By Angelique Carson, CIPP/US

Advances in technology, consumer complaints about privacy violations and regulatory action in 2012 have set the stage for 2013 to be a pivotal year for marketers and the rules that surround their profession.

Inside 1to1: PRIVACY asked four experts to weigh in on the topics marketers should pay attention to in the coming year and how to stay not only compliant with privacy rules but also a part of the conversation on how the rules will be shaped.

Mobile Apps

2013 is going to be the year of mobile, says Jamie Rubin, a partner at InfoLawGroup, LLP. That’s partly because of stirrings by regulators—including California’s Attorney General’s Office and the Federal Trade Commission (FTC)—who see the need for action when it comes to consumer protection and privacy.

California Attorney General Kamala Harris recently let companies know she was serious about enforcement when she tweeted at United Airlines, “Fabulous app, @unitedairlines, but where is your app’s privacy policy?” Harris has since filed a lawsuit against Delta Airlines for failure to post a privacy policy in connection with its mobile app.

Harris has sent letters to hundreds of companies with mobile applications asking similar questions, citing California’s Online Privacy Protection Act requiring all websites that collect information from California residents to post a privacy policy. Letter recipients have been given 30 days to post a policy in response or face enforcement action. Though app developers pushed back arguing the law doesn’t apply to apps, Harris claimed it does and maintained the right to sue over violations.

Rubin says this kind of enforcement is likely to accelerate in 2013.

“To the extent that any number of these companies don’t get their act in order, (Harris) will come down on them, and there are statutory fines included,” Rubin says.

Meanwhile, the FTC is expected to keep close watch on app developers. The commission issued layman’s advice for developers in September and just released a second report on kids and mobile apps. The FTC is not happy with the industry’s compliance efforts, Rubin sys. In addition, the FTC and is expected to soon release revisions to its “Dot Com Disclosures: Information About Online Advertising” guidance document, an update to its initial guidance in 2000 to reflect changes in technology. The commission sought input on the guidance from May to July.

Rubin says this guidance is highly anticipated because, to date, mobile advertisers have struggled with how to appropriately display privacy notices and advertising disclosures on the small screens of mobile devices. Meanwhile, Rubin says, the attitude at a recent FTC workshop on the matter seemed to be that if a marketer can’t disclose the required messages within such a space, perhaps they shouldn’t advertise in that space at all.

“It’s really kind of an unfortunate message to the marketer. It’s something a number of my clients are trying to get the FTC to understand—that while these offers are nuanced, you’re not going to able to say everything about an offer in a tweet or on a four-inch screen when a mobile app opens up. But we do want to get on the same page—that there will be a symbol or an agreed-upon link that means to the consumer, ‘Hey, there’s more to know here, don’t take action without reading more,’” Rubin says.

The updated FTC guidance will likely see “people scrambling in 2013,” he adds. “There may or may not be some regulatory action by the FTC surrounding those guidelines. It should make 2013 extremely interesting.”

When it comes to regulation versus self-regulation in the mobile space, a number of companies are moving to follow the Digital Advertising Alliance’s lead and trying to create their own icons to symbolize privacy practices and advertising disclosures. Rubin wonders whether a proliferation of icons from various industry groups for various purposes may cause consumer confusion.

“We’re already seeing what may be an arms race for who will be the main body for establishing these icon-based systems,” he says. “If something catches on, I think we’ll be in good shape. But if we have a thousand different symbols, the FTC will say ‘self-regulation isn’t working,’ so we need to have some level of understanding for what a particular symbol means. Is self-regulation possible here? Absolutely, but I fear for the battle of the icons.”

Other topics marketers should be on the lookout for include concerns surrounding unique device IDs (UDIDs) and the effect COPPA changes will have on mobile apps.

COPPA

The FTC is expected to finalize its COPPA Rule by the year’s end, according to FTC Chairman Jon Liebowitz. The changes would prevent websites from installing cookies to track children’s web movements for targeted advertising, prevent children under the age of 13 from using social plugins such as “Like” features, and make it harder for operators to obtain verified parental consent, among other provisions.

If the proposed changes go into effect— though many advocates and stakeholders have weighed in against some—marketers serving behavioral ads on websites geared toward children will have to gain verifiable parental consent before serving behavioral ads, which “no one realistically is going to do,” says Shai Samet, CIPP/US, founder and president of Samet Privacy, which operates the kidSAFE Seal Program.

The FTC seems to be concerned most with behavioral advertising involving third-party tracking of children across multiple sites, Samet says, adding that it isn’t yet clear whether the FTC will forbid brands from tracking kids across several of its own sites.

“Many companies would like to believe it means different ‘unrelated’ websites, but the proposed law does not define ‘different,’ so we don’t know that for sure,” Samet says.

Marketers should also be concerned about the provision that would eliminate COPPA’s “e-mail-plus” consent mechanism, he says.

“They’re going to remove the most popular mechanism used today,” Samet says, meaning user-generated contests and the like will require another kind of verifiable parental consent, such as a credit card number, for example, before kids can engage.  That’s because the FTC is also proposing to consider photos and videos of children as “personal information.”

“If the changes go through, a lot of the campaigns and activities that kids love are going to be much tougher to implement and scale—which means more kids will end up on Facebook and sites not intended for them.  That’s a big area of concern.”

