Protect Yourself

Posted on by Chief Marketer Staff

All businesses that collect and handle consumers’ personal information — including those that do sweepstakes — need to be aware of applicable laws and identify steps they can take to reduce their exposure to legal action without interruption to their businesses.

Promotions marketers are usually diligent about monitoring legal developments relating to sweeps and contests to ensure their marketing practices are lawful.

But for all these efforts, many companies often overlook developments that affect less obvious practices, including how they handle personal information collected from consumers during a promotion.

This may be because most promotions marketers don’t see themselves as the type of company that stores a lot of data or is susceptible to data breaches. In reality, though, promotions marketers collect, store, share and dispose of more personal data about consumers than they realize, and thus are subject to various data security laws.

Typical Scenario

Typically, promotions sponsors collect contact information, such as an entrant’s name, address, telephone number and e-mail address, on entry forms. Some also collect other data, such as a date of birth or gender. And once winners have been selected, a sponsor may collect a winner’s Social Security Number for tax reporting purposes.

All of this data is considered personally identifiable information, which triggers privacy and data security obligations on the part of the company that collects the information, as well as on the part of third parties with whom the information is shared.

This information may be retained for marketing purposes, to respond to inquiries from regulators, or to comply with legal requirements. The information may be shared with other companies. For example, many promotions involve the efforts of multiple parties, including sponsors, promotions agencies and prize providers. Each of these parties may have access to some or all of the information collected from entrants, may use that information for various purposes, and may store that information indefinitely.

In the past several years, the Federal Trade Commission (FTC) has settled 14 cases over inadequate data security practices by companies that handle consumer information. In addition, state attorneys general and private litigants have challenged companies when breaches have compromised this information.

Common among all of these cases are claims that a company failed to have a reasonable information security program, and failed to reasonably protect personal information within its control. While data security requirements are expressly set forth in laws that apply to financial institutions under the Gramm-Leach-Bliley Act, the FTC has taken the position that these same requirements apply to all businesses subject to the FTC’s jurisdiction — which includes promotions marketers — pursuant to the FTC Act’s requirement that business practices must not be deceptive or unfair.

Reducing Risks

Putting aside whether the FTC’s untested theory is correct, from a risk exposure perspective, all businesses that collect or handle personal information should be mindful of these obligations and assess whether they comply.

These efforts include having a comprehensive information security plan describing the business’s program to protect personal information collected from consumers.

The plan must have physical, technical, and administrative safeguards designed to:

  1. ensure the security and confidentiality of the personal information

  2. protect against any anticipated threats or hazards to the security or integrity of such information

  3. protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to a consumer.

Businesses can also dramatically reduce their risks by safely disposing of personal information they no longer need, and collecting only the information necessary to perform the business objective.

For promotions marketers, this should not be difficult: sensitive personal information is not required to execute a promotion.

The business can limit its collection to just essential contact information. Where a Social Security number is required for tax purposes, that information should be protected, subject to limited access, and promptly disposed of after it’s no longer needed.

If third parties are involved, contracts with those parties should expressly address the types of usage allowed for the personal data, and the parties’ obligations to protect such data in accordance with privacy and data security laws.

These steps can make a significant impact in reducing your business’s data security risks going forward.

Gonzalo Mon and Alysa Zeltzer are attorneys with the law firm of Kelley Drye Collier Shannon in Washington, DC. They can be reached at [email protected] or [email protected].
