicit opt-in. This is a departure from the current legislative position, although not necessarily from the anticipated legislative framework detailed in draft legislation.

The Consumer Protection Act

The Consumer Protection Act deals with “unwanted direct marketing” in section 11 of the Act.  Consumers’ right to pre-emptively block, refuse to accept or to require a person to discontinue direct marketing communications or approaches is specifically included in consumers’ broader right to privacy which is entrenched in the Bill of Rights.  While the Consumer Protection Act does not explicitly state that it operates on the basis of an opt-out paradigm, section 11(2) supports this conclusion:

To facilitate the realisation of each consumer’s right to privacy, and to enable consumers to efficiently protect themselves against the activities contemplated in subsection (1), a person who has been approached for the purpose of direct marketing may demand during or within a reasonable time after that communication that the person responsible for initiating the communication desist from initiating any further communication.

The direct marketing framework contemplated by the Consumer Protection Act is similar to the framework established for electronic direct marketing in the Electronic Communications and Transactions Act. Both frameworks enable marketers to send unsolicited commercial messages (to use the basic term in the Code) directly to consumers provided they facilitate and honour requests from consumers to opt-out of receiving further commercial messages from those marketers. The press release mentioned a Do Not Call Registry which section 11(3) of the Consumer Protection Act provides for. This registry doesn’t exist yet, at least not in the form contemplated by the Consumer Protection Act, but such registries do exist in varying degrees.

The Direct Marketing Association of South Africa (“DMASA”) operates a National Opt Out Register which its members are bound to comply with.  This Register presently represents the closest registry of its kind to the registry contemplated in the Consumer Protection Act.  Unfortunately this Register is limited in its scope.  It binds DMASA members and its distribution is limited to those members.  It is also subject to exploitation (such an exploit was publicised in ITWeb on 30 May 2011) for illegitimate purposes in its current form although its distribution method is due to shift from email to an authenticated file transfer protocol.

Protection of Personal Information Bill

The Protection of Personal Information Bill deals with “unsolicited electronic communications” in section 66 of the current draft Bill. This section begins with the premise that unsolicited electronic communications (including SMS and email) for direct marketing purposes are prohibited unless certain conditions are met (the Bill speaks of “processing” which has broader implications than simply sending marketing SMSes or emails but I will confine my discussion to direct marketing messages). These conditions are, essentially, that the person whose personal information is being used (the “data subject”) has consented to receiving these commercial messages or where the data subject is a customer of the party sending the commercial messages.

This latter condition is a complex one.  In order for a business to market its products and services to a consumer under the Protection of Personal Information Bill, it must have obtained the consumer’s contact details in the context of a sale of a product or service for the purpose of directly marketing the business’s “own similar products or services” and the consumer must have been afforded opportunities to opt-out of receiving those marketing messages both at the time the contact details were collected and “on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use”.

Going further, the Protection of Personal Information Bill requires that “any communication for the purpose of direct marketing” must contain the following information:

  1. details of the identity of the sender or the person on whose behalf the communication has been sent; and
  2. an address or other contact details to which the recipient may send a request that such communications cease.

This section of the Protection of Personal Information Bill appears to shift the current opt-out paradigm to something closer to an opt-in paradigm in that a consumer’s consent is required before a business may market products and services to the consumer or the consumer must be the business’s customer and the consumer’s personal information was collected for that purpose.  The first scenario entails an express opt-in and the second an implicit opt-in with the comfort of a subsequent opt-out option.  These provisions are similar to the provisions of the Code dealt with above and represent a departure from the current paradigm the Consumer Protection Act operates under.  While the Protection of Personal Information Bill is not a final Bill yet and there is still scope for these provisions to change before its finalization and adoption by Parliament, it is worth bearing its current provisions in mind.

Where does this leave direct marketers

Direct marketers are largely dependent on either ISPs or WASPs to conduct their businesses and this presents a number of challenges. The current business model relies on an opt-out paradigm to exist and the ISPA and WASPA Codes are precursors to the Protection of Personal Information Act, which shifts the paradigm to an opt-in paradigm which most direct marketers probably can't easily transition to. If the ultimate Protection of Personal Information Act will have the current opt-in provisions for direct marketers then the industry will have to change the fundamental basis on which it operates, starting with its database development strategy.

