A recent action by the New York State Attorney General Eliot Spitzer will change the way companies look at email marketing and privacy compliance. This case affects the manner in which companies conduct due diligence, and complete corporate or commercial transactions. This article analyzes this recent case and suggests measures to be taken by companies to reduce their exposure and liability.
New York State v. Datran

An investigation by the office of New York Attorney General Eliot Spitzer against Datran Media, LLC, a leading e-mail marketer, identified the improper disclosure of the personal information of more than six million American consumers. Datran's primary business practice involved sending emails to consumers, promoting the products and services of its advertising clients. The email recipients were on marketing lists containing personally identifiable information (PII) that Datran obtained from list providers. These third parties gathered these lists through a variety of means. The New York Attorney General's investigation of the provenance of marketing lists used by Datran revealed that some of Datran's list providers, on their own websites, had promised consumers they would NOT sell, rent, or share such information to or with third parties. The investigation revealed that Datran was aware of these promises when it purchased the lists. Datran, on the other hand, represented on its website that recipients of its email campaigns "have all requested to receive information about products and services from companies like yours". The New York Attorney General objected to the practice as a violation of New York State's Deceptive Practices Act. In its March 2006 settlement, Datran agreed to pay $1.1 million as penalties, disgorgement, and costs; destroy the information illegally obtained from list sellers; and appoint a Chief Privacy Officer to oversee privacy compliance efforts. Moreover, the settlement agreement requires that Datran avoid acquiring any personal information without first independently confirming that such acquisition is permissible under the relevant seller privacy policies. Reliance on a third party's representations or warranties is not sufficient. More specifically, the settlement agreement prohibits Datran from purchasing, licensing, or using any PII unless it first:
In addition, the settlement agreement provides that a written warranty from a list provider regarding the manner in which the marketing list was compiled or collected is not sufficient on its own to fulfill the obligation of an independent review.

Lessons Learned

The Datran case teaches several critical lessons:
These lessons apply to most corporate and commercial transactions. Even though Datran pertained to a licensing contract, the same rationale would apply to other types of contracts: from outsourcing and services agreements to asset purchases, and mergers and acquisitions.

Due Diligence

While companies routinely conduct due diligence in the context of a merger or acquisition, many do not take the same precautions - or are more casual - when entering into commercial transactions, such as outsourcing, licensing, or services agreements. These contracts, however, might be just as critical and company-sensitive as a merger or an acquisition. Commercial contracts add value to the bottom line, and their success boosts the company's profile and performance, increases the sale of its products or services, and creates value for the shareholders. In addition, too frequently, those who conduct due diligence do not pay sufficient attention to the unique issues related to personal data protection. Contact information, purchase patterns, online behavior and other PII are extensively used and analyzed to identify new markets and generate revenues and profit for the company. These valuable databases are subject to a plethora of laws, regulations, and other restrictions in a fast-changing legal environment. Before entering into a contract that involves the use, disclosure, sale, transfer or license of PII, thorough due diligence is highly recommended. The due diligence must ascertain that all aspects of the privacy and security of the PII to be transferred, disclosed, or licensed are addressed adequately. It must ensure that the proposed transaction will be consistent and compatible with the pre-existing restrictions. The investigation and analysis must be completed by professionals with a thorough understanding of the legal issues at stake. For example, first review the company's privacy and security policies and procedures.
Ask for both the current policies and all other policies that have been in use or published since the company started gathering the PII that is to be transferred or disclosed. These policies may restrict or prohibit the contemplated use of the PII. The inquiry should also attempt to ascertain the source and origin of the information in the third party's database. How and where was it collected or obtained? Were the individuals whose information was collected made sufficiently aware of the collection and anticipated uses of their PII? How were they informed? How did they consent? Was the information obtained by lawful means? Consider the effect of the CAN-SPAM Act prohibition on the use of automated harvesting and dictionary attacks to obtain lists of email addresses. Evaluate the third party's policies and procedures for the handling of opt-out, opt-in and unsubscribe requests in order to ensure compliance with the CAN-SPAM Act or other applicable law on unsolicited commercial electronic messages. Conduct spot tests to verify that the third party's practices are consistent with its policies and procedures. Review and analyze, as well, the third-party contracts and other use restrictions, upstream and downstream. These contracts may prohibit, limit, or affect the use, handling, or security of the PII.

Contract Provisions

Once the due diligence is satisfactorily completed, the contracts that govern the purchase of third parties' lists, joint marketing campaigns, or other service or license agreements that will use the PII should be structured and drafted to take into account the contemplated uses of the PII. The contracts should address the numerous aspects of privacy and information security related to this PII. In addition to the clauses that are found in typical contracts for the sale or license of products or services, several other provisions are necessary to address the unique issues that are associated with handling personal information.
In a service or license agreement, for example, the client or licensor should require a scope-of-services or scope-of-use provision that specifies the permitted or required use of the PII, and how the PII should be handled. In a transfer or license agreement, the contract should define specific measures for ensuring that the use of the PII and distribution lists will not violate the restrictions that are attached to the PII. As appropriate, incorporate the company's privacy and security policies into the contract. Audit and performance-review clauses covering the third party's procedures are necessary to create a framework for supervising compliance during the life of the contract. Negotiate the right to conduct audits of the third party's practices and facilities, as applicable. In both license and transfer agreements, obtain adequate representations and warranties with respect to the PII and related assets that are sold, transferred, or licensed. Consider, for example, a warranty that the lists do not contain email addresses or other PII of individuals who have objected to the transfer or use of their information. Or, a warranty that the permission provided by individual recipients has not expired and has not been rescinded since it was received from the individual. Remember, however, that these representations and warranties are not an absolute shield from liability. Current jurisprudence - such as Datran - provides that a party cannot rely only on representations made by the co-contracting party. Detailed warranty provisions also help raise issues and force the parties to identify potential problems. Once these are identified, it is much easier to draft limitation-of-liability clauses that take into account the actual risks. The parties should negotiate, as applicable, contract provisions that allocate the risks and liabilities, such as indemnification, limitation of liability and insurance, if relevant.
Conclusion

To compete and survive in today's markets, all companies have the same need for leads, prospects, and customers. Their success is tied to control over, and use of, PII that allows them to establish and maintain contact with decision makers. How this information is handled and used is critical to keeping the company's goodwill stellar and reducing exposure to liability. To protect these fragile relationships, a business must invest the resources necessary to ensure that at all times customers' and prospects' personal information is treated in a manner that is consistent with the current data protection laws and jurisprudence, and other relevant restrictions. When relying on third parties to provide services or information, it is critical to ensure that the databases they use on the company's behalf, or those that they sell or license to the company, have been created and maintained, and are used, in a manner that is consistent with increasingly restrictive privacy and information security laws and jurisprudence. While representations and warranties as to the origin of databases or their transferability are a necessary component of a sound contract, they are not sufficient. The Datran case establishes a higher standard. Businesses that acquire a database or purchase services associated with the handling of personal information must first conduct thorough, independent due diligence that verifies that the use or transfer of this PII is actually permitted. Such a complex endeavor requires great attention to detail. There must be a complete investigation of the target's or co-contractor's practices. It is essential, as well, to have a thorough and deep understanding of the current data privacy and security laws, and related jurisprudence. Complex legal issues are involved. They cannot be solved by the mere use of a generic representation or warranty in a contract.
Hot Issues in M&A and Corporate Transactions:
Update Your M&A Due Diligence Checklist - or it may cost you millions of dollars
By Francoise Gilbert
© 2006 IT Law Group – All Rights Reserved