Our Privacy, Litigation and Telephone Consumer Protection Act (‘TCPA’) practice groups are increasingly called upon to advise regarding sophisticated marketing campaigns involving text and e-mail solicitations. In some cases, there is a GPS element to the situation where communications via text or email are targeted to persons in range of the sender based upon GPS data from their phone. In other cases, there are issues associated with the use of an intermediary specializing in such programs.

We are often asked to address remedial action and/or defend litigation from the increasingly vigilant plaintiffs’ class action bar when something has or is alleged to have gone awry. We are also pleased to assist clients who are seeking to avoid such legal challenges. We are taking this opportunity to share some of what we have learned regarding the most helpful proactive steps concerning location-based targeted texts and emails. While as a formal matter, most of these steps are applicable to consumer communications, it is often difficult to properly distinguish B2B communications, and because the TCPA makes no distinction, even those intended for that space should be compliant with the following. 

Our observations fall into three major categories:

  • Need for prior express consent;
  • Proper disclosure of nature of solicitation and use of information; and
  • Allocation of responsibility between intermediary and client.

Prior express consent. Under laws such as the TCPA and as a practical matter, leaving aside certain exceptions which may be asserted in litigation, the CAN-SPAM act, sales or marketing communications via text, phone or e-mail must be preceded by express – not implied – consent of the recipient. This means proper disclosure of what is contemplated and who is making the request, followed by a putative recipient’s affirmative act, such as checking an I AGREE box. Actions such as making a purchase, downloading a phone app or even inaction such as failure to object when communications are received are prescriptions for trouble. The same is true of consent preceded by misleading communication as to who is involved or why the request is being made. If a request is intended to cover several members of an affiliated group of entities, this must be made explicit.

As a legal matter, the technical nature of a digital marketing campaign may have major implications. For example, different requirements will apply to solicitations sent through a phone app as opposed to direct text messages. Clients planning any sort of campaign in this space should consult with counsel at the design stage to address the best way to mitigate legal risk. However, it is normally prudent to obtain express prior consent to any sort of merchant-initiated solicitations, regardless of their technical nature. 

Those involved with design of computer systems should also take into account the need in formal proceedings to readily demonstrate to lay judges and jurors the provision of consent and the time this was done. 

Proper disclosure. As noted above, proper disclosure is critical. In the first instance, even actual consent is subject to challenge if the recipient did not properly understand what was being requested (possibly even if a reasonable person would have understood). Perhaps more importantly, even if the original consent is legally sufficient under the TCPA and CAN-SPAM laws, if consumers were not properly apprised of what is to be done with the information they expressly or implicitly provide, there will be problems under applicable privacy law and regulation, which are altogether separate from the TCPA and CAN-SPAM obligations. This is the case whether the issue is locational data through phone GPS functions or data created through online forms or even the fact of site visitation. For example, there is legal exposure if consumers properly gave consent to receipt of text messages pertaining to promotions, but were not told that the resulting information would be shared with data brokers or marketing ‘partners’. 

To facilitate compliance with this obligation, it is essential that privacy policies and terms of use posted electronically (on websites and through apps) and physically (disseminated on paper), properly indicate how material is to be used and be broad enough to cover not only what is happening today, but potential new practices. For example, a policy that truthfully at the time states that consumer information will not be shared with other companies, becomes a problem if there is a subsequent desire to start sharing such material. Of course, strict compliance with such policies is required as well. 

While this discussion is intended to address US obligations, those with any connection with the European Union or consumers located there – even absent a physical office – must be mindful of the dictates of the General Data Protection Regulation of the EU insofar as, among other things, specification of contact persons to deal with problems or objections and consumer rights to request changes in or deletion of files maintained by marketers.

Intermediary responsibility. Generally speaking, the use of a digital marketing service to conduct a campaign may not allow the marketer to avoid responsibility for failure to comply with applicable law. By the same token, an intermediary that runs afoul of legal obligations cannot simply point to its client as the ultimate decision-maker.  

However, the parties can negotiate formal contractual provisions governing handling of legal claims and related fines, fees and judgments, no matter where they initially fall as well as response and remediation procedures pertaining to potential wrongful access to data and/or defective communications, and insurance coverage potentially backstopping some of these commitments. Parties who are already subject to such agreements need to consult them when issues arise so that they maintain their rights by providing timely notice of claims and offering required cooperation. In incident response and/or legal proceedings proper negotiation of such provisions so that all concerned maintain a reasonable balance between risk and reward in each case is also called for.