US Private Sector Privacy Telecommp2 PDF

Summary

This document discusses US private sector privacy regulations related to telecommunications, including the CAN-SPAM Act and CPNI requirements. It also touches upon digital advertising regulations, including self-regulatory initiatives and ethical considerations.

Full Transcript

MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 11 – as of 03/11/2024 © IAPP

do not fall under the definition of telephone facsimile machine and therefore cannot be subject to the junk fax lawsuits. 59 Some states have enacted their own laws regulating unsolicited commercial fax transmissions. Notably, California attempted to eliminate the TCPA’s EBR exception with legislation applicable to unsolicited faxes sent to or from a fax machine located within the state. 60 The law, however, was declared unconstitutional when applied to interstate fax transmissions due to the TCPA’s preemption of interstate regulation. 61

11.3 Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003

Along with the rules governing commercial telemarketing and faxes, Congress has created rules for unsolicited commercial electronic mail in the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003. 62 The act applies to anyone who advertises products or services by electronic mail directed to or originating from the United States. The law covers the transmission of commercial email messages whose primary purpose is advertising or promoting a product or service.

CAN-SPAM was never intended to eliminate all unsolicited commercial email, but rather to provide a mechanism for legitimate companies to send emails to prospects and respect individual rights to opt out of unwanted communications. Spam-filtering software is still widely used to screen out as much of the continuing spam as possible. The act nonetheless has fulfilled an important purpose. It has created the rules of the road for how legitimate organizations send emails, including clear identification of the sender and a simple unsubscribe or opt-out.
The CAN-SPAM Act:

- Prohibits false or misleading headers
- Prohibits deceptive subject lines
- Requires commercial emails to contain a functioning, clearly and conspicuously displayed return email address that allows the recipient to contact the sender
- Requires all commercial emails to include clear and conspicuous notice of the opportunity to opt out along with a cost-free mechanism for exercising the opt-out, such as by return email or by clicking on an opt-out link
- Prohibits sending commercial email (following a grace period of 10 business days) to an individual who has asked not to receive future email
- Requires all commercial email to include (1) clear and conspicuous identification that the message is a commercial message (unless the recipient has provided prior affirmative consent to receive the email) and (2) a valid physical postal address of the sender (which can be a post office box)
- Prohibits “aggravated violations” relating to commercial emails, such as (1) address-harvesting and dictionary attacks, (2) the automated creation of multiple email accounts, and (3) the retransmission of commercial email through unauthorized accounts
- Requires all commercial email containing sexually oriented material to include a warning label (unless the recipient has provided prior affirmative consent to receive the email)

NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class.

CAN-SPAM is enforced primarily by the FTC and carries penalties of fines of up to $42,530 per violation. 63 In addition, deceptive commercial email is subject to laws banning false or misleading advertising. The FTC has the authority to issue regulations implementing the CAN-SPAM Act and did so in 2008 to clarify a number of statutory definitions.
64 CAN-SPAM distinguishes commercial email messages from “transactional or relationship messages,” which are messages whose primary purpose is to:

- Facilitate or confirm an agreed-upon commercial transaction
- Provide warranty or safety information about a product purchased or used by the recipient
- Provide certain information regarding an ongoing commercial relationship
- Provide information related to employment or a related benefit plan
- Deliver goods or services to which the recipient is entitled under the terms of an agreed-upon transaction

CAN-SPAM contains a number of requirements generally applicable to the sender of a commercial email message. A sender is anyone who initiates an email message and whose product or service is advertised or promoted by the message. More than one person may be deemed to have initiated a message. The FTC issued a regulation in 2008 clarifying that the entity identified in the “from” line can generally be considered the single sender as long as there is compliance with the other provisions of CAN-SPAM. 65 The 2008 regulation also provides additional detail on (1) a prohibition on having the email recipient pay a fee to opt out, (2) the definition of “valid physical postal address,” and (3) the application of the term person to apply beyond natural persons.

