
Regulation & Legislation: 2012 Recap and Outlook for 2013

Wednesday, December 05, 2012

To date, 2012 has proved to be remarkably quiet from a legislative perspective as election season politics served as the primary focus in statehouses nationwide. However, several regulatory actions and lawsuits occurred this year that should be noted by CASRO members. We anticipate that with the election behind us, 2013 should prove to be more active. This article recaps the past year and looks at anticipated developments for next year.

Compete

This October, the FTC settled its unfair trade practice complaint against Compete, Inc., a subsidiary of Kantar that performs web analytics-based research, by entering into a Consent Order with Compete.

Specifically, the FTC’s complaint alleged that:

  • Compete’s software, which was installed on the computers of more than 4 million consumers, collected much more information than was disclosed in Compete’s privacy notices. While Compete stated that it would collect information regarding user "browsing behavior" and web page addresses viewed by the user, Compete actually collected information about all websites the user visited, all links followed and the advertisements displayed. The program also collected substantially more information about the user’s online behavior, to the extent that Compete knew whether a user abandoned or completed a purchase after placing an item in an online shopping cart. Further, Compete also captured some information users communicated on secure web pages, such as credit card numbers, financial account numbers, security codes and expiration dates, usernames, passwords, search terms and Social Security numbers.

  • Compete failed to adequately filter personal information as it promised in its privacy notices. Specifically, Compete’s privacy policy stated that:

All data is stripped of personally identifiable information before it is transmitted to our servers. Our data collection techniques have been designed to purge personally identifiable information wherever we find it. In addition, as a member of Compete you are assigned a randomly generated user ID ensuring your anonymity.

However, the FTC found that the filters Compete employed were too narrow and improperly structured to avoid collecting personal data, and that other data was filtered only after it had already been transferred to Compete’s servers.

  • Lastly, the FTC found that Compete failed to take reasonable security measures to protect the data it collected, such as by transmitting sensitive information captured from secure web pages without adequate protection.

The Consent Order between the FTC and Compete places a number of burdens on Compete’s ability to continue to use tracking technology moving forward. Specifically, Compete was forced to agree to:

  • Provide a separate and prominent disclosure before installation of any tracking agent that specifies all information that will be collected and how that information is to be used and shared. The consumer would then be required to expressly consent to the collection, use and sharing of that information. The FTC further required that Compete provide these disclosures (and receive affirmative consent) from existing users before it could continue to collect any further data from such users.

  • In addition, whether or not Compete intended to continue to collect information from its existing user base, Compete would be required to notify each user through several different mechanisms (including on the Compete website and in the user’s browser) that the user has a data collection program on his or her computer and specify that the software collects and transmits information about the user (including the specific categories of information that are or could be collected via the software). Further, the notice would need to provide instructions on how to uninstall the software and Compete must provide toll-free telephonic and electronic customer support to assist users to do so.

  • Provide a copy of the Consent Order, within 30 days, to all current and future principals, officers and directors of the company, to all current and future managers who have responsibilities relating to the subject matter of the order, and to any existing third parties with agreements with Compete in connection with its tracking software, as well as to any third party that later enters into a contract with Compete in connection with its tracking software.

  • Create a comprehensive information security program ("CISP") with appropriate administrative, technical and physical safeguards. This program would need to be audited by an approved third-party privacy professional every 2 years for 20 years.

  • Destroy all information collected prior to February 1, 2010.

The obligations under the order were to stay in place for a period of 20 years. The requirements that the FTC placed on Compete are generally not materially "new": for example, the disclosures are roughly the same as those required in the FTC’s Consent Order with Sears, and the CISP and audit requirements mirror those found in Google’s Consent Order. However, this is the first time to our knowledge that a market research company and CASRO member has been directly targeted by the FTC for privacy-related unfair trade practice violations.

The requirements saddled on Compete constitute not only a public embarrassment for Compete, but also a burden on resources for 20 years. In addition, any breach of the Consent Order may lead to fines by the FTC. For example, Google recently was fined $22.5 million for breaching its own 2011 Consent Order with the FTC. If you are conducting tracking-based research, it is imperative that you regularly review your privacy disclosures and ensure that they are consistent with your actual data collection practices.

