Information Security & Identity Theft
Anti-virus software, firewalls, employee training, and plain common sense can go a long way to protect your customer database and to protect consumers from loss and identity theft. But if you leave the door open, allowing personally identifiable information to be stolen or altered, you have not done your job as a privacy and security officer. And, you have compromised the trust between you and your customer. Lose that trust, and consumers will deny you the information you need to build a good marketing relationship. There could be legal ramifications as well.
- Do we have a written security plan that addresses all areas of our operations?
- Do we have policies appropriate to our size and complexity, our activities, and the sensitivity of the customer information we handle?
- Do we continually review our policies and practices, and have outside specialists review our security system, perform risk assessments and audits, and help with compliance?
- Do we have a resolution system for disputes arising from security breaches or alleged misuse of personally identifiable information?
- Do we have a full-time, designated team to develop and implement information security throughout our organization?
- Do they have the resources and support they need to do the job right?
- Do they have effective and up-to-date training tools?
- Do they conduct regular security audits and response exercises?
- Do we keep records of information access and regularly monitor those records for unusual activity?
- Do we make sure all employees are aware of the penalties for security breaches?
- Do we define our security needs and use technology that meets those needs, point by point, specification by specification?
- Do we include layers of complementary solutions to prevent and detect unauthorized use of information systems?
- Do we have a backup system in place to recover lost data and ensure uninterrupted continuity of information security?
- Do we have a system for shredding both paper and electronic data before dumping?
Inform Data Suppliers and Business Partners of their Responsibilities to Meet Your Security Specifications
- Do we inform business partners of their responsibilities to meet specific security standards?
- Do we ask potential business partners about their security practices before we share any information?
- Do we consider security ramifications before sharing data with business partners?
Identity theft is a growing problem for consumers and businesses alike. As marketers, we have a responsibility to protect the personal data we collect against unauthorized or illegal use. Although the information used to commit fraud and identity theft is often stolen directly from the consumer (not from marketers), marketers can assist consumers by educating them on how to prevent and correct harm caused by identity theft.
Awareness is one of the most powerful tools in the fight against identity theft, and that’s where you can play an important role: The more your customers know how to protect their identities and what to do if a problem occurs, the harder it is for identity thieves to commit their crimes.
Do What You Do Best!
The Direct Marketing Association is calling on all of our members to partner with us in this important public education effort.
As direct marketers, you already have a wealth of channels for reaching out to current and potential customers. We want you to do what you do best: get this relevant and important message to people who need to hear it.
The people you reach will have a better understanding of how identity thieves work, how to reduce their risk of identity theft, and what to do if they suspect a problem. They will appreciate your leadership and assistance.
Additional Resources for DMA Members
This customizable guide, prepared by the DMA Committee on the Environment and Social Responsibility (CESR), can be used by call/contact centers to address consumer questions about suspicious emails, e-commerce shopping cart concerns and suspect websites. It also has a section devoted to script guides for use in the event of an actual identity theft situation, so that you can give your customers accurate, timely information to help protect themselves. A preamble for managers of customer service representatives sets the stage for dealing with customers in such a charged, confusing atmosphere.
Please review this guide closely, and share it with internal stakeholders including your own customer service and communications staffs and legal counsel. Feel free to adapt it for optimal internal use in your organization.
- Call Script Guide (pdf, Word)
- Consumer Alert/Checklist on Phishing to Accompany Call Script Guide (pdf)
- Consumer Alert/Checklist on Pharming to Accompany Call Script Guide (pdf)
DMA International Safe Harbor Program for Businesses
For DMA Members Only
Please note that the DMA Safe Harbor Program is only available to DMA members. Please check to make sure that your company is a DMA member before applying for membership in the DMA Safe Harbor Program. If you would like to join DMA or have questions regarding membership then please contact us.
The DMA Releases its International Safe Harbor Report for 2013
The DMA has posted the International Safe Harbor Report for 2013.
The report covers the DMA Safe Harbor Program from January 2012 – August 2013, including:
- Number of participants in the DMA Safe Harbor Program,
- Complaint overview and statistics,
- Federal Trade Commission’s enforcement, and
- DMA actions regarding potential changes to the safe harbor framework.
