Conference Explores Solutions for “Realizing the Promise of Trust” Online

St. Louis, MO September 19, 2011 –LashBack, today announced it is a sponsor of The Online Trust Alliance (OTA)’s 6th Annual Online Trust Forum, “Realizing the Promise of Trust”, to be held at the Washington Plaza Hotel, Washington, DC, October 17-19, during National Cyber Security Awareness month. LashBack enables transparency and compliance in email marketing for advertisers, networks, publishers, agencies, esps, and regulators. LashBack services allow companies to monitor their reputation online and gives them insight into how their brand is being used in commercial email. Companies who use LashBack build consumer trust.

“The Online Trust Forum is all about the people and organizations who have stepped up to provide stewardship for today’s online ecosystem,” said Craig Spiezle, Executive Director of the Online Trust Alliance.  “We salute their leadership and support their efforts in mitigating emerging privacy, identity and security threats and enhancing online trust.  Combined these are keys to the vitality of the internet.  We look forward to LashBack’s participation in this year’s Forum.”

“In the interest of helping companies protect their reputation and online brand presence, we are proud supporters of the Online Trust Forum,” said LashBack CEO Brandon Phillips. “Through industry leadership, we hope to build and improve upon the trust consumers have for companies in email and online.”

The only conference dedicated to a 360º perspective of online trust, with the viewpoints of government, business, marketers, and consumers, the 2011 Online Trust Forum provides a unique platform for exploring solutions for protecting consumer trust and online confidence.

Forum attendees will gain valuable insights into ideas and best practices for promoting the vitality of online commerce and consumer trust, hearing multiple perspectives on: enhancing brand reputation, customer loyalty and retention, defending against the onslaught of breaches and hacking incidents, and examining peer-tested strategies and technologies, with proven results for privacy and security.

Additional information

Register for the Online Trust Forum: https://otalliance.org/dc.htmlOnline Trust Leadership Awards: https://otalliance.org/events/2011_Forum/2011Awards.html
Follow the OTA on Twitter: @otalliance

The bill specifies that personal information collected on minors cannot be used or shared with third parties for “targeted marketing purposes”. In addition, it requires companies that collect the info to disclose to consumers what type of personal info is being collected and how it’s being used and shared.

Another part of the bill proposes a “Digital Marketing Bill of Rights for Teens” which would limit data collection including geolocation targeting.  While there are few who would argue against protecting the privacy of minors, one might respectfully question the potential effectiveness or enforceability of this legislation. Here are a few questions that come to mind:

How will marketers prove the age of online users?

It seems simple enough on the surface.  Most lead forms include a ‘Date of Birth’ field already. In this scenario, advertisers could segment the data out based on birth date. However,  I’d venture to guess the average teen/child can get around a check box or a DOB field if they truly want to register or view content. The only way to prevent this is at the user level or browser level on a PC or mobile device. The onus of responsibility is ultimately with parents and how heavily they monitor and restrict their child’s online behavior.

What happens to the data once it is collected?

When a minor appears to register or sign up for an offer, marketers should theoretically refrain from targeting that data or tracking the end user behavior. However, the bill doesn’t state specifics on how to implement this across partnerships.  Email marketers are required to maintain and share suppression files with partners. Data that comes from minors could be automatically suppressed in a similar way.

Of course, storing and sharing PII and user email addresses leaves room for abuse, unless the data is properly hashed or encrypted. Marketers may be able to securely maintain a universal opt-out file containing the encrypted information of minors and scrub their own lists against it. In addition, LashBack suggests seeding partner lists with underage user profiles to ensure compliance.

Would it be sufficient for marketers to add ‘parental permission’ language to an already lengthy privacy policy, or a check box on the lead form?

Arguably, this is the easiest portion of the legislation from an implementation level, as well as an enforcement perspective. It’s also the least effective in terms of real protection.  There have been movements to write privacy policies and terms of service in plain, simple language that end users will understand.

These movements have yet to work because simplifying language leaves room for legal liability. Case in point: the terms of service for Apple iTunes are 56 pages long in an era where few have the attention span to read past Twitter’s 140 characters. Lawyers might read privacy policies. Users don’t.