KISSmetrics Lawsuits

Class action lawsuits were filed this year against KISSmetrics, a web analytics company, and over 20 of its customers (including Hulu) over claims that the way that the company’s tracking software operated constituted an invasion of privacy. Specifically, the lawsuits alleged that by using ETag technology, which allows for tracking independently of HTTP cookies, KISSmetrics was able to track users even after they deleted their cookies, thus making tracking more resilient to users’ efforts to protect their online privacy. KISSmetrics settled the direct lawsuit against it last month for roughly $500,000. The lawsuits against the customers, including Hulu, to our knowledge remain active.

These types of suits are not new – similar lawsuits were previously filed against QuantCast and Clearspring in 2010. While the ultimate success of these lawsuits remains questionable given the lack of demonstrable actual damages, these lawsuits can be very problematic. In our experience, customers regularly require indemnification for these types of claims. As such, KISSmetrics will likely be forced to expend large sums defending many of these claims on its customers’ behalf. In addition, KISSmetrics will be forced to explain to its customers why they are being sued. We would strongly recommend never using technology which "re-spawns" cookies after they have been deleted by the user.

2013 Forecast

Federal Legislation

Currently, there are at least 10 different proposals in Congress to provide increased protection of individual privacy. None of these bills has made any notable progress during the current Congress. It’s unclear if any of these bills will gain any additional traction in the new Congress given the continuing split of control between the House and Senate. We believe that the industry could work with any of these proposals, although some may be more preferable.

Physician Payments Reporting

We also continue to wait on the Centers for Medicaid and Medicare’s ("CMS") final regulations implementing the transparency provisions of the Affordable Care Act. CMS in its earlier proposed regulations muddied the applicability of the research industry’s exemption: specifically, that the statute does not require disclosure of payments to physicians for participation in market research where a fair market value payment from a research company is made to physicians in connection with their participation in survey research, and the research client does not know the identity of the respondents. Unfortunately, the regulations that CMS proposed late in 2011 stated: "[W]e propose that awareness of the identity of the covered recipient by an agent of the applicable manufacturer will be attributed to the applicable manufacturer." While market research organizations are not "agents" of manufacturers, we believe that risk-averse compliance departments within some pharmaceutical manufacturers may require reporting out of an abundance of caution. CASRO submitted comments to CMS in an attempt to have the final regulations comport with our original understanding of the statutory exclusion.

Expansion of TCPA Liability by the FCC

The Federal Communications Commission (the "FCC") is expected to issue a ruling in the next several months which could greatly expand liability under the Telephone Consumer Protection Act (the "TCPA") to include companies that employ call centers that make calls prohibited under the TCPA.

Calls for market research are largely exempt under the TCPA, because they are considered to be non-commercial. However, the use of "automated telephone dialing systems" to call any telephone number assigned to a cell phone or any similar service for which the called party is charged for the call is prohibited for all purposes (including survey research) unless prior consent is obtained. The term "automatic telephone dialing system" is defined in the TCPA as "equipment which has the capacity— (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers." The penalties under the TCPA can be extreme – up to $1,500 per phone call.

To date, the FCC has issued conflicting statements regarding whether liability under the TCPA extends only to the call center actually making the prohibited calls or additionally to the call center’s client on whose behalf the calls or other contacts were made. Several petitioners to the FCC requested clarification regarding this point and, in turn, the FCC requested comments. The FCC is due to issue its ruling at any time. While several commentators believe that the contemplated expansion of liability is inconsistent with the TCPA and may be successfully challenged in court, the inclusion of "on behalf" liability nevertheless represents a concern for the market research industry.

Research firms that employ call centers may now be exposed to direct liability for violations of the TCPA by their call centers. Given the FCC’s revised position, members of the very aggressive TCPA plaintiffs’ bar may also be emboldened to include clients of call centers as defendants in their class action lawsuits. As a result, the importance of obtaining indemnification for claims relating to violations of law from call center vendors (backed by the vendor’s insurance) will be more important than ever. In addition, research firms that operate call centers should be especially careful with respect to calling cell phones and may find their own clients asking for indemnification in the event such prohibited calls are made.