Under the US-EU and US-Swiss Safe Harbor Frameworks, American companies must self-certify with the US Department of Commerce that they adhere to the seven core safe harbor principles and FAQs surrounding data collection, protection, choice, security and enforcement. Under this self-certification process, American companies that self-certify must also select a third-party dispute resolution mechanism to serve as a mediator regarding data privacy complaints that qualify under these frameworks. Members can choose to select DMA as their safe harbor dispute resolution mechanism.
The DMA Safe Harbor Program serves 62 participating member companies. This year 12 new companies joined our safe harbor program. To learn more & join, please email Lisa Shosteck at firstname.lastname@example.org.
In order to avoid potential disruptions in trade between the United States and the EU, the US Department of Commerce in consultation with the European Commission and the industry developed the safe harbor framework. This framework allows US companies a means of assuring European consumers that they will provide an adequate level of privacy protection, thereby satisfying the “adequacy” requirement of the European Directive on Data Protection.
US companies that wish to continue to receive personal information from the EU and who choose not to enter the Safe Harbor must find some other means to assure European authorities that such protection will be available through contractual terms, or the transfer of information must fall within one or more of the following exceptions:
1. The data subject has given his/her consent unambiguously to the proposed transfer,
2. The transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of precontractual measures taken in response to the data subject’s request,
3. The transfer is necessary for the conclusion or for the performance of a contract concluded in the interest of the data subject between the controller and a third party,
4. The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defense of legal claims,
5. The transfer is necessary in order to protect the vital interests of the data subject, or
6. The transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.
The US Department of Commerce has entered into a Safe Harbor framework with Switzerland. If your organization transfers data from Switzerland to the US and you would like it to be covered under the Safe Harbor framework then you would need to review the US-Swiss Safe Harbor principles and FAQs posted on the US Department of Commerce’s website at www.export.gov/safeharbor. It is important to note that the US-Swiss safe harbor principles are based on the US-EU safe harbor principles.
What are the key elements of the US-EU Safe Harbor Framework and the US-Swiss Safe Harbor Framework?
Participation by companies in either the US-EU or the US-Swiss safe harbor framework is completely voluntary. However, if your company decides to take advantage of the safe harbor framework, then you must:
- Comply with the seven safe harbor principles (notice, choice, onward transfer, access, security, data integrity and enforcement);
- Review the 15 frequently asked questions prepared by the U.S. Department of Commerce;
- Certify to the US Department of Commerce that you have implemented and comply with the safe harbor principles;
- Have in-house and third-party dispute and enforcement mechanisms in place to ensure your compliance; and
- Continue to adhere to the safe harbor principles for data collected while participating in the framework, even if your company decides to leave the framework at a later date. This information must always be protected by the safe harbor principles even if your company decides to no longer participate in the program.
It is important to note that the DMA Safe Harbor Program does not cover issues relating to the transfer of human resources data. However, the transfer of such data does fall under the safe harbor framework. For further clarification, please refer to the Department of Commerce’s FAQ #9 at export.gov/safeharbor.
By adhering to the core principles of: notice, choice, onward transfer, access, security, data integrity and enforcement, your company is indicating that you place great value on data privacy protection and will make every effort to respect Europeans’ and/or Swiss’ requests regarding use of their personal information.
By adhering to the following principles as developed by the Department of Commerce and European Commission and the Department of Commerce and the Federal Data Protection and Information Commission of Switzerland, you will stand out in the marketplace as one of the trusted organizations that promises to meet the requirements of the safe harbor framework.
These safe harbor principles pertain to the personal information that your company transfers from the EU and/or Switzerland to the US. Personal information is defined as information that directly identifies an individual – name, address, telephone number and similar identifying information.
SAFE HARBOR PRINCIPLES
1. NOTICE
You must clearly inform customers in a timely manner about what information you are collecting, why you are collecting it, who you are forwarding it to, how its use can be limited and how the customer can contact you for additional information;
- Be easy to find, easy to read and easy to understand;
- Be provided to your customers at the time you collect the personal information or as soon thereafter as practicable – in any case, before you use the personal information for a purpose other than that for which it was originally collected or before you disclose it to a third party;
- Specify the types of information being collected;
- Specify the purposes and uses of information collection;
- Specify the types of third parties to which you are disclosing the information you collect;
- Provide the choices and means available to the customer to limit the use and disclosure of information; and
- Provide your company contact information for customer inquiries.
