The Marketing Research Association today submitted detailed comments to Reps. Rick Boucher (D-VA) and Cliff Stearns (D-FL) on their draft comprehensive data privacy legislation.

MRA "noticed that the public discussion, and the released executive summary, focused only on online privacy -- and online advertising in particular," but "discovered that this draft bill is a broad data privacy bill, not an online privacy bill, and impacts far more than advertising and commercial enterprises." The association urged the Congressmen to take more time in developing the bill so that research practices and the bill's potential impact on them could be more fully explored and mitigated.

For example, the executive summary refers to “meaningful privacy protections for Internet users”, promoting “greater use of the Internet”, and “encouraging the trend toward cloud computing”, and notes that “Online advertising supports much of the commercial content, applications and services that are available on the Internet today without charge”. Press coverage followed that meme. This resulted in most people assuming that the draft bill only concerned online behavioral advertising, which has been the ongoing focus of the Federal Trade Commission (FTC) and others.

MRA expressed a particular concern with the definition in the draft privacy bill of "sensitive information" being too broadly constructed.

"This is, of course, one of the most contentious areas in any data privacy debate because the definition of “sensitive” is ultimately in the eye of the beholder. The draft bill heightens the tension by requiring opt in for the collection of sensitive information.Unfortunately, the definition of sensitive information in the draft bill is so broad that it includes “(B) race or ethnicity”, one of the most commonly used categories of demographic data in all research. While “(C) religious beliefs” and “(D) sexual orientation” are not as standard, they are still relatively common demographic questions in survey and opinion research."

While MRA said it understood medical privacy concerns, the definition of “(A) medical records, including medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional” could "be construed to mean far more than actual records of a doctor or hospital. If a telephone survey were to ask a research participant, 'Have you ever suffered from one of the following illnesses,' would the resulting data constitute a medical record according to your draft bill? How about responses to a question such as, 'How are you feeling today? Are you feeling better or worse than yesterday?' Such questions are quite common in research studies and would seem to run afoul of the draft bill’s restrictions on sensitive information."

MRA also requested clarification on the definition of “(E) financial records” in order to "ensure that it does not include data on a research participant’s individual or household income – again, one of the most common categories of demographic data in any research study."

The delivery of privacy notices as demanded by Sec. 3 (a) (2) (A) (ii) of the draft privacy bill would prove an "impossible challenge" to telephone research, MRA said. While MRA "recognizes and agrees with the need to provide some form of opt out and to have a privacy policy available for research participants -- indeed, research best practices include both," the draft bill test "would make research conducted over the telephone, or recruitment of research participants by telephone, extremely impractical. Making a copy of the privacy notice “available to an individual in writing before the covered entity collects any covered information from that individual” would mean mailing potential research participants a copy of the privacy notice in advance of contact. Even that action would require some data collection, because the researcher would need to know the individual’s name and mailing address in order to send the notice. This would dramatically increase the cost of a research study and the time required to complete it. Time-sensitive studies, like most political and public opinion polling, would be imperiled. In situations where timely data is as critical as accurate data, information will not be readily deliverable to companies, government agencies, and other entities that need to make swift decisions." MRA then recommended a minor amendment so that researchers could direct respondents to an online privacy policy or offer to mail them a copy of their privacy policy.

MRA also worried that Sec. 3 (b) of the draft bill would present "potentially serious difficulties for survey and opinion research business models." While the "exemption in subsection (A) (3) might possibly cover the sharing of covered information with unaffiliated parties for research purposes, but it would require further elucidation on the meaning of 'first party transaction,' which seems strictly limited to commercial transactions, either online or in a store."

"The only way to plausibly conduct research while complying with this part of the draft bill," MRA commented, "would be to conduct all aspects of a research study within one big all-inclusive research company. Unfortunately, very little research, whether conducted in person, over the phone, or online, is or can be conducted entirely within a single organization.Although no personally identifiable data is shared with the clients requesting a study without the consent of the research participants, identifiable data must be transferred between various companies involved in conducting the study in order to complete the work. The average research study requires multiple organizations that divide the labor: one company is hired by a client to conduct a study and it contracts with others to get the study completed. For instance, one company might do the recruitment of research participants or provide the “sample”, another would collect the data, yet another might translate any responses from foreign languages, one more would process and analyze the data -- all before the original hired company puts together the study results (presenting aggregate de-identified data) into a report for the client."

MRA suggested that this raised even more questions about Sec. 3 (b), such as, "once an individual has opted in to data transfer with unaffiliated parties, does each transfer after that original transfer require opt in? And who would be responsible for securing that opt in? Also, what are the obligations of “affiliates” in onward data transfer outside of the affiliation?"

 

 

 

 

 

As a result of this conundrum, MRA recommended an amendment to exempt research: "The consent requirements of this subsection shall not apply to the disclosure of covered information as part of a bona fide survey and opinion research3 study, provided that- (A) only aggregate information will be shared with the end user who requested or sponsored the study; and (B) all unaffiliated parties to whom covered information is disclosed agree to use such covered information solely for the purpose of conducting the bona fide survey and opinion research study and not to disclose the covered information to any other person."

 

 

Finally, MRA shared their concerns about the draft bill's impact on other laws: "It remains unclear how Sec. 10 on preemption will impact state laws on specialized kinds of data, such as student data or mental health data. It also remains unclear how data would be handled when it goes from being part of an activity covered by one of the other laws listed in Sec. 11, such as HIPAA, to being covered by this draft bill.A more specific and explicit explanation will be important moving forward."

MRA concluded that, since the draft Boucher-Stearns privacy bill "was presented publicly as targeting online privacy generally, and online advertising practices more specifically," the association looked forward to working with the Congressmen and their staff "to more appropriately tailor this draft legislation to protect individuals in the intended commercial contexts and prevent unintended consequences from impeding the conduct of bona fide survey and opinion research."