Morris Manning & Martin, LLP

Making Sense of the New Affiliate Marketing Rule

11.03.2008

In October, the Federal Trade Commission (“FTC”) issued its long-awaited Affiliate Marketing Rule implementing amendments made to the Fair Credit Reporting Act (“FCRA”) by the Fair and Accurate Credit Transactions Act of 2003 (the “FACT Act”). The new rule, which has been a very long time in coming, has important consequences for the handling of consumer information by insurers and other providers of financial services.

The Affiliate Marketing Rule implements provisions of the FACT Act governing the use of certain consumer information shared among affiliated companies for the purpose of making marketing solicitations. The compliance date for the Affiliate Marketing Rule is October 1, 2008. Covered information shared among affiliates before that date may be used to make marketing solicitations without having to comply with the new rule.

The FTC refers to information covered by the Affiliate Marketing Rule as “Eligibility Information.” Generally speaking, the most important categories of Eligibility Information for insurers are (1) information about an individual collected on an application for personal insurance that is used to determine eligibility for coverage or rate risk and (2) information as to transactions and experiences between the insurer and the consumer, other than medical information. An example of information in Category 1 would be the marital status reported by an insured where this information is used to set rates for private passenger auto insurance. An example of information in Category 2 would be the claims history for a homeowner’s insurance policy.

A third category of information—consumer report information received from a third party—also is governed by the Affiliate Marketing Rule. Such information generally cannot be used to make marketing solicitations unless the consumer gives express consent before the consumer report is obtained.

The Affiliate Marketing Rule and related provisions of the FCRA are, to put it mildly, less than straightforward in their operation. Nevertheless, a few important points can be extracted from what is otherwise a pretty tangled regulatory thicket.

First, under the FTC’s interpretation of the FCRA, information that falls into Category 1 above may not be shared among affiliates for any purpose unless the consumer is given a reasonable opportunity to opt out of the sharing before it occurs. This is a longstanding interpretation of the FCRA by the FTC and is in effect now, even before the Affiliate Marketing Rule compliance date of October 1, 2008. In addition, if an affiliate wishes to use information in Category 1 that it receives from another affiliate to make a marketing solicitation, the consumer must either be given a reasonable opportunity to opt out of the marketing use by the affiliate or the affiliate using the information must have a “pre-existing business relationship” with the consumer. This limitation will become effective for information shared among affiliates on or after October 1, 2008.

Second, affiliates may freely share Category 2 information (“transaction and experience” data other than medical information) without offering an opt out. As a general rule, however, before an affiliate receiving such information may use it to make a marketing solicitation, it must either give the consumer a reasonable opportunity to opt out of the marketing use or have a “pre-existing business relationship” with the consumer. This limitation also will become effective for information shared among affiliates on or after October 1, 2008.

These are the general rules, but they ultimately may have little relevance to affiliate marketing programs because of a broad exception under what is known as “constructive sharing.” The following example illustrates how constructive sharing works: Life Affiliate establishes a set of criteria for consumers to whom it wishes to market life insurance. The criteria might include, for example, individuals who have a better-than-average claims history for auto insurance. Life Affiliate shares the criteria with Auto Affiliate. Auto Affiliate matches its insureds against the criteria and sends those who meet the criteria a solicitation inviting them to contact Life Affiliate if they are interested in purchasing life insurance. The practice described in this example is permitted under the Affiliate Marketing Rule for information in Category 2. It also may be permitted for information in Category 1 under certain circumstances.

In addition, as a general matter, constructive sharing is permitted where, using the example above, a service provider to Auto Affiliate matches the criteria provided by Life Affiliate with Auto Affiliate’s claims data and sends out marketing solicitations for life insurance. In this case, Auto Affiliate must have a contract with the service provider controlling the terms of access to information and requiring the service provider to establish reasonable policies and procedures concerning the terms of access. Note that the service provider may be an affiliate within the affiliated group of companies that includes Auto Affiliate and Life Affiliate.

The constructive sharing exception gives insurers and other companies considerable flexibility in the use of affiliate data for marketing purposes. Indeed, given the breadth of the exception, many companies may decide that there is no reason to provide an FCRA opt out concerning the use of shared data for marketing purposes. Insurers and other companies should keep in mind, however, that additional restrictions on the sharing and use of medical and other health-related information established by the FCRA, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and state laws also need to be considered when fashioning an affiliate marketing program.

Joe Holahan is Of Counsel in Morris, Manning & Martin’s Washington, D.C. office and is Director of the firm’s Terrorism Insurance Group. His areas of experience include privacy and data security, compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), state and federal insurance regulation, and managed care. He received his bachelor’s degree from University of Virginia and his law degree from Catholic University of America, J.D., 1990.