2. CHOICE
You must honor customers’ requests to opt-out of certain information uses and exchanges and opt-in if sensitive information is being used. You must provide customers with the ability to opt-out of certain information uses and exchanges. Where the information is sensitive, you must obtain opt-in consent. These choices should be clear and conspicuous, readily available and affordable.
Your company must offer customers the ability to opt-out of your disclosing their information to a third-party or using their information for a purpose incompatible with that for which it was originally collected.
In addition, the DMA Safe Harbor Program requires that your company accept and maintain consumer requests to be placed on your in-house suppression file to stop receiving solicitations from your company. The DMA also recommends that your company utilize European Preference Service Systems to update your list. If you need assistance in locating the appropriate European system, please feel free to contact DMA staff.
It is important to note that for “sensitive” information, consumers must be given the explicit ability to opt-in before you disclose that information to a third-party or use that information for a purpose different from that for which it was originally collected. You may not use or transfer this information unless the individuals have given affirmative or explicit “opt-in” choice.
Sensitive information includes personal information regarding a medical or health condition, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or sexual lifestyle. There are limited exceptions to the opt-in requirement. For further clarification, please refer to the Department of Commerce’s FAQ #1 at export.gov/safeharbor.
3. ONWARD TRANSFER
You must ensure that if information is disclosed to agents or subcontractors that they will agree to abide by the safe harbor principles. You should only transfer data to third parties consistent with the notice and choices you have given the consumers. Any agents of yours who handle or process your data, such as your service bureaus, must themselves either be subject to the EU Directive or be members of the safe harbor, or they must agree in writing to be bound by these principles. In all events, you must document your agreement with them as to their treatment of data.
4. ACCESS
You must provide customers the ability to access the personal information being maintained by the company and the ability to correct it where it is inaccurate (based on a sliding scale principle – the obligation to provide access to information increases where its use is more likely to significantly affect the individual). You must provide customers the ability to access the personal information being maintained by the company. This access should be provided to the individual unless there would be: (1) a disproportionate effort on the part of the company relative to the potential risk to the individual’s privacy, (2) the rights of others would be violated, or (3) the request by the individual is clearly vexatious or repetitious. Companies can meet this requirement by providing customers with a copy of the personal information that is being maintained about them or by addressing the individual’s concerns through the company’s customer service department. You do not have to give customers access to your database.
In addition, customers must be given the ability to correct, amend or delete their personal information if it is inaccurate. A reasonable fee can be charged to the individual for accessing information.
In general, expense and burden can be considered in providing access to personal information. However, access to certain information that is used to grant or deny a significant benefit or service must always be provided regardless of the expense and burden. The following are examples of important benefits: insurance, grants, mortgages, loans, college admission, employment applications and similar benefits or services.
Companies denying access to information citing disproportionate effort or cost should be in a position to substantiate their decision.
5. SECURITY
Take reasonable care in protecting the information you collect from loss, misuse, unauthorized access, disclosure, alteration and destruction. Your company should make every effort to use appropriate security measures to protect the information you collect from loss, misuse, unauthorized access, disclosure, alteration and destruction. Such measures should ensure an appropriate level of security given the nature of the data processed.
6. DATA INTEGRITY
Ensure that the customer’s personal information is reliable, accurate, complete, current and used for intended purposes. Your company should not process data that are not relevant to the purpose for which they were collected. Your company is responsible for ensuring that the customer’s personal information is reliable, accurate, complete, current and used for intended purposes. You should not use the information in a way that is incompatible with the purpose for which it was collected, unless subsequently authorized by the consumer.
