Tuesday, November 7, 2000
WAA GUIDELINES ON PRIVACY AND SPAM

WAA Privacy Committee WAA General Assembly

New York, NY - November 7, 2000 - The Wireless Advertising Association (WAA) seeks to establish voluntary guidelines for member organizations that set acceptable standards for using PII (Personally Identifiable Information) and for responsible advertising, marketing, and mobile e-commerce (commonly referred to as "m-commerce") in the emerging wireless medium. These guidelines address the creation of a privacy policy, notification of data collection and usage, choice and consent, Wireless Spam, data security, and access.

In short, these guidelines put members of the WAA on record in favor of enabling wireless subscribers to control their PII. WAA members wish to ensure that the wireless medium operates in a climate of trust that allows consumers to have confidence in the treatment of their privacy by carriers, advertisers, publishers, and others in the wireless arena. This will enable companies in the wireless industry to provide robust and diverse content and service to consumers.

The following principles and guidelines apply to PII only. The WAA intends to address notification and consent issues related to non-PII, including location-based advertising and or content, in a future version of this policy.

These principles and guidelines were developed with input from WAA members that include publishers, carriers, device makers, and advertising networks. They were guided by the fundamental principles of fair information practice, as articulated by the Online Privacy Alliance, the Network Advertising Initiative, and the Internet Advertising Bureau (parent organization of the WAA), and are intended to be consistent with Federal Trade Commission policy on privacy. The WAA guidelines also recognize the considerable previous experience of Internet advertisers, marketers, and network advertisers (companies that provide ad serving, hosting, and sales services to Web sites), particularly in the area of permission e-mail.

While the WAA guidelines are often similar to those created by the organizations named above, in some cases, they require a higher level of permission from consumers, particularly for wireless "push" marketing.

II. WAA Privacy and Spam Definitions

A. Personally Identifiable Information (PII) is defined as data which can be used to identify or contact a person uniquely and reliably, including but not limited to name, address, telephone number, and e-mail address.
B. Non-Personally Identifiable Information (Non-PII) is defined as data not uniquely and reliably linked to a particular person, including but not limited to activity on a wireless network such as location or log files related to Web browsing activity on a mobile device.
C. Wireless Push Advertising and/or Content (Push Messaging) is defined as any content sent by or on behalf of advertisers and marketers to a wireless mobile device at a time other than when the subscriber requests it. Push Messaging includes audio, short message service (SMS) messages, e-mail, multimedia messaging, cell broadcast, picture messages, surveys, or any other pushed advertising or content.
D. Wireless Pull Advertising and/or Content (Pull Messaging) is defined as any content sent to the wireless subscriber upon request shortly thereafter on a one time basis. For example, when a customer requests the local weather from a WAP-capable browser, the content of the response, including any related advertising, is Pull Messaging.
E. Standard Opt-In is defined as a process that requires active choice on the part of the wireless subscriber to express permission.
F. Confirmed Opt-In is defined as a process of verifying a subscriber's permission in order to ensure that Push Messaging and/or Content is not accidentally or maliciously sent to the subscriber's wireless mobile device. For example, after receiving permission from a subscriber, an advertiser or marketer may send a message to the subscriber to which s/he must positively reply in order to confirm permission to start receiving Push Messaging.
G. Wireless Spam is defined as (Push Messaging) that is sent without Confirmed Opt-In.
H. Opt Out is defined as means by which the wireless subscriber takes action to withdraw permission.

III. General Principles

A. WAA members should adopt a privacy policy regarding PII that is readily available to consumers at the time that PII is collected and encourage business partners to do the same.
B. WAA members should notify wireless subscribers of how PII is being used.
C. WAA members should give users notice and choice regarding the use of PII, and they should not use PII for purposes other than those for which it was collected without explicit consent. Such consent shall be obtained by Confirmed Opt-in.
D. The WAA does not condone Wireless Spam.
E. WAA members shall make every effort to ensure that PII is accurate and secure, and where reasonable and appropriate, allow wireless subscribers access to correct or delete such information.