CAN-SPAM grants enforcement authority to the FTC and other federal regulators, along with state attorneys general and other state officials. Internet service providers that have been adversely affected by a violation may sue violators for injunctive relief and monetary damages. Unlike some state spam laws that are now preempted, the act does not provide for a right of action for other parties. For those authorized to sue, the act provides for injunctive relief and damages up to $250 per violation, with a maximum award of $2 million.
The act further provides that a court may increase a damage award up to three times the amount otherwise available in cases of willful or aggravated violations. Certain egregious conduct is punishable by up to five years’ imprisonment. In an example from 2009, a federal judge shut down a company called 3FN based on the FTC’s allegations that it had knowingly distributed spam and malware as well as hosted illegal content, such as child pornography. 66

CAN-SPAM preempts most state laws that restrict email communications, although state spam laws are not superseded by CAN-SPAM to the extent such laws prohibit false or deceptive activity.

11.3.1 Wireless Message Rules Under CAN-SPAM

In addition to the email rules discussed above, the FCC has issued rules implementing the CAN-SPAM Act with regard to mobile service commercial messages (MSCMs), including many commercial text messages.

The CAN-SPAM Act defines an MSCM as “a commercial electronic mail message that is transmitted directly to a wireless device that is utilized by a subscriber of a commercial mobile service.” The message must have (or utilize) a unique electronic address that includes “a reference to an Internet domain.” The FCC also notes in its commentary that the rule is designed to apply only to mail addresses designed by carriers for mobile services messaging. Importantly, the FCC’s rules cover messages sent using SMS technology, but do not cover phone-to-phone messages. 67

The FCC rule defers to the FTC rules and interpretation regarding the definitions of “commercial” and “transactional” (with respect to the mail messages) as well as the mechanisms for determining the “primary purpose” of messages.
Accordingly, the FCC rule must be analyzed in the context of the FTC regulatory framework for the CAN-SPAM Act.

11.3.2 Express Prior Authorization

The CAN-SPAM Act prohibits senders from sending any mobile service commercial messages (MSCMs) without the subscriber’s “express prior authorization.” Express prior authorization must be obtained for each MSCM, regardless of sender or industry. The FCC requirements are quite detailed, and can be summarized as follows: 68

“Express prior authorization” must be “express,” meaning that the consumer has taken an affirmative action to give the authorization. Authorization may not be obtained in the form of a negative option. If the authorization is obtained via a website, the consumer must take an affirmative action, such as checking a box or hitting a button.

The authorization must also be given prior to the sending of any MSCMs. There is no provision to grandfather existing authorizations that senders may have obtained. Because of the disclosure requirements in these authorizations, the FCC notes that senders who claim they have obtained authorization prior to the effective date of these rules will not be in compliance unless they can demonstrate that these existing authorizations have met each of the requirements in the rule.

Consumers must not bear any cost with respect to the authorization or revocation processes.

Each authorization must include certain required disclosures stating that:
° The subscriber is agreeing to receive MSCMs sent to their wireless device from a particular (identified) sender
° The subscriber may be charged by their wireless provider in connection with the receipt of such messages
° The subscriber may revoke the authorization at any time

These disclosures must be clearly legible and in sufficiently large type (or volume, if given via audio). They must be presented in a manner that is readily apparent to the consumer.
These disclosures must be separate from any other authorizations contained in another document. Additionally, if any portion of the authorization/disclosure is translated into another language, then all portions must be translated into that language.

As noted above, the authorization must be specific to the sender and must clearly identify the entity that is being authorized to send the MSCMs. The FCC rule prohibits any sender from sending MSCMs on behalf of other third parties, including affiliates and marketing partners. Each entity must obtain separate express prior authorizations for the messages it sends.

Authorization may be obtained in any format, oral or written, including electronic. Although writing is not required, the FCC requires that each sender of MSCMs must document the authorization and be able to demonstrate that a valid authorization (meeting all the other requirements) existed prior to sending the commercial message. The commentary notes that the burden of proof rests with the sender.