7. ENFORCEMENT
Take reasonable steps to ensure that any consumer privacy concern will be addressed by: (1) referring consumers to your customer service department or other in-house dispute resolution program; (2) subscribing to a third-party dispute resolution mechanism to address any unresolved in-house consumer data privacy complaints. (The DMA is pleased to offer members this service.); and (3) having appropriate monitoring, verification and remedy procedures in place. The Safe Harbor Principles require companies to:
1. Refer consumers to their customer service department or other in-house dispute resolution program;
2. Subscribe to a readily available and affordable independent third-party dispute resolution mechanism – The DMA is pleased to serve as your third-party dispute resolution mechanism to address unresolved in-house consumer data privacy complaints. (For a complete description regarding the DMA’s process for handling complaints and serving as your independent enforcement mechanism, please refer to The DMA Safe Harbor Program Complaint Procedure fact sheet on our web site at: www.dmaresponsibility.org/SafeHarbor.);
In addition, your company should consider offering consumer education packages in languages which reflect your European and/or Swiss customer markets.
- Are you a United States organization that receives or processes personally identifiable information directly from Europe and/or Switzerland?
- Are you a United States organization that gets these data indirectly from Europe and/or Switzerland?
- Are you a subsidiary or affiliated company that processes this information here in the United States? (The safe harbor framework covers personal information that is collected on-line or off-line and filed manually or electronically.)
- Do your company’s business practices fall under the jurisdiction of the Federal Trade Commission?
- Do your company’s business practices fall under the jurisdiction of the US Department of Transportation (e.g., air carriers, travel agents, airlines)?
If your company meets any one condition from each of these categories, then you should consider joining the safe harbor.
- Serve as your third-party dispute and enforcement mechanism. European and/or Swiss consumers, companies and governments can be assured that your company will adhere to the third-party dispute and enforcement requirements of the safe harbor framework. This will solidify Europeans’ and/or Swiss’ trust and confidence in your organization. (For a complete description regarding the DMA’s process for handling complaints and serving as your independent enforcement mechanism, please refer to the DMA Safe Harbor Program Complaint Procedure fact sheet on our web site at: www.dmaresponsibility.org/SafeHarbor.)
- Provide technical assistance and educational materials to assist you throughout the process for meeting the safe harbor requirements. The DMA stands ready to assist your company in:
- meeting the US Department of Commerce’s registration requirements for safe harbor
- serving as your independent third-party dispute resolution mechanism, and
- addressing any other questions or concerns your company has regarding the safe harbor process.
- Provide a DMA Safe Harbor Program mark. This mark will provide consumers with an easily recognizable symbol that signifies and distinguishes your organization as being in compliance with the safe harbor enforcement principle.
THE DMA SAFE HARBOR PROGRAM THIRD PARTY DISPUTE RESOLUTION MECHANISM
The major component of DMA’s Safe Harbor Program is to provide businesses seeking to certify under the US-EU and/or US-Swiss Safe Harbor Framework with an independent third party dispute mechanism that complies with the Safe Harbor enforcement requirements.
The Safe Harbor requires that the dispute resolution mechanism be readily available to consumers, affordable, and be able to ensure compliance with the Safe Harbor privacy protections. The DMA’s Safe Harbor Program adheres to the belief that an independent dispute resolution mechanism should:
- provide a fair and unbiased redress of the consumer’s concerns;
- be visible so that consumers with concerns know where to turn for resolution of their problem;
- be accessible so that there are no barriers to the filing of a complaint, whether they be financial or otherwise;
- provide resolution in a timely manner;
- provide finality for the consumer by reaching an independent determination of the dispute in a fair and timely manner; and
- provide enforceability of the final conclusions in the determination of the consumer’s dispute.
To provide a mechanism that is fair, the DMA has created a Safe Harbor Program Committee that is comprised of respected experts from the direct marketing industry, and recognized consumer representatives. The Committee will have the power to hear both sides of a dispute, and provide a final determination. When businesses join the DMA’s Safe Harbor Program, they will be required to sign a Contract whereby they agree to abide by the decisions of the Committee. They will also be notified in the contract that the Committee will have the authority to issue certain sanctions as a result of their decision. The sanctions available to the Committee include, but are not limited to:
- Correction of actions found not to be in compliance with the Safe Harbor Principles, the EU Directives, or the Safe Harbor FAQ’s.