Some marketers have already begun exploring more innovative models based on social media. One of my recent clients, Virtuosa, sent out an email in April informing its newsletter subscribers that it was discontinuing its newsletter and invited its subscribers to follow it on Twitter, Facebook and LinkedIn:

Newsletters are old-fashioned. Research and feedback from you has shown that overall the preferred means to receive updates and engage with us is via our social profiles. We will no longer be sending regular newsletters but rather communicate with you on Social Media. Please connect and engage with us via our social media profiles.

One of the advantages of social media as a broad marketing platform is that services like Twitter, Facebook and LinkedIn are built to be opt-in and have easy opt-out mechanisms built into the platforms. In a way, this model is an ideal direct marketing model because of its higher engagement levels and opt-in basis but shifting to this model basically means discarding existing email and SMS databases in favour of a relatively young channel. Even if marketers ignore social media, they need to seriously start thinking about how they will transition to an opt-in paradigm if the current Protection of Personal Information Bill is passed in more or less the same form it is currently in. As it is, they operate in an environment that is, at least partly, fundamentally opposed to their existing business model.


Image credit: Tug of War by joshwept, licensed CC BY 2.0

Thursday, Jun 09, 2011

You have already opted in to Facebook's facial recognition feature

News that Facebook has rolled out its facial recognition technology to users outside the United States caused considerable consternation. This facial recognition technology is being used to enhance Facebook's photo tagging feature by enabling users to tag friends a couple times in photos and have the software find their friends elsewhere in other photos. According to the post titled "Making Photo Tagging Easier":

Now if you upload pictures from your cousin's wedding, we'll group together pictures of the bride and suggest her name. Instead of typing her name 64 times, all you'll need to do is click "Save" to tag all of your cousin's pictures at once. By making tagging easier than before, you're more likely to know right away when friends post photos. We notify you when you're tagged, and you can untag yourself at any time. As always, only friends can tag each other in photos.

What is this all about?

Facebook commented that this technology works just like "many photo editing tools" like Google's Picasa and Apple's iPhoto, except that these applications run facial recognition software within the application itself, where it is used to tag users in albums. That facial recognition translates into face tags on Facebook when uploaded (in iPhoto's case) or in Picasa Web Albums (in Picasa's case). The Facebook option is a little different because it potentially spans all your friends' albums and is not limited to your own albums, which would be the case in Picasa or iPhoto. The result is facial recognition which has much broader application and which could be applied to photos you simply would not want to be tagged in for various reasons.

As with products like Groups, Facebook elected to opt users in by default, while giving them an opt-out mechanism through their privacy settings (Sophos' Naked Security blog has a great post which explains how to disable this function in your privacy settings). This means that the vast majority of Facebook's 600+ million users will have this function enabled when it is rolled out to them. While most users won't notice or be too concerned about it (a factor which Facebook seems to rely on as implicit assent to these sorts of moves), privacy advocates in both the United States and Europe (where the EU has launched a probe to assess Facebook's compliance with privacy guidelines and laws in the EU) have expressed concern about the apparent opt-out paradigm which Facebook has gone with. This issue is somewhat more complicated than it appears.

Legal issues and considerations

An important question is whether this new functionality would pass muster under South African law? To answer that question we need to consider which laws apply to this sort of thing. The Electronic Communications and Transactions Act contains provisions in Chapter 8 which would have a bearing on Facebook's new photo tagging feature. These provisions include requirements that users consent to collection and use of their personal information as well as certain use and disclosure requirements but compliance with these provisions is voluntary. The Consumer Protection Act has created considerable buzz about consumers' privacy rights but these are in the context of direct marketing which doesn't describe the Facebook photo tagging functions so the Consumer Protection Act may not be very useful here.

We are then forced to go back to the source of our right to privacy in South Africa, namely the Right to Privacy in the Bill of Rights which establishes a general Constitutional right to privacy. The right to privacy has been explored by our courts and is given substance by concepts like the legitimate expectations of privacy (I wrote about this in broad terms in this post). This principle begs the question whether allowing Facebook friends to use facial recognition software to enhance photo tagging would exceed our legitimate expectation of privacy? It's worth bearing in mind that photo tagging has been available for some time now and facial recognition is an enhancement of that feature. Whether users have a legitimate expectation that the association between photos of them and their identities not be made unless they specifically consent to those associations being made takes us to the Facebook privacy policy.

