Congress-Rep. Ted Poe (R-TX) introduced H.R. 3131, which would make participation in the American Community Survey (ACS) voluntary except for four questions: Name, contact information, date of response and number of people living or staying at the same address. The ACS, a mandatory survey administered by the Census Bureau, is sent to 3 million households every year and covers many topics, including race, ethnicity, gender and education, and replaced the traditional Census long form four years ago. The Bureau tested a voluntary response option to the ACS and discovered that mail response rates dropped by more than 20 percentage points, overall response and completion rates tanked, and the survey's cost would increase by more than 30 percent. Although the possibilities for passage of H.R. 3131 are minute, CMOR is sufficiently concerned with the sentiments and goals of the legislation, particularly as it relates to potential boycotts of Census 2010 (see the September issue of Alert! Magazine for more information) that we will be working with the American Statistical Association to educate and inform Rep. Poe and others of the value of the ACS.
ME - Has enacted LD 1183 (the Prevent Predatory Marketing Practices Against Minors Act), which prohibits the collection of individually identifiable information about "minors" (under 18) without verifiable parental consent, if the information is used for marketing purposes. The new law, which goes into effect mid-September, applies to two types of minors' information: health-related information (health or physical condition, nutrition, medication, mental health and medical insurance) and personal information (last name with a first name or first initial, home or other physical address, social security number, driver's license or state identification card number, and information about a minor collected in combination with other personal information).
Marketing purposes is defined as "the purposes of marketing or advertising products, goods or services to individuals." Verifiable parental consent is defined as "any reasonable effort, taking into consideration available technology, including a request for authorization for future collection, use and disclosure described in the notice, to ensure that a parent of a minor receives notice of the collection of personal information, use and disclosure practices and authorizes the collection, use and disclosureâ€¦before that information is collected from that minor."
The Act also prohibits the sale, offer for sale, or transfer of health-related or personal information about a minor if: collected in violation of marketing provision; the minor is individually identifiable; or it will be used for predatory marketing purposes. The Act prohibits predatory marketing, which is defined as the "use of any health-related information or personal information regarding a minor for the purpose of marketing a product or service to that minor or promoting any course of action for the minor relating to a product."
The Act is enforced by the Maine Attorney General as an unfair trade practice, with penalties of $10,000-$20,000 for the first violation and at least $20,000 for subsequent violations and provides for a private right of action in Maine state court, including recovery for the greater of actual damages or $250 per violation (with the potential for trebling for willful or knowing violation), plus attorney's fees.
The new Maine law has far-reaching implications and is broader than the scope of the Federal Children's Online Privacy Protection Act (COPPA), which only applies to data privacy for children under the age of 13 online. Troubling for the profession is the provision prohibiting the transfer of personally identifiably information even if parental consent is provided when such information individually identifies the minor. Collecting such information for research purposes does not appear to be barred according to the act.
Survey research businesses engaged in the collection or use of data from minors under the age of 18 in Maine should be mindful of this new law and expect to be in full compliance by mid-September.
Data Security Breach Notification
MO - Has enacted H.B. 62, a new security breach notification law. The new law, taking effect on August 28, 2009, requires notice to individuals when their personal information has been compromised. The law, however, does not require a business to notify Missouri residents if, after an appropriate investigation or consultation with law enforcement authorities, the business determines that identity theft is not a likely result of the breach. A business is also not required to notify state residents if the personal information compromised was encrypted. This law applies to all business, including the survey and opinion research profession. Personal information previously included first name/initial and last name in combination of any of the following: social security number, driver's license number, financial account number, credit or debit card number with security/access code. H.B. 62 extended the definition to also include any unique electronic identifier, medical information and health insurance information.
NC - Gov. Perdue (D) has signed S.B. 1017 into law, amending North Carolina's security breach notification law. The amended law, taking effect October 1, 2009, now also requires notice to the attorney general anytime a business notifies North Carolina residents of a breach. Notices to individuals affected by a breach will now also be required to include: a telephone number for the business providing the notice and toll-free numbers, addresses and Web site addresses for the Federal Trade Commission and the attorney general's office along with a statement that the individuals can learn about preventing identity theft from these sources. Survey and opinion research businesses that conduct research with North Carolina residents should be mindful of these new requirements.
TX - Gov. Perry (R) has signed H.B. 2004 into law, amending the definition of sensitive personal information to include health care information and the definition of breach of system security to including breaches of information "if the person accessing the data has the key required to decrypt the data." The law was also expanded to public sector entities and nonprofit athletic and sports associations.
Congress - H.R. 3200, the big healthcare reform bill, was marked up by the Energy & Commerce, Ways & Means and Education & Labor Committees in July. It contains a version of the Physician Payment Sunshine Act, which would require public reporting of any doctors, pharmacists, health insurers, pharmacy benefit managers, hospitals, medical schools, CME sponsors, patient advocacy groups, disease-specific groups, biomedical researchers or healthcare professional organizations receiving payments over $5 from pharmaceutical, biologic, medical device or medical supply manufacturers or distributors. CMOR has been meeting with Congressmen and staff on this legislation and its counterpart in the Senate for some time now in search of an exemption for market research incentives.
PA - Rep. McGeehan has introduced H.B. 1877, which would regulate the use of automatic dialing-announcing devices for conducting political calls. The legislation would require a person or business conducting prerecorded or synthesized voice message political calls to register with the Office of the Attorney General at least 30 days prior to conducting the calls. The legislation also would create a do not call list for automatic political calls, exempting calls made on behalf of a political candidate, political party or political body made by an individual.
An automatic dialing-announcing device is defined as "a device that selects and dials telephone numbers and that, working alone or in conjunction with other equipment, disseminates a prerecorded or synthesized voice message to the telephone number called. An automatic political call is defined as "the use of an automatic dialing announcing device on behalf of any of the following: a candidate, a political committee, a political organization." The intent and scope of this definition is unclear. CMOR will be seeking clarification to determine if there are any implications for the survey and opinion research profession.
Congress-The Senate Commerce Committee passed the Truth in Caller ID Act (S. 30), which would make it "unlawful for any person within the United States [...] to cause any caller identification service to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud, cause harm or wrongfully obtain anything of value." MRA always recommends researchers strive for "truth in caller ID," and S. 30's restrictions should pose no impediment to legitimate survey and opinion research practices.
Congress-Sen. Schumer (D-NY) has introduced S. 1536, which would require states to impose bans on the writing and sending of text messages while operating a motor vehicle within two years. The federal Transportation Department would set minimum penalties for drivers. States failing to meet the two year deadline would lose 25 percent of their annual federal highway funding. S. 1536 is expected to be wrapped into a bigger transportation bill either later this year or next year and has a very good chance of becoming law. Survey and opinion researchers should develop appropriate policy for contacting respondents on mobile devices before this passes.
OR - Has enacted H.B. 2377, sponsored by Rep. Tomei (D), prohibiting the use a mobile communication device while operating a motor vehicle on the highway without the use of a hand- free accessory, or in other limited exemptions. A mobile communication device is defined as "a text messaging device or a wireless, two-way communication device designed to receive and transmit voice or text communication." Survey and opinion researchers should develop appropriate policy for contacting respondents in motor vehicles accordingly.