1.   Purpose

    • 1. This document establishes the minimum requirements for data privacy when collecting or using User information as part of external promotional campaigns for CEG Health (a FemTec Health Company) and its clients.
    • 2. This SOP describes the appropriate handling of User data by CEG Health associates or partners during marketing-initiated internet-based business activities. Digital media can include, but is not limited to, web site, web page, blog, vlog, social network, internet forum, chat room and health portal.

2.   Scope

    • 1. This Policy applies to all CEG Health employees and agents (including Partners), when generating marketing campaigns for CEG Health and its Clients.
    • 2. Implementation is in accordance with the Effective By Date. This Policy will be effective for U.S. operations on June 24, 2014. This Policy may be waived only if Client Policy dictates the use of Client Policies.
    • 3. Failure to comply with this Policy or those of CEG Health clients may be grounds for discipline up to and including termination. Other penalties may apply for Partners.
      • The World Wide Web,
      • Electronic mail systems (email) internal and external to CEG Health networks
      • Client sponsored internet-based platforms that are accessible to CEG Health associates
      • External electronic bulletin boards and similar internet-based platforms such as newsgroups, social networking sites, weblogs and chat rooms
      • Any client internet site or internet-based application that is available to an external audience where a client funds the site’s ongoing operation and/or controls editorial content, including sites that are:
        • Managed by CEG Health for a client
        • Managed by CEG Health in partnership with another company e.g. Agency

3.   Important Definitions

Authentication Information: Personal data used to verify a User (e.g., username, email address, password, mother’s maiden name, etc.).
Commercial Email & Advertising: Any Direct Marketing Communication that includes e-newsletters and other promotional materials specifically requested online by the User.
Demographic Information: Includes age, gender, annual income, HCP specialty, areas of interest, spoken languages, education level, and other social statistics or market segment information (excluding Health Information).
Direct Marketing Communications (DMC): Any communication sent to a User for the purpose of marketing, advertising, promoting or attempting to solicit interest in a product or service. This does not include any message or communication that is sent for the primary purpose of providing a product or service to a User or otherwise managing the account of a User.
Geographic Scope: The geographic location(s) of the audiences to which you are communicating. Examples would be U.S. Users only, global Users or country-specific audiences (i.e. Users in Canada, etc.).
Healthcare Professional (HCP): Doctors, nurses, pharmacists, lab technicians, and other health care providers.
Health Information: Includes disease state, medical history, medications (including type, frequency, competitor products, etc.) and general lifestyle. Note that health information may be collected indirectly by virtue of a non-HCP User visiting a disease-oriented site or by making an inquiry about a particular product.
Opt-In Consent: Providing affirmative, express consent (e.g., check a box, click an “I Agree” or “Yes” button). Providing an email address or other contact information is not the same as “Opt-In Consent” to Direct Marketing Communications.
Opt-Out: A User’s request to stop receiving Direct Marketing Communications from CEG Health, its Partners or Clients in general. A User may also request to stop receiving Direct Marketing Communications from certain mediums (i.e. no more phone calls, no more emails, etc.).
Partners: Third-party business associates, vendors, distributors, service providers, or those acting on behalf of CEG Health and/or its Clients.
Sensitive Information: Personal Data about any User’s racial or ethnic origin, religious or philosophical beliefs, trade union membership, political opinions, sexual life, physical or mental health or medical conditions, criminal record or history, unlawful or objectionable behavior, or other personal data considered to be sensitive in the relevant country. It also refers to Health Information about the User not provided by the User directly.
SPAM or spam: Unsolicited commercial email. This term refers to any email (whether single email messages or bulk mailings) that is sent without the recipient’s prior express permission for the purposes of marketing, advertising, promoting, conducting surveys, providing coupons or product samples, or otherwise attempting to solicit interest in CEG Health or its Clients.
User: A natural person who is a customer, prospective customer, patient, HCP, caregiver, or website visitor.

 

4.   Requirements

  • 1. CEG Health or its Partners may collect and use User data via marketing campaigns only in accordance with this Policy and/or Client policies and operating procedures. User data may be collected from public information that Users have disclosed and used to form advertising content and targeting strategies (e.g., to model and scale lookalike audiences) to drive website traffic, etc. Similarly, if a Facebook Page or Twitter Page or such other online community (e.g., forum, blog, etc.) has been created, the fans/followers of those Pages may also be modelled and scaled. Directly targeting the Users whose data was used for any content and/or targeting strategies is NOT permitted.

 

  • 2. User Data That May Be Collected
    • Authentication Information
    • Contact Information
    • Demographic Information
    • Health Information only provided by the User directly or indirectly by a caregiver
    • User data that is essential to CEG Health and its Clients’ immediate business purposes

 

  • 3. Define and Maintain a Geographic Scope

Only information from Users inside of an established Geographic Scope can be collected. All content must be appropriate to maintain the established Geographic Scope.

