In honor of SMS’s 20^th anniversary late last year and the MMA CBP’s 7^th edition we would like to provide you with some key information about mobile marketing compliance.

Regulatory background

Since the passing of the US CAN-SPAM Act of 2003, it has been widely believed that commercial SMS and MMS messages were subject to the same opt-out consent and unsubscribe requirements as commercial email. While the CAN-SPAM Act of 2003 authorizes the Federal Communications Commission (FCC) to consider mobile messages when developing guidelines, the FCC has taken the position that text messages sent by automated broadcast systems are ‘automated calls’ and are therefore best covered under the Telephone Consumer Protection Act (TCPA) of 1991. Under the original Act, implied consent through a pre-existing business relationship and not opt-in consent was the standard for commercial telephonic communications and robo-calls.

On February 15, 2012 the FCC amended the TCPA to remove any ambiguity surrounding consent requirements for SMS, making it mandatory for businesses to receive “prior express written consent” before auto-dialing or texting consumers.

Industry self-regulation background

In 2003 the MMA published its first set of ethical guidelines for mobile marketers. Now a global-facing document, the MMA Code of Conduct can be distilled into the following privacy principles:

1. Adequate notice.Whenever requesting a mobile phone number marketers should inform consumers that they will be receiving SMS messages from a concrete shortcode-based program.
2. Opt-in consent. Regardless of offline, online or handset-originating acquisition, consumers may not be automatically enrolled into an SMS program. Consumers must first give their express (opt-in) consent by knowingly volunteering their mobile number or using a handset-originating command to join the program. Submissions through online forms require a double opt-in.
3. Opting out. Users should also know the ways to opt-out of a program, how to get help from their handset and where to reference terms and conditions, as well as the fact that message and data rates may apply when participating in an SMS program.

While advocated, the Code was not enforced and there were no concrete rules it’s practical application. The shift to robust self-regulation came in 2007 when the Florida Attorney General’s Cybercrime Taskforce aggressively pursued affiliate networks and mobile carriers who enabled the proliferation of deceptive premium-rated mobile programs.[1] The AG’s actions resulted in a number of key settlements, the terms of which became the backbone of the MMA CBP and carrier-specific monitoring and enforcement playbooks. This self-regulatory schema has evolved steadily over the past 7 years and is currently administered by the custodians of US shortcodes, the CTIA. In 2012 the CTIA, in collaboration with wireless carriers and industry auditors, developed a consolidated Common Shortcode Monitoring Compliance Playbook for SMS marketers.

Regulatory win for consumer best practices

The FCC’s amendments to the TCPA resulted in unintended consequences for MMA-compliant senders who were subjected to threats of civil suits for alleged violations under the Act.[2] On November 30, the FCC clarified that MMA-prescribed confirmation messages were not in violation of the TCPA. According to FCC Commissioner Ajit Pai, “Hopefully, by making clear that the Act does not prohibit confirmation texts, we will end the litigation that has punished some companies for doing the right thing, as well as the threat of litigation that has deterred others from adopting a sound marketing practice.”

And while not an explicit endorsement, the FCC Commissioner’s comments in support of “sound marketing practices” should not be overlooked. Some marketers have already dealt with the consequences of breaking these rules by way of CTIA audits, program short codes being de-provisioned and private legal actions from consumers.[3] With the TCPA updated to better reflect the state of privacy and practice in the industry today, rogue senders now have more reasons to worry.

Michael Puffer, one of our mobile marketing experts at Experian Marketing Services, suggests you ask yourself the following questions when reviewing your mobile program: (HINT – If the answer is no, it might be time to take another look)

Here is a quick and easy reference guide by Experian CheetahMail to help you follow point of sale email acquisition best practices. Remember, best practices start before point of sale and continue after the transaction.

For more information on managing compliance, privacy and deliverability with in-store email acquisition, download our latest Point of sale email white paper.

As a consumer I was peeved with how casually my address was auto-consented into to the retailer’s email marketing program with nary a word at the register. As a compliance professional, I wondered if the retailer realized that it likely violated California’s Song-Beverly Credit Card Act of 1971.

