Editor's note: Howard Fienberg is director of government affairs for the Marketing Research Association, Glastonbury, Conn. This article appeared in the November 8, 2010, edition of Quirk's e-newsletter.
As introduced by Rep. Bobby L. Rush (D-Ill.) the Best Practices Act (H.R. 5777) is a comprehensive federal data privacy bill that, if enacted into law in its current form, would fundamentally alter the business and conduct of research in the United States, increasing regulatory compliance costs and potentially crippling all but the very largest marketing research companies (who are more likely to be able to meet the bill's requirements using preexisting resources).
This bill is the most significant federal legislation affecting the marketing research industry now visible on the horizon. While it does not appear to have been written ostensibly to regulate marketing research companies, its language can reasonably be interpreted as likely to achieve exactly that purpose. Given the substance of the bill, combined with the ambiguity of much of the language proposed, the unintended consequences for the marketing research industry - should it be enacted as introduced - also are uncertain and so cause for concern. Given also the European Union's movements in the privacy arena and the lack of a framework for U.S. privacy policy, some future derivative of the Rush bill may well be inevitable.
The Marketing Research Association (MRA) believes that the profession's challenge is to identify and effectively advocate policies which do the least possible harm to marketing research businesses of all types and sizes.
All uses of data
The stated goal of the Best Practices Act is, "To foster transparency about the commercial use of personal information, provide consumers with meaningful choice about the collection, use, and disclosure of such information, and for other purposes." Although the bill's stated concern is the "commercial" use of data, it actually focuses on all uses of data, including research purposes. Also, while most media coverage discussed the Act in terms of online privacy, it actually applies to collection, use and transfer in any medium or mode (including telephone, mail, in-person, mobile and online).
The Act would require almost all for-profit research companies and organizations to:
- provide extensive notice of their data privacy practices to individuals;
- offer opt-out from collection or use of most information (not just personally identifiable information);
- get participants' "affirmative express consent" for collection or use of "sensitive" information (which unfortunately includes some common demographic data) or for the transfer of most information to a third party (except for service providers);
- make sure the data they keep is accurate;
- set up and maintain data security systems and processes; and
- conduct periodic privacy assessments.
H.R. 5777 would be enforced by the Federal Trade Commission (FTC), state attorneys general and private lawsuits. While the FTC has no jurisdiction over not-for-profits and governmental entities,[1] every link in the research chain would be impacted by the Best Practices Act. Few research organizations and departments operate completely independently.[2] Most importantly, the real details of the legislation are effectively being left blank, with the FTC given broad power and authority to fill in the blanks.[3]
Numerous concerns
The MRA has numerous concerns with the legislation, including the following elements:
"Covered" and "sensitive" information
The Act has a very stringent definition of "covered information," which includes data as simple as someone's name or IP address. Information designated as covered requires the researcher to give the research participant an opt-out choice for collection and use.
Moreover, the bill also delineates some common research data as "sensitive information," such as race and income. Information designated as sensitive requires the researcher to give the respondent an opt-in choice for collection, use and transfer.
Notably, the Act grants an exception to these rules for publicly-available information, but to take advantage of that exception the researcher must make onerous background checks on the data.
Restrictions on information sharing and transfer
H.R. 5777 requires research participants' opt-in consent in order to transfer covered or sensitive information to third parties, which would hurt most research projects, since the definitions of covered and sensitive information are so broad.
The Act does allow for transfer without an opt-in if it is to a service provider, but the definition of a service provider has been left murky.[4]
Opt-out would be permanent
Under the Act, any research participant opting out of participating in a research study would be permanently opting out from all research studies from that company or organization. By comparison, federal regulations for telemarketers require that opt-outs last at least five years, while opt-out requests from unsolicited fax advertisements or commercial e-mail (spam) are also permanent.
Admittedly, research participants are becoming accustomed to having control over who may contact them, when and in what context, and for some time the MRA has recommended that all researchers maintain internal do-not-contact lists. However, the opt-out required by H.R. 5777 goes far beyond what most researchers ever offer.
The infrastructure necessary to implement it would likely require maintaining and linking far more across data sets and lists than firms and organizations do now, increasing the threat of, and impact from, a data breach.
A permanent opt-out could also swiftly put research firms out of business. New firms will pop up (experienced or not) who have not already been forbidden from collecting/handling data on a large number of individuals. Alternatively, research companies may be forced to fold and reorganize under new names in order to emerge without the hindrance of an existing opt-out list.
How do you ensure an individual has actually opted in?
The Act does not define how a researcher may obtain "express affirmative consent" (opt-in) and the details would be left to the FTC's discretion. These specifics are vital.[5]
Furthermore, after what we've seen come out of the Federal Communications Commission recently,[6] researchers should consider that a simple spoken agreement would not be enough to satisfy the FTC. Would express affirmative consent need to be in written form, and how would that work for online, mobile or telephone research?
