TABLE OF CONTENTS KEEPING OUR PRIVACY PROMISE TO CONSUMERS 3

TABLE OF CONTENTS KEEPING OUR PRIVACY PROMISE TO CONSUMERS 3 STEP ONE: TAKE RESPONSIBILITY 4 STEP TWO: KNOW THE RULES 4 PART 1. NOTICE 5 PART 2. HONORING OPT-OUT REQUESTS 9 PART 3. IN-HOUSE SUPPRESSION 10 PART 4. USE OF THE DMA PREFERENCE SERVICES 12 GENERAL COMPLIANCE QUESTIONS 14 STEP THREE: MAKE THE PLEDGE! 16 REVISED JANUARY 2007

KEEPING OUR PRIVACY PROMISE TO CONSUMERS In October 1997, the Direct Marketing Association s (DMA) Board of Directors made a Privacy Promise to American consumers. It was an important step for our industry, our customers, and for your individual organization. The Privacy Promise, which became effective July 1, 1999, is a public assurance that all members of DMA will follow certain specific practices to protect consumer privacy. Those practices were designed to have a major impact on those consumers who wish to receive fewer advertising solicitations. At the same time, we sought to make compliance with the Privacy Promise as easy as possible for our members. DMA's Guidelines for Ethical Business Practice, including privacy principles for all media can be found at www.the-dma.org/guidelines/ethicalguidelines.shtml. Specific online requirements are noted throughout this guide. In addition, relevant privacy requirements now mandated by federal law are also noted. With membership in the DMA, you will stand out in the marketplace as one of the trusted organizations that promises to abide by four traditional privacy protection practices: 1. Provide customers with annual notice of their ability to opt out of information exchanges. For online marketing, provide notice to both customers and prospects in each solicitation; 2. Honor customer opt-out requests not to have their contact information transferred to others for marketing purposes; 3. Accept and maintain consumer requests to be on an in-house suppress file for prospective customers to stop receiving solicitations from your company; and, 4. Use DMA s Preference Service suppression files. Why Should You Keep the Privacy Promise? By keeping the Privacy Promise, you will: further build consumer trust in your organization and our industry; protect our industry from burdensome regulation inhibiting our freedom to market; demonstrate that DMA members respect individual consumer privacy choices; and, show you support a self-regulatory solution to consumer privacy protection. 3

Step One TAKE RESPONSIBILITY Designate an executive to be responsible for your organization's compliance with the Privacy Promise. This will help with follow-up communications should there be a privacy issue for your organization to address. If you haven't already let the DMA know whom your company has chosen for this role, or if you're not sure whether your firm has designated a compliance contact, please contact DMA's Ethics and Consumer Affairs Department at ethics@the-dma.org or 202.861.2408. Step Two KNOW THE RULES Review the Privacy Promise requirements, and determine how they apply to your organization. DMA members include both business-to-consumer marketers and business-to-business marketers. The Privacy Promise applies only to business-to-consumer marketing (although business-to-business marketers are encouraged to abide by fair information practices as well, if practical). The Privacy Promise specifies requirements for businessto-consumer marketers performing such functions as: list user, list compiler*, list manager, list broker, list owner, service bureau and, supplier. (*List compilers do not need to provide consumer notice.) Some companies perform all of those functions and, therefore, need to understand the requirements of all functions. The requirements of the Privacy Promise are defined by your relationship to the consumer named on the list. Following are the Privacy Promise requirements: 4

Step Two Part 1. NOTICE Traditional Media If your organization is a business-to-consumer marketer that rents, sells, or exchanges lists of customers, you MUST give your customers notice that they have a choice NOT to have their contact information rented, sold, or exchanged. Online Media If your organization operates an online site, you must provide all visitors to your Web site (customers and prospects) notice about your information practices. If you send unsolicited commercial e-mail, you must provide notice to customers and prospects, in each solicitation, of both in-house suppress and opt-out opportunities. (The federal CAN SPAM Act also requires that such notice be provided.) Timing of Notice Traditional Media The first notice must take place when, or soon after, a "prospect" becomes a "customer." Online Media Online notice must be available prior to or at the time personally identifiable information is collected, either on a prominent place on your Web site's home page, or a place easily accessible from the home page. Definition of "Customer" A person is defined as a "customer" if that person: bought something from you, donated to you, is identified by you as a "customer" on a list that you rent or exchange with someone else, has inquired about your products, services or organization and/or, is a sweepstakes entrant (whether or not a purchase or donation has been made). Individuals cease to be "customers" when they indicate that they no longer wish to be treated as customers of that marketer or when they are no longer on the marketer's customer list. 5

