Regulation & Legislation: 2012 Recap and Outlook for 2013
Wednesday, December 05, 2012
To date, 2012 has proved to be remarkably quiet from a legislative perspective, as election season politics served as the primary focus in statehouses nationwide. However, several regulatory actions and lawsuits occurred this year that should be noted by CASRO members. We anticipate that, with the election behind us, 2013 should prove to be more active. This article recaps the past year and looks at anticipated developments for next year.
This October, the FTC settled its unfair trade practice complaint against Compete, Inc., a subsidiary of Kantar that performs web analytics-based research, by entering into a Consent Order with Compete. Specifically, the FTC’s complaint alleged that:
- Compete’s software, which was installed on the computers of more than 4 million consumers, collected much more information than was disclosed in Compete’s privacy notices. While Compete stated that it would collect information regarding user “browsing behavior” and web page addresses viewed by the user, Compete actually collected information about all websites the user visited, all links followed and the advertisements displayed. The program also collected substantially more information about the user’s online behavior, to the extent that Compete knew whether a user abandoned or completed a purchase after placing an item in an online shopping cart. Further, Compete also captured some information users communicated on secure web pages, such as credit card numbers, financial account numbers, security codes and expiration dates, usernames, passwords, search terms and Social Security numbers.
- Compete failed to adequately filter personal information as it promised in its privacy notices. Specifically, Compete’s privacy notice stated: “All data is stripped of personally identifiable information before it is transmitted to our servers. Our data collection techniques have been designed to purge personally identifiable information wherever we find it. In addition, as a member of Compete you are assigned a randomly generated user ID ensuring your anonymity.” The FTC found, however, that the filters employed by Compete were too narrow and improperly structured to avoid collecting personal data, and that other data was filtered only after it had already been transferred to Compete’s servers.
- Lastly, the FTC found that Compete failed to take reasonable security measures to protect the data it collected, for example in the way it transmitted sensitive information captured from secure web pages.
The Consent Order between the FTC and Compete places a number of burdens on Compete’s ability to continue to use tracking technology moving forward. Specifically, Compete was forced to agree to:
- Provide a separate and prominent disclosure before installation of any tracking agent that specifies all information that will be collected and how that information is to be used and shared. The consumer would then be required to expressly consent to the collection, use and sharing of that information. The FTC further required that Compete provide these disclosures (and receive affirmative consent) from existing users before it could continue to collect any further data from such
- In addition, whether or not Compete intended to continue to collect information from its existing user base, Compete would be required to notify each user through several different mechanisms (including on the Compete website and in the user’s browser) that the user has a data collection program on his or her computer, and to specify that the software collects and transmits information about the user (including the specific categories of information that are or could be collected via the software). Further, the notice would need to provide instructions on how to uninstall the software, and Compete must provide toll-free telephonic and electronic customer support to assist users in doing so.
- Provide a copy of the Consent Order to all current and future principals, officers and directors of the company and to all current and future managers who have responsibilities relating to the subject matter of the order, as well as, within 30 days, to any existing third parties with agreements with Compete in connection with its tracking software, and to any third party entering into a contract with Compete in connection with its tracking software.
- Create a comprehensive information security program (“CISP”) with appropriate administrative, technical and physical safeguards. This program would need to be audited by an approved third-party privacy professional every 2 years for 20
- Destroy all information collected prior to February 1, 2010.
The obligations under the order were to stay in place for a period of 20 years. While the requirements that the FTC placed on Compete are generally not materially “new” (for example, the disclosures are roughly the same as those required in the FTC’s Consent Order with Sears, and the CISP and audit requirements mirror those found in Google’s Consent Order), this is the first time, to our knowledge, that a market research company and CASRO member has been directly targeted by the FTC for privacy-related unfair trade practice violations.
The requirements saddled on Compete constitute not only a public embarrassment for Compete, but also a burden on resources for 20 years. In addition, any breach of the Consent Order may lead to fines by the FTC. For example, Google recently was fined $22.5 million for breaching its own 2011 Consent Order with the FTC. If you are conducting tracking-based research, it is imperative that you regularly review your privacy disclosures and ensure that they are consistent with your actual data collection practices.