- Correction or deletion of inaccurate personal information.
- Reimbursement of actual, direct monetary damages incurred by the consumer.
- Removal from the DMA Safe Harbor Program and revocation of the company’s ability to display the DMA Safe Harbor Mark.
- Public notification of the decision and action taken by the Committee.
- Notification to the Department of Commerce of the Committee’s decision and a request for removal from the Safe Harbor Certification List due to failure to comply with the Safe Harbor Principles.
- Referral of the matter to the Federal Trade Commission or other appropriate governmental agency for enforcement action.
The lynchpin to any dispute resolution mechanism is that it be impartial. One way to assure impartiality is to assure openness of the results of the program by publishing the outcomes of the cases on a regular basis, and for DMA staff to be constantly vigilant that the results are fair and legal.
To assure accessibility, there will be no cost to the consumer, and businesses will be required to notify consumers of the availability of DMA’s Safe Harbor Program in an open and conspicuous manner and prominently display the DMA Safe Harbor Program Mark. The program will provide consumers an easy method to bring their disputes before the Committee. It is the goal of the Program to obtain a determination of all cases in a quick and timely manner, but in no case longer than 60 days.
THE DMA SAFE HARBOR PROGRAM COMPLAINT PROCEDURES
1. When a complaint is received, staff will verify that the complaint involves matters over which the DMA Safe Harbor Program Committee has jurisdiction.
2. Staff will verify that the business’ in-house complaint handling system has had a reasonable opportunity to address the consumer’s complaint.
3. Staff will write a letter to the business requesting that the complaint be reviewed and that a response be provided within 10 days.
4. After checking with the consumer, if the complaint has been resolved, the matter will be closed out. If the matter is still in dispute, the complaint (all written materials from both the consumer and the business) will be presented to the Committee for a determination (Initial Decision) on the matter. The meeting will take place by telephone conference call, unless the Committee decides that another meeting form is more appropriate.
5. A conference call will be set up for the Committee to review the case and make an Initial Decision. The Committee can either find no violation of the Safe Harbor Principles and close out the case, or find that a violation(s) of the Principles have occurred, and set a remedy that the Committee determines is appropriate.
6. The business and the consumer will be notified by letter of the Initial Decision of the Committee. Within ten (10) days of their notification, either the consumer or the business can request a Further Consideration Hearing before the Committee. The request must state the reason(s) why the Further Consideration Hearing is being requested. If no request by either party has been made within 10 days, then the Initial Decision automatically becomes the Final Decision. The case will be followed-up by staff to verify adherence to the remedies stated in the Committee’s decision.
7. If the matter is appealed within 10 days by either party, a Further Consideration Hearing will be set-up for the Committee by telephone conference call at a mutually agreed upon time for all the parties. Both the consumer and the business may submit any further informational materials for the Committee’s consideration, and both may take part in the Hearing via telephone conference call. After the Hearing, a Final Decision on the case will be made by the Committee. The consumer and the business will be notified by letter of the Committee’s Final Decision. Staff will provide any necessary follow-up to verify adherence to the Committee’s Final Decision.
8. The cost of the conference call will be the responsibility of the DMA. The DMA will provide a telephone language translation service at no cost to the consumer, if requested.
This panel of experts provides advice and direction in the development of The DMA Safe Harbor Program.
International Privacy Attorney
FEVAD (Federation des Entreprises de Vente a Distance)
This committee is responsible for reviewing data privacy complaints between European and/or Swiss consumers and participants in the DMA Safe Harbor Program. The committee represents a wide variety of consumer and business expertise.
Jennifer Barrett Glasgow
Global Privacy and Public Policy Executive
Vice President Privacy/ISP Relations, CIPP
Jane M. King
VP, Epsilon Targeting
DMA Environmental Resource Center
Part of responsible marketing is to ensure environmental sustainability. The DMA believes in fostering environmental stewardship across marketing channels. Our tools include:
- Recommending DMA’s green goals for continuous improvement
- “Green 15” toolkit
- “Recycle Please” campaign
- Environmental planning tool and policy generator
This website is specifically dedicated to highlighting all the activity around Green initiatives, Green campaigns, and other Green resources.