Please note that the definition of customer and persons with whom you have an established business relationship differs under the Telemarketing Sales Rule. For more information visit us online at: www.the-dma.org/guidelines/tsr.pdf. Definition of "Prospect" A person is defined as a "prospect" if that person has not previously initiated contact with you, for example, purchased from or donated to you. A prospect has had no previous relationship with you. (For example, gift recipients are considered to be "prospects" because they have not purchased an item or requested information from you.) Annual Notice You should give follow-up notices at least once a year. (However, if you contact a customer less frequently than once a year, you need only give notice as frequently as you contact the consumer.) A separate communications piece for this notice is NOT required, except for financial institutions as defined by the federal Gramm-Leach-Bliley (Financial Modernization) law, which are required to provide notice initially to both customers and prospects and annually thereafter to their customers. (See www.thedma.org/government/grammleachblileyact.) You may include the notice in any routine customer communication. It should, however, be easy for the customer to find, read, understand, and act upon. Notice is required regardless of the medium you use to contact customers. Notice need not be in the same medium as the solicitation, but, again, it should be easy for customers to find, read and understand. List managers, compilers, brokers, owners and service bureaus must give notice only if they are communicating directly to the customer under their own company or organization name. Otherwise, where they have no direct relationship with the customer, their obligation is to request and encourage marketers to give notice to their customers, and to make list users aware of the Privacy Promise. The marketer directly contacting the consumer (or on whose behalf the consumer is contacted) has the responsibility for providing notice. Questions about Notice: My company has several distinct brands (or affiliates, divisions, or subsidiaries) under which it operates. Does each have to give notice? You should view this from the average customer's perspective. Each separate company or brand, as the customer is likely to perceive it, must offer notice and opt out. Where affiliates, divisions or subsidiaries market under different company or brand names, customers may believe they are all different entities. Therefore, each corporate entity or brand must offer its own independent notice. Where affiliates, divisions or subsidiaries market under a single company or brand name, customers are likely to believe they are all one organization. Therefore, unless you clearly specify otherwise, one notice applies to all. 6

If my organization does not sell, rent, or exchange names, must we give a notice stating that fact? No, unless you are marketing online. Though many companies believe it is beneficial to tell their customers that they do not share marketing information with others, it is not required under the Privacy Promise. Only those marketers who rent, sell or exchange information need to provide notice of a mechanism to opt out of information transfer to third party marketers. An online marketer must disclose its policy, even if the policy is not to transfer information to others. Does our notice have to include information other than our organization's list practices? Traditional Media The Privacy Promise requires that you inform customers of your policy concerning the rental, sale or exchange of data and of the opportunity to opt out of the marketing process. Online Media DMA's Online Marketing guidelines require a more detailed notice about what personally identifiable information is collected about visitors online and the types of uses your organization makes of such information. Specifically, online notices must include, among other things: the nature of personally identifiable information collected from visitors; the uses made of it; whether the information is transferred to third parties (and if so, a consumer choice mechanism must be disclosed); whether your agents receive consumer data from you; whether you use cookies and what you do with data gathered by them; whether you permit network advertisers to collect information on your site (and if so, who they are and a mechanism visitors can use to contact them to see their privacy policies and, if they want to, opt out); your accountability and enforcement procedures; and that you keep information secure. In addition, for all solicitations sent online, marketers must furnish individuals with a link or notice they can use to request that the marketer not send them future solicitations online, and request that the marketer not rent, sell or exchange their e-mail address for online solicitation purposes. The Online Marketing guidelines and Do the Right Thing commentary to assist you in complying with them are located at www.the-dma.org/guidelines/onlineguidelines.shtml. DMA's Online Privacy Policy Generator can assist you with developing your online privacy notice. See www.the-dma.org/privacy/creating.shtml. Additionally, a quick reference chart on the federal CAN SPAM can be found at www.thedma.org/antispam/e-mail_chart.pdf. 7

