- Incentives for Doctors
- Online Behavioral Tracking
- Data Security
- Political Calls
- Voice Recorded Polls
- Census Funding
Incentives for Doctors
MN - S.B. 3843, which would have banned all incentives to physicians (similar to Massachusetts S.B. 2660), has died. Under current law, such incentives are subject to aggregate reporting requirements. This bill was introduced rather late in the state session and died when the legislature adjourned. Unfortunately, MRA expects to see similar legislation in a future session and will diligently monitor and respond. Moreover, there are still battles on this issue in California, Massachusetts and New Hampshire, as well as at the federal level.
GA - S.B. 24 has been enacted into law. This new law prohibits persons from using Internet or electronic mail to induce a person to provide identifying information by falsely representing themselves to be a business, without the authority or the approval of the actual business that is being utilized. Though survey and opinion researchers do not engage in deceptive practices, researchers should be mindful of their email subject headings to avoid the appearance of phishing under this new Georgia law.
Online Behavioral Tracking
CT – H.B. 5765, which would have required conspicuous and thorough notice about data collection and usage policies for online "advertising delivery and reporting", and a complicated regime of opt in and opt out procedures, has died because Connecticut has adjourned for 2008. MRA diligently expressed our concerns to the sponsors of this bill and we expect to see it reemerge in 2009.
MRA continues to monitor similar bills in other states, including New York’s A.B. 9275. We expect a similar bill to be introduced in Massachusetts.
VA — Has become the 40th state to adopt a data breach notification law. S.B. 307 requires individuals or entities that own or license computerized data that includes personal information of Virginia residents to notify consumers, the Attorney General of Virginia, and, in certain situations, consumer reporting agencies, when unencrypted or unredacted personal information was or is accessed and acquired by an unauthorized person and causes, or it is reasonably believed that it has or will cause identity theft or another fraud to Virginia residents.
Individuals or entities must notify affected Virginia residents and the Office of the Attorney General of the breach “without unreasonable delay.” If notice must be provided to more than 1,000 persons at one time, the individual or entity is required to also notify ”without unreasonable delay” all consumer reporting agencies of the timing, distribution and content of the notice. Yet, individuals and entities that only maintain, but do not own or license the compromised data, are required to notify the owner or licensee of such data of the breach.
Survey and opinion research companies must comply with this law in the event of a security breach regarding unencrypted or unredacted data for Virginia residents and must fulfill the notification requirements imposed accordingly.
WV- Has become the 41st state to adopt a data breach notification law. S.B. 340 requires an individual or entity that owns or licenses computerized data that includes personal information to provide notice of any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of West Virginia whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any West Virginia resident.
Survey and opinion research companies must comply with this law in the event of a security breach regarding unencrypted or unredacted data that it reasonably believes could cause identity theft or other fraud to West Virginia residents.
SC - Has become the 42nd state to adopt a data breach notification law which also includes “non-breach” provisions such as security freeze language, Social Security number (SSN) usage restrictions and information disposal requirements. S.B. 453 applies to security breaches of data in any form, electronic or paper. The list of kinds of personal information covered by this law also is somewhat broader than most similar laws, as it applies not only to SSNs, credit card numbers and bank accounts, but also to “digital signatures,” “other numbers or information which may be used to access a person's financial resources” or “identifying documentation that defines a person other than the person presenting the document.”
The South Carolina law contains a specific “risk of harm” provision, so that notification is required only in certain situations. Under the South Carolina law, a covered business must give notice of a breach only where “illegal use of information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the [South Carolina] consumer.” Where breaches require notice to more than 1,000 South Carolina residents, notice also must be provided to the Department of Consumer Affairs and the nationwide consumer reporting agencies.
Survey and opinion research companies must comply with this law in the event it is determined that illegal use of information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to South Carolina residents.
IA - Has become the 43rd state to adopt a data breach notification law. S.F. 2308 requires any person who owns or licenses computerized data that includes a consumer’s personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach.
Survey and opinion research companies must comply with this law in the event it is determined that there is a reasonable likelihood of financial harm to Iowa consumers from a data breach.
Canada - The Canadian government is proposing to leave it to companies to decide when to issue notice of data security breaches when the business determines there is a “high risk of significant harm … as soon as is reasonably possible after detection of a breach,” according to a recent legislative proposal from Industry Canada.
European Union - The European Data Protection Supervisor (EDPS), an independent supervisory authority, has expressed support for an EU-wide data security breach notification law currently being considered by the European Commission.