The Green 15 Toolkit
This public recognition program asks direct marketers and suppliers to pledge to take certain steps to improve their eco-footprints.
How “green” is your organization? More and more, that question is being asked by customers, donors, business partners and policymakers. From the largest company to the smallest, environmental responsibility is a key business concern – affecting your reputation, your daily operations, your efficiency and your bottom line.
For our individual member organizations, and for the direct marketing sector as a whole, DMA recognizes that making environmentally responsible decisions is increasingly important from a social, economic, and ethical perspective. Legal concerns are present as well. Policymakers are considering proposals that would regulate direct marketing, and direct mail in particular, with some advocates citing environmental concerns in their support for such regulation.
To underscore our commitment to help marketers understand and apply environmental considerations throughout the direct marketing processes, we have created an innovative environmental action program that includes new member encouragements and requirements, educational initiatives, and tools to help you communicate with customers and business partners about your environmental commitments.
Recycle Please Campaign
DMA’s “Recycle Please” campaign is a nationwide public education campaign that asks DMA members to display prominently the “Recycle Please” logo in their catalogs and direct mail pieces to encourage consumers to recycle them after reading them.
Through this campaign, DMA intends to overcome the lack of public awareness that catalogs and mixed paper can be recycled, and consequently, improve the overall recycling/recovery rate of used catalogs and direct mail in the US.
Environmental Planning Tool and Optional Policy & Vision Statement Generator
This practical and easy-to-apply tool was created by DMA’s Committee on Environment and Social Responsibility (CESR) for you, the members of the direct marketing community. It is intended to be used by your organization to:
- Assist in conducting an internal evaluation of environmental practices that affect aspects of your marketing process.
- Help you attain Direct Marketing Association “Green 15” environmental performance compliance.
- Generate an environmental vision statement or policy for your organization to consider and adopt.
EVALUATION OF ENVIRONMENTAL PRACTICES
The planning tool provides you with a list of ideas and strategies to consider when developing internal environmental goals and/or policies. It empowers you to create and/or evaluate your internal policies and goals for continual environmental improvement, in balance with financial performance. Using the tool, you can consider your current practices and the environmental impact of your organization.
The tool is flexible. You may choose to focus on single areas in which to make improvement, set goals and build from there; or you may take a more comprehensive approach. At a minimum, the tool is designed to be educational. Using it gives you both a greater awareness of the breadth and complexity of environmental issues facing direct marketers and the means for addressing them in a practical, feasible manner.
ENVIRONMENTAL VISION STATEMENT OR POLICY
All responsible environmental stewards should develop internal environmental vision statements, goals, and/or policies. This tool makes it easy to do. Its “generator” function enables you to create and print your own statement or policy in draft form, which you can tailor to your company based on your indicated choices. You can even “personalize” it for your company further by using the “My Comments” box at the bottom of each section.
Be sure to check with counsel to understand any legal or ethical obligations prior to making your environmental policy or statement public. And please know that citations of third-party forest certification systems, and other programs and organizations within this tool do not constitute the DMA’s endorsement or sponsorship of these programs.
DMA is committed to Consumer Choice.
DMA does not sell consumer lists to marketers. DMA is a nonprofit trade association that helps consumers through our website dmachoice.org, a service for consumers who are seeking help in removing their names from marketing lists to reduce the amount of unwanted mail they receive in their mailbox. Learn more basic information about this site.
You may also send a $1 processing fee with the name and address you seek to remove to:
Direct Marketing Association
P.O. Box 643
Carmel, NY 10512
- This should prevent further unwanted mail from our members. You can submit names of the deceased, or if you are serving as a caretaker, you can reduce their unwanted mail by going to the site.
- For online ads, if you are seeking to reduce the online ads you are seeing, you can opt out of online behaviorally targeted advertising by going to youradchoices.com. This will ensure you no longer receive those types of ads, but you will receive other mass-generated ads that are sent generally online and do not go to a specific individual or computer device (examples are dating ads for a particular geography or political ads during election campaigns).
