Ending literally years of anticipation and speculation, on Tuesday, October 23, 2007, the Federal Trade Commission (FTC) issued its final Affiliate Marketing Rule, 16 C.F.R. Parts 680 and 698 ("the Rule"). The Rule implements Section 624 of the federal Fair Credit Reporting Act (FCRA) (15 U.S.C. §1681s-3) ("the Statute"), which was added to the FCRA by the Fair and Accurate Credit Transactions Act of 2003. The Statute prescribes the conditions under which a company may use consumer report information gathered by an affiliate to market the company's own products or services to those consumers. Insurers must understand the nature and terms of these conditions not only in order to comply but also in order to take full advantage of the marketing activities permitted by the Statute, as implemented by the Rule.

While the final Rule is largely similar to the proposed rule issued by the FTC for comment in mid-2004, at least one modification, the inclusion of additional examples of what constitutes the "making" of a solicitation, significantly broadens the scope of affiliate marketing that may be undertaken without having to provide notice and an opportunity to opt-out. The FTC is careful to note that these two new examples do not alter in any way companies' obligations to comply with the affiliate sharing notice and opt-out requirement. Thus it will be important for insurers, as well as other companies, to have a clear understanding of the comparative workings of the affiliate marketing and affiliate sharing notice and opt-out requirements.

Affiliate Marketing v. Affiliate Sharing

In very general terms, the Statute prohibits the use for marketing purposes of certain information received from an affiliate unless the consumer has been given notice and an opportunity to opt out of such use, and has not opted out. There are six exceptions to the notice and opt-out requirement (view at www.wileyrein.com/affiliate_exceptions).

The FCRA's other notice and opt-out requirement arises if affiliated companies want to share "consumer report" information other than information about the companies' transactions and experience with consumers. If the companies notify consumers that they plan to share that information and give them an opportunity to opt out of such sharing, that information is excluded from the definition of "consumer report" and thus such sharing is exempted from regulation under the FCRA. See 15 U.S.C. §1681a(d)(2)(A)(iii). Because this affiliate sharing notice and opt-out requirement arises as a condition to exclusion, there are no exceptions to it.

The Rule gives the name "eligibility information" to the information governed by the Statute. "Eligibility information" is defined to include not just information within the FCRA's definition of "consumer report" but also information that would be a consumer report if the exclusions from the definition of consumer report did not apply. Thus, transaction and experience information, which is excepted from the FCRA's definition of "consumer report," as well as the other information that is excluded from that definition if notice and an opportunity to opt out are provided, qualify as "eligibility information."

While the affiliate sharing notice and opt-out information must be included in the Gramm-Leach-Bliley (GLB) Act privacy notice, the affiliate marketing notice may, but is not required, to be included. Insurers will need to carefully weigh the pros and cons of including the affiliate marketing notice with their GLB notices, which include streamlining of notice obligations, the strictures of the required language and form of the GLB notices, and, based on the discussion below concerning the "making" of solicitations, the potentially limited number of instances in which the affiliate marketing notice and opt out must be provided.

Limitations on Affiliate Marketing Notice and Opt-Out Requirements

Two exceptions to the notice and opt-out requirements, for "preexisting business relationships" and "service providers," along with the Rule's discussion of "solicitations," provide a framework upon which insurers can build flexible and beneficial marketing programs.

Preexisting Business Relationship Exception

The Statute does not apply to companies that use eligibility information received from an affiliate "to make a solicitation for marketing purposes to a consumer with whom the person [as well as the affiliate] has a preexisting business relationship." The Statute defines "preexisting business relationship" as "a relationship between a person, or a person's licensed agent, and a consumer." While the proposed rule omitted the italicized phrase, it was added back in to the final Rule, thus providing an important safe harbor for insurers who distribute their products primarily through exclusive agent networks. The relationship must be based on (1) a financial contract between the person and the consumer, (2) the purchase, rental, or lease by the consumer of the person's goods or services or a financial transaction (including a policy in force) between the person and the consumer during the 18 months immediately preceding the date a solicitation is sent, or (3) an inquiry or application by the consumer regarding a product or service during the three months immediately preceding the date the solicitation is sent.

Thus, for example, if a consumer has both an in-force automobile insurance policy with an insurer and a banking relationship with the insurer's affiliated bank, the insurer may use eligibility information received by the bank to market homeowners insurance to the consumer without providing notice and an opportunity to opt out. Both the insurer and its affiliated bank must have preexisting business relationships with the consumer for the insurer's marketing solicitations to the consumer to be within this exception. As discussed below, the concept of preexisting business relationships comes into play in determining whether certain marketing contacts are "solicitations" subject to the Statute.

Service Provider Exception 

The service provider exception permits a service provider, to use the eligibility information of a company having a preexisting business relationship with a consumer to send marketing solicitations on behalf of the company's affiliate that does not have a relationship with the consumer, so long as the affiliate would be permitted under the Statute to send the solicitation on its own behalf. In other words, the service provider can send a solicitation to the consumer on behalf of the affiliate only if the consumer has been given notice and an opportunity to opt out but has not done so. As with preexisting business relationships, the service provider exception comes into play in determining whether or not a solicitation has been made.

Solicitations

The preexisting business relationship exception sanctions use of an affiliate's eligibility information without requiring notice and opt-out only if both the company and its affiliate have preexisting relationships with the consumer. It does not, however, except from the notice and opt-out requirements sharing for marketing purposes between a company that does not have a relationship with a consumer and its affiliate that does. Similarly, the service provider exception eliminates the notice and opt-out requirements only if both the company and its affiliate have preexisting business relationships with the consumer. Where the company does not, the service provider can only send a marketing solicitation if notice and an opportunity to opt out have been provided to the consumer or some other exception applies.

