The Federal Trade Commission (FTC) finalized an enforcement order and settlement with Compete, Inc., a marketing research company, today, on "charges that it violated federal law by using its web-tracking software that collected personal data without disclosing the extent of the information that it was collecting [and] allegedly failed to honor promises it made to protect the personal data it collected."

The order "requires Compete, Inc. to obtain consumers’ express consent before collecting any data from its software downloaded onto consumers’ computers, delete or anonymize the use of the consumer data it already has collected and provide directions to consumers for uninstalling its software." It also "bars misrepresentations about the company’s privacy and data security practices and requires that it implement a comprehensive information security program with independent third-party audits every two years for 20 years."

The Marketing Research Association (MRA) filed comments with the FTC on December 21, 2012, in response to proposals from an activist group, the Electronic Privacy Information Center (EPIC). The MRA's comments were filed in support of the entire research profession, not in defense of Compete. Because Compete is a research company, we were concerned that the changes to the Compete order sought by EPIC would pose a potential threat to all research companies in the U.S.

In finalizing the Compete settlement today, the FTC appears to have accepted points made by the MRA and rejected EPIC's proposals to modify the settlement. In their letter responding to EPIC, the FTC concluded that, "the public interest would best be served by issuing the Decision and Order in final form without any modifications."

On the FTC's mission -- enforcement or policy-making?
While the MRA sometimes questions FTC actions and regulation in various respects, the agency's enforcement action against Compete may be a great example of how the agency properly executes its authority and responsibility: by combating bad behavior and working with possible offenders in order to remedy such behavior and keep it from happening again. Activist groups, such as EPIC, seem eager to turn the FTC into a policy-making body instead of an enforcement agency. We commend the FTC for staying focused on their primary mission: enforcing the law in order to protect American consumers.

Deception by omission
EPIC had called for the FTC to "explicitly categorize omissions impacting consumer privacy as deceptive under Section 5 [of the FTC Act]. This clarification will inform companies that they must notify consumers of all privacy policy changes, and that failure to do so will result in a finding of deception under Section 5."

While some research indicates that consumers, on average, are concerned about their privacy, notifying consumers of every minute privacy policy change could work against the goal of actually informing them. Over-notification and excessively lengthy privacy policies may already be causing consumers to stop paying close attention to their own privacy needs and wants and to grow more careless in how they handle their own privacy. That is why the MRA opposed the explicit categorization of omission as a deception under Section 5 of the FTC Act.

The FTC seems to have agreed with the MRA's concerns, noting that the agency "has challenged material deceptive omissions in a number of privacy-related cases" and has set forth the FTC's "general approach to deceptive acts or practices with respect to all types and aspects of business activities." The agency "endeavors to provide more specific guidance as to particular subjects" through mechanisms like policy reports and warning letters and feels that is still appropriate for this topic.

Anonymization and de-identification
EPIC noted that, "Given the problems associated with certain de-identification techniques, and the falsity of claiming that pseudonyms and aggregation necessarily render data anonymous, the Commission should issue a best practices guide to de-identification… greater clarification and standardization is needed."

While the MRA felt there might be benefit to engaging the FTC in the broader public debate over de-identification, it is not at all clear that FTC-issued "best practices" would advance the debate at this point. Instead, it would be more likely to squelch the debate long before the issue gets properly hashed out.

The FTC appears to have agreed.

The agency replied that, "generally, the Commission does not provide specific technical guidance in areas like this, which are constantly changing. It is a company's responsibility to keep abreast of and select the technology that it believes best meets its needs and requirements while appropriately protecting consumer privacy." The FTC also points out that their March 2012 report on consumer privacy noted that, "as a policy matter... what qualifies as reasonable measures to ensure that data is de-identified is not an absolute standard, but instead depends upon the particular circumstances, including the available methods and technologies, the nature of the data at issue, and the purposes for which it will be used."

Making privacy audits public
EPIC insisted in their comments to the FTC that Compete's privacy audits should be publicized.

According to the MRA, EPIC did not convincingly make their case that "similar audits containing extensive technical details have been released in their entirety, all without identifiable competitive harm" because EPIC's support relies on references to non-research-related foreign cases, and identification of "competitive harm" would likely require a sizeable window of close study. The MRA pointed out that the privacy audits would contain trade secrets and delicate information.

There are broader implications to making such information public, particularly for the survey, opinion and marketing research profession. It could potentially interfere with core research processes, such as the classification of information, impair the overall performance of research and hurt the research business. That was why the MRA opposed making public the privacy audits in the FTC's consent agreement with Compete -- and the FTC seems to have agreed.

The FTC responded to EPIC's proposal, noting that "compliance reports and assessments may contain trade secrets or other confidential commercial or financial information, or information about consumers or other third parties, that the Commission may not publicly disclose... An analysis of what may be disclosed pursuant to the law will depend upon the facts of each situation."

Respondent access to and control over research data
EPIC contended that the FTC’s consent agreement with Compete should advance President Obama’s Consumer Privacy Bill of Rights proposal by requiring that consumers be able to exercise individual control over which types of information, and for what purposes, Compete intends to collect and disclose. EPIC’s comments also lament that, "the Order does not grant consumers a right to access and ensure accuracy of the data that Compete maintains."

The MRA Code of Marketing Research Standards already requires that researchers seek tailor-made approaches to transparency with regard to clients, research participants, and the public at large that are appropriate to different modes and methods of research. Research best practices require disclosure of what data is being collected and used, and for what purpose, and that participants be given the opportunity to opt out.

According to the MRA, EPIC's proposals to require access and correction rights could potentially be onerous and costly, especially for smaller research companies, given a potential deluge of frivolous or pointless inquiries. Since the research process is interested in broad groups, not individuals, compiling and tracking individual consumer data, by the individual, would require complex and expensive procedures and infrastructure not currently in use. Moreover, such tracking could lead to a much greater threat of harm from data leakage and empower the kind of consumer tracking that concerns both EPIC and the FTC (such as in the agreement with Compete). The ability of companies to authenticate the identity of consumers requesting access was another serious concern identified by the MRA. That kind of authentication would require collecting and checking even more data, which runs counter to EPIC and the FTC’s interest in data minimization and limited data retention. Plus, necessary authentication procedures and processes would add to the cost in money and time on the part of research organizations.

The FTC did not respond to EPIC on the specific concerns with consumer access and control highlighted by the MRA. However, the agency did reject the EPIC proposal more broadly, stating that, "a settlement agreement is designed to address specific conduct alleged in a complaint, and may not impose additional obligations that are not reasonably related to such conduct or preventing its recurrence."

How should the research profession respond to the FTC's Compete case? Due diligence.
As with any FTC enforcement matter involving privacy and data security, members of the survey, opinion and marketing research profession should take this opportunity to review where the subject of the order (in this case, Compete) went wrong in compliance with law, regulation and ethics -- and make sure that your companies and organizations are not falling afoul of the same errors. MRA members should keep abreast of research best practices and consult their own attorneys about such matters.

Meanwhile, as always, the MRA will advocate for the research profession's interests in privacy and data security matters here in Washington, DC, and around the country, to protect research respondents AND researchers.