FTC "Nutrition Labels"

The FTC revealed at a recent conference that it is developing a "nutrition label"-styled template that will permit companies to disclose their privacy practices to consumers in a concise and standardized way. These "labels" would be based on examples from the food and beverage industry as well as the model privacy form used by financial institutions under the Gramm-Leach-Bliley Act. Jon Leibowitz, the FTC’s Chairman, stated at the conference that the agency is attempting to identify the "five essential terms" that should be incorporated into these "labels."

The proposal raises several questions. Will the notice form apply across all modes of data collection, or is the "label" form only intended for areas such as mobile applications where brevity is required? In addition, it is unclear whether the "label" form would be intended to supersede or solely to complement existing privacy policies. For example, would the label be required on the home page of a website?

Based on the FTC’s past statements in its Privacy Reports, we believe it is most likely that the FTC intends for the "label" to largely replace the current privacy policy concept, especially for mobile applications and other instances where space is limited. This effort by the FTC could be very helpful for the research industry, because at the very least the FTC’s expectations for the contents of privacy policies will presumably be better defined. Also, in its efforts to make privacy policies more concise, it is possible that the FTC would determine that certain privacy practices are "fair" and therefore no longer need to be disclosed. For example, companies may no longer need to include the ability to share data in connection with a corporate transaction or as required by law in their privacy policies.

COPPA Revisions

Lastly, the FTC will likely finalize a substantial revision to its Children’s Online Privacy Protection Rule (the "Rule") in 2013. The Rule promulgated by the FTC under the Children’s Online Privacy Protection Act ("COPPA") has not been substantially revised since COPPA first became effective in 2000. In late 2011, the FTC first introduced proposed amendments, and this summer the FTC requested further comments regarding additional proposed revisions. While the revisions are not yet final, we believe that research companies should start preparing for numerous changes in how they collect and use the personal information of children.

The FTC’s proposed amendments include the following revisions and clarifications:

- The FTC seeks to clarify that COPPA applies not only to traditional websites, but also to other technologies that could be considered "online services," such as mobile applications, network-connected games and potentially certain text messaging services. In addition, the FTC seeks to clarify that "plug in"/cookie operators embedded within a website are also considered "operators."

- Originally, the FTC sought to include a much broader definition of "personal information" in the Rule, which would include not only traditional data points (name, address, e-mail address, etc.), but also IP addresses, device identifiers, internal customer ID numbers (such as a panelist ID), and geolocational information. Under the newer proposed revisions to the Rule, the FTC now suggests that only identifiers that rise to the level of "online contact information," such as a screen user name or instant messenger code, would fall under the revised definition, as such identifiers could be used to track children across multiple websites.

- Streamlining and clarifying the notices that companies must provide about their information collection practices to parents and where links to those practices must be placed.

- Eliminating the "email plus” verification method for obtaining parental consent, while proposing several new methods.

- Requiring companies to ensure that third party service providers to whom they disclose personal information have reasonable security safeguards in place.

While we continue to believe that research companies will be able to comply with most of these revisions with only minor tinkering to their notices and procedures, the removal of the "email plus" parental consent mechanism may necessitate broader changes. "Email plus" allows a company to request consent from a parent in an email message, and then to follow up to confirm that it was, in fact, the parent who provided consent. That follow-up can occur either by requesting in the initial email that the parent provide a phone or fax number so that the company can use one of those mechanisms to confirm consent, or by sending a second e-mail to the parent after a reasonable time delay to confirm consent. The FTC wants to phase out this "email plus" mechanism because it is extremely easy for a child to defeat; for example, the child could simply give their own e-mail address. While we understand that other research trade groups may have taken an aggressive stand against the FTC’s elimination of the "email plus" mechanism, we disagree. There are other, more reliable, affordable means of obtaining parental consent available on the market, and "email plus" has indeed acted as a deterrent to companies using those better methods.