Additionally, the current COPPA proposal would define social plugins on children’s websites as website “operators” because they collect personal data. As such, they would not be permitted to collect data without verifiable parental consent, and the child-directed site would be punishable by “strict liability”—meaning they’d automatically be held directly responsible for a COPPA violation.

While some have voiced concerns that COPPA’s revision expands the scope of those covered under the rule currently, Samet clarifies that this isn’t necessarily true. Rather, the existing version of COPPA applies, as it always has, to online services previously not understood to be covered, such as mobile apps.

“The people who may not realize they are going to be affected most are going to be mobile app developers, particularly small app developers.”

Samet predicts the proposals will be scaled back somewhat before a final rule is handed down but “perhaps not as much as companies are hoping for.” He says marketers should give the FTC feedback as much as possible; be aware of the potential changes; wait to do anything drastic to their websites’ registration procedures until the changes are officially handed down, and assess their current practices by doing a COPPA audit to see if they comply with the existing rules.

EU & Canada

If they aren’t already, it’s going to become imperative for the average marketer to start thinking about data governance in 2013, says Dennis Dayman, CIPP/US, CIPP/IT, chief privacy and security officer for Eloqua. Marketers are no longer solely data collectors and analyzers, Dayman says. Today, marketers must be an integral part of a privacy team who understand technology and, when creating marketing programs, look at data governance and Privacy-by-Design principles.

Marketers should treat the data they collect with the same reverence they would treat their mothers’, he says. That’s both for morality’s sake and because legislators are increasingly on the watch.

“It’s not the same game as 10 or 12 years ago; it’s a completely different game,” Dayman says. “And marketers must be a part of that discussion and not fear privacy and security, but be a part of it. It’s not going to hurt them. It’s not going to add time to marketing campaigns. Once you learn it, it becomes part of your normal day-to-day activities.”

Additionally, Dayman says, if marketers treat data right, regulators might back off a bit.

In order to comply with rules like the cookie directive, marketers should be asking questions of software providers such as, “If I needed to do x, y or z, like get affirmative consent, do you support that?”

“Hopefully the software provider can say, ‘Yes, we can do that, and we have the ability to do it so granularly that we can do it country-by-country, or by user or IP address,’” Dayman says, adding that kind of granular capability will be important because of varying rules from one jurisdiction to another.

Dayman suggests marketers keep on their radar Canada’s anti-spam law, Bill C-28, which will require consumers to give affirmative consent to receive unsolicited e-mails. Businesses may face fines of up to $10 million for violations, while individuals could face fines of up to $1 million. The bill was slated to go into effect at the end of last year but is now expected in early 2013.

Under the bill, entities that had been marketing to individuals in Canada but do not currently have their affirmative consent will have two years to obtain it and come into compliance.

This is sure to be a headache for companies with vast databases, Dayman said.

“You can imagine a marketer that had two million e-mail addresses,” Dayman says. “What we’re telling marketers is, ‘This regulation is gonna happen. Instead of waiting for it to come into effect and then obtaining permission, take the additional time of three or four years, starting now, and attempt to get consent for that individual.’”

For most marketers, though, Dayman says, “If you’ve been doing the right things, you really shouldn’t have to worry about this. I think the only enforcement we’ll see around this, if at all, will be against guys who’ve been egregiously trying to get around regulations.”

In the name of being proactive, Dayman suggests marketers “keep their ears to the tracks and start asking questions. I think a lot of companies with a lot of skin in the game are not playing in the game by either not involving their privacy folks or using coalitions like the Digital Marketing Association and the IAPP to gain recognition to make comments if need be.”

Tracking, targeting, self-regulation

Perhaps the most significant revelation to come to light in 2012 is that privacy is an international issue. That’s according to Fran Maier, founder of TRUSTe, who says that while there’s been “real progress” when it comes to adoption of self-regulatory programs and allowing consumers to opt out of targeted advertising, there isn’t yet international collaboration, and that’s a necessary component.

When it comes to data collection, advertisers need to think about three major steps. First, what they are collecting, from whom and for what purpose?

“That sounds very simple, but it’s really difficult to do,” Maier says, adding there are now services emerging that can help companies to assess their inventory and how their data is used.

Second, once an inventory is completed, companies “better make sure their privacy policy is in concert with that,” she said, and third, the compliance program should be consistent with the privacy policy.

From that point, companies must decide on their international approach.

“One of the questions we get asked all the time is, ‘Do I have one privacy policy or does it depend on brand location?’ And I think answering that question is a very good exercise,” Maier says, adding that having a single, strict policy may mean some business impacts and lack of flexibility, but multiple policies may result in potential confusion on behalf of both the brand and the consumer.

In terms of self-regulation when it comes to behavioral targeting, Maier says she wishes more companies would engage but understands “it’s complicated” and takes time.

“I think we’re still at the stage where many companies are starting to think about the need to implement and are testing their way through,” she says, adding, Europe’s regulation style is motivating compliance in the U.S.

Looking ahead to 2013, companies should also look at their mobile strategies, Maier says. With California’s Harris leading the way on enforcing mobile policies, Maier says companies should be proactive in establishing or reviewing theirs.