I received a call in late September from Howard Fienberg, director of government affairs for the Marketing Research Association. He was interested in submitting an article about the threat to marketing research posed by a federal data privacy bill that was introduced earlier this summer. We were prepping the November issue and I told him that if he could get the article completed in a few days, I would try my hardest to wedge it into the November issue.
As he has in the past, Fienberg nailed the deadline and submitted an outstanding 2,000-word piece. The trouble is, the only available real estate in this issue ended up being right here in my Trade Talk column, and my allotted space usually maxes out at around 1,300 words.
So we’re going to do something a bit unusual here.
The article frankly scared the heck out of me and as the bill is something the entire industry should be aware of, rather than wait until the December issue to publish the story, I’m going to offer up excerpts from Fienberg’s article below, as many as space will allow, and then we will publish the entire article in the November 8 edition of our e-newsletter.
As introduced by Rep. Bobby L. Rush (D-Ill.), the Best Practices Act (H.R. 5777) is a comprehensive federal data privacy bill that, if enacted into law in its current form, would fundamentally alter the business and conduct of research in the United States, increasing regulatory compliance costs and potentially crippling all but the very largest marketing research companies (who are more likely to be able to meet the bill’s requirements using preexisting resources).
This bill is the most significant federal legislation affecting the marketing research industry now visible on the horizon. While it does not appear to have been written ostensibly to regulate marketing research companies, its language can reasonably be interpreted as likely to achieve exactly that purpose.
All uses of data
The stated goal of the Best Practices Act is, “To foster transparency about the commercial use of personal information, provide consumers with meaningful choice about the collection, use, and disclosure of such information, and for other purposes.” Although the bill’s stated concern is the “commercial” use of data, it actually focuses on all uses of data, including research purposes. Also, while most media coverage discussed the Act in terms of online privacy, it actually applies to collection, use and transfer in any medium or mode (including telephone, mail, in-person, mobile and online).
The Act would require almost all for-profit research companies and organizations to:
• provide extensive notice of their data privacy practices to individuals;
• offer opt-out from collection or use of most information (not just personally identifiable information);
• get participants’ “affirmative express consent” for collection or use of “sensitive” information (which unfortunately includes some common demographic data) or for the transfer of most information to a third party (except for service providers);
• make sure the data they keep is accurate;
• set up and maintain data security systems and processes;
• and conduct periodic privacy assessments.
H.R. 5777 would be enforced by the Federal Trade Commission (FTC), state attorneys general and private lawsuits. While the FTC has no jurisdiction over not-for-profits and governmental entities, every link in the research chain would be impacted by the Best Practices Act.
For example, the bill would be detrimental to sampling companies, precluding the ability to even provide a random-digit dial sample for anyone’s use - let alone provide targeted samples for studies of a particular race or ethnicity, general income level or religious affiliation.
Numerous concerns
The MRA has numerous concerns with the legislation, including the following elements:
“Covered” and “sensitive” information
The Act has a very stringent definition of “covered information,” which includes data as simple as someone’s name or IP address. Information designated as covered requires the researcher to give the research participant an opt-out choice for collection and use.
Moreover, the bill also delineates some common research data as “sensitive information,” such as race and income. Information designated as sensitive requires the researcher to give the respondent an opt-in choice for collection, use and transfer.
Notably, the Act grants an exception to these rules for publicly-available information, but to take advantage of that exception the researcher must make onerous background checks on the data.
Restrictions on information sharing and transfer
H.R. 5777 requires research participants’ opt-in consent in order to transfer covered or sensitive information to third parties, which would hurt most research projects, since the definitions of covered and sensitive information are so broad.
The Act does allow for transfer without an opt-in if it is to a service provider, but the definition of a service provider has been left murky.
Opt-out would be permanent
Under the Act, any research participant opting out of participating in a research study would be permanently opting out from all research studies from that company or organization. By comparison, federal regulations for telemarketers require that opt-outs last at least five years, while opt-out requests from unsolicited fax advertisements or commercial e-mail (spam) are also permanent.
The opt-out required by H.R. 5777 goes far beyond what most researchers ever offer. The infrastructure necessary to implement it would likely require maintaining and linking far more across data sets and lists than firms and organizations do now, increasing the threat of, and impact from, a data breach.
A permanent opt-out could also swiftly put research firms out of business. New firms will pop up (experienced or not) who have not already been forbidden from collecting/handling data on a large number of individuals. Alternatively, research companies may be forced to fold and reorganize under new names in order to emerge without the hindrance of an existing opt-out list.
How do you ensure an individual has actually opted in?
The Act does not define how a researcher may obtain “express affirmative consent” (opt-in) and the details would be left to the FTC’s discretion. These specifics are vital.
Providing individuals access and dispute resolution
Upon request, H.R. 5777 would require providing “an individual with reasonable access to, and the ability to dispute the accuracy or completeness of, covered information or sensitive information about that individual if such information may be used for purposes that could result in an adverse decision against the individual, including the denial of a right, benefit or privilege.” Whether this requirement would actually apply to researchers would be up to how the FTC defines such information, since this is written so broadly.
Any such requirements would likely require complex and expensive procedural and infrastructure changes for research companies and organizations.
Notice and consent for changing privacy policies
Providing notice (and getting some form of retroactive consent) for material changes to privacy policies is now standard case law. But while notice with an opt-out is a reasonable expectation, H.R. 5777 goes further and would require express affirmative consent for retroactive changes. This would make it impossible for researchers to maintain information when necessary for research purposes (unless completely de-identified or aggregated).
This would be most debilitating for online panel companies and online communities (who keep huge rosters of participants) and focus group facilities (who maintain large lists of potential participants). It would likely be impossible to get express affirmative consent from millions of people before changing a policy or practice.
Next year looks rougher
The MRA does not expect the Best Practices Act to become law this year. Next year looks rougher for the Act as introduced: with Republicans likely to take control of the House of Representatives, no version of this bill will likely move forward in the next two years.
Unfortunately, the Best Practices Act sets a marker for Congress’ interest and position on data privacy and likely will be the starting point of all future discussions and debates. More importantly, it gives unofficial marching orders to a potentially eager FTC to start developing similar policies through its existing regulatory process. That is why the MRA considers the legislation a threat and is seeking researchers’ involvement in meeting with their representatives and senators to explain the detrimental impact of the Act and why it must be either amended or killed.