In response to a report on online data privacy from the Department of Commerce, MRA submitted comments.
The Marketing Research Association (MRA) hereby submits these comments in response to the Department of Commerce Green Paper, “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.”
In our comments, we (B) explain survey and opinion research and how the research profession treats privacy and (C) respond to some of the questions raised by the Green Paper.
B. Survey and Opinion Research & Privacy
MRA, a non-profit national membership association, is the leading and largest association of the survey and opinion research profession. MRA promotes, advocates and protects the integrity of the research profession and strives to improve research participation and quality.
The research profession is a multi-billion dollar driver of the worldwide economy, comprised of pollsters and government, public opinion, academic and goods and services researchers, whose companies and organizations range from large multinational corporations to small or even one-person businesses. In fact, U.S. government entities like the Department of Commerce are, as a group, the single largest purchaser/user of research from the survey and opinion research profession.
Survey and opinion research is the scientific process of gathering, measuring and analyzing public opinion and behavior. On behalf of their clients -- including the government (the world’s largest purchaser), media, political campaigns, and commercial and non-profit entities -- researchers design studies and collect and analyze data from small but statistically-balanced samples of the public. Researchers seek to determine the public’s opinion regarding products, services, issues, candidates and other topics. Such information is used to develop new products, improve services, and inform policy.
Research information is not normally analyzed by individual answers. Instead, each person's answers are aggregated with the responses of many others and reported as a group to the client who requested the survey. Moreover, most research companies destroy individual data records at the end of the study, and names and contact information of participants are separated from the answers if additional tabulation of the results is conducted. Again, all of the personally identifiable records are usually destroyed after the study is completed or the validation check has been made, and all of a respondent's personally identifiable information is kept strictly confidential. In fact, confidentiality is the bedrock of the research process (and the resultant industry codes and guidelines, like MRA’s). Legitimate survey and opinion researchers do not divulge the identity, personal information or individual answers of a research participant unless granted permission to do so by the participant.
Due to the nature of the survey and opinion research process, confidentiality is the bedrock of the research and the resultant industry codes and guidelines, like the MRA Code of Marketing Research Standards. Members of MRA are bound by their ethical obligation to protect the privacy and confidentiality of research participants and their data and obtain consent prior to sharing any personally identifiable information. MRA members work to uphold the Federal Trade Commission’s Fair Information Practice Principles and have numerous best practices on the handling of personal information.
Survey and opinion research is thus sharply distinguished from commercial activities, like marketing, advertising and sales. In fact, MRA and other research associations prohibit sales or fundraising under the guise of research (referred to as “sugging” and “frugging”) and any attempts to influence or alter the attitudes or behavior of research participants as a part of the research process. Quite to the contrary, professional research has as its mission the true and accurate assessment of public sentiment in order to help individuals, companies and organizations design products, services and policies that meet the needs of and appeal to the public.
C. Responding to Some of the Green Paper’s Questions
Should baseline commercial data privacy principles, such as comprehensive FIPPs, be enacted by statute or other means, to address how current privacy law is enforced?
Commercial data privacy principles should be the basis of self-regulation by the private sector, not regulation by government. The privacy innovation demonstrated by the advertising industry’s new dynamic web icons and the development of do-not-track options built into new versions of Mozilla’s Firefox and Google’s Chrome web browsers could only emanate from the free market. It is a privacy model that revolves around the consumer and the marketplace, not government fiat.
How should baseline privacy principles be enforced? Should they be enforced by non-governmental entities in addition to being the basis for FTC enforcement actions?
Non-governmental entities, particularly trade and professional associations, are in a superior position to agree upon and enforce privacy principles in the private sector.
As regards the survey and opinion research profession, leading research practices widely adopted by members of various research associations are the best way to produce effective research while safeguarding research participants’ privacy. In addition to the many best practice guidelines promulgated by MRA, effective self-regulation can be seen in the codes and standards of MRA and other research associations. As well, long-standing privacy seal programs like TRUSTe and BBBOnLine, and the innovative privacy icons developed by advertising groups, demonstrate a keen commitment to transparency and consumer choice in the private sector.
