While not as much fun as spring cleaning, the start of a new year is a great time to audit your legal and regulatory compliance so that you can hopefully avoid any lawsuits or enforcement measures in 2015. Start by reevaluating your terms of use and privacy policy.[1] Make sure they are as clear and transparent as possible, and reflective of your current practices.

While the Federal Trade Commission (FTC) is not saying so explicitly, the chief U.S. regulator for the marketing research profession is keeping a jaundiced eye on you and your activities. FTC workshops and enforcement actions are zeroing in on Big Data analysis, data brokerage and insufficient privacy and data security protections.

Working mostly from hypothetical scenarios and hyperbole, the FTC is worried about the negative discriminatory impact from data analysis and segmentation with the ultimate presumption that discrimination could appear and harm consumers in any Big Data context, including research. FTC recommendations for Big Data privacy protection make for relevant MR guidance, particularly the call for “reasonable precautions to ensure that downstream users of their data do not use it for eligibility determinations or for unlawful discriminatory purposes.”

The FTC defines data brokers as “companies whose primary business is collecting personal information about consumers from a variety of sources and aggregating, analyzing, and sharing that information, or information derived from it.” For now, the agency’s primary focus is on data brokers who do this for marketing, identity verification and fraud prevention. However, the FTC’s definition clearly includes the average research company; Commissioners and staff have refused to rule MR out of their scope, and the broad area of marketing analytics has already been lumped in with marketing.

Say what you do, do what you say

This year, comScore had to settle a huge class action lawsuit relating to their data privacy practices. According to MRA’s outside counsel, Stuart Pardau, in addition to paying money, comScore agreed “to alter its privacy policies and end user license agreements to bring its disclosures in line with its data collection practices.”[2] Make sure that you have aligned your organization’s promises with how you actually behave instead of having to go to court over it in the future, like comScore did.

One of the key insights Pardau took from the comScore case: even “full disclosure” to consumers about how a research company handles personal information might not protect the company from regulatory or legal action. “The disclosures, especially those regarding areas that may be deemed to involve more invasive data collection methods, should be clear and conspicuous and not ‘buried’ in the terms of use or your privacy policies,” Pardau said.

Research companies must meet a higher standard than ordinary businesses in order to maintain research ethics (such as MRA’s Code), ensure respondent cooperation and earn the trust of research participants, regardless of the law. FTC Commissioner Julie Brill agreed in remarks at an event on Big Data innovation this fall,[3] observing that meeting and respecting “norms and consumer expectations” can be as important as, or more important than, simply following the law. When consumers trust a company, in her opinion, they will use its services without understanding every “jot” of its privacy practices. Violating that trust will ruin the relationship; trust takes a long time to build but “you can lose it in a minute,” she said. “This requires constant effort as risks to consumer information constantly shift.”

Speaking of risk…

Data security presents perhaps the most tangible of risks to a research department, company or organization. Data breaches seem to happen regularly. The most recent Ponemon Institute “Cost of Data Breach Study” pegged the cost-per-record-stolen at $201 in the U.S.[4] As class action lawsuits grow in response to breaches, that figure will presumably rise.

The easiest way to avoid a data breach is to not collect the data in the first place, so carefully determining what data you actually need for any given research study is a good way to start. Once the use for that data is complete, you need to dispose of it properly. Doing so will limit your risk and will help you comply with the law (including a new one in Delaware that came into effect on January 1[5]).

Again, the FTC plays a big enforcement role here, with over 50 data security cases under its belt. Even small companies[6] can find themselves pursued, either by the FTC or by state Attorneys General, for such breaches. The FTC can go after your company for failing to provide “reasonable” data security, but has not quite defined what that means. And Judge Douglas H. Ginsburg of the U.S. Court of Appeals for the District of Columbia Circuit has identified significant business confusion “about the best data security practices.”[7] That confusion drove Wyndham Hotels and LabMD to fight the FTC cases against them in court. Stuart Pardau has drafted a helpful analysis of those cases for MRA members, with extensive guidance to help secure your data infrastructure and operations.[8]

Don’t just take refuge in safe harbor

The European Union’s (EU) Data Directive places significant restrictions on the collection, use and disclosure of personal data that prove taxing for many researchers. The Directive also prohibits the transfer of “personal data” to non-EU nations that do not provide what the EU considers “adequate” privacy protection. The U.S. is not considered to be “adequate.”

The main route for U.S. researchers to legally export personal data from the EU is by signing on to the U.S.-EU Safe Harbor for data transfer. Research companies can register with (and pay a fee to) the Department of Commerce to do so. That certification requires that your company adhere to the seven Safe Harbor principles: Notice, Choice, Onward Transfer, Access, Security, Data Integrity and Enforcement. Failing to maintain and enforce a compliant privacy policy while claiming to consumers that you are “Safe Harbor Certified” can be punished by the FTC as a deceptive trade practice.[9]

However, the biggest tripwire for most companies right now, for which the FTC punished dozens of companies large and small in 2014, is simple failure to renew the company’s certification. Many of these companies were claiming adherence with the Safe Harbor, and were arguably compliant in their policies and practices, but had forgotten to re-file their paperwork. Some, of course, simply claimed adherence and had never registered before.

The FTC can fine companies up to $16,000 per day for any of these violations, which should be helpful motivation for any company to avoid such mistakes.

Conduct and buy telephone research safely

The Telephone Consumer Protection Act (TCPA) restrictions on research calls to cell phones are an anachronism, as relevant to 2015 as using a buggy whip to drive a Tesla, in an era where 57.1 percent of American households are either wireless-only or wireless-mostly. Nevertheless, the Federal Communications Commission (FCC) is clinging to its interpretation that just about any automation or computer involvement in dialing equates to an automatic telephone dialing system and requires prior express consent. Class action lawsuits hit with increasing regularity (RTI International being one of the most recent targets), and courts, while not necessarily agreeing with the FCC’s interpretation, are rendering plenty of conflicting decisions.[10]

An article in the last issue of Alert! explored different ways that research companies attempt to comply with the TCPA.[11] Some of those methods are better than others (hitting a button on your computer system to have it dial for you is not necessarily a safe bet, while actual, manual dialing is the safest). Beyond that, there are two important steps you can take to better protect your company if you’re a telephone researcher: (1) take care in the purchase and provision of telephone sample to avoid accidentally dialing a cell phone user; and (2) keep copious records of your dialing, which may help you get an erroneous TCPA case against your company dismissed, or win it.

Finally, if you purchase telephone research, keep in close contact with your provider to ensure that they are conducting the work as carefully as possible, since liability may ultimately be shared by you as well.

[2] Stuart Pardau, “Harris v. comScore Class Action Settlement and the MR Impact,” August 11, 2014.

[11] Mary McDougall, “Compliance and the True Cost of Cell Phone Dialing,” Alert! Magazine, 4th Quarter 2014.