However, another avenue permits, in certain circumstances, affiliate marketing solicitations to be made without the requirement of notice and an opportunity to opt out. The Statute regulates the making of "solicitations." A "solicitation" is defined as "marketing of a product or service initiated by a person to a particular consumer based on an exchange of [eligibility information] intended to encourage such consumer to purchase such product or service." Because the Statute does not describe what constitutes the "making" of a solicitation, the FTC provides guidance on that question in Section 680.21(b) of the Rule. Subsections (4) and (5) thereof describe two affiliate marketing scenarios that do not constitute solicitations subject to the Statute's requirements.

First, a company does not make a solicitation if an affiliate uses its own eligibility information to market the company's products for the company, or if the company directs its service provider to use the affiliate's eligibility information to market the company's products and the company does not communicate directly with the service provider concerning that use. 16 C.F.R. § 680.21(b)(4). The FTC considers such "constructive sharing" to be outside the definition of "solicitation," and thus not to require notice and opt out, for the following reasons: (1) there is in fact no sharing here; (2) the company itself does not use the eligibility information; (3) the affiliate that sends the marketing material has a preexisting business relationship with the consumer and thus is within that exception; (4) if the consumer responds, either the "consumer-initiated communication" exception or the preexisting business relationship exception (based on inquiry of consumer), or both, would apply.

The FTC believes the danger of not requiring notice and an opportunity to opt out in constructive sharing situations is ameliorated by the notice and-opt out requirement for sharing among affiliates of consumer information other than transaction and experience information. Insurers should note that the FTC has adopted a fairly wide view of when affiliate information sharing occurs: "A sharing of information occurs if a reference code included in marketing materials reveals one affiliate's information about a consumer to another affiliate upon receipt of a consumer's response." 16 C.F.R. Parts 680 and 698, n.13. The "core concept" here, according to the FTC, is that the affiliate that received the eligibility information in the first place controls the actions of the service provider using the information, and therefore the service provider's use should not be attributed to the company whose products or services will be marketed.

Second, in situations where affiliates share a common database, a company does not make a solicitation subject to the Statute if a service provider receives eligibility information from the company's affiliate and uses it to market the company's services or products, as long as the following five conditions are met: (1) the affiliate controls access to and use of its eligibility information by the service provider by written agreement with the service provider; (2) the affiliate establishes specific written terms and conditions under which the service provider may access and use the affiliate's eligibility information; (3) the affiliate and the service provider agree, by written contract, that the service provider will implement reasonable policies and procedures to ensure that it uses the information in accordance with the affiliate's written terms and conditions; (4) the affiliate is identified on or with the marketing materials provided to the consumer; and (5) the company does not directly use the affiliate's eligibility information. 16 C.F.R. § 680.21(b)(5). This applies to circumstances where the company whose products or services are being marketed by the service provider does communicate with the service provider by virtue of the fact that they both have access to the common database. It rests on the concept of control of a service provider to outline when the service provider is deemed to be acting on behalf of the affiliate that first obtained the eligibility information.

For example, an insurer that is part of a company group that uses a common database may develop selection criteria for a solicitation and provide those criteria, the marketing materials, and instructions to an affiliate. The affiliate may then review its consumers' eligibility information based on the criteria provided, select the consumers to receive the insurer's solicitation, and send the solicitation to those consumers. If this process is followed, there has been no solicitation subject to the Statute, and thus there is no obligation to provide notice and an opportunity to opt out of such use. The result is the same if the affiliate provides the insurer's criteria and marketing materials to its service provider and directs the service provider to undertake the review, selection, and sending of the solicitations. Similarly, there is no solicitation if the affiliated entities, including a service provider, place their eligibility information into a common database, so long as the five conditions set forth in the immediately preceding paragraph are met.

This, then, is the model for entities comprising multiple affiliates. An affiliated service provider that has access to all the information in the entity's common database may use another affiliate's eligibility information based on preexisting business relationships with its consumers to select consumers, based on criteria provided by a third affiliate, and send marketing solicitations on behalf of the third affiliate to the selected consumers. By so doing, none of the entities fall afoul of the Statute's notice and opt out requirements, so long as the required written agreements and procedures concerning control and use of eligibility information are in place. The rationale for permitting such marketing activities is that the Statute restricts the "use" of eligibility information, and so long as only the affiliate who received that information or its service provider actually uses it, even if they do so on behalf of a company that has no preexisting business relationship with the consumer, there has been impermissible invasion of the consumer's privacy. "Receipt" of affiliate eligibility information based on the information being placed in a common database accessible to all affiliated entities does not trigger the Statute's notice and opt-out requirements, because the Statute regulates only "use," not receipt, of affiliate eligibility information.

While insurers face significant challenges in complying with the Statute as interpreted by the Rule, the changes incorporated into the final Rule also permit a broader scope of affiliate marketing activities not subject to the Rule's notice and opt out requirements, as long as insurers comply fully with the conditions that make such activities permissible. In implementing affiliate marketing programs, insurers must also keep fully in mind the notice and opt-out obligations that adhere to the sharing of consumer information between affiliates. The Statute and the Rule are subject to the FCRA's private right of action provisions, and thus regulatory compliance is important not only in itself, but also as a defense against private litigation.