The Intersection of Lead Generation and Consumer Privacy
What is Lead Generation?
Lead generation is the process of identifying and cultivating individual consumers that are interested in purchasing a product or service. The goal of lead generation is to connect companies with those consumers so that “leads” can be converted into sales. A lead can be any consumer that has indicated interest – directly or indirectly – in buying a product or service by taking some action.
Consumers typically submit personal information online via a website form, or on a telemarketing call. Personal information can consist of, without limitation, a consumer’s name and contact information. It can also consist of more sensitive consumer information, like Social Security and bank account numbers.
Privacy is at the Heart of Lead Generation Regulation
As the lead generation industry has become more sophisticated and data-intensive, regulatory scrutiny has increased. Federal and state investigations and enforcement actions typically arise in the lending, postsecondary education and insurance industries and often involve at least some component of consumer privacy and data security.
From a regulatory perspective and because the product is personal data, lead generators’ collection and sharing of personal information increase the risk of misuse and harm to consumers. Lead sellers should consult with an experienced FTC defense lawyer and take reasonable precautions to ensure that lead buyers only use information for authorized and lawful purposes and that lead purchasers have a legitimate need for the information.
All those in the lead generation ecosystem are potentially liable for unfair or deceptive practices, including publishers, affiliate networks and product/service providers. Thus, vetting prospective buyers, understanding how information is being used and monitoring lead sources for deceptive claims are amongst the most important pieces of the compliance puzzle.
Privacy policies and related disclosures relating to who you are and how information will be used must also comply with applicable laws, regulations and best practices. Given that privacy and data security are at the heart of any compliant lead generation campaign, the recent onslaught of related privacy legislation necessarily ups the compliance ante.
Recent Privacy and Data Security Legislation
While the European Union’s General Data Protection Regulation has garnered the majority of privacy-related attention in 2018, lead generators and other digital marketers must not overlook domestic legislative developments. One example is Vermont’s recently enacted groundbreaking data broker disclosure and security legislation. In short, the legislation regulates data brokers that buy and sell personal information.
“Data broker” is defined under the Vermont law as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third-parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” “Brokered personal information” means one or more specifically enumerated data elements about a consumer, if categorized or organized for dissemination to third-parties.
Data brokers are required to register annually with the Vermont Attorney General. The law also requires the implementation of appropriate written information security programs; the disclosure of data breaches and information pertaining to data collection, use and dissemination to third-parties; and the disclosure of opt-out protocols, amongst other information.
Colorado also made news earlier this year by enacting groundbreaking privacy and cybersecurity legislation. Covered entities are required to implement reasonable security procedures that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations. They are also required to dispose of documents containing confidential information properly, ensure that confidential information is protected when transferred to third-parties and notify affected individuals of data breaches in what is the shortest time frame in the nation. Covered entities should consult with privacy compliance counsel about the Colorado law’s provisions, including the implementation of written information security programs, vendor management controls and breach incident response plans.
Most recently, California passed the California Consumer Privacy Act of 2018, with some GDPR-like features. Major provisions include, but are not limited to, the right to know what personal information has been collected, where it came from, how it is being used, whether it is being disseminated and who it is being disseminated to. Consumers have a right to opt-out of allowing a business to sell their personal information to third-parties. Consumers under 16 years of age have the right not to have their personal information sold unless they or their parents first opt-in. The CaCPA also includes the right to deletion of personal information and to receive equal treatment regardless of whether privacy rights are exercised.
Pursuant to the CaCPA, companies must make certain disclosures to consumers when personal data is collected, including, but not limited to, the categories of personal information collected, the purposes for which personal information is collected and the categories of personal information that it disseminated in the preceding 12 months. Notably, lead generators that disseminate consumer data to third-parties will be required to disclose that practice and provide consumers the ability to opt-out by supplying a link entitled “Do Not Sell My Personal Information” on the website’s home page.
The CaCPA will take effect in January 2020 and applies to for-profit businesses that collect and control California residents’ personal information, do business in the State of California, and: (a) have annual gross revenues in excess of $25 million; or (b) receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis; or (c) derive 50% or more of their annual revenues from selling California residents’ personal information.
Preventive Compliance Measures
Lead generation and consumer privacy-related legal compliance issues are inextricably intertwined. Now, more so than ever, both regulatory agencies and lawmakers expect digital marketers to make consumer privacy and data security a priority. Lead generators, lead aggregators and lead purchasers should ensure that such considerations are built into marketing compliance protocols.