A Visit to the DMA Webpage: Part 1

I recently visited the Web site of the Direct Marketing Association. I did all of my surfing in mid-January, so it is possible some things will have changed by the time this column appears. But I was not pleased with much of the privacy content that I found.

My initial purpose was to learn if a specific company was a DMA member. I wanted to know if a company that solicited me by direct mail was required to comply with the DMA’s notice and opt-out policy. I couldn’t find out from the DMA Web site. The DMA does not provide a public list of association members and a searchable directory. So, can the public determine if a marketer is a member and is required to comply with the DMA’s privacy policy?

Even more disturbing is the view of self-regulation that this omission reflects. How can privacy self-regulation work if the trade association enforcing the rules does not make its membership list readily available?

I decided to keep looking to see what else I could find. The DMA’s Web site includes a modest amount of material designed to help its members understand privacy and to develop their own policies. Its privacy standards are significantly inadequate because they fail to meet fair-information practice standards. Nevertheless, the DMA deserves some credit for trying to help members develop privacy policies, no matter how inadequate its standards are.

The DMA even offers links to six companies whose privacy policies are “models.” Some of the models left something to be desired. For instance, at Omaha Steaks, www.omahasteaks.com, the home page does not include a privacy link. After surfing around the Web site, I finally found a privacy link on the customer service page. Just for fun, I entered a contest on the site (using a fake e-mail address, of course). Only after entering was I told that my address would be added to an e-mail list. Opt-out instructions were provided, but no easy-to-click opt-out link was offered. Users have to copy the address and then send an e-mail. Not what I would call a model site.

I then tried the Disabled American Veterans, www.dav.org. Here too, there was no privacy policy on the home page. I went a step further, but no privacy policy appeared on the next page either. I finally found a privacy link on some pages but not on others.

The other four companies had a privacy link on their home pages. McGraw-Hill had a halfway-decent notice, but it failed to provide complete information on its use of consumer data.

Having a privacy policy is an essential requirement for a Web site, even under the DMA’s standards. A prominent link right on the home page would seem basic. However, DMA’s standards for a model policy are so weak that a home page link isn’t required.

DM News has reported on the confusion the DMA raised about member compliance with the privacy policy. Were any members really kicked out of the DMA for failing to comply with the privacy requirements? It’s been hard to tell. A clear disclosure of enforcement activity is a significant element of accountability, but the DMA remains cloaked in too much secrecy. The lack of a current membership list is telling here.

The problem of public notice and accountability goes beyond Web pages. How can a person receiving direct mail tell if a marketer is a DMA member? Why doesn’t the DMA require members to identify themselves to consumers in online or offline marketing activities? Why not?

I recently received direct mail that included a solicitation for Checks in the Mail, www.citm.com. I went to the Web site and found that the company proudly displayed the DMA logo on its home page. It even had a privacy link on that same page. So far, so good.

When I looked at the privacy policy, however, I found an incomplete disclosure about the sharing of customer information. The policy statement said: “Customer names are occasionally offered to other select organizations.” Does this mean that only names will be shared? How about addresses? Purchase information? Bank account numbers? Social Security numbers? In other places, the notice offers more detail, but on this essential point, the notice is deliberately vague and incomplete.

Even worse, the company offers no opt-out for marketing uses. This seems to be a direct violation of the DMA’s policy. The online marketing policy says that members “should” offer an opt-out. Either an opt-out is a firm requirement, or the DMA policy is deliberately weasel-worded.

One company not complying with the DMA’s privacy requirement is both too many and a bad example. However, it is impossible for anyone to undertake a more complete analysis without a list of members. How about it, DMA?

Next week: More from the DMA Web site.