Providing individuals access and dispute resolution
Upon request, H.R. 5777 would require providing "an individual with reasonable access to, and the ability to dispute the accuracy or completeness of, covered information or sensitive information about that individual if such information may be used for purposes that could result in an adverse decision against the individual, including the denial of a right, benefit or privilege." Whether this requirement would actually apply to researchers would be up to how the FTC defines such information, since this is written so broadly.
Any such requirements would likely require complex and expensive procedural and infrastructure changes for research companies and organizations.
Limits on self-regulation
H.R. 5777 provides some protection from the harshest restrictions and penalties in the bill to those entities that participate in a self-regulatory "Choice Program." Program participants would get a safe harbor from requirements for access to information (as discussed above) and express affirmative consent for data transfer to third parties. Participants would also be protected against private lawsuits. However, the researcher's program would be subject to the approval and review by the FTC.
Notice and consent for changing privacy policies
Providing notice (and getting some form of retroactive consent) for material changes to privacy policies is now standard case law. But while notice with an opt-out is a reasonable expectation, H.R. 5777 goes further and would require express affirmative consent for retroactive changes. This would make it impossible for researchers to maintain information when necessary for research purposes (unless completely de-identified or aggregated).
This would be most debilitating for online panel companies and online communities (who keep huge rosters of participants) and focus group facilities (who maintain large lists of potential participants). It would likely be impossible to get express affirmative consent from millions of people before changing a policy or practice.
Private lawsuits
In addition to steep civil penalties from the FTC and state attorneys general, the bill allows for costly individual lawsuits. Such unrestrained private rights of action risk huge legal defense costs for the profession, encouraging a highly incentivized boon for ambulance-chasing attorneys seeking to assert claims under the Act.
Met with staff
The MRA has met with staff for Congressman Rush, Congressman Rick Boucher (D-Va.) and the Democrats on the House Energy and Commerce Committee (which held a hearing on the legislation in July) as well as staff for Committee ranking members Congressmen Cliff Stearns (R-Fla.) and Ed Whitfield (R-Ky.).
On the Senate side of the Capitol, Sen. John Kerry (D-Mass.) is leading the efforts to draft a similar data privacy bill for the Senate Commerce Committee. The MRA met with his staff this summer as well.
Finally, the MRA has raised concerns about this legislation with many of the new House and Senate candidates with whom we have been meeting the last few months, many of whom were elected this fall.
Next year looks rougher
The MRA does not expect the Best Practices Act to become law this year. Next year looks rougher for the Act as introduced: with Republicans likely to take control of the House of Representatives, no version of this bill will likely move forward in the next two years.
Unfortunately, the Best Practices Act sets a marker for Congress' interest in and position on data privacy and likely will be the starting point of all future discussions and debates. More importantly, it gives unofficial marching orders to a potentially eager FTC to start developing similar policies through its existing regulatory process. That is why the MRA considers the legislation a threat and is seeking researchers' involvement in meeting with their representatives and senators to explain the detrimental impact of the Act and why it must be either amended or killed.
The MRA has a decades-long and successful history of defining, promoting and enforcing best practices as they relate to data privacy. This has been done not only to ensure respondent privacy, but also to protect the integrity of marketing research, opinion surveying and related businesses and further the professional success of tens of thousands who work every day to improve our economy, nation and quality of life.
Footnotes
[1] The U.S. Office of Management and Budget is now reviewing this legislation for fear that it could hinder government research. It would certainly restrict research sponsored by the government, just like research sponsored by anyone else. Moreover, agencies like the National Center for Health Statistics, which do most of their research in-house, must still rely on private sampling companies for their participant contact lists.
[2] For example, the bill would be detrimental to sampling companies, precluding the ability to even provide a random-digit dial sample for anyone's use - let alone provide targeted samples for studies of a particular race or ethnicity, general income level or religious affiliation.
[3] For instance, the FTC will determine what constitutes proper notice and consent, conduct further expansion of the definition of sensitive information, develop a short form of privacy notice, approve "self-regulatory" programs (thus defeating the purpose of "self-regulatory") and decide who constitutes a third party as opposed to who can be reasonably assumed to be part of the same company or organization.
[4] For research purposes, when multiple entities collect and handle data, which one is the "covered entity"? It is unclear who in the traditional marketing research business chain would constitute the covered entity. Would it be the data collector or the full-service company or end user that hired the collector? This assumes that a contracted data collector would constitute a "service provider," even though it is disclosing the data to the covered entity and (as outlined in the Act) not the other way around. Otherwise, it would be extremely difficult for most research to be conducted.
[5] For instance, would an online panel participant agree once at the start of their relationship with the panel company to the sharing of information with third parties? Would that agreement cover only sharing with specific third parties or could it be just by classes or types of third parties (i.e., beverage companies, pharmaceutical manufacturers, etc.)? Would that consent need to be received in every study in which the individual participates with that panel company?
[6] Fienberg, H. (2010), "Calling cell phones - the FCC makes a bad regulation worse." Quirk's Marketing Research Review, July 2010, 18-20.