Unlike government legislation and regulation, professional codes and standards are developed by the practitioners themselves, flexible in the face of technological and business innovation, and easier to improve and perfect over time.
As policymakers consider baseline commercial data privacy legislation, should they seek to grant the FTC the authority to issue more detailed rules?
The most recent privacy legislation in Congress, Rep. Bobby Rush’s “Best Practices Act” (H.R. 5777), would have given the FTC enormous power and authority. For instance, the FTC would have determined what constitutes proper notice and consent, conducted any further expansion of the already-too-broad definition of sensitive information, developed a short form of notice, approved “self-regulatory” programs (thus defeating the purpose of “self-regulatory”), and decided who constitutes a third party. MRA is concerned that delegating the real decision-making to an unelected government body would ill-serve consumers and industry – and would constitute the dodging of difficult decisions on consumer and data privacy by Congress.
Should baseline commercial data privacy legislation include a private right of action?
No. Unrestrained private rights of action would be a disaster. This would result in a cottage industry for “ambulance-chasing” attorneys seeking to assert claims under the law. Primarily thanks to broad interpretation of Section 5 of the FTC Act, the FTC already has extensive authority to enforce and fix data privacy violations.
Costly individual (or class action) lawsuits would be counterproductive, especially if an aim of privacy innovation is simplified and transparent privacy practices and choices. Fear of lawsuits is one of the prime motivations behind the legalization of privacy policies, turning simple statements of principle into fifty-page legal treatises.
What is the best way of promoting transparency so as to promote informed choices? The Task Force is especially interested in comments that address the benefits and drawbacks of legislative, regulatory, and voluntary private sector approaches to promoting transparency.
The best way to promote transparency is via innovation and self-regulation on the part of different industries and professions. Government agencies and policymakers cannot design a one-size-fits-all approach to privacy, particularly since certain industries and processes, such as survey and opinion research, bear so little resemblance to more commonly understood processes like e-commerce and marketing.
MRA already requires that researchers seek transparency with regard to clients, research participants, and the public at large while trying not to micromanage that transparency, given that different modes and methods of research will require tailor-made approaches.
Are purpose specifications a necessary or important method for protecting commercial privacy?
Purpose specification is certainly key to protecting privacy in the context of survey and opinion research. MRA supports a privacy model based on intended use – different protections and requirements for data privacy, depending on to what uses that data will be put. Just as the FTC and the Green Paper consider data collection, use and transfer for transactional purposes to be subject to different standards, data to be collected, used and transferred strictly for bona fide survey and opinion research should be held to a different standard than ordinary commercial uses.
MRA, in consultation with the broader research profession, has developed a legal definition of bona fide survey and opinion research: “the term “bona fide survey and opinion research” means the collection and analysis of data regarding opinions, needs, awareness, knowledge, views, experiences and behaviors of a population, through the development and administration of surveys, interviews, focus groups, polls, observation, or other research methodologies, in which no sales, promotional or marketing efforts are involved and through which there is no attempt to influence a participant’s attitudes or behavior.”
MRA encourages the Department of Commerce, the FTC, and policymakers to utilize this definition in excluding data collection, use and transfer for bona fide survey and opinion research purposes from most potential restrictions under consideration.
Currently, how common are purpose specification clauses in commercial privacy policies? Do industry best practices concerning purpose specification and use limitations exist? If not, how could their development be encouraged?
Purpose specification clauses are common in survey and opinion research privacy policies, because such specification is required by research codes and standards. Research association codes and standards already forbid the mixing of marketing, advertising, sales, or other forms of influence with the research process and require that research participants know for what purpose their data will be used.
How can the Commerce Department best encourage the discussion and development of technologies such as “Do Not Track”?
It is not clear that there is a need for the Commerce Department to do anything at this point. Some consumers have registered an interest and the makers of Internet browsing software are responding.
