By Angelique Carson, CIPP/US

Advances in technology, consumer complaints about privacy violations and regulatory action in 2012 have set the stage for 2013 to be a pivotal year for marketers and the rules that surround their profession.

Inside 1to1: PRIVACY asked four experts to weigh in on the topics marketers should pay attention to in the coming year and how to stay not only compliant with privacy rules but also a part of the conversation on how the rules will be shaped.

Mobile Apps

2013 is going to be the year of mobile, says Jamie Rubin, a partner at InfoLawGroup, LLP. That’s partly because of stirrings by regulators—including California’s Attorney General’s Office and the Federal Trade Commission (FTC)—who see the need for action when it comes to consumer protection and privacy.

California Attorney General Kamala Harris recently let companies know she was serious about enforcement when she tweeted at United Airlines, “Fabulous app, @unitedairlines, but where is your app’s privacy policy?” Harris has since filed a lawsuit against Delta Airlines for failure to post a privacy policy in connection with its mobile app.

Harris has sent letters to hundreds of companies with mobile applications asking similar questions, citing California’s Online Privacy Protection Act requiring all websites that collect information from California residents to post a privacy policy. Letter recipients have been given 30 days to post a policy in response or face enforcement action. Though app developers pushed back arguing the law doesn’t apply to apps, Harris claimed it does and maintained the right to sue over violations.

Rubin says this kind of enforcement is likely to accelerate in 2013.

“To the extent that any number of these companies don’t get their act in order, (Harris) will come down on them, and there are statutory fines included,” Rubin says.

Meanwhile, the FTC is expected to keep close watch on app developers. The commission issued layman’s advice for developers in September and just released a second report on kids and mobile apps. The FTC is not happy with the industry’s compliance efforts, Rubin says. In addition, the FTC is expected to soon release revisions to its “Dot Com Disclosures: Information About Online Advertising” guidance document, an update to its initial guidance in 2000 to reflect changes in technology. The commission sought input on the guidance from May to July.

Rubin says this guidance is highly anticipated because, to date, mobile advertisers have struggled with how to appropriately display privacy notices and advertising disclosures on the small screens of mobile devices. Meanwhile, Rubin says, the attitude at a recent FTC workshop on the matter seemed to be that if a marketer can’t disclose the required messages within such a space, perhaps they shouldn’t advertise in that space at all.

“It’s really kind of an unfortunate message to the marketer. It’s something a number of my clients are trying to get the FTC to understand—that while these offers are nuanced, you’re not going to be able to say everything about an offer in a tweet or on a four-inch screen when a mobile app opens up. But we do want to get on the same page—that there will be a symbol or an agreed-upon link that means to the consumer, ‘Hey, there’s more to know here, don’t take action without reading more,’” Rubin says.

The updated FTC guidance will likely see “people scrambling in 2013,” he adds. “There may or may not be some regulatory action by the FTC surrounding those guidelines. It should make 2013 extremely interesting.”

When it comes to regulation versus self-regulation in the mobile space, a number of companies are moving to follow the Digital Advertising Alliance’s lead and trying to create their own icons to symbolize privacy practices and advertising disclosures. Rubin wonders whether a proliferation of icons from various industry groups for various purposes may cause consumer confusion.

“We’re already seeing what may be an arms race for who will be the main body for establishing these icon-based systems,” he says. “If something catches on, I think we’ll be in good shape. But if we have a thousand different symbols, the FTC will say ‘self-regulation isn’t working,’ so we need to have some level of understanding for what a particular symbol means. Is self-regulation possible here? Absolutely, but I fear for the battle of the icons.”

Other topics marketers should be on the lookout for include concerns surrounding unique device IDs (UDIDs) and the effect COPPA changes will have on mobile apps.


The FTC is expected to finalize its COPPA Rule by the year’s end, according to FTC Chairman Jon Liebowitz. The changes would prevent websites from installing cookies to track children’s web movements for targeted advertising, prevent children under the age of 13 from using social plugins such as “Like” features, and make it harder for operators to obtain verified parental consent, among other provisions.

If the proposed changes go into effect—though many advocates and stakeholders have weighed in against some—marketers serving behavioral ads on websites geared toward children will have to gain verifiable parental consent before serving behavioral ads, which “no one realistically is going to do,” says Shai Samet, CIPP/US, founder and president of Samet Privacy, which operates the kidSAFE Seal Program.

The FTC seems to be concerned most with behavioral advertising involving third-party tracking of children across multiple sites, Samet says, adding that it isn’t yet clear whether the FTC will forbid brands from tracking kids across several of its own sites.

“Many companies would like to believe it means different ‘unrelated’ websites, but the proposed law does not define ‘different,’ so we don’t know that for sure,” Samet says.

Marketers should also be concerned about the provision that would eliminate COPPA’s “e-mail-plus” consent mechanism, he says.

“They’re going to remove the most popular mechanism used today,” Samet says, meaning user-generated contests and the like will require another kind of verifiable parental consent, such as a credit card number, for example, before kids can engage. That’s because the FTC is also proposing to consider photos and videos of children as “personal information.”

“If the changes go through, a lot of the campaigns and activities that kids love are going to be much tougher to implement and scale—which means more kids will end up on Facebook and sites not intended for them. That’s a big area of concern.”