With regard to revocations, senders must enable consumers to revoke authorizations using the same means the consumers used to grant authorizations. (For example, if a consumer authorizes MSCMs electronically, the company must permit the consumer to revoke the authorization electronically.) Additionally, the MSCMs themselves must include functioning return email addresses or another internet-based mechanism that is clearly and conspicuously displayed for the purpose of receiving opt-out requests. 69 The FCC rule maintains the CAN-SPAM–mandated 10-business-day grace period following a revoked authorization, after which messages cannot be sent.
70

11.3.3 The Wireless Domain Registry

To help senders of commercial messages determine whether those messages might be MSCMs (rather than regular commercial email), the FCC has created a registry of wireless domain names (available on the FCC website). 71 It is updated on a periodic basis, as new domains are added. Senders are responsible for obtaining this list and ensuring that the appropriate authorizations exist before sending commercial messages to addresses within the domains. In other words, the requirements listed above will apply to messages sent to any address whose domain name is included on the wireless domain name list. 72

With regard to the domain name list, all commercial mobile radio service providers are required under the rule to identify all electronic mail domain names that are dedicated for use by subscribers for wireless devices. The providers are also responsible for updating information on the domain name list to the FCC within 30 days before issuing any new or modified domain names.

11.4 The Telecommunications Act of 1996

The chapter thus far has examined marketing rules for telecommunications channels such as telephones, faxes, emails and texts. The discussion now turns to rules affecting the telecommunications companies themselves in connection with personal information.

The Telecommunications Act of 1996 was a major piece of legislation that reshaped numerous aspects of telecommunications markets. 73 Section 222 of the act governs the privacy of customer information provided to and obtained by telecommunications carriers. Prior to the act, carriers were permitted to sell customer data to third-party marketers without consumer consent. The statute imposed new restrictions on the access, use and disclosure of customer proprietary network information (CPNI).

11.4.1 CPNI Requirements

CPNI is information collected by telecommunications carriers related to their subscribers. This includes subscription information, services used, and network and billing information as well as phone features and capabilities. It also includes call log data such as time, date, destination and duration of calls. Certain personal information such as name, telephone number, and address is not considered CPNI.

The act imposes requirements on carriers to limit access, use and disclosure of CPNI. Specifically, carriers can use and disclose CPNI only with customer approval or “as required by law.” 74 Carriers do not need approval, however, to use, disclose, or provide marketing offerings among service categories to which customers already subscribe. Carriers can also use CPNI for billing and collections, fraud prevention, customer service, and emergency services.

11.4.2 Opt-In and Opt-out Rules for CPNI

The rules concerning opt-in and opt-out for use of CPNI have shifted over time. In 1998, the FCC issued a rule requiring carriers to obtain express consent from customers before using CPNI, even for the carriers’ own marketing purposes. This rule was struck down in 1999 in U.S. West, Inc. v. Federal Communications Commission. 75 In that case, the Tenth Circuit found that the opt-in requirement violated the First Amendment speech rights of the carriers. Thus, the standard shifted to an opt-out system for carriers’ own use of CPNI. In 2002, the FCC issued final rules requiring carriers to obtain express consent before CPNI could be shared with third parties, but allowed sharing of CPNI with joint venture or independent contractors unless customers opted out within 30 days of being notified.
In 2007, the FCC issued new CPNI regulations governing carriers’ use and sharing of CPNI. 76 The 2007 CPNI order requires customers to expressly consent, or opt in, before carriers can share their CPNI with joint venture partners and independent contractors for marketing purposes.

The 2007 CPNI order imposes requirements aimed at curbing pretexting, or gaining access to CPNI through fraudulent means. First, carriers must notify law enforcement when CPNI is disclosed in a security breach within seven business days of that breach. Second, customers must provide a password before they can access their CPNI via telephone or online account services.

The order also establishes carrier CPNI compliance requirements. Carriers must certify their compliance with these laws annually, explain how their systems ensure compliance and provide an annual summary of consumer complaints related to unauthorized disclosure of CPNI.