- Learn about Online Behavioral Advertising
- Manage Your Email Preferences
- Manage Your Mail Preferences
- Learn About the Do-Not-Call-Registry
As a consumer, if you believe that a member of DMA has employed a questionable marketing promotion or practice, please file an online complaint. Our committee will review your complaint and contact you if follow-up information is needed before referral of the case to the Committee on Ethical Business Practice.
If you seek to file a complaint about a marketing offer or fundraising solicitation, you may file a complaint by clicking here:
File a General Ethics Complaint
If you seek to file a complaint about an unwanted online ad that you believe has been sent as an online behavioral ad, you can click here:
File an Online Behavioral Advertising (OBA) Ethics Complaint
Direct Marketing Association
Corporate & Social Responsibility (CSR) Department
1615 L St. NW
Washington, DC 20036-5624
DMA’s Resource Center for Consumers
For DMA Members Only
Please note that generating Privacy Policies is only available to DMA members. If you would like to join DMA or have questions regarding membership then please contact us.
Online Behavioral Advertising (OBA)
Learn more about OBA in our section: Self Regulatory Program for Online Behavioral Advertising (OBA)
Learn more about Children’s Online Privacy in our section: Children’s Online Privacy Protection Rule (COPPA) [PDF]
Learn more about Financial Data Privacy in our section: Gramm-Leach-Bliley Act of 2000
Learn more about Health Insurance Portability and Accountability Act (HIPAA) in our section: Privacy Provisions of HIPAA
Digital Advertising Alliance’s (DAA) Self-Regulatory Program for Online Behavioral Advertising:
Ethics & Compliance
DMA has, for decades, been a leader in establishing comprehensive self-regulatory guidelines for its members on all facets of direct marketing. In our experience, self-regulatory guidelines are the most effective way to address ongoing changes in technology, changes in markets, and new business practices. They provide members with generally accepted principles of conduct, prevent unnecessary regulation, and are flexible and adaptable.
Our goal is to keep all direct channels open, safe and productive for business and consumers, helping the DMA to advance and protect responsible data-driven marketing.
As part of its mission to advance and protect responsible data-driven marketing, the DMA requires its members to follow best practices and ethical business guidelines for marketing across channels to build trust in the marketing process. DMA guidelines are provided in this section for your review. Compliance tools and guidelines are developed by the DMA’s Ethics Policy Committee and its membership to ensure the latest in best practices are addressed. DMA’s Ethics Operating Committee reviews consumer complaints regarding marketing and issues its case findings in the annual case report. See reports section below.
DMA staff may be reached via email@example.com for questions or concerns.
DMA Guidelines on Ethical Business Practice [PDF]
File a General Ethics Complaint
File an Online Behavioral Advertising (OBA) Ethics Complaint
Become a Compliance Officer for your Organization
Comprised of 17 executives from DMA member organizations, the Ethics Operating Committee examines promotions and practices that may violate DMA’s self-regulatory Guidelines for Ethical Business Practice. The Committee works with both member and non-member companies to gain voluntary cooperation in adhering to the guidelines and to increase good business practices for direct marketers. Although cooperation with the Committees is voluntary, it is in everyone’s best interest to work together to ensure that high standards are maintained and consumer confidence in direct marketing is enhanced.
The DMA Guidelines for Ethical Business Practice have been applied to hundreds of direct marketing cases concerning deception, unfair business practices, personal information protection, and other ethics issues. In order to educate marketing professionals on acceptable marketing practices, a case report is regularly issued which summarizes questioned direct marketing promotions and how cases were administered. The report also is used to educate regulators and others interested in consumer protection issues about DMA’s self-regulatory guidelines and how they are implemented.
The Ethics Operating Committee is also responsible, along with the Ethics Policy Committee, for reviewing and revising The DMA Guidelines for Ethical Business Practice as necessary to keep the guidelines timely, specific, and meaningful in relation to DMA’s stated broad corporate responsibility objectives.