Do I have to give notice during telephone sales calls? No. You may, of course, if you choose to, but since it is time consuming and distracting to give notice over the phone, you may give notice to "customers" in future solicitations, fulfillment packages, bills or by any other means. Notice must be given soon after a prospect becomes a customer, however. If a "customer" doesn't purchase for a number of years, does he or she automatically become a "prospect" again and therefore not receive notice? A customer remains a customer as long as he or she is classified as such for list rental and exchange purposes. However, as indicated earlier, a customer ceases to be a customer, and therefore should not receive communications from the marketer or have his or her name rented or exchanged, when that customer indicates that he or she no longer wishes to receive such communications or to be a customer. Would a "customer" continue to be a "customer" even after a club membership or subscription lapses? Yes. Nothing prevents a marketer from renewing a completed membership or subscription that has simply lapsed or expired, or from offering that customer other goods and services. However, if a customer cancels a club membership or subscription, that person is no longer considered a customer. What actions should be taken if the marketer's privacy policy changes? If a marketer's privacy policy substantially changes, consumers should be informed of the change prior to the rental, sale or exchange of personally identifiable information and be offered an opportunity to opt out of the marketing process at that time. Below is sample language your company may choose to use or adapt in order to provide notice to customers, including when your policy has changed. Examples of Notice Language: 1. We make our customer information available to other companies so they may contact you about products and services that may interest you. If you do not want your name passed on to other companies for the purpose of receiving marketing offers, just tell us by contacting us at, and we will be pleased to respect your wishes. 2. We make portions of our customer list available to carefully screened companies that offer products and services we believe you may enjoy. If you do not want to receive those offers and/or information, please let us know by contacting us at. 3. Our privacy policy has changed as of (date); we now make our customer information available to carefully selected companies so they can contact you about their unique products. If you do not want us to pass your name and address to these other companies, please contact us at. Additional Online Examples: 8

4. We would like to continue to keep you up-to-date by sending you an e-mail notice when we have a special offer we think you might like. Please let us know by return e- mail if you do not wish to receive such notices. 5. Our Web site now uses cookies, which allows us to see what portions of our site are viewed by visitors. This helps us personalize your visits and improve our site. If you do not want information collected through the use of cookies to be shared with other marketers, please send an e-mail to us at. 6. To better serve you by making your online and retail experiences with us as seamless as possible, we plan to combine the information you have provided to us online with the information you provided in our retail stores. If you do not want us to combine the two, please opt out by (date) by clicking onto. Step Two Part 2: HONORING OPT-OUT REQUESTS All consumer marketers must honor individual requests to opt out of the sale, rental or exchange of contact information for marketing purposes. Questions about Honoring Opt-Out Requests: If selective or categorical choices are available, may I make individuals aware of them? Yes. For example, an individual may want to opt out of receiving solicitations from other marketers for home furnishings or sporting goods, but may want to receive clothing, food and specialty offers. If you have the capability of giving consumers those kinds of choices, you may offer them. Once a customer opts out of the list rental process, how long must a marketer honor that opt-out request? Unless the marketer indicates otherwise, a marketer must not rent that person's name for at least five years after the opt-out request. (The marketer could specify another length of time, which could be less or more than five years, or forever.) For telemarketing, federal law also requires maintaining and honoring a do-not-call request for five years (originally, the law mandated ten years). Is there a different requirement for honoring online opt-out requests? If you market online, and you have promised to honor an individual's choice for a specific time, and that time period expires, you should provide that online visitor with a new notice and choice opportunity. 9