  • Implement preventative technological measures to avoid information collection from visitors outside the geographic scope
  • Include an appropriate pop-up message containing any necessary geographic disclaimers. For example – We’re sorry, but this site does not seek to collect information from visitors outside of [insert name of country/region]

 

  • 4. How User Data May Be Collected

User data may be collected from the following sources:

  • Company websites
  • Unbranded, disease related websites
  • Toll-free numbers (inbound User calls, as well as outbound calls to Users, as appropriate)
  • Business Reply Cards (BRC)
  • Conferences & Trade Shows
  • Coupons, Sweepstakes, or Other Promotions
  • Publicly-available websites
  • CEG Health Partners that provide User data and agree in writing that the intended recipients have provided Opt-In Consent (and have not subsequently withdrawn consent) to:
    • The disclosure of their data to CEG Health and its Clients
    • CEG Health and its Clients’ use of that data for CEG Health and its Clients’ own direct marketing purposes
    • The type of communications CEG Health and its Clients plan to send (e.g., about a product, a category of issues generally, etc.) and
    • Receiving those messages from CEG Health and its Clients via a particular communication (email, postal mail, fax, telephone, home or work).

The Partner has complied with all applicable laws and regulations, including those related to privacy and data protection.

  • 5. Secure and Validate Opt-In Consent for User Data

Prior to sending any DMC to a User, Opt-In Consent must be obtained. However, when marketing to HCP Users, prior Opt-In Consent is not required.

  • Opt-In Consent must be located next to where the data is collected
  • Scope of Opt-In Consent must include a description of the:
    • Means of communication (email, postal mail, fax, telephone; home or work)
    • Source of communication (CEG Health, its Partners or Clients, or Clients’ Partners)
    • Type of communication (e.g., about a product, a brochure etc.)
  • Mark what is required and optional
  • Format of collection: When requesting User data, use appropriate security measures to prevent a data breach
  • Maintain an auditable history by:
    • Appropriately identifying the visitor (e.g., ask the visitor to provide at least one key element, such as an email address or phone number),
    • Recording the source of the User data (e.g., particular BRC, website URL, etc.),
    • Time- and date-stamping the collected User information and Opt-In Consent.

Records of Opt-In Consent should be maintained per CEG Health Data Retention Policy.

Check registration/permit obligations for non-US jurisdictions: Prior to beginning any marketing campaign, ensure that all required authorizations and permits are in place. Also, when required by local data protection authorities or equivalent regulatory bodies, register CEG Health and its Client’s intent to collect and process User information.

  • 6. How User Data May Be Used

User data can only be used within the stated scope of the current Opt-In Consent as established in Section 4.5 above.

Prior to each marketing campaign, check Users against CEG Health and its Clients’ opt-out lists, as well as externally available do-not-market lists, to ensure that Users being marketed to have opted in and have not subsequently opted out.

Externally maintained do-not-market lists include, but are not limited to:

  • National Do-Not-Call registry (donotcall.gov)
  • Do-Not-Mail Preferences Service (maintained by the Direct Marketing Association)
  • Do-Not-Fax list (www.fcc.gov)
  • 7. Data Storage

Keep User information in personally identifiable form only as long as necessary for the purpose specified at the time of collection. Delete or de-identify the information once it is reasonably appropriate to do so.

Sensitive Information requires a higher level of protection than User information to be appropriately stored.

5.   Other Requirements

  • 1. Partners who provide services may be used to assist with the preparation, transmission, processing, or tracking of DMC sent via email or postal mail provided that:
    • All Partners agree in writing to:
      • Use and disclose User information only for purposes of providing services,
      • Maintain proper security and safeguards to protect the security of User information,
      • Maintain proper protections to address restrictions on the cross-border transfer of User information, and
      • Allow Clients to monitor and audit CEG Health business practices for accordance with its contractual obligations
    • CEG Health may not disclose to any Partner the contact information (e.g., email address) or other User information for Users included on the do-not-market list.
  • 2. Children: CEG Health and its clients may market to parents or guardians of children under the age of 18, but may not collect personally identifiable information directly from children who are under the age of 18 without prior written approval of Client’s Legal, Regulatory & Compliance departments.
  • 3. Any privacy language making assurances about User information must be consistent and upheld across the marketing campaign (i.e., do not include the following terms or phrases in any privacy language: never, always, guarantee, promise that anything will be secure or completely or strictly confidential).

6.   Acknowledgment

Every CEG Health Employee or Approved Contractor who engages in Social Media Activities on behalf of CEG Health or a Client thereof is personally responsible for ensuring understanding of and adherence to this Policy or any other applicable policy, law, guidelines, or regulation.