11.4.3 Entities Subject to CPNI Requirements

The CPNI requirements apply to telecommunications carriers and voice-over-internet protocol (VoIP) providers that are interconnected with telephone service. 77 As of the writing of this book, the FCC does not regulate streaming video companies, referred to as over-the-top providers (OTT), when the content is provided over the internet or to mobile devices. 78

As discussed in more detail below, the CPNI requirements historically did not apply to broadband internet service providers (ISPs). In 2016, the FCC issued a detailed regulation that was designed to regulate privacy for customers of broadband ISPs. This regulation was repealed under the Trump administration and new FCC leadership, and ISPs today are subject to the general CPNI requirements of Section 222.
11.5 The Cable Communications Policy Act of 1984

The Cable Communications Policy Act of 1984 regulates the notice a cable television provider must furnish to customers, the ability of cable providers to collect personal information, the ability of cable providers to disseminate personal information and the retention and destruction of personal information by cable television providers. 79 It also provides a private right of action for violations of the aforementioned provisions and allows for actual or statutory damages, punitive damages, and reasonable attorneys’ fees and court costs. 80 The act does not regulate the provision of broadband internet services via cable because the act defines a “cable service” as “one-way transmission to subscribers of... video programming or... other programming service, and... subscriber interaction, if any, which is required for the selection or use of such video programming or other programming service.” 81

At the time of entering into an agreement to provide cable services, and on an annual basis thereafter, cable service providers are required to give subscribers a privacy notice that “clearly and conspicuously” informs subscribers of (1) the nature of the personal information collected, (2) how such information will be used, (3) the retention period of such information, and (4) the manner by which a subscriber can access and correct such information. 82 The act further states that a cable TV service provider may only collect personal information that is necessary to render cable services or to detect the unauthorized reception of cable services. 83

The act limits cable service providers’ right to disseminate personal information without the “written or electronic consent” of the subscriber, unless the disclosure is subject to a specified exception. 84 A number of exceptions to this provision do exist.
Specifically, disclosures may be made (1) to the extent necessary to render services or conduct other legitimate business activities, (2) subject to a court order with notice to the subscriber, or (3) if the disclosure is limited to names and addresses and the subscriber is given an option to opt out. 85 Although the act does not specify a schedule for data retention or destruction, it does mandate that personal information be destroyed when it is no longer needed for the purpose for which it was collected and there are no pending requests for access. 86

The provision allowing for disclosures of personal information subject to a court order with notice to the subscriber had been read as creating tension with the Electronic Communications Privacy Act of 1986 (ECPA), which allows such disclosures without notice to the consumer, as notice may negatively impact an ongoing investigation. 87 Courts have resolved this tension in favor of ECPA, due to its later enactment. 88

11.6 The Video Privacy Protection Act of 1988

The Video Privacy Protection Act of 1988 (VPPA) was passed in response to the disclosure and publication of then-Supreme Court nominee Robert Bork’s video rental records. 89 Although the records revealed that Judge Bork watched innocuous films, the disclosure was considered a gross invasion of his privacy. 90

The act applies to “video tape service providers,” who are defined as anyone “engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials” as well as individuals who receive personal information in the ordinary course of a videotape service provider’s business or for marketing purposes.
91 Videotape service providers are prohibited from disclosing customer personal information unless an enumerated exception applies. 92 Exceptions are provided for instances in which the disclosure (1) is made to the consumer themselves; (2) is made subject to the contemporaneous written consent of the consumer; (3) is made to law enforcement pursuant to a warrant, subpoena or other court order; (4) includes only the names and addresses of consumers; (5) includes only names, addresses and subject matter descriptions and the disclosure is used only for the marketing of goods or services to the consumers; (6) is for order fulfillment, request processing, transfer of ownership, or debt collection; or (7) is pursuant to a court order in a civil proceeding and the consumer is granted a right to object. 93

The act requires that personal information be destroyed “as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected and there are no pending requests or orders for access to such information.” 94