Whose responsibility is it to ensure that opt out is offered and honored? It is the list owner's responsibility to see to it that opt out is offered and honored. Any business partner -- such as a vendor or partner in a joint marketing venture -- that receives an opt-out request from a consumer has the responsibility to pass the opt-out request on to the list owner(s). Step Two Part 3. IN-HOUSE SUPPRESSION List owners and list users must honor individual requests for no future contact from both customers and prospects. Online marketers must give notice of in-house suppress. Questions About In-House Suppression: Must list owners and list compilers honor individual requests not to be contacted if an individual asks them directly? Yes. Both customer and prospect requests must be honored. A "prospect" contacted my company and requested not to receive our promotions any more. But this prospect is not in my database - the prospect's name was part of a rented list. What must I do? Establish an in-house suppression file of all individuals who do not want to receive your promotions. Use this in-house suppression file on all prospect lists you rent or exchange from others to ensure you do not continue to send material to someone who has asked not to receive it. A "customer" contacted my company to request not to receive promotions from my company any more. What must I do? Marketers must stop soliciting those individuals and flag them as do-not-solicit names in their customer file. That can be achieved by removing them from your active customer lists and adding them to your in-house suppress file to ensure that you do not send them material, even if they are on lists rented from others. How should in-house suppression be handled for separate affiliates/brands/subsidiaries? As in the case of "Notice," you should look at this from the average consumer's point of view. For company affiliates/brands/subsidiaries, the rule is the same: if affiliates, etc. market under a single name, and therefore consumers are likely to perceive them as one, a request for no future contact applies to all of them. Where related affiliates, etc. 10

market under different names, and therefore are likely to be perceived as separate, each affiliate or brand should have its own in-house suppression option. The federal Gramm-Leach-Bliley Act has separate requirements concerning company affiliates for financial institutions subject to the Act. (See www.thedma.org/government/grammleachblileyact.shtml and consult legal counsel to ensure compliance with legal requirements. The DMA also has a special privacy generator to help you meet the notice and opt-out requirements of this law: www.thedma.org/privacy/glbppg.shtml.) Can a marketer offer selective suppression? For example, could a magazine publisher offer suppression from a specific magazine title, or type of magazine? Yes. Nothing in the Privacy Promise prevents you from giving the consumer a categorical choice of in-house suppression options. When a consumer asks to be removed from a publisher's list, it would be appropriate to ask, for example: "Would that be from all of our magazines, or only those on health (or home decorating or travel) subjects?" Once an individual customer or prospect is on an in-house suppression file, how long must a marketer refrain from contacting that person again for solicitation purposes? Unless a marketer indicates otherwise, a marketer must not contact that person for at least five years after that individual makes a request not to be contacted in the future. In the case of telemarketing, the Telephone Consumer Protection Act and the Telemarketing Sales Rule used to require that individuals who ask not to be called again be placed on your in-house suppression file for ten years. However, that requirement is now also five years. Companies who wish to provide notice of in-house suppression could use or adapt the following language. Notice of in-house suppression is not required by the Privacy Promise (except, as noted, for online marketers). Examples of In-House Suppress Language: 1. If you decide you no longer wish to receive our catalog, send your mailing label with your request to. 2. We would like to continue sending you information only on those subjects of interest to you. If you don't wish to continue to receive information on any of the following product lines, just let us know by. 3. If you would like to receive our catalog less frequently, let us know by. 4. To be removed from this e-mail list, reply to this e-mail with unsubscribe in the subject line, or Click here for unsubscribe options. 11