Additionally, the current COPPA proposal would define social plugins on children’s websites as website “operators” because they collect personal data. As such, they would not be permitted to collect data without verifiable parental consent, and the child-directed site would be punishable by “strict liability”—meaning they’d automatically be held directly responsible for a COPPA violation.

While some have voiced concerns that COPPA’s revision expands the scope of those covered under the rule currently, Samet clarifies that this isn’t necessarily true. Rather, the existing version of COPPA applies, as it always has, to online services previously not understood to be covered, such as mobile apps.

“The people who may not realize they are going to be affected most are going to be mobile app developers, particularly small app developers.”

Samet predicts the proposals will be scaled back somewhat before a final rule is handed down but “perhaps not as much as companies are hoping for.” He says marketers should give the FTC feedback as much as possible; be aware of the potential changes; wait to do anything drastic to their websites’ registration procedures until the changes are officially handed down; and assess their current practices by doing a COPPA audit to see if they comply with the existing rules.

EU & Canada

If they aren’t already, it’s going to become imperative for the average marketer to start thinking about data governance in 2013, says Dennis Dayman, CIPP/US, CIPP/IT, chief privacy and security officer for Eloqua. Marketers are no longer solely data collectors and analyzers, Dayman says. Today, marketers must be an integral part of a privacy team who understand technology and, when creating marketing programs, look at data governance and Privacy-by-Design principles.

Marketers should treat the data they collect with the same reverence they would treat their mothers’, he says. That’s both for morality’s sake and because legislators are increasingly on the watch.

“It’s not the same game as 10 or 12 years ago; it’s a completely different game,” Dayman says. “And marketers must be a part of that discussion and not fear privacy and security, but be a part of it. It’s not going to hurt them. It’s not going to add time to marketing campaigns. Once you learn it, it becomes part of your normal day-to-day activities.”

Additionally, Dayman says, if marketers treat data right, regulators might back off a bit.

In order to comply with rules like the cookie directive, marketers should be asking questions of software providers such as, “If I needed to do x, y or z, like get affirmative consent, do you support that?”

“Hopefully the software provider can say, ‘Yes, we can do that, and we have the ability to do it so granularly that we can do it country-by-country, or by user or IP address,’” Dayman says, adding that kind of granular capability will be important because of varying rules from one jurisdiction to another.

Dayman suggests marketers keep on their radar Canada’s anti-spam law, Bill C-28, which will require consumers to give affirmative consent to receive unsolicited e-mails. Businesses may face fines of up to $10 million for violations, while individuals could face fines of up to $1 million. The bill was slated to go into effect at the end of last year but is now expected in early 2013.

Under the bill, entities that had been marketing to individuals in Canada but do not currently have their affirmative consent will have two years to obtain it and come into compliance.

This is sure to be a headache for companies with vast databases, Dayman said.

“You can imagine a marketer that had two million e-mail addresses,” Dayman says. “What we’re telling marketers is, ‘This regulation is gonna happen. Instead of waiting for it to come into effect and then obtaining permission, take the additional time of three or four years, starting now, and attempt to get consent for that individual.’”

For most marketers, though, Dayman says, “If you’ve been doing the right things, you really shouldn’t have to worry about this. I think the only enforcement we’ll see around this, if at all, will be against guys who’ve been egregiously trying to get around regulations.”

In the name of being proactive, Dayman suggests marketers “keep their ears to the tracks and start asking questions. I think a lot of companies with a lot of skin in the game are not playing in the game by either not involving their privacy folks or using coalitions like the Digital Marketing Association and the IAPP to gain recognition to make comments if need be.”

Tracking, targeting, self-regulation

Perhaps the most significant revelation to come to light in 2012 is that privacy is an international issue. That’s according to Fran Maier, founder of TRUSTe, who says that while there’s been “real progress” when it comes to adoption of self-regulatory programs and allowing consumers to opt out of targeted advertising, there isn’t yet international collaboration, and that’s a necessary component.

When it comes to data collection, advertisers need to think about three major steps. First, what they are collecting, from whom and for what purpose?

“That sounds very simple, but it’s really difficult to do,” Maier says, adding there are now services emerging that can help companies to assess their inventory and how their data is used.

Second, once an inventory is completed, companies “better make sure their privacy policy is in concert with that,” she said, and third, the compliance program should be consistent with the privacy policy.

From that point, companies must decide on their international approach.

“One of the questions we get asked all the time is, ‘Do I have one privacy policy or does it depend on brand location?’ And I think answering that question is a very good exercise,” Maier says, adding that having a single, strict policy may mean some business impacts and lack of flexibility, but multiple policies may result in potential confusion on behalf of both the brand and the consumer.

In terms of self-regulation when it comes to behavioral targeting, Maier says she wishes more companies would engage but understands “it’s complicated” and takes time.

“I think we’re still at the stage where many companies are starting to think about the need to implement and are testing their way through,” she says, adding that Europe’s regulation style is motivating compliance in the U.S.

Looking ahead to 2013, companies should also look at their mobile strategies, Maier says. With California’s Harris leading the way on enforcing mobile policies, Maier says companies should be proactive in establishing or reviewing theirs.