Should the FTC be given rulemaking authority triggered by failure of a multi-stakeholder process to produce a voluntary enforceable code within a specified time period? At what point in the development of a voluntary, enforceable code of conduct should the FTC review it for approval? Potential options include providing an ex ante “seal of approval,” delaying approval until the code is in use for a specific amount of time, and delaying approval until enforcement action is taken against the code.
Any “voluntary” code of conduct subject to review by a government entity would no longer constitute “self-regulation.”
What factors should breach notification be predicated upon (e.g., a risk assessment of the potential harm from the breach, a specific threshold such as number of records, etc.)?
MRA supports reasonable data security measures and breach procedures. We seek data security legislation that distinguishes between sensitive personally identifiable information and more mundane data in how data is to be secured and data breaches to be responded to. We are concerned by conflicting data security laws and breach notification laws in many states and support a national standard that pre-empts state law so that companies and organizations know what policies to apply and laws to follow.
There are costs and unintended consequences of data breach notification. If consumers receive notices in cases that don’t actually pose a risk of identity theft, it needlessly harms the businesses involved and causes consumers to take real breaches less seriously. MRA therefore advocates notice obligations based on the real level of risk of identity theft, not on arbitrary thresholds like the number of records breached.
Moreover, MRA believes that the Department of Commerce would be a good location for such an Office, because the Department would be most likely to weigh the costs and benefits of policies in the deepest possible fashion, since it is concerned with the economy and American competitiveness as well as consumer welfare. Such an Office would be able to gather or commission extensive data and research on privacy and bring a holistic approach. The Commerce Department’s strength and ability in this area is best exemplified by the successful negotiations with the European Union that resulted in the 2000 Safe Harbor agreement.
Unduly burdening bona fide survey and opinion research with the same restrictions bandied about for commercial activities would jeopardize that research and further hinder commerce. It would ultimately result in higher costs for research -- costs which would be passed on to the individuals the government is trying to protect, in the form of:
- higher prices for goods and services;
- lengthier time before new or better goods and services are brought to the marketplace;
- delayed introduction of new or better public policies; and
- a decreased amount of research ordered by companies, who might then bring less well-tested and researched products and services to market, harming consumers in the end because the goods and services did not fulfill consumer expectations or needs.
These challenges would also pose a threat to the American economy, with domestic companies weakened in the global marketplace by attempts to use intuition and guess-work in place of tested research methods.
MRA applauds the Department of Commerce for its efforts in grappling with online commercial privacy and seeks to help and participate however we can. However, we question the wisdom of conflating concerns about online commercial activities with any supposed problems in non-commercial activities online, such as survey and opinion research. Any such attempts could have significant negative consequences for the survey and opinion research profession, and strangle many possible new methods of research – methods that could better serve consumer choice and privacy than current methods – before they’ve even been conceived. That would not serve innovation in the economy, research or privacy.
 For instance, in the MRA Code, Part A of the Preface describes the purpose of the code in providing fairness, confidence in research, and ethics towards research participants. In the Code itself, item 3 requires disclosures for public-release research; item 7 requires that research be reported accurately and honestly; item 12 forbids researchers from misrepresenting their qualifications and experience; item 21 forbids representing a non-research activity to be research; item 25 requires that research participants are informed at the outset if interviews/discussions are audio/video recorded; item 31 demands that researchers make factually correct statements, whether verbal or written, to secure cooperation and honor promises made during the interview to research participants; item 54 requires researchers to provide access to their privacy policies; and item 55 obliges researchers to provide participants the choice with each survey to be removed (opt-out) from future Internet invitations.
 For instance, item 21 of the MRA Code says that members, “Will not represent a non-research activity to be opinion and marketing research”. Point 22 says that members, “Will identify surveys and other methods of data collection as such and not attempt to collect data through casual or conversational means other than for bona fide mystery shopping assignments.” Item 37 declares that they, “Will ensure that information collected during any study will not be used for any sales, solicitations or Push Polling.” Item 40 requires that members, “Will not permit use of respondent contact information for re-contacting a respondent unless the respondent has been informed of this possibility at the time of the original research, and given their consent to be contacted.”