Page 10 - CCCA63_2012
P. 10
CCCA_V6No3_Dept-Ecommerce-FIN_CCCA_V1No2_Dept-Ethics.qxd 9/19/12 10:29 AM Page 10 E-Commerce Think twice before you ‘invite a friend’ Referral marketing is a great tool, but don’t forget about privacy issues. By Timothy M. Banks urrent customers are a valuable must demonstrate that its reliance was these categories. Family relationships were Csource of referrals. Search “invite based on reasonable due diligence. defined as connections by blood, mar- a friend,” “tell a friend” or “refer a Reasonable due diligence varies in the riage, common-law partnership, and adop- friend” online and you will find that circumstances. Leaving aside anti-spam tion. A personal relationship was defined this form of marketing is ubiquitous. requirements, the user should verify that to require an “in-person meeting” and a Typically, this web-based marketing the user knows the “friend” and that the two-way communication (such as phone tool involves the user inputting e-mail friend would not object to receiving the call) within the previous two years. addresses or allowing a website or invitation. Context will determine Although the final regulations may pro- mobile application to harvest the user’s whether this verification must be express vide greater latitude for “invite a friend” address book information to generate a or may be implied by drawing the user’s promotions, an organization should con- list of potential “friends” who will attention to these requirements. sider legal advice to determine whether it receive an electronic invitation (usual- The organization should also confirm is necessary to ask users to confirm that ly by e-mail) to visit a website or join whether the friend gave consent — the friend falls within the personal or the user in a social network or promo- express or implied — to the use of his or family relationship categories. An organi- tional site, game or activity. her e-mail address by the user. The friend zation must also be careful not to over- It is important, however, to take steps should have the opportunity to report collect, since this type of specific personal to avoid tripping over the privacy and anti- abuse or to easily opt out of further com- information will be sensitive and may spam compliance issues relating to the col- munications (essentially, to withdraw con- undermine the ability to rely on the lection and use of the “friend’s” personal sent). The friend should be able to add user to establish the friend’s consent. information during these promotions. himself or herself to a “do not contact” Organizations should be particularly care- Canadian privacy legislation requires list. Where abuse is reported, the organiza- ful not to mine this data without the con- that an organization obtain the express or tion should take action to demonstrate sent of the user and the friend. implied consent of the friend if it is acting that it was not wilfully blind to the abuse. Furthermore, the personal or family rela- as more than an e-mail delivery system. tionship exception may not apply to further Except in the most basic of “share a page” Anti-Spam Considerations communications (for example, reminder e- scenarios, an organization running an Once Canada’s anti-spam legislation is in mails) from the organization that are sent “invite a friend” promotion is likely using force, it will prohibit unsolicited commer- without the involvement of the user. To the friend’s personal information for a cial electronic messages, subject to certain obtain implied consent of the friend, the commercial purpose even if the invitation exceptions. A commercial electronic mes- friend should have clear and transparent is ostensibly “from” the user. sage is a message that it “would be reason- notice of such additional communications However, an organization may rely on able to conclude has as its purpose, or one (in the first contact) and be provided with the user to obtain consent from the friend of its purposes, to encourage participation an immediate opt-out mechanism. to the use of non-sensitive personal infor- in a commercial activity.” mation, such as an e-mail address. One of the exceptions involves Friend Profiles commercial electronic messages between Finally, an organization should avoid Due Diligence persons who have a personal or family building a profile of the friend, such as by Although an organization may rely on the relationship. Industry Canada draft regula- cross-referencing the user’s e-mail address VEER.COM user to obtain consent, the organization tions proposed narrow definitions for against other users’ address books or 10 CCCA Canadian Corporate Counsel Association FALL 2012