Editor's note: Duane Berlin, of Norwalk, Conn., law firm Lev & Berlin, P.C., serves as legal counsel to Port Jefferson, N.Y., research organization CASRO and is the principal author of CASRO's Privacy Protection Program. This article appeared in the December 6, 2010, edition of Quirk's e-newsletter.

CASRO's position on the Federal Best Practices Act of 2010 (H.R. 5777), introduced in July by Rep. Bobby Rush (D.-Ill.), differs significantly from the perspective presented by the Marketing Research Association (MRA) in MRA Director of Government Affairs Howard Fienberg's November 8 article, "Would the Best Practices Act end research as we know it?," in Quirk's e-newsletter.

Fienberg made the dire prediction that the bill would "cripple all but the largest marketing research companies," but based on our knowledge of the privacy regulatory scene both here and abroad, and our successful experience working with the Federal Trade Commission (FTC), CASRO believes that this bill is not harmful to research businesses. Rather, it is a positive step toward establishing U.S. privacy law.

CASRO's government and public affairs team hopes that the following observations about the proposed Act will address some of the concerns expressed by our colleagues at the MRA and lead toward more solidarity in our government-affairs voices across the industry.

While CASRO believes that Congress should better clarify the applicability of the bill to market research, we believe that, for the most part, the bill establishes requirements with which the market research industry will be able to comply without unreasonable difficulty. In fact, the provisions of this bill are largely consistent with existing requirements under CASRO's Code of Standards, the U.S. Safe Harbor principles and international data privacy and security laws.

Contrary to MRA's concern that the Act gives too much power to the FTC, CASRO supports the significant role that the FTC would have in rule-making and enforcement of this privacy law. In CASRO's 35 years of working on federal and state government affairs, the FTC has proven to be among the most receptive, reasonable and knowledgeable agencies with respect to the research industry. In addition, the FTC's rule-making process is among the most inclusive and transparent in the entire federal bureaucracy, and the agency has consistently welcomed and often adopted CASRO's input.

The bill would create the first overarching federal privacy regime in the U.S., a framework sorely needed to eventually replace the patchwork of overlapping and inconsistent state and federal privacy laws with which research organizations must currently comply. Modeled in many respects on the European Union's highly successful Data Privacy Directive and similar international privacy regulations, the Act would help to align the U.S. approach to privacy with the rest of the world and seeks to preempt the ever-expanding scope of state privacy laws.

In essence, the bill would enact what most research businesses already do. Specifically, it requires:

Notice
Companies that collect more than a specified level of personal data (which will include nearly all market research companies) must have a detailed privacy policy. FTC regulations will provide greater clarity on how companies will be required to display that policy. The bill will also codify the current case law requirement that an explicit opt-in is required from the data subject before material changes to the privacy policy can be applied to personal information that has been previously collected.

Choice
In general, the collection and use of generic personal data (defined as "covered information" under the bill) will require nothing more than providing the required privacy policy and an easy means for the data subject to opt out of the data collection. Any opt-out preference expressed by the data subject would be permanent (unless the subject subsequently changes his or her mind). An explicit opt-in would be required to disclose personal information to third parties, except where an exception exists. For example, as in Europe, information may be transferred to service providers, so long as the parties enter into a contract that restricts the use of the personal information to the purposes required. An explicit opt-in would also be required to collect, use or disclose so-called sensitive data, which includes normal demographic information routinely collected by market research companies, such as race and sexual orientation, as well as financial information and Social Security numbers. Lastly, the bill would codify the existing FTC requirement that an explicit opt-in be received before using hardware or software that would monitor a subject's browsing or computer activity.

Any opt-out preference would not apply to information that is collected and used for an "operational purpose," which may include some types of market research, since the bill specifically exempts the "analy[sis of] data related to use of the product or service for purposes of improving the covered entity's products, services or operations." We believe that market research generally falls under the intent of the exception. Furthermore, the Act's distinction between operational information and other types of personally-identifiable information reflects longstanding practice in online survey research privacy policies. As discussed at greater length below, CASRO may take steps to try to improve this definition to more explicitly include market research.

An affirmative opt-in is not required for the sharing of generic, non-sensitive personal information if a company joins an industry-sponsored, FTC-approved program to comply with the bill. Additional benefits of joining such a "Choice Program" include limitations on the right of data subjects to request access, and a safe harbor from the private cause of action that the bill gives to data subjects. Based on the current definition of sensitive information, it would seem that market research companies will still be required to receive an express opt-in from most panelists. While an affirmative opt-in may require some procedural changes by market research companies, the opt-in could readily be built into the panelist registration process.

Access and accuracy
In general, covered entities under the bill will be required to provide access, upon request, to data subjects and give the subject the ability to contest the accuracy or completeness of such information if the information is to be used for purposes that could result in an adverse decision against the individual. Where the information is not used for purposes that could reasonably result in an adverse decision against an individual, a covered entity can simply provide a general notice or representative sample of the type or types of information the entity collects. In addition, companies that join a Choice Program, as described above, would be exempt from the access requirement. Under the bill, covered entities are also required to establish reasonable procedures to assure the accuracy of information that they collect and maintain. FTC regulations to be adopted upon passage will provide greater clarity about the specific procedures that will be mandated.

Security
The bill requires each covered entity and service provider to establish reasonable administrative, technical and physical safeguards to protect personal information. Again, the FTC will be responsible for creating and implementing regulations. These requirements are similar to those already imposed by Gramm-Leach-Bliley and HIPAA as well as by certain states' laws, such as those of Massachusetts. As a result, we expect that the FTC's regulations will be consistent with the safeguards already imposed and that many, if not most, market research companies will already be compliant with these requirements.

Aggregated and redacted information
Documents that include only aggregated information, or in which any personal information has been obscured or removed using appropriate methods such that the specific individual (or a device owned or used by a specific individual) can no longer be identified, are generally excluded from the bill entirely.

Enforcement
The FTC is the main enforcement entity under the Act. Each state's attorney general is also permitted to enforce the bill. Total damages allowed for any related series of violations are capped at $5 million. In addition, the bill provides a private cause of action to individuals. The bill allows for actual damages in such a private action of no less than $100 and no more than $1,000 per violation, punitive damages as a court may allow, and costs and reasonable attorneys' fees. As noted above, participation in an industry-sponsored Choice Program provides a safe harbor from this private cause of action.

Areas for potential improvement
Specific issues that the market research industry may want to address in revisions to the bill or any implementing regulations include: 1) clarifying that the definition of "operational purpose" includes research conducted by market research companies on behalf of their clients and 2) amending the definition of sensitive information so that it does not include basic demographic information or provide an exception to the opt-in requirements for the collection, use and disclosure of sensitive information for market research.

Encourage and assist
While the market research industry should encourage and assist Congress in clarifying certain provisions of the Best Practices Act, the bill is clearly a solid step toward a much-needed comprehensive federal privacy regime. Moreover, the bill's passage will likely allow the EU Data Commission to finally deem the U.S. to have an adequate data privacy regime, thereby facilitating the ability of U.S. research organizations to do business in the EU and eliminating the need for the U.S. Department of Commerce's Safe Harbor program.