Class action lawsuits were filed this year against KISSmetrics, a web analytics company, and over 20 of its customers (including Hulu) over claims that the way the company’s tracking software operated constituted an invasion of privacy. Specifically, the lawsuits alleged that by using ETag technology, which allows for tracking independently of HTTP cookies, KISSmetrics was able to track users even after they deleted their cookies, thus making tracking more resilient to users’ efforts to protect their online privacy. KISSmetrics settled the direct lawsuit against it last month for roughly $500,000. The lawsuits against the customers, including Hulu, to our knowledge remain active.
These types of suits are not new – similar lawsuits were previously filed against QuantCast and Clearspring in 2010. While the ultimate success of these lawsuits remains questionable given the lack of demonstrable actual damages, these lawsuits can be very problematic. In our experience, customers regularly require indemnification for these types of claims. As such, KISSmetrics will likely be forced to expend large sums defending many of these claims on its customers’ behalf. In addition, KISSmetrics will be forced to explain to its customers why they are being sued. We would strongly recommend never using technology which “re-spawns” cookies after they have been deleted by the user.
Currently, there are at least 10 different proposals in Congress to provide increased protection of individual privacy. None of these bills has made any notable progress during the current Congress. It’s unclear if any of these bills will gain any additional traction in the new Congress given the continuing split of control between the House and Senate. We believe that the industry could work with any of these proposals, although some are preferable to others.
Physician Payments Reporting
We also continue to wait on the Centers for Medicaid and Medicare’s (“CMS”) final regulations implementing the transparency provisions of the Affordable Care Act. CMS in its earlier proposed regulations muddied the applicability of the research industry’s exemption - specifically, that the statute does not require disclosure of payments to physicians for participation in market research where a fair market value payment from a research company is made to physicians in connection with their participation in survey research, and the research client does not know the identity of the respondents. Unfortunately, the regulations that CMS proposed late in 2011 stated: “[W]e propose that awareness of the identity of the covered recipient by an agent of the applicable manufacturer will be attributed to the applicable manufacturer.” While market research organizations are not “agents” of manufacturers, we believe that risk-averse compliance departments within some pharmaceutical manufacturers may require reporting out of an abundance of caution.
CASRO submitted comments to CMS in an attempt to have the final regulations comport with our original understanding of the statutory exclusion.
Expansion of TCPA Liability by the FCC
The Federal Communications Commission (the “FCC”) is expected to issue a ruling in the next several months which could greatly expand liability under the Telephone Consumer Protection Act (the “TCPA”) to include companies that employ call centers that make calls prohibited under the
Calls for market research are largely exempt under the TCPA because they are considered to be non-commercial. However, the use of “automated telephone dialing systems” to call any telephone number assigned to a cell phone or any similar service for which the called party is charged for the call is prohibited for all purposes (including survey research) unless prior consent is obtained. The term “automatic telephone dialing system” is defined in the TCPA as “equipment which has the capacity— (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.” The penalties under the TCPA can be extreme – up to $1,500 per phone call.
To date, the FCC has issued conflicting statements regarding whether liability under the TCPA extends only to the call center actually making the prohibited calls or additionally to the call center’s client on whose behalf the calls or other contacts were made. Several petitioners to the FCC requested clarification regarding this point and, in turn, the FCC requested comments. The FCC is due to issue its ruling at any time. While several commentators believe that the contemplated expansion of liability is inconsistent with the TCPA and may be successfully challenged in court, the inclusion of “on behalf” liability nevertheless represents a concern for the market research
Research firms that employ call centers may now be exposed to direct liability for violations of the TCPA by their call centers. Given the FCC’s revised position, members of the very aggressive TCPA plaintiffs’ bar may also be emboldened to include clients of call centers as defendants in their class action lawsuits. As a result, obtaining indemnification for claims relating to violations of law from call center vendors (backed by the vendor’s insurance) will be more important than ever. In addition, research firms that operate call centers should be especially careful with respect to calling cell phones, and may find their own clients asking for indemnification in the event such prohibited calls are made.
