Entities should operate in accordance with applicable laws and regulations, including those of the Consumer Financial Protection Bureau, the Federal Communications Commission, the Federal Reserve Board, the Federal Trade Commission, and other applicable federal, state, and local laws governing advertising, Marketing practices, and the transaction of business. Transfers of Personally Identifiable Data should not be permitted for any Marketing that is in violation of any of DMA’s Guidelines or state or federal laws. In addition, where applicable, entities should comply with self-regulatory codes related to DMA’s mission and adopted by DMA, such as the codes developed by the Digital Advertising Alliance (“DAA”), of which DMA is a member organization.
In General. Where applicable, entities should comply with the Health Insurance Portability and Accountability Act (“HIPAA”). In addition:
- Data Gathered Outside the Individual-Covered Entity Relationship. Individually identifiable health-related data volunteered by individuals, and gathered outside of the relationship between individuals and covered entities (a health plan, or a health care clearinghouse, or a health care provider), should be considered sensitive and personal in nature. Such data should not be collected, maintained, used, allowed access to, and/or transferred for Marketing unless those individuals receive, at the time the data is collected, a clear notice of the entity’s intended uses of the data, whether the data will be transferred to third parties for further use, the name of the collecting entity, and the opportunity to opt out of transfer of the data. Such data includes, but is not limited to, data volunteered by individuals when responding to surveys and questionnaires. The notice should be easy to find, read, and understand.
- Inferred Data. Individually identifiable health-related determinations inferred about individuals, gathered outside of the relationship between individuals and covered entities, should be treated as sensitive. Entities that use or transfer such health-related determinations should provide notice of such practice and an opportunity to exercise choice with respect to such use or transfer.
- Appearance and Nature of Solicitations. The text, appearance, and nature of solicitations directed to individuals on the basis of their health-related data should take into account the sensitive nature of such data.
- Fundraising. Entities are allowed to use or disclose to a business entity or institution or institutionally-related foundation limited protected health data (demographics and dates of care) about an individual for that entity’s fundraising without a prior written authorization. However, the fundraising entity must ensure its fundraising material includes an opt-out notice that is clear and conspicuous, and if it is over the phone, an opt-out disclosure must be made. If the individual opts out, no more fundraising communications across all Marketing channels may be made.
Opt-Out Notice:
- The opt-out notice must be included in each fundraising communication.
- The opt-out method must be free.
- The entity cannot condition the treatment or services on an individual’s choice to receive fundraising communication.
Aggregate Data. Nothing in these Standards is meant to prohibit research, Marketing, or other uses of health-related data which are not personally identifiable, and which are used in the aggregate because there are no restrictions on the use of de-identified health data.
In General. Where applicable, entities should comply with the Children’s Online Privacy Protection Act (“COPPA”). In determining the suitability of a communication with children online, via wireless devices such as a mobile phone, or in any other medium, or by providing a commercial website or other online services directed to children under 13, entities should first determine whether the collection and use of the child’s data for Marketing or the sending of Marketing material to the child is permitted under federal law, such as COPPA, or state law. Where Marketing to children is permitted by law, entities should ensure the Marketing is suitable for the child taking into account the age range, knowledge, sophistication, and maturity of their intended audience. When an entity directs a site at a certain age group, it can expect that the visitors to that site are in that age range.
Parental Responsibility and Choice. Parents must be provided the choice of consenting to the operator’s collection and internal use of a child’s data. Such data may never be disclosed to third parties (unless the disclosure is integral to the site or service, in which case that must be made clear to the parent).
Collection and Use of Data from or about Children:
- Entities should limit the collection, use, and dissemination of “personal information,” as defined in COPPA, collected from or about children to that data that is required for the promotion, sale, and delivery of goods and services; the provision of customer services; conducting market research; and engaging in other appropriate Marketing activities.
- Entities should effectively explain that the data is being requested for Marketing. Data not appropriate for Marketing should not be collected.
- Entities should implement the strictest security measures to ensure against unauthorized access, alteration, or dissemination of the data collected from or about children, and should provide data regarding such measures upon request to the parent or guardian of the minor.
- Operators of websites and online services must provide a privacy notice with a clear and concise description of their data policies and practices. This notice should be easy for parents to read on smaller screens (e.g., mobile devices) and should allow them to provide verifiable consent.
- Entities should not knowingly collect, without verifiable prior parental consent, “personal information,” as defined in COPPA, online or via a wireless handset or device from children that would permit any offline contact with the child.
- Entities should not knowingly distribute to any third parties, without verifiable prior parental consent, data collected from a child that would permit any contact with that child.
- Entities should take reasonable steps to prevent the online publication or posting of data that would allow a third party to contact a child offline unless verifiable prior parental consent has been obtained.
- Entities should not make a child’s access to website or mobile content contingent on the collection of “personal information,” as defined in COPPA. Only online contact data used to enhance the interactivity of the site is permitted.