The act affords a private right of action for violations and allows for actual or statutory damages, punitive damages, and reasonable attorney’s fees and court costs. 95 Statutory damages are set at $2,500. 96 There has been active class-action litigation under the VPPA, and several cases, including those against Blockbuster, Netflix and Redbox, suggest that the private right of action extends only to disclosure-related violations and not violations based merely on improper retention. 97 Additionally, the VPPA does not preempt more protective state laws, which may give rise to stricter penalties. 98

Significant changes to the landscape of video delivery have occurred since the law was enacted in 1988.
Netflix, which was founded nearly a decade after the enactment of the VPPA, sought to amend the law in 2011 to address the concept of social media integration for users—a prime example of which was a Facebook feature that would allow Netflix users to share their movie-viewing information with social media friends. 99 To address this concern, Congress adopted the Video Privacy Protection Act Amendments Act of 2012 that allowed for one-time consumer consent that was valid for up to two years, replacing the contemporaneity requirement. 100 Despite this amendment, numerous federal courts have held that the disclosure of an individual’s online streaming history along with personal information can be viewed as a potential violation of VPPA. 101

Companies continue to call for a more comprehensive overhaul of the law to address changes in technology—such as social media and streaming video. 102 Privacy professionals should be alert to possible legislative change in this area.

11.8 Digital Advertising

As discussed in Chapter 5, digital advertising, which is composed of desktop/laptop, mobile, and connected TV advertising, is an integral part of marketing. 103 By 2025, spending on all digital advertising in the United States is expected to exceed $300 billion—with approximately three-fourths of all advertising spending on digital advertising compared with less than one-fourth of all spending on print and television advertising. 104 In 2022, the estimated spending on mobile advertisement was approximately $170 billion — which accounts for about seventy percent of digital advertising spending.
105 The discussion here focuses on three areas: (1) state laws concerning digital advertising, (2) self-regulatory codes for digital advertising, and (3) digital advertising ethics. Chapter 3 describes the technical side of the digital advertising ecosystem in more detail.

11.8.1 State Laws Concerning Digital Advertising

For decades, states have adopted a variety of laws related to restrictions on digital advertising. The specific topics of these laws vary from protections for consumers who did not want to receive ads to protections for consumers who did not want to be tracked for advertising purposes to protections related to children being targeted for digital advertising. This section examines both state laws that have a specific focus concerning digital advertising and state comprehensive laws that encompass regulation of digital advertising.

11.8.1.1 State Specific Laws Related to Digital Advertising

As there are numerous state laws with restrictions related to digital advertising, this review focuses on two examples of these laws from California – as this state has often been a leader in enacting consumer protection.

In 2003, California passed the California Online Privacy Protection Act (CalOPPA) - the first law in the nation to require operators of commercial websites, including mobile apps, to “conspicuously post” a privacy policy if they collect personally identifiable information (PII) from those living in California. In 2013, the law was amended to require privacy policies to include information on how the operator responds to Do Not Track signals or similar mechanisms. The law also requires privacy policies to state whether third parties can collect PII about the site’s users. 106

In 2022, California became the first state in the U.S. to enact a law to adopt age-appropriate design requirements - the California Age-Appropriate Design Code Act.
The law requires online platforms to consider the “best interest” of child users and to set defaults to protect these users’ privacy. 107 The law prohibits behaviors such as using a child’s personal information in a manner that is detrimental to the child. Also, the law prohibits a company from collecting, sharing, or selling a child’s location by default. 108

11.8.1.2 State Comprehensive Privacy Laws Impact on Regulation of Digital Advertising

As of the writing of this chapter in January 2023, five states in the U.S. – California, Colorado, Connecticut, Utah, and Virginia – have adopted laws that comprehensively address the regulation of personal data. This section examines the implications of these laws for digital advertising, again focusing on California’s approach as it was the first state to adopt such a law. The discussion here focuses on digital advertising aspects of the state laws. In Chapter 6, state comprehensive privacy laws are examined in detail.