FTC “Nutrition Labels”
The FTC revealed at a recent conference that it is developing a “nutrition label”-styled template that will permit companies to disclose their privacy practices to consumers in a concise and standardized way. These “labels” would be based on examples from the food and beverage industry as well as the model privacy form used by financial institutions under the Gramm-Leach-Bliley Act. Jon Leibowitz, the FTC’s Chairman, stated at the conference that the agency is attempting to identify the “five essential terms” that should be incorporated into these “labels.”
The proposal raises several questions. Will the notice form apply across all modes of data collection, or is the “label” form only intended for areas such as mobile applications where brevity is required? In addition, it is unclear whether the “label” form would be intended to supersede or solely to complement existing privacy policies. For example, would the label be required on the home page for a
Based on the FTC’s past statements in its Privacy Reports, we believe it is most likely that the FTC intends for the “label” to largely
and other instances where space is limited.
This effort by the FTC could be very helpful for the research industry, because at the very least the FTC’s expectations for the contents of privacy policies will presumably be better defined. Also, in its efforts to make privacy policies more concise, it is possible that the FTC would determine that certain privacy practices are “fair” and therefore no longer need to be disclosed. For example, companies may no longer need to include the ability to share data in connection with a corporate transaction, or as required by law, in their privacy policies.
Lastly, the FTC will likely finalize a substantial revision to its Children’s Online Privacy Protection Rule (the “Rule”) in 2013. The Rule promulgated by the FTC under the Children’s Online Privacy Protection Act (“COPPA”) has not been substantially revised since COPPA first became effective in 2000. In late 2011, the FTC first introduced proposed amendments, and this summer the FTC requested further comments regarding additional proposed revisions. While the revisions are not yet final, we believe that research companies should start preparing for numerous changes in how they collect and use the personal information of children.
The FTC’s proposed amendments include the following revisions and clarifications:
- The FTC seeks to clarify that COPPA applies not only to traditional websites, but also to other technologies that could be considered “online services,” such as mobile applications, network-connected games and potentially certain text messaging services. In addition, the FTC seeks to clarify that “plug in”/cookie operators embedded within a website are also considered
- Originally, the FTC sought to include a much broader definition of “personal information” in the Rule, which would include not only traditional data points (name, address, e-mail address, etc.), but also IP addresses, device identifiers, internal customer ID numbers (such as a panelist ID), and geolocational information. Under the newer proposed revisions to the Rule, the FTC now suggests that only identifiers that rise to the level of “online contact information,” such as a screen user name or instant messenger code, would fall under the revised definition, as they could be used to track children across multiple
- Streamlining and clarifying the notices that companies must provide to parents about their information collection practices, and where links to those practices must be placed.
- Eliminating the “email plus” verification method for obtaining parental consent, while proposing several new methods.
companies to ensure that third party service providers to whom they disclose personal information have reasonable security safeguards in place.
While we continue to believe that research companies will be able to comply with most of these revisions with only minor tinkering to their notices and procedures, the removal of the “email plus” parental consent mechanism may necessitate broader changes.
“Email plus” allows a company to request consent from a parent in an email message, and then to follow up to confirm that it was, in fact, the parent who provided consent. That follow-up can occur either by requesting in the initial email that the parent provide a phone or fax number so that the company can use one of those mechanisms to confirm consent, or by sending, after a reasonable time delay, a second e-mail to the parent to confirm consent. The FTC wants to phase out this “email plus” mechanism because it is extremely easy for a child to defeat. For example, the child could just give their own e-mail address. While we understand that other research trade groups may have taken an aggressive stand against the FTC’s elimination of the “email plus” mechanism, we disagree. There are other, more reliable, affordable means of obtaining parental consent available on the market, and “email plus” has indeed acted as a deterrent to companies using those better methods.