Step Two Part 4. USE OF THE DMA S PREFERENCE SERVICES Marketers that contact consumers are required to use Mail Preference Service (MPS), Telephone Preference Service (TPS)* or e-mps on all consumer prospecting campaigns. In addition, marketers must suppress names of deceased individuals, which are flagged on MPS, TPS*, and e-mpa, or by using the separate Deceased Do Not Contact (DDNC) list. *Please note that DMA began to gradually phase out the Telephone Preference Service (TPS), referenced throughout this section. New consumer registrations for TPS are no longer being accepted. However, DMA members must continue to suppress prospective customers listed on TPS through December 31, 2011 (thus honoring TPS registrant requests for five years). DMA now only accepts TPS registrations for consumers living in the states of PA, ME and WY, because TPS serves as those states official lists. Other consumers who wish to decrease the amount of unsolicited telemarketing calls they receive should register with the Federal Trade Commission s National Do Not Call Registry at: www.donotcall.gov or by phone 1-888-382-1222. NOTE: Marketers are NOT required to use MPS, TPS* or e-mps on their own customer files before contacting their own customers. In addition, e-mps need not be used when individuals have given affirmative consent to the marketer directly. The list user is the one responsible for using the appropriate preference service before soliciting prospects. Usage by either the list owner or the list user, however, will satisfy the requirement. The goal is to ensure that prospects' choices not to receive mail, telephone, or e-mail solicitations are respected, and that solicitations are not sent to those individuals names listed on DMA s Deceased Do Not Contact list. List owners and users may wish to specify whose obligation it is in the list rental contract. For example, a list owner or manager may require by contractual obligation that a list user must use the DMA s Preference Services. Example of Contract Language Specifying MPS/TPS*/e-MPS/DDNC Responsibility: [List User] hereby acknowledges and agrees that as a condition of using [List Owner's] list, in accordance with the terms and conditions of this Agreement, [List User] will, prior to such use, remove and refrain from contacting all names that appear on DMA's MPS, TPS*, e-mps, or DDNC files except those individuals who are already a customer of [List User]. (E-MPS also need not be used when individuals have given affirmative consent to the marketer directly.) Although list brokers, compilers, and managers are not the parties responsible for using MPS, TPS*, e-mps, or the DDNC list, DMA members that are list brokers, compilers, and managers must advocate their use to business partners and clients. They could fulfill this requirement by including a paragraph encouraging this use in their sales material. 12

Example Language Promoting the Privacy Promise to Business Partners: [List Broker] strongly endorses the use of DMA's Preference Service files and requests that every list owner, manager and user use those files in accordance with the industry's Privacy Promise. For more information, see www.the-dma.org/preference. Questions About the Use of DMA's Preference Services: Do business-to-business marketers have to use the name-removal files? No. DMA s Preference Services were created for consumers who receive solicitations at home. They do not include business addresses. However, if a business-to-business marketer is using a hybrid list of business and consumer names, it must process the consumer portion of the list using MPS, TPS*, e-mps, or DDNC. How often are the MPS, TPS*, e-mps, and DDNC files updated, how frequently must I use them, and where do I obtain them? The MPS, TPS*, and DDNC files are updated monthly, and can be sent to you on either a monthly or a quarterly basis. As a minimum standard for complying with the Privacy Promise, the most recent quarterly release should be used whenever contacting prospects. To ensure that consumers who requested name suppression see results as quickly as possible, monthly processing is recommended. The e-mail Preference Service is updated continuously and monthly reports are available. All subscription information is available at http://preference.the-dma.org, including file formats and options for customization. Marketers can also contact the Preference Services Manager at 212.768.7277. Why did DMA develop the DDNC list? DMA established the Deceased Do Not Contact list in October 2005 to address the concerns of consumers receiving mail addressed to deceased family members. MPS, TPS*, and e-mps also contain the former contact information of deceased individuals, and this information is flagged on each file. However, members can use the DDNC file instead. It is important to note that the DDNC file is comprised of information reported to DMA by family and friends of deceased consumers. DMA does not compile information on deceased individuals from public information or in any other way. Why was TPS* discontinued, and what are my obligations with regard to using TPS and other Do Not Call lists? DMA decided that its Telephone Preference Service was no longer necessary in view of the federal Do Not Call list. All mail and most online consumer registrations for TPS were discontinued as of November 2006; Consumers are now referred to the Federal Trade Commission s Do Not Call Registry (which includes most state lists, as well). Online registrations will continue to be taken for consumers in the states of Maine, Pennsylvania, and Wyoming, however, because TPS remains the official Do Not Call list for Maine and Wyoming, and TPS includes the Pennsylvania Do Not Call registry. Because consumer names remain on TPS for five years, DMA members will be required to honor this part of the Privacy Promise by using TPS until December, 31 2011. 13

