CRM in an Age of Legislation

Direct mass marketing isn't the business it used to be, and the days of casting a wide net to catch a handful of customers are over. Several new laws and regulations have been put into place over the past decade that make it harder for marketers to get access to customer information, allow consumers to block unsolicited sales calls, and institute stiff penalties for companies that violate these statutes. As the mass marketing environment changes businesses must change the way they manage their prospects, as well as their established customers. But companies are finding that in complying with the new regulations they are rediscovering best practices for relationship care, and are carving out new competitive space. This looks like a job for CRM. The Party's Over Ask any reputable marketing firm and you'll hear that consumers have, in large part, rejected the deluge of random solicitations that marked the height (or, to most, the nadir) of an unrestricted marketing culture. "The new legislation we've been seeing, on top of the older rules, is part of the larger shift away from mass marketing," says Eric Anderson, director of agency services for Web marketing firm White Horse. "CAN-SPAM and DNC are consumer-driven efforts for individuals to control the environment in which they're marketed to." Other sections of these laws, as well as other legislative motions, address different aspects of information gathering. CAN-SPAM, DNC, and DNF all contain provisions that limit the sources from which a company can draw prospects, prevent the sharing of information without the consent of the consumer, and give consumers final say over who can and can't call them. The Health Insurance Portability and Accountability Act (HIPAA) prohibits the use of medical and insurance information for any unrelated purpose, and establishes security requirements to keep it out of the wrong hands in the first place. Other recent laws that may occasionally be issues for outbound callers and emailers include Sarbanes-Oxley, COPA, and Gramm-Leach-Bliley. Tactical Changes, New Opportunities The requirements of the various privacy and security laws have caused a shift in the approach to sales and marketing calls. According to Anderson, even Web advertising has changed due to this: Because consumers perceive possible annoyance and even danger from clicking on throbbing banner ads, less money is spent on them in favor of paying for better placement in search engines. In addition, "our clients have moved away from third-party email services, list rental, and similar approaches. It's had a chilling effect on the mass-marketing technique," Anderson says. Christa Heibel, CEO of CH Consulting, says this is good: "In telemarketing, for example, it wasn't just the bottom-feeders who were overcalling. These laws are enforcing responsible, more-thought-out, targeted marketing, instead of casting a wide net." For Rick Buck, director of privacy and ISP relations for email marketing services firm e-Dialog, compliance shouldn't be a big deal for first-rate companies. "From day one everything we've preached as best practices in marketing meets or exceeds current legislative requirements," Buck says, "and that's been the case since before the laws were enacted." Other companies, however, may simply be missing the point, Anderson says. "Clients haven't taken the time to understand CAN-SPAM. They just did a broad sweep to try and fix problems, so every week we see a prospect who is doing something screwy." One such prospect came to White Horse complaining of a recent email blast that had achieved almost zero delivery and he didn't know why. Anderson recalls, "They had rendered all the text as graphics in an attempt to get around spam filters, and had printed the opt-out message in white letters on a white background." These are immediate red flags for most filtering software, he says, "so, by trying to avoid tripping the spam filters they tripped them all." The issue in this case is like the old canard: If guns are outlawed, only outlaws will have guns. "Spammers have no problem getting their messages out," Anderson says, "because all they care about is beating filtering software. Real marketers are often the ones who are being blocked--even some opted-in customers never see the emails." To succeed, email marketing must be tied to relationships, interest, and segmentation. One place where White Horse has succeeded is with surveys. "We include a consumer survey with the opt-in message, enabling customers to choose what they want and don't want to see," Anderson says. "We can also run a promotion along with the survey, which boosts the response rate and grabs customer interest." Compliance can save you money, as well. Hewlett Packard had to dump its manual-sales document creation methods to comply with SarbOx regulations. Not only was the previous cut-and-paste system prone to errors (exposing HP to having a sale reversed if the errors created unrealistic expectations for the client), it tended to result in generic, inconsistent documents that didn't contribute to winning sales. The creation process was also long, averaging 40 hours per document. To rectify this the company turned to Pragmatech Software's Proposal Express to automate the process. Documents now take 10 to 20 minutes to create, saving HP 262,000 salesperson hours in one year, an estimated savings of between $15 million and $17 million. Another possible win for marketers is adding commercial messages to the transactional emails that are largely exempt from opt-out requirements. This can be compared with the marketing materials found in monthly credit card statements, but without the associated cost of printing and postage. White Horse designed an email statement for Country-wide Financial to replace its paper statements, with space included for contextual cross-selling. "Countrywide is allowed to use its own data on existing customers to offer them products and services they might be interested in," Anderson says. "Based on mortgage data, for instance, [the company] can offer customers refinance opportunities." The changes required are not always easy or quick, according to Lou Caputo, director of sales operations for Moody's KMV. "For data security and privacy in our CRM system, which was provided by Saratoga Systems, we need to make sure that only appropriate users have access. Any person who gets a license to access customer information needs approval and a documented reason for use," Caputo says. "Compliance issues touch not only our sales reps, but presales workers, the finance department--probably about fifty percent of our personnel. We need to run monthly reviews on user license approvals, and we even have to check the formatting and code of individual cells in our spreadsheets. We have to have some kind of process in place for security, and this has definitely saved us money and trouble--but compliance still takes a big chunk of time out of our day." Whether the solution is easy or difficult, there are opportunities to be found in getting your company up to spec on compliance issues. Buck touts the public relations benefit of being able to claim compliance. "If you can go to your customer base and say, 'We're Gramm-Leach-Bliley compliant, so your financial information is safe with us,' you enhance the credibility and perceived value of your relationship," Buck says. "Forget laws and standards--you need to send the right message to the right person at the right time." Contact Senior Writer Marshall Lager at mlager@destinationCRM.com The Laws and Their Penalties Following are the laws and their penalties, summarized from www.ftc.gov: "Federal Trade Commission for the Consumer"

Health Insurance Portability and Accountability Act of 1996 (HIPAA): Summary: Security provisions from Title II of HIPAA include requirements that a health care clearinghouse have policies and security procedures that isolate its information processing activities to prevent unauthorized access by its parent company or a nonrelated business unit. Anyone who maintains or transmits health information must employ reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of the information, and protect against any reasonably anticipated threats or hazards to the security or integrity of the information, including unauthorized uses or disclosures. Penalty: Not more than $100 for each such violation, except that the total amount imposed for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.

Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM): Summary: CAN-SPAM establishes requirements for those who send commercial email. Among these provisions are: 1. a ban on misleading header information (an email's "From," "To," and routing information must be accurate and identify the person who initiated the email); 2. a prohibition of deceptive subject lines (the subject line cannot mislead the recipient about contents or subject matter); 3. a requirement for an opt-out method for recipients (you must provide a return email address or other means that allows a recipient to ask you not to send future email messages to that email address, and you must honor the request within 10 days of receipt); 4. a requirement that because it's illegal to sell or transfer the email addresses of people who choose not to receive your email--even in the form of a mailing list--the addresses are transferred so the list recipient can comply with the law; and 5. a requirement that commercial email be identified as an advertisement and include the sender's valid, physical postal address. Penalty: Each violation of the above provisions is subject to fines of up to $11,000. Deceptive commercial email also is subject to laws banning false or misleading advertising. Additional fines are provided for commercial emailers that harvest email addresses from Web sites or Web services that prohibit the transfer of email addresses for the purpose of sending email, generate email addresses using a dictionary attack (combining names, letters, or numbers into multiple permutations), or use scripts or other automated ways to register for multiple email or user accounts to relay commercial emails through a computer or network without permission. The law allows the Department of Justice to seek criminal penalties, including imprisonment, for commercial emailers whose behavior meets certain conditions.

Do Not Call Registry (DNC): Summary: Enacted in 2003 as an amendment to the Telemarketing Sales Rule of 1995 (TSR), DNC establishes a national registry of consumer phone numbers that telemarketers may not call without meeting certain criteria. These include having an existing business relationship with the consumer within the past 18 months, receiving a request for information from the consumer within 90 days, or having the consumer opt-in to receive communications from the company. DNC does not necessarily prevent a call, but it makes it easier for consumers to reduce the number of unwanted telemarketing sales calls they get by filing complaints. Penalty: Violating the National Do Not Call Registry subjects telemarketers to civil penalties of up to $11,000 per violation. Some violators of the DNC Registry also engage in fraud or other law violations, including attempts to profit from the Registry by purporting to register consumers for do-not-call services for a fee. In these cases, the penalties can include injunctions against future violations, consumer redress, and disgorgement of profits.

Do Not Fax (DNF): Summary: Similar to DNC, but DNF is part of the Telephone Consumer Protection Act of 1991. DNF states that businesses cannot fax an unsolicited advertisement unless they have an established business relationship with the recipient, as defined above. All faxes must carry identifying information (including company name, phone number, and date and time sent) on the cover page and/or the margin of each page. Penalty: Up to $11,000 per violation, again similar to the provisions of DNC.

Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLBA): Summary: GLBA requires all financial institutions to disclose policies and practices for protecting the privacy of non-public personal information of customers. The disclosure provided to customers at the time of establishing the relationship--and at least annually thereafter--allows customers to opt-out of information sharing arrangements with nonaffiliated third parties. Financial institutions may only share personal customer information among affiliates within a holding company. It is now a criminal offense for any person, including firm employees, to attempt to obtain customer information relating to another person from any financial institution by making a false or fraudulent statement to an employee of that financial institution. This information includes all individually identifiable information relating to customers or any person receiving services; past, present, or future financial information, services, or payment for services; and demographic data collected by financial institutions. Penalty: The basic penalty is $100,000 to financial institutions, and a further $10,000 to any officers and directors involved. Other violations may earn prison sentences of up to 5 years, revocation of FDIC insurance, fines of $1 million for individuals or institutions, and being barred from working in the banking industry.

Sarbanes-Oxley Act of 2002 (SarbOx, SOX): Summary: This is an extremely complex law, suitable to the industry it was created to regulate--accounting, financial, and consulting services. In brief, the relevant provisions include maintaining clear, up-to-date transaction records; communicating accurate reports on earnings and activities to all shareholders; separation of accounting and financial services business units from any advisory or consultancy units; and strict controls on the quality of information used to sell products and services to customers. SarbOx is not easy to understand, so consult a corporate attorney for specifics. Penalty: Violations of SOX securities fraud laws result in jail time of up to 10 years, and a schedule of fines. Additionally, existing white-collar crime laws have had their penalties enhanced: mail and wire fraud now carries a sentence of up to 10 years as well, and willfully and knowingly falsifying a financial report can result in a $500,000 fine and up to 5 years in jail.

Child Online Protection Act of 1998 (COPA): Summary: COPA makes it a crime to communicate harmful commercial information to a minor by means of the World Wide Web, with further criminal provisions for intentionally violating the act. Penalty: Up to $50,000, imprisonment of no more than 6 months, or both. Intentional violators are subject to a fine of $50,000 for each violation, with each day of violation constituting a separate violation. In addition, violators may be subject to a civil penalty of not more than $50,000 for each violation. --M.L.