The Marketing Research Association filed comments with the Federal Trade Commission (FTC) recently regarding an enforcement action against a marketing research company. This was in response to an activist group proposal that would present serious consequences for the broader survey, opinion and marketing research profession.

The FTC proposed a consent agreement with Compete, Inc. on October 29, 2012  to settle alleged "charges that it violated federal law by using its web-tracking software that collected personal data without disclosing the extent of the information that it was collecting [and] allegedly failed to honor promises it made to protect the personal data it collected." The Electronic Privacy Information Center (EPIC) submitted comments on the Compete agreement on November 19.

MRA filed comments on December 21 in response to EPIC's proposals. MRA's comments were filed in support of the entire research profession. Because Compete is a research company, we are concerned that the changes to the Compete order sought by EPIC would pose a potential threat to all research companies in the U.S.

The consent agreement proposed by the FTC requires "Compete and its clients to fully disclose the information they collect and get consumers’ express consent before they collect consumers’ data in the future. In addition, the settlement bars misrepresentations about the company’s privacy and data security practices and requires that it implement a comprehensive information security program with independent third-party audits every two years for 20 years."

EPIC urged the FTC "to (1) strengthen the Order by requiring Compete to implement Fair Information Practices similar to those contained in the Consumer Privacy Bill of Rights; (2) make Compete’s independent privacy assessments publicly available; (3) clarify the scope of implicit deception in the context of privacy policies; and (4) develop a best practices guide for anonymization techniques." None of these four ideas would prove positive for the research profession.

Deception by omission
EPIC supported the FTC's "finding of deception by omission" in the Compete case and further called for the FTC to "explicitly categorize omissions impacting consumer privacy as deceptive under Section 5 [of the FTC Act].  This clarification will inform companies that they must notify consumers of all privacy policy changes, and that failure to do so will result in a finding of deception under Section 5."

The FTC targets deceptive omissions "if they significantly involve health, safety, or other areas with which the reasonable consumer would be concerned." That might be applicable to scenarios regarding data security protections for personally identifiable information subject to criminal abuse (e.g., credit information that could lead to identity theft) or other tangible harm.

However, while some survey, opinion and marketing research indicates that consumers, on average, are concerned about their privacy, notifying consumers of every minute privacy policy change could work counter to the interest of actually informing consumers, since over-notification and excessively lengthy privacy policies already may be causing consumers to stop paying close attention to their own privacy needs and wants and growing more careless in how they handle their own privacy.

Therefore, MRA opposes the explicit categorization of omission as a deception under Section 5 of the FTC Act.

De-identification
EPIC’s criticism of companies’ claims to "anonymize or de-identify personal information by aggregating it or assigning pseudonyms to it" runs up against an ongoing debate in the academic and policy arenas on whether or not data can ever be fully de-identified or anonymized. If it cannot, then pretty much any piece of data is ultimately personally identifiable.

EPIC noted that, "Given the problems associated with certain de-identification techniques, and the falsity of claiming that pseudonyms and aggregation necessarily render data anonymous, the Commission should issue a best practices guide to de-identification… greater clarification and standardization is needed."

While MRA feels there may be benefit to engaging the FTC in the broader public debate over de-identification, it is not at all clear that FTC-issued "best practices" would advance the debate at this point. Instead, it would be more likely to squelch the debate long before the issue gets properly hashed out.

Respondent access to and control over research data
EPIC felt that the FTC’s consent agreement with Compete should advance President Obama’s Consumer Privacy Bill of Rights proposal by requiring that consumers be able to exercise individual control over which types of information and for what purposes Compete intends to collect and disclose. EPIC’s comments also lament that, "the Order does not grant consumers a right to access and ensure accuracy of the data that Compete maintains."

The MRA Code of Marketing Research Standards already requires that researchers seek tailor-made approaches to transparency with regard to clients, research participants, and the public at large that are appropriate to different modes and methods of research. Research best practices require disclosure of what data is being collected and used, and for what purpose, and that participants be given the opportunity to opt out. Given that EPIC’s stated concerns focus on the sharing of data for advertising purposes, the proposed broad application of consumer control over research use of data makes no sense. In particular in such a case, research codes and best practices forbid the use of personal information from research studies for direct marketing and advertising back to research participants.

Such a demand of access to consumer data may make sense in contexts where such data (particularly if inaccurate) could adversely impact a consumer’s credit rating, personal or professional reputation, or likelihood of becoming a victim of identity theft or fraud. However, none of these conditions should reasonably be assumed to apply to survey, opinion and marketing research data. Participation in survey, opinion and marketing research is voluntary.

The cost of access and correction could potentially be quite onerous, especially for smaller research companies and organizations, given a potential deluge of frivolous or pointless inquiries. Since the research process is interested in broad groups, not individuals, compiling and tracking individual consumer data, by the individual, would require complex and expensive procedures and infrastructure not currently in use. Moreover, such tracking could lead to a much greater threat of harm from data leakage and empower the kind of consumer tracking that concerns both EPIC and the FTC (such as in the consent agreement with Compete).

The ability of companies to authenticate the identity of consumers requesting access is another serious concern. That kind of authentication would require collecting and checking even more data, which runs counter to EPIC and the FTC’s interest in data minimization and limited data retention.  Plus, necessary authentication procedures and processes would add to the cost in money and time on the part of research organizations.

The FTC pointed out in its Privacy Report that, "the extent of access should be proportionate to the sensitivity of the data and the nature of its use."  To that point, MRA stresses that the use of the data should matter, and survey, opinion and marketing research data should, in most cases, not be subject to access, especially given that consumer concern focuses on commercial data brokerage for marketing and credit purposes, not on research. MRA particularly wishes to avoid a steep slippery slope where most any kind or combination of data could be tied to a supposedly adverse outcome.

Making privacy audits public
EPIC has not made a reasonable case for why Compete's privacy audits should be publicized. The case that "similar audits containing extensive technical details have been released in their entirety, all without identifiable competitive harm" is not made because the support relies on references to non-research-related foreign cases  and identifying the "competitive harm" would likely require a sizeable window of close study.  These privacy audits will contain plenty of trade secrets and delicate information.

There are broader implications to making such information public, particularly for the survey, opinion and marketing research profession. It could potentially interfere with core research processes, such as the classification of information, impair the overall performance of research and hurt the research business. Therefore, MRA does not support making public the privacy audits in the FTC's consent agreement with Compete.

Conclusion
By explicitly categorizing ommission as a deceptive practice under Section 5 of the FTC Act, requiring the FTC to pre-emptively settle the unfinished de-identification debate, requiring that researchers grant respondents access and control over research data, and making the results of privacy audits public, MRA feels that the EPIC proposal would potentially compromise the form and function of survey, opinion and marketing research in the U.S.

MRA urged the FTC to reject EPIC's proposed additions to the Compete consent agreement.

(Read MRA's full comments to the FTC, responding to EPIC's proposal on the Compete consent agreement)