A number of interesting bills have been introduced in Tennessee, Oklahoma, New York, Hawaii, Virginia and Georgia on issues of data sharing, data security, healthcare data privacy, data retention, and location privacy.
Data sharing restrictions
In Oklahoma, Rep. Mike Jackson (R-40) introduced H.B. 2853, which would require that, “No business shall share or sell personal information obtained from its clients to another business.” Definitions: “Business” is defined to include any entity or organization, whether for-profit or non-profit. “Client” means “an individual who is a resident of this state and who provides personal information to a business during the creation of, or throughout the duration of, an established business relationship if the business relationship is primarily for personal, family, or household purposes”. “Personal information” is defined as “any information that identifies, relates to, describes, or is capable of being associated with a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Personal information shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records.” H.B. 2853 exempts sharing the information, “if it is necessary … in order to conduct normal business operations as long as the business informs the client in writing and receives written permission from the client prior to sharing the necessary information with another business.” Conclusion: H.B. 2853 might make it more difficult for a company to have an outside research company conduct research on its own clients, such as customer satisfaction research. MRA would appreciate feedback from the research profession on how this legislation could potentially impact survey and opinion research.
In New York, Sen. Eric Adams (D-20) introduced the “New York Consumer and Worker Protection Act” (S.B. 3713), which would require disclosure to consumers that a company or organization offshores jobs or services and forbid the sale, sharing, transfer or disclosure of personal data to third parties outside the U.S. Under the Act, companies and organizations “licensed to do business” in New York would have to disclose “to any consumer doing business with such entity” if they are “involved in the practice of outsourcing jobs or services to foreign locations”. Such companies and organizations would have to “conspicuously post the disclosure required … in the places of business of such entities and distribute a written disclosure to consumers.” Further, the Act would require that, “no corporation or other business entity shall sell, share, transfer or otherwise disclose nonpublic personal information to or with any nonaffiliated third parties which are located outside the United States or its territories without the prior written consent of the consumer to whom the nonpublic personal information relates.” Definitions: S.B. 3713 defines “outsourcing jobs” as relocating or moving “employment, jobs, or positions from the state of New York or the United States or its territories to an outside locality.” The Act defines “nonaffiliated third party” as “any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of that institution and a third party.” S.B. 3713 also defines “consumer” as “an individual resident of this state, or that individual's legal representative, who obtains or has obtained from a financial institution a financial product or service to be used primarily for personal, family, or household purposes. For purposes of this section, an individual resident of this state is someone whose last known mailing address, other than an armed forces post office or Fleet post office address, as shown in the records of the financial institution, is located in this state.” The Act defines “nonpublic personal information” as “personally identifiable information (i) provided by a consumer or (ii) resulting from any transaction with the consumer or any service performed for the consumer.” That definition excludes “publicly available information where there is a reasonable basis to believe that such information is lawfully made available to the general public from federal, state or local government records, widely distributed media or disclosures to the general public that are required to be made by federal, state or local law.” Nonpublic personal information will “include any list, description or other grouping of consumers, and publicly available information pertaining to them, that is derived using any nonpublic personal information other than publicly available information, but shall not include any list, description or other grouping of consumers, and publicly available information pertaining to such consumers, that is derived without using any nonpublic personal information.” Conclusion: Because S.B. 3713 would require written opt in for any data sharing to non-affiliated third parties offshore – and disclosures to respondents about offshoring that could either discourage respondent cooperation or bias their responses to research questions – MRA will seek to amend or defeat this legislation.