For these state laws, an initial consideration is whether a company involved in digital advertising is regulated by these state comprehensive laws. Because the definition of a business may be quite broad in at least some of the state laws, companies that are involved in the collection of data about consumers or that benefit from such collection may need to consult an attorney to determine if they are subject to a particular state comprehensive privacy law. For example, California has passed both the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), which expands and modifies the CCPA. Under the California framework, one of the determining factors for a company being covered under the law is whether it collects personal information on California residents or whether such collection is undertaken on behalf of the company. The California framework also looks at whether the company meets a minimum annual gross revenue, uses the personal information of a minimum number of consumers, or derives at least half of its annual revenue from selling or sharing consumers’ personal information. 109

A next step for determining the impact of these laws on covered companies that engage in digital advertising is to assess the types of practices related to personal data that are regulated. The California framework, for example, protects a broad category of network activity information that is defined to include browsing histories and search histories. In addition, the California framework regulates inferences drawn from personal information used to create profiles. The California framework also restricts cross-device behavioral advertising, defined as targeting of advertising based on the consumer’s information obtained across websites, services, or applications. 110

11.8.2 Self-Regulation for Digital Advertising

Realizing the privacy concerns raised by the tracking associated with digital advertising, many companies involved in desktop/laptop advertising and mobile advertising have voluntarily agreed to be bound by self-regulatory principles. Two prominent examples are the Digital Advertising Alliance (DAA) Self-Regulatory Principles for Online Behavioral Advertising and the Network Advertising Initiative (NAI) Code of Conduct.
111 The DAA is a nonprofit organization that collaborates with businesses, public policy groups and public officials to establish and enforce “responsible privacy practices across industry for relevant digital advertising, providing consumers with enhanced transparency and control.” The self-regulatory principles include guidelines for interest-based advertising in the desktop/laptop environment and the mobile environment as well as for cross-device use of data. An important feature of these principles and related self-regulatory initiatives from the DAA is the consumer management of opt-outs. 112

The NAI is a nonprofit self-regulatory association comprised exclusively of third-party digital advertising companies. The NAI Code of Conduct is a list of self-regulatory principles that all NAI members agree to uphold. The Code requires notice and choice with respect to interest-based advertising, limits on the types of data that member companies can use for advertising purposes, and a number of substantive restrictions on member companies’ collection, use, and transfer of data used for online behavioral advertising. 113

Both sets of principles have enforcement mechanisms. For DAA’s Self-Regulatory Principles, the Council of Better Business Bureaus and the Direct Marketing Association provide independent oversight and enforcement. 114 The NAI’s Code of Conduct is enforced by its board, and sanctions may include revocation of membership and referral of matters to the FTC. 115

For the wide range of industries engaging in digital advertising, the DAA and NAI requirements can be an important area for careful compliance attention—for companies that have agreed to such codes, a violation is considered an “unfair and deceptive” practice that can lead to FTC and state attorney general enforcement actions.

It is important to note that companies also choose to constrain their practices in response to public sentiment. One prominent example centers on third-party cookies.
116 In 2020, Apple blocked all third-party cookies from their browser. 117 In 2021, Google also announced it planned to phase out third-party cookies in the near future. 118

11.8.3 Digital Advertising Ethics

As discussed in more detail in Chapter 4, the issue of ethics can play a significant role in how a company chooses to act in regard to potentially controversial practices related to digital advertising. Because ethics can be thought of as a set of principles that govern a company’s behavior, compliance with legal requirements is a starting point in discussions of how a company should act. The next step in ethical decision making, which often involves the company’s CPO, is how such a company should act when many advertising practices, at least in the U.S., are legal but may not be advisable for companies.

11.8.3.1 Overview

Ethical advertising focuses on honesty, accuracy, and fairness in the content of the messaging, the advertising environments that are chosen for the placement of the advertising, and the potential for bias in analysis related to ads. 119 According to Edelman’s Trust Barometer, ethics are more important in creating consumers’ trust of a company than competence. 120 Because trust of a company is linked to purchase decisions, each company has a financial incentive to engage in ethical advertising practices. 121 The Institute for Advertising Ethics (IAE) encourages the use of ethical principles to build a more trusted digital marketplace.
122 Principles include:

- “Advertising, public relations, and all marketing communications professionals have an obligation to exercise the highest personal ethics in the creation and dissemination of commercial information to consumers.”
- “Advertisers should treat consumers fairly based on the nature of the audience to whom the ads are directed, and the nature of the product or service advertised.”
- “Advertisers should never compromise consumers’ personal privacy in marketing communications, and their choices as to whether to participate in providing their information should be transparent and easily made.”