Russia – The Rossvyazokhrankultura (the Russian Mass Media, Communications and Cultural Protection Service) has reinterpreted current Russian law to hold that users must register any electronics that use the frequency involved in Wi-Fi communications. Aside from public hotspots, the registration requirement also applies to home networks, laptops, smart phones and Wi-Fi-enabled PDAs.
In addition to extensive extra paperwork and permissions required to maintain any Wi-Fi network or device in Russia, this poses a potential security risk to research organizations maintaining any personally identifiable information connected to a wireless network in Russia, giving the government access to such networks as it deems necessary.
Congress - The President signed the Genetic Information Non-discrimination Act (H.R. 493) into law. This new law prohibits the improper use of genetic information in health insurance and employment. Because the law does not alter the treatment of forms of personally identifiable information for research purposes, H.R. 493 should have no measureable impact on the survey and opinion research profession.
OH - Rep. Yuko (D) introduced H.B. 533, which would prohibit sending an advertisement to a fax device unless the sender has received prior permission from the owner or has a pre-existing business relationship with the owner. While legitimate survey and opinion research would not normally be considered an “advertisement”, MRA is concerned that H.B. 533’s definition of advertisement -- “any message or material promoting the availability or quality of any goods, property or services” -- is so vague that essentially any fax could be deemed an advertisement, including faxes sent by survey and opinion researchers for respondent recruitment purposes. MRA will contact the sponsor of the legislation and follow up as necessary to ensure that legitimate research practices are excluded from this bill.
KY - H.B. 90, a high priority bill that would have prohibited using automated calling equipment for conducting polls or soliciting information, has died, because the state legislature has adjourned. MRA will monitor for any future legislative efforts in this area and will again respond timely and effectively to shield the profession.
LA - Sen. Neil Abramson (D) introduced H.B. 1044 on March 21, 2008, a bill drafted by MRA, which would combat so-called “push polls” while protecting legitimate survey and opinion research (including message testing). H.B. 1044 has already passed the House and is awaiting action in the Senate & Governmental Affairs Committee as of April 17, 2008. H.B. 1044 and its advancement would not have been possible without the dogged efforts of a grassroots volunteer member of the MRA State Capitol Network.
MO - Had several bills during the course of this legislation that MRA considered high priority concerns. Thankfully, the legislature has adjourned for 2008 without acting upon any of the potentially detrimental bills.
H.B. 2154, H.B. 1547 and H.B. 1606, which would have amended the definition of telephone solicitation to include explicitly polling for a political candidate, are likely to re-appear in the 2009 legislative session. MRA will follow any post-session reports and platforms on this issue and will respond accordingly with the same success achieved during this legislative session.
Recorded Voice Polling
CT - S.B. 407, which would have prohibited the use of all automated dialing announcing devices and recorded voice polls, died with the adjournment of the legislature. MRA anticipates similar legislation in Connecticut in 2009 and stands ready to educate, inform and advocate on behalf of the research profession.
Congress – The House and Senate are expected to pass a supplemental “emergency” appropriations bill by early June, which would include $210 million in immediate funding for the 2010 Census. Because of technological problems with the hand-held computer system that was scheduled for use in non-response follow-up, the Census Bureau says it needs several hundred million more dollars to prepare and deploy a paper-and-pencil system. The Administration requested these funds but would have paid for them by cutting items from other programs. MRA continues to advocate for a properly-funded decennial Census, recently sending a letter to the Director of the Office of Management and Budget (OMB) requesting this supplemental funding.
Canada - Sen. Yoine Goldstein has introduced the Anti-Spam Act, which would create new form and content requirements for sending commercial electronic messages in Canada, as well as establish prohibitions on common spamming techniques.
The content requirements include the need to identify clearly the sender of the message, provide accurate “header” information, avoid misleading subject lines and include information on how recipients can contact the sender directly. Commercial email senders must also establish a functional unsubscribe facility that enables recipients easily to opt-out of future messages.
The Act also would establish a broad prohibition against “the sending of a commercial electronic message unless the recipient has consented to receive the message.” This opt-in provision contains several key exemptions, including for political parties, charities, not-for-profit businesses, survey and opinion research companies, educational institutions and any business with a prior business relationship. All such entities can presume they have the necessary consent unless recipients expressly “opt-out.” The Anti-Spam Act also would add tough civil and criminal penalties and incentives for ISPs to cut off spamming activity. The ASA has reached second reading in the Senate and awaits committee hearings.