The Facebook contractual framework

I've mentioned before that the "subjective component [of a legitimate expectation of privacy] means that a person can't have an expectation of privacy where that person has consented to have his or her privacy invaded". By making use of Facebook, users necessarily and implicitly agree to the Facebook privacy policy by virtue of the Facebook Statement of Rights and Responsibilities and the Privacy Policy. The Statement of Rights and Responsibilities establishes the requirement for your agreement to the Privacy Policy as a condition for your Facebook use:

Date of Last Revision: October 4, 2010.

Statement of Rights and Responsibilities

This Statement of Rights and Responsibilities ("Statement") derives from the Facebook Principles, and governs our relationship with users and others who interact with Facebook. By using or accessing Facebook, you agree to this Statement.

  1. Privacy

    Your privacy is very important to us. We designed our Privacy Policy to make important disclosures about how you can use Facebook to share with others and how we collect and can use your content and information.  We encourage you to read the Privacy Policy, and to use it to help make informed decisions.
     
  2. Sharing Your Content and Information

    You own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application settings. In addition:
    1. For content that is covered by intellectual property rights, ...
    2. When you delete IP content, ...
    3. When you use an application, your content and information is shared with the application.  We require applications to respect your privacy, and your agreement with that application will control how the application can use, store, and transfer that content and information.  (To learn more about Platform, read our Privacy Policy and Platform Page.)
    4. When you publish content or information using the "everyone" setting, ...
    5. We always appreciate your feedback or other suggestions about Facebook, but you understand that we may use them without any obligation to compensate you for them (just as you have no obligation to offer them).
       

The Privacy Policy gives your consent further substance:
To make suggestions.  We use your information, including the addresses you import through our contact importers, to make suggestions to you and other users on Facebook. For example, if another user imports the same email address as you do, we may suggest that you add each other as friends.  Similarly, if one of your friends uploads a picture of you, we may suggest that your friend tag you in the picture. We do this by comparing your friend’s pictures to information we’ve put together from the photos you’ve been tagged in.  We may also suggest that you use certain tools and features based on what your friends have used.  You can control whether we suggest that another user add you as a friend through your “search for you on Facebook” privacy setting. You can control whether we suggest that another user tag you in a photo by clicking customize from your privacy settings.

In a nutshell, you have already opted in to the new feature on the following basis:

  • You have to agree to Facebook's Statement of Rights and Responsibilities and Privacy Policy as a condition for your Facebook use;
  • Between these two documents, Facebook has created a contractual framework which binds users to its current terms and ongoing amendments;
  • This contractual framework enables the new facial recognition enhanced photo tagging feature and, by virtue of your agreement to this contractual framework, you also consent to this feature subject to your ability to disable the feature in your privacy settings.

The Protection of Personal Information Bill currently includes a requirement that personal information like the association of a name with a face be collected directly from the "data subject" (in this case, the user being identified in the photo) although even this requirement is subject to an exception where the "data subject has consented to the collection of the information from another source". Consenting to other users tagging you in photos would probably be covered by this exception.

What can you do?

Facebook image tagging

So where does this leave you? Well, Facebook has been pretty clear about your ability to change your privacy settings. The Privacy Policy contains this paragraph:

We give you tools to control how your information is shared with applications and websites that use Platform.  For example, you can block all platform applications and websites completely or block specific applications from accessing your information by visiting your Applications and Websites privacy setting or the specific  application’s “About” page.  You can also use your privacy settings to limit which of your information is available to “everyone”.

If you are concerned about the impact this facial recognition function will have on your privacy, take advantage of the controls in your privacy settings and change the defaults. Facebook takes advantage of the broad consents you give it to enable controversial features. It has been doing this for some time and will continue doing so. As users, the best thing you can do is to make use of the privacy settings Facebook makes available to adjust your privacy levels to a level of publicity you are comfortable with.