The U.S. District Court for the Central District of California noted that the Act’s main purpose is to address the misuse of personal information for marketing purposes and that it was “specifically passed with a brick-and-mortar merchant environment in mind.”¹

If you collect email addresses at Point of Sale (POS) in California, here is what you should know about this historic consumer protection law:

1. Song-Beverly prohibits businesses from collecting “personal identification information” during credit card transactions.
2. The law defines PII as “information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number²” ‘Not limited to’ opens the window for ZIP codes³ and email addresses being covered under the law.
3. California’s Supreme Court ruled⁴ that the statute does not apply to vending kiosks and online transactions involving credit cards, supporting the District Court’s assessment that the law focuses on in-store, non-cash PII collection.
4. The statute gives private right of action to credit card users with civil penalties of up to $250 for the first violation and $1,000 for each subsequent violation plus costs and legal fees.

As it is often the case, risk mitigation begins with staff education and customer perception management, and flows into a smart approach to deliverability. It IS possible to collect PII at the counter in California given the following:

1. Decouple PII collection from the credit card purchase. Ask the customer for their email address before taking their credit card or after they sign off on the purchase. Create a script for your sales associates to follow when requesting PII at the register.
2. Consider using the credit card terminal or other touchpad device for customers to enter their email and NOT use the sales associate. The device should first prompt the customer to consent to receiving an in-store eReceipt and/or marketing communications ideally before proceeding with the transaction, but it could be after as well.
3. Be transparent about the commercial intent. A consumer who feels misled is more likely to complain and to seek redress under the state’s Song-Beverly or potentially other consumer protection laws. If following different scripts is a challenge, apply the same disclosure/request script for both credit and cash transactions.
4. Send a welcome permission pass. Don’t assume that the customer wants anything more than an in-store eReceipt even if you can legally claim to have this right. You are looking for a loyal customer, not a courtroom victory. Let the customer make an informed decision at the counter or in a subsequent email. For example:
   • If the customer consents to the in-store eReceipt AND opts into your marketing messages at the register, send an ‘opt-out permission pass’ welcome email shortly after delivery of the e-Receipt to confirm their subscription status and to outline benefits of your email program. Be sure to include a clear and easy unsubscribe mechanism as well as a prominent link to your privacy policy.
   • If the customer ONLY consents to the in-store e-Receipt, send an ‘opt-in permission pass’ e-Receipt where you include a “subscribe to our marketing communications” link, button, or banner along with a link to your privacy policy.

Beyond risk of exposure in California, you should also be aware of related compliance considerations:

1. CAN-SPAM: Requires senders to obtain affirmative (aka; opt-in) consent from consumers who have previously unsubscribed from their commercial emails. If affirmative consent is not recorded at the point of collection, the address would need to be scrubbed against the appropriate unsubscribe list and suppressed.
2. Primary Purpose: My in-store e-Receipt did not have an unsubscribe mechanism, postal address, or even a link to a privacy policy. Fortunate for the marketer, the email also did not contain any promotional content in the subject line or in the body copy so they qualified under the CAN-SPAM Act ‘transactional or relationship’ message exemption. Yet, the message could have easily been considered ‘primarily commercial’ under the FTC’s Final CAN-SPAM Act Rule if it contained any solicitous content in the subject line or if it was overwhelmed by up-sells, cross-sells or other commercial content.

With the above in mind, we can now clearly see what went wrong during my Grant Avenue shopping experience. The associate asked for PII during the credit card transaction and did not provide notice of marketing intent before or after the request. There was no transition from in-store e-Receipt to newsletter in the form of a welcome email permission pass and no efforts made to solidify the pre-existing business relationship.

I can appreciate the challenge in honoring both the spirit and letter of privacy laws at the register. We believe that following privacy best practices in respect to training, transparency, and permission management can make POS collection a fruitful practice, even in California. I welcome any comments, questions, or suggestions on this topic at privacy@cheetahmail.com.
¹Saulic v. Symantec Corporation, 596 F. Supp. 2d 1323 (C.D. Cal. 2006)
²CALIFORNIA CIVIL CODE SECTION 1747.08(b).
³Reverse appending ZIP codes to postal information was determined by the California Supreme Court to be PII in Pineda v. Williams-Sonoma Stores, Inc., 51 Cal.4th 524 (Cal. 2011)
⁴ Pineda v. Williams-Sonoma Stores, Inc.