Data security
In Hawaii, Senator Brickwood Galuteria (D-12), the Majority Leader, introduced S.B. 2389, and Rep. Ken Ito (D-48) introduced H.B. 2047, companion bills which would require that “every business that maintains personal information shall implement a comprehensive, written policy and procedure to prevent identity theft. The policy and procedure shall include administrative, technical, and physical safeguards for the protection of personal information. In addition, the policy and procedure shall be designed to: (1) Ensure the security and confidentiality of personal information and medical, educational, and financial records; (2) Protect against any anticipated threats or hazards to the security or integrity of personal information and medical, educational, and financial records; and (3) Prevent the occurrence of any security breach.” Businesses would also have to train all employees in implementing the policies and procedures, and employees would have to “sign a form acknowledging receipt of training”. Each violation would result in a fine of “not more than $100 for each violation”, in addition to any other “remedies or penalties available under all other laws of this State.” MRA generally supports this concept, since we would expect survey and opinion research organizations to maintain sensible privacy and data security policies and practices. However, as testified to by the Hawaii Bankers Association, it does not make sense to require every employee to be trained, since many employees should never be expected to come into contact with personal information. Even in a research organization, personnel like janitors are not likely to interact with personal information – and if they do, it is only as a result of multiple failures on the part of multiple other personnel. Moreover, as testified to by the Retail Merchants of Hawaii, “All the guidelines that businesses need to protect both employees’ and consumers’ personal identification already are in place”, at the state and federal level. MRA will monitor these bills closely.
Healthcare data privacy
Also in Hawaii, Rep. Ryan I. Yamane (D-37) introduced H.B. 1957 and Sen. Josh Green (D-03) introduced S.B. 2098, companion bills to clarify that persons and entities governed by HIPAA, who use or disclose individually identifiable health information consistent with HIPAA regulations, shall be deemed to be in compliance with Hawaii's privacy laws and rules. MRA supports this legislation.
Data retention
In Tennessee, Rep. David Shepard (D-69) and Senator Roy Herron (D-24) introduced the “Electronic Privacy Act of 2012” (H.B. 3408 and S.B. 3723), which would require businesses to delete personal information provided by a consumer upon the consumer's written request unless the business is required to retain the information by law. Further, the Act requires that, “Within sixty (60) days of receipt of the written request… a business entity shall delete the provided personal information from all records, electronic or otherwise, unless the retention of such personal information is otherwise required by law. If the business entity is required by law to retain the provided personal information, then the business entity shall communicate such reason for retention of the personal information in writing to the person within thirty (30) days of receipt of the written request”. Violations of the Act would be punishable “by a fine of not less than five hundred dollars ($500) nor more than five thousand dollars ($5,000).” Definitions: Most concerning to MRA, Rep. Shepard and Sen. Herron do not define “personal information” in the Act, and while associated parts of the Tennessee Code define “identifying information” (Tenn. Code Ann. § 47-18-5202 (2012)) and “personally identifiable information” (Tenn. Code Ann. § 47-18-2203 (2012)), the Code does not define “personal information” either. Conclusion: Absent a definition, MRA is concerned that the Act is too broad and will seek to amend or defeat H.B. 3408 and S.B. 3723.
Location privacy
In Georgia, Rep. Billy Mitchell (D-88) introduced “The Interception and Disclosure of Geolocation Information Protection Act” (H.B. 674), which would amend existing law relating to invasion of privacy by making it unlawful, without consent, for any person to intentionally intercept any geolocation information pertaining to another person; to intentionally disclose to any other person geolocation information pertaining to another person; and to intentionally use, or endeavor to use, any geolocation information. Violations would be punishable with civil and criminal penalties. Two important things remain unclear in H.B. 674: (1) what would be the impact of this broadly-constructed bill on telephone monitoring for survey and opinion research; and (2) what kind of individual consent would be required? Pursuant to the decision of the MRA Government Affairs Committee, MRA has taken the position that location privacy demands an opt out with fair and appropriate transparency of the tracking activity. We will also be recommending opt in as the best practice of the research profession. Conclusion: MRA will encourage Rep. Mitchell to clarify the Act's definition of “consent”, to ensure that it requires an opt out, not an opt in. We will also seek to clarify how this legislation might impact telephone monitoring.