Can the data be used for targeting on the prospect’s eighteenth birthday?

If marketers maintain do-not-track lists based on age, theoretically,  information gathered would no longer be protected from targeting once the user is eighteen.  At least with email, addresses don’t expire or change based on age. Records would have to expire from a do-not-track list based on DOB.

Does this thing stand any chance of passing?

The bill is still in the discussion phase, as Congress holds hearings on mobile privacy in the coming weeks. Like many legislative attempts to regulate online activity, ‘Do Not Track’ provokes questions, leaves gray areas when it comes to enforcement, and inspires creativity on the part of marketers.

Epsilon took the lead and reported to their advertiser customers on the data breach almost immediately.  It is estimated that about 2% of their 2200 clients were affected. The advertisers followed by openly notifying individuals of the data breach via email. Many of the  notification emails sent by affected companies warn consumers of the potential risk associated with phishing emails and remind them that the respective companies will never ask for login info or account information in an email.

The Consumer Point of View

The real concern for consumers is potential phishing emails disguised as legitimate offers meant to trick them into forking over personal information.  An increase in the amount of spam they receive seemed to be a lesser concern, but an overall fear surrounding personal privacy and identity theft persists.

One ‘industry outsider’ friend, Kyle Jones commented, “I got an email from Best Buy about it. My initial thought was, ‘That sucks…I mean, if the only private information they leaked was my email address then oh well…there is nothing I can do about that.’ We are constantly bombarded with spam daily as it is, so I am almost completely immune to all of it anyway.” Whether we will see a discernible jump in the volume of spam is questionable, but it may be more targeted and effective.

The Advertiser Perspective

It can be argued that both Epsilon and the advertisers who sent proactive notifications to customers did the right thing explaining potential risks, given the circumstances. However, a light has been shone onto how consumer data is shared between email service providers and advertisers. The relationship between branded advertisers and ESPs, often perceived as one and the same by an average customer, still relies on a great deal of trust.  Password protected data is only as safe as the people who have access to the login information.

Companies spend millions of dollars building a brand and the trust of their customers.  It’s up to these companies to regulate and monitor internally how their customer data is stored, accessed and used by their marketing partners and third parties. Phishing attacks are nothing new, but they continue to grow more targeted and sophisticated .  No longer can these large companies sit idly by while they occur, especially as a result of a data breach. They must go the extra mile to gain visibility in how their brand is being used in email.   While you can’t un-ring a bell that’s been rung, you can employ every method possible to protect and educate your customers and protect the integrity of your brand.

Here is a short list of notable companies allegedly affected by the data breach:

AbeBooks
Ameriprise Financial
Barclays Bank
Best Buy
Brookstone
Citibank
Disney Destinations
Hilton Worldwide
JP Morgan Chase
Kroger
Lacoste
Marriott International
McKinsey Quarterly
New York & Company
Robert Half
Target
Tivo
US Bank
Walgreens

The event begins with lunch and networking Speaking panels will discuss and debate Diversification Strategies and Technology Insights, in addition to networking and cocktails. The event is a must-attend for anyone who owns or runs an ad network, or operates on a Cost Per Acquisition basis. Registration is free. REGISTER HERE.

Last year’s Leadership Summit was a great success and valuable both for both learning and networking .  LashBack will sponsor the summit, along with our partners, CPA Detective and LinkTrust. See you there!

As LashBack powers forward in 2011, we’re excited to announce new partnerships and integrations with advertising platforms and ground-breaking new technology providers such as Optizmo Technologies and CPA Detective.  Optizmo is a lightning fast suppression file management solution that provides campaign level stats on opt-outs, user complaint feedback, and brand management tools. CPA Detective is a powerful service for detecting and eliminating lead generation fraud, potentially saving advertisers thousands of dollars per month. By partnering with companies that complement LashBack service offerings, we’re taking the leg work out of searching for ways to protect your marketing investments, while minimizing  the workload on your compliance team. Trust us, we’re better together!

Just as cases of brand hijacking, fraud, incentivized offers, and deception in the edu vertical take center stage on the regulatory scene, LashBack has the tools and partnerships to combat and eliminate these issues. The path to sustainability starts here.