Case Handling Procedures/Confidentiality Policy
The DMA Corporate Responsibility team and Ethics Operating Committee receive promotions for review in a number of ways: from consumers, member companies, non-members, or, sometimes, consumer protection agencies. The Committee reviews most of the matters that are received by the DMA concerning possible violations of the ethics guidelines; however, it is not possible for the Committee to review all complaints or inquiries received. The most important criteria for accepting cases to be reviewed include the following: the magnitude of the promotion or practice brought to DMA’s attention; the possible damage or economic harm to consumers; a pattern of complaints received by the DMA; and complaints that are the subject of media and/or government attention. Complaints referred to the Committee are reviewed against the Guidelines for Ethical Business Practice and if a majority of Committee members believe there is a potential violation, the company is contacted. Most companies work with the Committees to cease or change the questioned practice. Case proceedings are kept strictly confidential. However, if a member company does not cooperate and the Committees believe there are ongoing guidelines violations, the Committees can recommend that action be taken by the Board of Directors and can make case results public. Board action could include censure, suspension or expulsion from membership, and the Board may also make its actions public. If a non-member or a member company does not cooperate with the Committees and the Committees believe violations of law may also have occurred, referral of the case is generally made to federal and/or state law enforcement authorities for their review; such referral may be made public.
General Online Ads:
Advertising seeks to target the right products to the right audience, and makes possible low- or no-cost content and services. Most online ads aren’t matched to you as an individual, but to data categories — such as demographics, interest groups, or location. The web sites you visit work with online advertising companies to provide you with advertising that is as relevant and useful as possible, and the ads are placed according to these criteria.
Interest-Based Online Ads: What is online behavioral advertising?
Online behavioral advertising — which is also sometimes called “interest-based advertising” — uses information collected across multiple web sites that you visit in order to predict your preferences and to show you ads that are most likely to be of interest to you. Many companies engaged in OBA will indicate their adherence to ethical best practices for OBA by providing an Advertising Icon to indicate their participation in the self-regulatory program and should be responsive to your concerns and choice requests. The Icon will also be labeled — Ad Choices.
The self-regulatory program requires the participants to:
- Provide you with consumer control over whether data is collected and used or transferred to third parties for OBA purposes through use of a consumer choice mechanism that you can use to opt out of such activity by the organization. Were you able to opt out easily?
- Obtain your consent before a material change is made to its practices regarding OBA data collection and use policies, limiting the collection of sensitive data. What is the policy stated by the company regarding use of sensitive data (such as health, financial information)?
If you have not already done so, please visit aboutads.info to learn more about OBA, compliance principles and the opt-out choices you can make for OBA ads.
To submit a potential case for Committee review, complete the form below. Be sure to provide a copy of the promotion, an example or description of the practice that is of concern. We will review the issues you have raised to determine if your concerns warrant a formal ethics investigation. In some cases, the issues can be resolved without Committee action.
We will not be able to review a matter without supporting documentation in hard copy or via email proof (see bottom of page for mailing address and contact information).
Thank you for your assistance with this important self-regulatory program for online behavioral advertising! Please Note: If, after review, the Committee believes there are potential violations of the Guidelines for Ethical Business Practice specific to Online Behavioral Advertising, the organization will be contacted and asked to revise or discontinue the promotion and/or practice. The case handling process is confidential. Names of companies under review are not released publicly unless the issues are not resolved, or DMA’s records become the subject of legal process.
DMA handles complaints about member and non-member marketers. DMA’s Committee on Ethical Business Practice compares marketer practices to DMA’s ethics guidelines and asks companies to come into compliance.
- Members who don’t comply with the requests of the Committee face public DMA Board censure, suspension or expulsion.
- Non-members that do not cooperate are referred to law enforcement agencies and their cases are publicized.
Reports on Ethics Committee Findings [PDFs]
Complete the form and designate the appropriate individual(s) at your company to serve as our key contact(s).
Companies/Organizations Not In Compliance with DMA Requirements
- Bankers Healthcare Group, Inc. (non-member)
- Hearing Health Associates (non-member)
- Intercontinental Capital Group (non-member)
- National Publication Billing Services (non-member)
- Republican National Committee (non-member)
- Resource Stock Advisor (non-member)
- Union Workers Credit Services (non-member)
- SRC Lists, North Miami Beach, FL, removed from membership
Direct Marketing Association
Corporate & Social Responsibility (CSR) Department
1615 L St. NW
Washington, DC 20036-5624