IV. Notice and Disclosure

Privacy policies should be easy to find, read and understand. The policy must be available prior to or at the time that PII is collected or requested. The policy must be accessible on a wireless device, when technically feasible, and available elsewhere, including but not limited to Web sites. Furthermore, WAA members should notify consumers of any changes to the privacy policy for any reason, including changes related to the sale of the organization. Members should also take steps that foster the adoption and implementation of effective online privacy policies by business partners, technology providers, and marketing other partners, etc.).

The policy must state clearly the following:

A. What information is being collected
B. Policy on data storage, including whether any PII is stored persistently.
C. The choices available to an individual regarding collection (e.g. optional vs. mandatory)
D. The use of that information, including possible third-party distribution of that information
E. The presence of any third party collection of information, including that by profiling and "ad serving organizations."
F. A statement of the organization's commitment to data security
G. What steps the organization takes to ensure data quality and access by the consumer to their PII.
V. Choice and Consent

WAA members shall give wireless subscribers the opportunity to exercise choice regarding how their PII is used. Consent for use or third party distribution should also be able to be obtained through indigenous technological tools mechanisms available for wireless media.

A. WAA members shall not use PII for a purpose unrelated to the purpose for which the information was collected without explicit consent, which shall be obtained through Confirmed Optin.
B. These guidelines are intended to complement and supplement the notice and choice provisions of the "Self-Regulatory Principles for Online Marketing for Network Advertisers" endorsed by the Federal Trade Commission and the Department of Commerce on July 27, 2000.

VI. Wireless "Spam" (Push Messaging without permission)

The WAA does not condone Wireless Push Advertising and/or Content (Push Messaging) intentionally or negligently sent to any subscriber's wireless mobile device without explicit subscriber permission and clear identification of the sender.

A. Subscriber permission must be verified through Confirmed Opt-In. It is considered the highest level of subscriber permission for e-mail marketing. The WAA expects Confirmed Opt-In to be the baseline for wireless subscriber permission.
B. Wireless subscriber permission is not transferable to third parties without explicit permission from the subscriber.
C. Clear instructions on how to avoid future Push Messaging must be readily available to all recipients for all Push Messaging, and all such requests must be honored.
D. The following practices are intentionally misleading or otherwise inappropriate under the guidelines for Push Messaging:
  1. Forging of a message originator.
  2. Intentionally misleading subscribers as to the content of wireless push advertising.
  3. Online research practices that obscure the true purpose and use of the research results.
  4. Forwarding or otherwise propagating "chain letters."
  5. Commercial messages masquerading as conventional voice phone calls.
  6. Malicious wireless push advertising, including "mailbombing," i.e., flooding a wireless subscriber, carrier, or service with large and/or numerous messages that can reasonably be expected to overwhelm facilities.

VII. Data Security

WAA members creating, maintaining, using or disseminating PII should take appropriate measures to assure its reliability and should take reasonable precautions to protect it from loss, misuse or alteration. They should take reasonable steps to assure that third party recipients of such information are aware of these security practices, and that the third parties also take reasonable precautions to protect transferred information.

VIII. Data Quality and Access

WAA members who are creating, maintaining, using or disseminating PII should take reasonable steps to assure that the data are accurate, complete and timely for the purposes for which they are to be used. This includes making reasonable efforts to ensure that they are obtaining data from reliable sources.

Members should also establish appropriate processes or mechanisms so that inaccuracies in PII, such as account or contact information, may be corrected. These processes and mechanisms should be simple and easy to use, and provide assurance that inaccuracies have been corrected. The WAA also recommends that members honor requests from wireless subscribers to delete their PII in the event they change carriers or devices or simply unsubscribe from service.
Other procedures to assure data quality may include use of reliable sources and collection methods, reasonable and appropriate consumer access and correction, and protections against accidental or unauthorized alteration.

Contact:

Marla Nitke IAB
212-380-4714
[email protected]