The biggest difference between FISA and CAN-SPAM is FISA requires opt-in consent before marketers can send a CEM.  FISA also accepts circumstances of implied consent, including when the sender has an existing business relationship with the recipient.

While CAN-SPAM requires a company postal address, FISA requires address information along with the identity of the person who is sending the email message.  If the email is being sent on someone’s behalf other than the sender, the name of that person needs to be included.

There are similarities between FISA and CAN-SPAM.  They both require easy and clear unsubscribe mechanisms.  The unsubscribe requests must be honored within ten business days.  Both guidelines  say Marketers cannot use address harvesting or dictionary attacks to generate lists.

As the Federal Trade Commission and Commerce Department recently released reports on the best privacy practices, it is important that the government looks at ways to improve international cooperation.  Creating unified privacy and compliance laws across different countries will create more focused marketing messages and an improve internet user experience.

FISA may not go into effect until September 2011.  For more information on FISA along with an excellent guide on how to become compliant with the new law, head over to Return Path.

The Commerce Department’s Privacy Policy Office would help in enforcing the codes of conduct.  The report says commercial privacy policy “must be able to evolve rapidly to meet a continuing stream of innovations.  A helpful step would be to enlist the expertise and knowledge of the private sector, and to consult existing best practices, in order to create voluntary codes of conduct that promote informed consent and safeguard personal information.”  The report wants to “…streamline industry compliance, and allow businesses to develop a strong, nationwide data management strategy.”

The report did not endorse or criticize the Federal Trade Commission’s “Do Not Track” report issued earlier this month.  Instead, it seeks further comment on how the agency can “best encourage discussion and development of technologies such as “Do Not Track.” The Commerce Department also wants comments on how the privacy principles should be enforced, whether the FTC should be given authority to issue more detailed rules and whether privacy legislation should include the right for consumers to sue over privacy breaches.

The report also calls for improved international cooperation on privacy.  It says, “The process of trying to comply with the different privacy regimes around the world can be time consuming and costly for U.S. businesses.”

It is great to see government agencies acknowledging the need for an Internet privacy leader that can evolve and enforce privacy policies.  As more social networks allow for more connectedness however, we can only hope the FTC’s and Commerce Department’s plans are not too little too late.

The new feature, called Tracking Protection will allow users to create lists of trusted web sites and domains allowed to track their information.  Tracking Protection would then identify and block third parties from collecting and exchanging data through cookies and other tracking mechanisms.  While tracking allows for more personalized, relevant ads, Microsoft is giving consumers a way to block that tracking altogether.

Jon Leibowitz, the FTC chairman was encouraged by Microsoft’s move and said in the NY Times, “Microsoft deserves enormous credit for taking a critical step toward providing consumers with more choice about who can track their online browsing.”

While advertisers will have to rethink their deliverability strategies, privacy experts will have to keep up-to-date Trusted Tracking Protection lists.  Privacy policies are likely to broaden and change, and it is up to Tracking Protection programs and privacy experts to keep their users informed.

This is a step in the right direction and it will be interesting to see how other browsers respond, and if privacy and online advertising can co-exist at all.

Restricting advertisers to track data regarding online searches and other browsing activities could result in an increase of unwanted advertisements and the loss of free content that is paid for by advertising.  Mike Zaneis, Senior Vice President at the Interactive Advertising Bureau said in the  Wall Street Journal article, “Web Privacy ‘Inadequate’” that consumers wouldn’t benefit from turning off tracking because “consumers depend on sharing data… to customize news sites, optimize Web services such as social networks, and provide relevant content and advertising across the Web.”

The report also recommends that companies improve their privacy policies.  Most of these found on the bottom of websites have become far too long and complicated.  Even if consumers do read it, it is not easy to understand or see how it applies to their usage of the website.

A factor that should not be overlooked is consumer education.  While these policies are not legislation yet, the online marketing industry should ensure its consumers are aware of commercial data practices and the choices available to them.

The FTC will accept comments on its proposals through January 31, 2011 and will issue a final version of its report later in 2011.

The US Commerce Department is also planning to release a report containing online privacy recommendations soon.   And it may contain ideas conflicting with what the FTC proposed.  Stay tuned for updates.