As discussed above, numerous industry groups have enacted Codes of Conduct that focus on operationalizing practices and behaviors associated with ethical concerns in digital advertising. 123

11.8.3.2 Areas of Concern

With regard to the ethics of digital advertising, much concern has been raised regarding targeting of digital advertising: how are consumers targeted, why are they targeted, and what groups should be excluded from targeting. Effective targeting of online ads either at certain groups or particular individuals inherently involves collecting data from these people that will later be used to tailor the placement of advertising. Targeting is central to several specific areas of concern for digital advertising: the use of online behavioral advertising; the manipulation of consumers by “dark patterns”; and advertising directed at children.
11.8.3.2.1 Online Behavioral Advertising

There have been persistent criticisms of online behavioral advertising, which is “advertising that is targeted at individuals based on the observation of their behavior over time.” 124 Shoshana Zuboff, for instance, criticizes such advertising for being part of what she calls “Surveillance Capitalism.” 125 The tailoring of the advertising to the individual person is accomplished by tracking the person across the Internet, compiling a profile on the individual, and then using that profile to target advertising. In many instances, consumers are not aware of the tracking that occurs from website to website. In addition, consumers typically have no access to the profiles created about them and no ability to correct inaccuracies in these profiles. 126

Ethical questions for behavioral advertising focus primarily on whether data should be collected for advertising directed at individuals and how data should be used. Particularly, should companies engage in advertising practices that track users’ online activities, often without the consumer’s knowledge, and then target ads specifically to that person based on categories such as gender, age, political beliefs, sexual orientation, and medical conditions?

11.8.3.2.2 Dark Patterns

Dark patterns are defined as “practices that trick or manipulate users into making choices they would not have made and that may cause harm.” 127 For digital advertising, dark patterns may include advertising content that appears to be independent or impartial, such as resembling a news story, or manipulative tactics that appeal to a particular demographic. 128

Ethical questions for dark patterns focus on how data should be used.
One issue is how companies should consider targeting ads at certain groups to encourage or discourage certain behaviors. For example, should a company discourage certain groups from voting? Should a certain group be encouraged to engage in higher-risk behaviors (using tobacco-related products or gambling)?

11.8.3.2.3 Advertising Directed at Children

Ethical concerns exist concerning targeting ads to children who by their very nature are not developmentally mature. 129 In his 2022 State of the Union Address, President Biden stated that the U.S. should “ban targeted advertising to children.” 130 Ethical questions focus on whether there are groups of people, such as children, who should not have data collected for advertising and should not be targeted with ads. Age variations within the broad category of children can impact a company’s decision. Ages 6-12 are often viewed as distinct from ages 13-18.

11.9 Conclusion

This chapter examined the legal rules that apply to important channels for marketing by telephone, fax, text and commercial email. It then considered the rules governing how telecommunications companies can use personal information generated in the course of communications activities. Along with the VPPA, special statutes or proposals have long applied to telephone and cable companies, and more recently to broadband internet providers, based on their potential access to individuals’ detailed communication and viewing information. Current law places significant limits on how these infrastructure companies can use and disclose personal information that flows through their systems. The chapter ends by discussing topics of digital advertising.

1 Chapter 13 examines rules for government access to the communications, under wiretap and other statutes, that provide lawful access for the government to that data, subject to search warrants and other restrictions.
2 Restatement of the Law, Second, Torts, § 652B, https://cyber.law.harvard.edu/privacy/Privacy_R2d_Torts_Sections.htm (accessed November 2017).
3 Restatement of the Law, Second, Torts, § 652B.
