What are the top legal issues with which you, as a survey, opinion and marketing research professional, will have to grapple in 2014? We’ve got your top seven. Keep in mind that this does not include the many laws and regulations that are not research-specific, such as state and federal tax laws which impact everyone.
As always, MRA recommends that you consult with your own legal counsel about the application of any law or regulation to your specific circumstances.
7. European Union (EU) Data Directive
In an increasingly globally-linked world, you are probably involved in research or business with people in Europe, which works differently than the U.S. The 1998 European Commission’s Directive on Data Protection (“the Data Directive”) prohibits the transfer of “personal data” to non-EU nations that do not meet the European “adequacy” standard for privacy protection. The U.S. is not considered to be “adequate.” Each EU member nation implements and enforces the Data Directive differently. The Data Directive places significant restrictions on the collection, use and disclosure of personal data that prove taxing for many researchers.
If you don’t want to abide directly by the Data Directive, you can either adopt binding corporate rules or self-certify to the U.S.-EU Safe Harbor. By self-certifying to the U.S. Department of Commerce that you comply with the seven Safe Harbor principles – Notice, Choice, Onward Transfer (to Third Parties), Access, Security, Data Integrity and Enforcement – you can at least have some mechanism for data transfer. While it is a self-certification, the Federal Trade Commission (FTC) enforces compliance with the Safe Harbor.
Aside from proving an impediment to U.S. research companies doing business in Europe, the Data Directive makes the list for 2014 because at the same time EU authorities have been working to rewrite it, prominent EU officials have threatened to revoke the Safe Harbor or negotiate it out of existence as part of a trade deal with the U.S.
- European Union Data Directive: Best Practices for Survey, Opinion and Marketing Researchers
- Understanding the U.S.-European Union (EU) Safe Harbor for Data Transfer
- U.S.-EU Trade Deal: Data privacy threats and opportunities for the marketing research profession in transatlantic trade negotiations
At the state level, misclassification of respondents can trigger payment of state unemployment insurance premiums (and other benefits) which – as they are rarely actually paid – represent a meritless but potentially lucrative source of state government funding. At the federal level, this misclassification could require research companies to pay respondents overtime wages as well as the federal minimum wage, and subject them to restrictions on youth participation and extensive paperwork.
Several such cases seem to arise every year, forcing the research profession to play whack-a-mole. Usually, cases develop out of labor division audits focused on unemployment payments and spiral from there. We’ve seen misclassification cases at the federal level and in Pennsylvania, Wisconsin, New York, and Texas. The cases are usually winnable, but can be quite costly in time, reputation and money.
The continuing risk of regulators misclassifying respondents was MRA’s motivation to create and introduce the Research Fairness Act of 2012 (H.R. 5915) in Congress, which would clarify in federal labor law that respondents are independent contractors instead of research company employees.
Unfortunately, state and federal legislators have not exhibited much of an appetite to deal with this problem for us.
- Model Clauses for Informing Respondents Receiving Incentives That They Are Independent Contractors
- Independent Contractor Tests: A State-by-State Assessment
- Legislation Introduced to Protect Marketing Research Companies from Unfair Labor Department Actions
The law does not require that do not track requests be honored, nor does it specify how the requests should look or be transmitted. That is an ongoing controversy being fought out on technical and policy grounds in a working group of the World Wide Web Consortium (W3C), with federal legislators and regulators waiting in the wings. However, California’s law will require greater disclosure of online tracking, including for research purposes, and researchers will need to adjust their policies (and potentially, their practices) accordingly.
- California Moves Ahead with Do Not Track
- No Matter Where You Are, You May Be In Violation of California Law RIGHT NOW
The letter and spirit of the law exclude marketing research incentive payments to health care professionals from the public reporting requirements, so long as researchers’ routine policies and conventions are followed so that such respondents are paid by a research firm and respondent identities remain unknown to the manufacturers sponsoring the research. Unfortunately, the case example used by the regulator to illustrate the marketing research exemption confused the issue with a reference to double-blind studies, and manufacturers’ compliance departments have more questions than answers.
- Answers to Frequently Asked Questions
- Joint regulatory alert from CASRO, MRA and PMRG
- A 1-page position paper to share with manufacturers
While traditionally the responsibility and liability have focused on covered entities, changes over the last few years have made business associates directly (rather than just contractually) liable for data privacy and security protections, dramatically increasing the threshold of responsibility for research companies. The threat of that liability is also more serious, as HIPAA enforcement has grown more vigorous and violators have been punished more severely.
The privacy rules have also expanded, such that consumers must be granted greater access and control over their data and data collection and storage must be minimized.
Researchers operating as business associates have a lot of compliance work to do, such as: creating or updating HIPAA security and privacy policies; conducting a security risk analysis; preparing a risk management plan; working out amended business associate agreements with their covered entities to reflect the business associates’ new direct liability and to determine who will be responsible for consumer requests for access or control; and added or improved record keeping, which will be required in case of an audit.
We’ve seen an uptick in TCPA litigation in the last few years, especially class action lawsuits. In fact, a major research company found itself subjected to a TCPA class action in summer 2013.
Court cases have wrestled with such issues as: whether or not a consumer offering their cell phone as a contact number actually gives the receiving company the necessary express prior consent to call that number with an autodialer; whether the entity making the calls is responsible for violations, or if the sponsor is responsible; or when a dialing system actually qualifies as an autodialer subject to the TCPA.
The Federal Communications Commission (FCC), which is responsible for this part of the TCPA, is even considering a number of petitions to clarify or change its interpretations of the rules. Until that happens, researchers should be extremely wary. It is a mistake to assume you have the requisite express prior consent to call someone on a cell phone, including if the calling list was provided by a client.
The FCC has usually taken an expansive view of the definition of automatic dialing, which is why MRA continues to recommend that the only certain method to ensure TCPA compliance, in the absence of express prior consent, is to manually dial cell phone numbers (where a human being physically touches the buttons on the phone to dial the number). Even having a computer dial the number for you, after you manually enter it on a keyboard, might pose a hazard.
- Calling Cell Phones: Best Practices
- TCPA Restrictions on Using Autodialers to Call Cell Phones
- New TCPA Rules for Autodialer Calls and Robocalls Take Effect Soon
Why does this matter? The FTC intensely scrutinizes companies’ privacy and data security practices and seeks to bring them into compliance with sometimes vague standards through complex and costly settlements. The FTC has a sophisticated team arming up to consider the costs and benefits of Big Data, data brokers, the Internet of Things and other emerging concerns in privacy and data security.
The agency has already demonstrated its not-so-friendly interest in the research business in its investigation of and costly settlement with marketing research company Compete, demonstrating that the FTC’s statutory authority in the realm of “unfair or deceptive” practices are being interpreted in the broadest of fashions. We also understand that the agency has more than a few other investigations of research companies underway.
These not-so-hypothetical scenarios are why we expect tangling with the FTC to be the top legal issue facing the research profession in 2014.