In addition to using TPS*, state and federal Do Not Call registries must be used. Information on how to obtain other state lists is available at www.thedma.org/government/donotcalllists.shtml, and information on obtaining the federal register is available from the Federal Trade Commission at www.ftc.gov. Are MPS and TPS* corrected by the U.S. Postal Service's National Change of Address (NCOA) file? Yes. MPS and TPS are run against National Change of Address (NCOA), Address Standardization, and ZIP correction systems. In addition, TPS is run against the Area Code Correction file. General Compliance Questions My business is small and keeping the Privacy Promise is time consuming and expensive for such a small operation. Must we adhere? It is important for DMA to be able to assure the public that all of our members follow the rules. DMA members in the unique circumstances of contacting so few prospects each year as to make using the Preference Services and the other requirements of the Privacy Promise burdensome and unduly expensive may apply to DMA for assistance or a possible exemption. It is important to note that any relaxation of the obligations under the Privacy Promise may be granted only by DMA s Committee on Ethical Business Practice. To contact the Committee, write to DMA s Department of Ethics and Consumer Affairs, 1615 L Street, NW, Suite 1100, Washington, DC 20036 or ethics@the-dma.org. What is the role of suppliers in this process? If you are a supplier, you must take steps to encourage compliance with the Privacy Promise. That might include inserting special statements in contracts encouraging compliance: [Supplier] strongly endorses the use of DMA's MPS, TPS*, e-mps, and DDNC files and requests that every list owner, manager and user use those files in accordance with the industry's Privacy Promise. For more information, contact the DMA's Washington, DC office at 202.955.5030. You must also document your efforts in encouraging your clients to comply. For example, a supplier might obtain statements from non-member clients who do not wish to follow the Privacy Promise: [List User] acknowledges that [Supplier] explained the Privacy Promise in detail and has requested [List User] to satisfy the Privacy Promise by using DMA's Preference Services and by providing [List User's] customers (Web site visitors, in the case of online marketing) with notice and the opportunity to opt out, but that [List User] refuses to do 14

so. Signed: Date: Officer of [List User] Can I do business with non-dma members that are not bound to follow these rules? Yes. But DMA member list owners, managers, users, brokers and suppliers should exercise their own independent business judgment as to whether to adopt contractual provisions such as those offered in this compliance guide. What are the rules for co-marketing ventures where both companies have access to customer data? DMA members should see to it that all their business ventures satisfy the Privacy Promise. Similarly, DMA members should take all reasonable steps to assure that customer data generated by a co-marketing venture with a non-dma member are used in accordance with the Privacy Promise. Do resident/occupant/saturation mailers have to follow the Privacy Promise? Since such mailers do not have personally identifiable information about individual consumers, but deliver to every home on a mail route much like a neighborhood newspaper, significant privacy concerns are not affected. Therefore, saturation mailers are not part of the Privacy Promise. What happens if a DMA member does not follow the Privacy Promise? If DMA s Committee on Ethical Business Practice determines that a member appears not to be in compliance with the Privacy Promise, the company will be contacted and asked for immediate compliance. The member will then need to come into immediate compliance and/or demonstrate to the Committee that its practices are consistent with the Privacy Promise. (DMA Ethics and Consumer Affairs staff attempt to gain compliance before an individual matter is referred to the ethics committee. An ongoing monitoring program is also in place to ensure member compliance with the Privacy Promise.) Any unanswered Committee question or unmet Committee request will be referred to the DMA Board for appropriate action, which may include censure, suspension or expulsion from the DMA, and publicity to that effect. Must I follow the Privacy Promise when communicating to consumers in other countries? Although the Privacy Promise is made to American consumers, DMA encourages those marketing to consumers in other countries to follow the principles of notice and opt out. If appropriate, the use of DMA's Foreign Mail Preference Service (F-MPS), which includes the MPS files of Belgium, the United Kingdom, the Netherlands and Germany, is encouraged. Information on F-MPS can be found at http://preference.the-dma.org. 15

Step Three MAKE THE PLEDGE As a DMA member you agree to follow the Privacy Promise promptly as a condition of membership. All DMA members sign a statement, as part of their membership agreement, to certify that they follow the Privacy Promise and Guidelines for Ethical Business Practice at the time of acceptance into DMA membership. Each company identifies a Privacy Promise contact person, and provides full contact information for that person, who is responsible for assuring compliance. Companies also reaffirm their compliance each year as part of the annual membership renewal process and re-confirm or appoint a new compliance contact person. Any questions may be addressed to DMA's Ethics and Consumer Affairs staff at privacypromise@the-dma.org, ethics@the-dma.org, or phone: 202.955.5030 or fax: 202.955.0085. 16