Do You Own Your SaaS Website? Part 3 - Your Opt-In and Customer Lists
Copyright © 2009 Chip Cooper
Stop and think about your website for a minute. Think about ownership.
You're probably thinking of the typical website elements - web pages, content, and background software. Possibly even your domain name. Right?
Have you ever considered that your opt-in and customer lists may be worth more than all of the typical website elements combined?
You should. And a purchaser of your website business probably will. Have you protected and enhanced the value of these lists?
Two Fundamental Questions
What rights do you have in the data that's in your opt-in and customer lists? The key to the answer depends on 2 issues that center on your Privacy Policy:
* do you have the basic right to transfer your opt-in and customer lists to a purchaser of your website business?, and
* if "yes", then what are the limitations on use and sharing that will bind the purchaser?
The Basic Right To Transfer Your Lists - The Toysmart Case
Toysmart stated in its Privacy Policy that that the company would not share personal information of customers with any third party, with no exceptions. Based on this representation, Toysmart collected numerous names and other personal information of its customers.
A year later, Toysmart attempted to sell its customer list to generate funds for creditors as part of a bankruptcy action. The Federal Trade Commission (FTC) filed a "deceptive practice" lawsuit under Section 5 of the FTC Act. Several state attorneys general concurred. The FTC argued that Toysmart should be required to strictly comply with it Privacy Policy. Essentially, no sharing means exactly that - no exceptions.
The lesson of the Toysmart case is that your Privacy Policy should reserve the right to transfer your opt-in and customer lists as part of any merger, acquisition, or sale of the company and/or its assets, as well as in the unlikely event of insolvency, bankruptcy, or receivership. If it does not, then you won't be able to transfer the lists at all - and the sale of your website will fall through.
Limitations on Collection and Sharing - The Gateway Learning Case
Collection and sharing of collected information are really two sides of the same coin.
First, you're required to specify in your Privacy Policy all of the categories of personal information you collect through your site. You should be careful to reserve rights to collect all the personal information you need to operate your online business. For example, a typical SaaS website that has an opt-in list and a customer list might reserve the right to collect the following: name, physical address, an email address, phone number, and credit card information including credit card number, expiration date, and billing address.
Second, you're required to disclose how you may share the personal information you collect. The Gateway Learning case teaches a valuable lesson regarding your right to share personal information.
Gateway Learning Corporation promised in its Privacy Policy to not rent consumers' personal information to others. Later, contrary to this promise, Gateway started renting personal information to marketers for use in direct marketing activities. When Gateway personnel remembered its promise to not rent personal information, Gateway amended its Privacy Policy, believing that the amendment would take effect retroactively.
The FTC promptly brought suit against Gateway alleging that personal information collected prior to the Privacy Policy amendment was not authorized by customers for sharing. The FTC claimed that Gateway's sharing of unauthorized personal information constituted a "deceptive practice" under Section 5 of the FTC Act.
The lesson of the Gateway Learning case is that you must ensure that any personal information that is shared with others is authorized by clear Privacy Policy notices which were in the Privacy Policy at the time the personal information was collected. Amendments regarding the sharing of personal information are not effective retroactively.
With this lesson in mind, you should carefully consider what sharing rights to reserve in two steps:
* First, what sharing rights do you absolutely need to operate your website business? These rights will be related to your existing marketing policies. By all means, reserve these rights in your Privacy Policy.
* Second, what sharing rights might you need in the future as you expand your marketing activities? It's strongly recommended that you reserve these rights also, even though you don't plan to exercise them in the near future.
This list of sharing rights for personal information is not exhaustive, but it's a good start:
* "purchasers" of your website business as part of such merger, acquisition, sale, or other change of control (this is the basic right to transfer your opt-in and customer lists as discussed above),
* service providers who have access to the internals of your website (e.g. hosting, SEO, site maintenance service providers),
* your affiliates (not marketing affiliates, but affiliated entities (e.g. a parent or subsidiary entity),
* transferees in the event of our bankruptcy, insolvency, reorganization, receivership, or assignment for the benefit of creditors,
* transferees for purposes of satisfaction of legal obligation or to provide site security, and
* third party marketers for purposes of their direct marketing (this relates to list sharing with others and should reflect your current and contemplated future marketing plans and activities).
In addition to the sharing of personal information, consider reserving these rights:
* right to serve 1st party behavioral ads (you use anonymous information collected at your site to serve targeted ads at your site, but you do not share such information with 3rd parties),
* right to serve 3rd party behavioral ads (your site collects and then sells or shares anonymous information collected at your site with third parties for purposes of behavioral advertising, or participates in a network that collects data at your site for purposes of behavioral advertising; e.g. Google's AdSense), and
* right to use web analytics services provided by 3rd parties that serve cookies (e.g. Google Analytics). Conclusion Your opt-in and customer lists may be your website's most valuable elements.
In order to protect and enhance their value for the possibility of a profitable sale of your site, careful planning is required at an early stage in the development of your marketing plans for your site.
Your plans must be clearly implemented in the form of specific reservations of rights in your Privacy Policy - and to be effective, these reservations must be made prior to the collection of the personal information.
This article is provided for educational and informative purposes only. This information does not constitute legal advice, and should not be construed as such.
