Privacy one year later: Compliance and industry issues in Canada and the United States
David W. Stark
MRIA Alberta Chapter, January 20, 2005
Privacy one year later
Agenda
- Privacy legislation overview
- Compliance: is it working?
- Industry implications
- Helpful resources
- Q&A
Privacy legislation overview
[Timeline diagram with two tracks, "Freedom of Information / Access" and "Privacy and Protection of Personal Data"; year markers 1966, 1974, 1980, 1985, 1994, 1998, 2000, 2001-2004]
Laws shown on the timeline:
- Freedom of Information Act – U.S.
- Access to Info. Act – Canada
- Privacy Act – U.S.
- Privacy Act – Canada
- Privacy Legislation – Quebec
- EU Privacy Directive
- Safe Harbor – U.S.
- PIPEDA – Canada
- PIPA – AB & BC
Notes:
- FOIA – first law to establish a legal right of access to federal government information.
- Privacy Act – regulates collection, use and dissemination of personal information by federal executive branch agencies.
- Quebec – first jurisdiction in N.A. to pass comprehensive privacy legislation affecting the private sector.
- EU Privacy Directive – the export of personal information from a European country to a country that does not offer adequate protection of such information is prohibited.
- Safe Harbor – Commerce Dept's response to make it possible for U.S. firms to continue cross-border data flows with EU countries.
Canadian approach to privacy
Federal regulations
- Competition Act (1985; rev. 1999 and 2001)
- CRTC Telemarketing Rules (1994; rev. 2004)
- PIPEDA (2001-2004) – comprehensive law affecting all industries in the private sector
- Bill C-37 (2005?) – would establish a national do-not-call registry
- Anti-spam legislation (2005?)
Canadian approach to privacy
Provincial regulations
- Personal information protection acts: QC, AB, BC
- Personal health information acts: AB, SK, MB, ON
With PIPEDA and its provincial counterparts, Canada's privacy framework is closer to Europe's than to the U.S.'s.
U.S. approach to privacy – sectoral
Federal regulations
- Video Privacy Protection Act (1988)
- Telephone Consumer Protection Act (1991)
- Driver's Privacy Protection Act (1994)
- Telemarketing Sales Rule (1996)
Notes:
- VPPA – Passed by Congress in response to the controversy surrounding the release of Judge Robert Bork's video rental records during his failed Supreme Court nomination. The Act prohibits video tape service providers from disclosing customer rental records without the informed, written consent of the consumer.
- TCPA – Restrictions on unsolicited faxes (written opt-in effective 06/05); restrictions on calling cell phones with auto-dialers; national do-not-call registry for telemarketers (07/03); requirement for telemarketers to show caller I.D. (01/04); telephone curfew at 9 p.m.
- DPPA – Congress enacted the Driver's Privacy Protection Act after the murder of actress Rebecca Schaeffer. Her assailant had obtained her address from the California Department of Motor Vehicles. The Act generally prohibits states from disclosing personal information that their drivers submit in order to obtain driver's licenses.
- TSR – Deceptive telemarketing practices, such as sugging, mugging and frugging, made illegal. Telephone curfew at 9 p.m.
U.S. approach to privacy – sectoral
Federal regulations
- Health Insurance Portability and Accountability Act (1996)
- Financial Modernization Act (Gramm-Leach-Bliley) (1999)
- Children's Online Privacy Protection Act (2000)
- CAN-SPAM Law (2003)
Notes:
- HIPAA – Confidentiality of health records.
- FMA – Regulates the sharing of personal information about individuals who obtain financial products or services from financial institutions.
- COPPA – Website operators must obtain verifiable parental consent before collecting personal information online from children under 13.
- CAN-SPAM – "Controlling the Assault of Non-Solicited Pornography and Marketing Act".
U.S. approach to privacy – sectoral
Federal regulations
- Eavesdropping and Taping Laws (FCC) – telephone interviewing, focus groups
- Federal Trade Commission Act (Section 5) – obligation to abide by one's posted privacy policies
U.S. approach to privacy – sectoral
State regulations
- Anti-spam laws
- Do-not-call laws and lists
- Telephone curfew laws
- Eavesdropping and taping
- California's Online Privacy Protection Act (CA OPPA) – must post a privacy policy on the website if collecting personally-identifiable information from CA residents.
Notes:
CA OPPA is significant because the law effectively applies to website operators in each of the 50 states. The law stipulates four requirements that must be included in an organization's privacy policy:
- Categories of PII collected and third-party organizations with whom information may be shared;
- Right of access to personal information – must describe the process by which an individual can review and request changes to his/her PII;
- Must describe how the organization notifies the individual of material changes to his/her PII;
- Must identify the effective date of the privacy policy.
These are significant because CA's law more closely resembles the European approach (comprehensive laws affecting all organizations in all sectors) than the U.S. sectoral approach.
What's driving consumer privacy laws?
- Most privacy regulations enacted since the early 1990s
  - Coincides with the digital information age
  - Databases of PII that can be manipulated and moved offshore at the click of a button
- Public opinion
  - Greater intrusion into consumers' lives – want to be left alone
- Outsourcing offshore
Notes:
- Consumers want greater control over how their personal information is used by organizations.
- Popularity of the Do-Not-Call Registry: by Sept. 2004, consumers had registered over 64 million phone numbers.
- Outsourcing offshore: the EU Privacy Directive is having an impact.
- Lack of a national privacy law in India: a subcontractor threatened to post Americans' PII on the Internet over an unpaid invoice.
- Proposed legislation in the U.S. would require U.S. firms to disclose to consumers that their personal information may go offshore for processing.
- Another proposed bill would require offshore call centers to tell Americans where they are calling from and give them the choice of speaking to someone in the U.S.
Compliance: is it working?
Compliance in Canada
- Low awareness of PIPEDA and provincial privacy laws
- Federal Privacy Commissioner has treated offending organizations with kid gloves
- Commissioner's Office understaffed
- Still, in general, Canadian firms seem to be more privacy-conscious than their U.S. counterparts
Compliance in the United States
- Patchwork of privacy laws difficult for organizations
- Multinationals would prefer a national privacy law (similar to PIPEDA)
- FTC names offending organizations on its website
- Private right of action in many U.S. laws gives rise to class action suits
- EU study suggests several U.S. firms on the Safe Harbor list are not in compliance
Industry implications
Industry implications
Third-party disclosures
- Clients' customer lists
- Respondent PII shared with clients
- List brokers / sample providers
- Qualitative research: recruiter, moderator, facility
Online research
- Explicit opt-in consent
- Must not spoof message headers
- ISP shutdowns
[Diagram labels: research supplier, research client, customer]
Notes:
- Customer lists for telephone and mail studies – ideally should be based on opt-out consent, and such disclosures should be mentioned in the client's privacy policy.
- Customer lists for online studies – must be based on explicit, opt-in consent for a third-party research firm to contact them.
- The same rules apply for list brokers / sample providers.
- Database marketing – should get respondents' consent to link their personally-identifiable survey responses with their customer records.
- Online research carries too many risks if there isn't opt-in consent (e.g. the case of Harris Interactive, ISP shutdowns, CAN-SPAM).
When research firm (RF) sends invitation from its domain…

    From: RF on behalf of CLIENT <xxxxxx@RF.com>
    To: Rebecca Smith <rsmith@yahoo.com>
    Subject: Complete CLIENT's survey and receive a special offer for your time
    Date: Fri, 12 Nov 2004 10:51:10 -0500

MUST NOT SPOOF MESSAGE!!

    From: CLIENT <surveys@CLIENT.com>
    To: Rebecca Smith <rsmith@yahoo.com>
    Subject: Complete CLIENT's survey and receive a special offer for your time
    Date: Fri, 12 Nov 2004 10:51:10 -0500

Sender authentication systems:
- Microsoft – Bonded Sender
- Yahoo! – Domain Keys
- AOL – Sender Policy Framework
Sender I.D. systems check for spoofing and could route such emails to the bulk folder or append a warning message.
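The following is an added example, not code from the original presentation, that shows how a sender-authentication check of the SPF kind distinguishes the two messages on this slide. It evaluates the sending server's IP against the SPF record published by the From-address domain (a simplification: real SPF checks the envelope sender, while Sender ID's PRA check uses the header From as done here). All DNS records, IP addresses and the domains rf.example and client.example are constructed placeholders for the research firm and its client.

```python
"""SPF-style sender check over constructed DNS data (added example)."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed TXT records: each domain lists the hosts allowed to send mail for it.
# rf.example stands for the research firm, client.example for its client.
DNS_TXT = {
    "rf.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "client.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.200 -all",
}

# Disposition a receiving system could apply to each SPF result (assumption,
# modelled on the slide: failures go to the bulk folder or get a warning).
DISPOSITION = {
    "pass": "inbox",
    "fail": "bulk folder",
    "softfail": "inbox with warning",
    "neutral": "inbox (unauthenticated)",
    "none": "inbox (unauthenticated)",
    "permerror": "inbox with warning",
}


def check_spf(ip, domain, dns=DNS_TXT, depth=0):
    """Evaluate a sending IP against a domain's SPF record.

    Supports the ip4: and include: mechanisms and the all terminator with
    its qualifier (+, -, ~, ?). Returns an SPF result string.
    """
    if depth > 10:  # SPF limits recursive lookups to 10 (RFC 7208)
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.startswith("include:"):
            # include: matches only when the referenced domain would pass
            if check_spf(ip, term[8:], dns, depth + 1) == "pass":
                return "pass"
        elif term.endswith("all"):
            qualifier = term[0] if term[0] in "+-~?" else "+"
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"  # record exhausted without a terminating 'all'


def classify(raw_message, sending_ip, dns=DNS_TXT):
    """Return (spf_result, disposition) for a message received from sending_ip,
    using the domain of the header From address as the checked identity."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2]
    result = check_spf(sending_ip, domain, dns) if domain else "none"
    return result, DISPOSITION[result]


# Constructed messages mirroring the slide; the research firm's server
# (203.0.113.10) sends both.
LEGIT = """From: RF on behalf of CLIENT <surveys@rf.example>
To: Rebecca Smith <rsmith@example.net>
Subject: Complete CLIENT's survey and receive a special offer for your time
Date: Fri, 12 Nov 2004 10:51:10 -0500

Please complete the survey at the link below.
"""

SPOOFED = """From: CLIENT <surveys@client.example>
To: Rebecca Smith <rsmith@example.net>
Subject: Complete CLIENT's survey and receive a special offer for your time
Date: Fri, 12 Nov 2004 10:51:10 -0500

Please complete the survey at the link below.
"""

if __name__ == "__main__":
    for label, raw in (("on behalf of", LEGIT), ("spoofed", SPOOFED)):
        print(label, classify(raw, "203.0.113.10"))
```

The "on behalf of" invitation passes because rf.example authorizes the research firm's address block; the spoofed one fails because client.example never listed that server, and a receiving system acting on the result would file it in the bulk folder.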
Industry implications
Data security and retention
- Physical, electronic and organizational
- Minimum and maximum retention periods
International data flows
- U.S. state laws could impact Canadian call centres and outsourcing overseas
- One motive of these laws is protectionism (many U.S. jobs have been outsourced to low-wage countries)
Notes:
Data security and retention – what controls are placed on keeping data secure? Should institute minimum and maximum retention periods. Destroy personal information when it is no longer needed.
Industry implications
- Contracts with clients that include indemnities and privacy protection clauses
- Increasing number of multinational clients require completion of comprehensive privacy assessment forms
- Research is becoming more difficult to conduct
Notes:
- TNS standard terms and conditions (includes a clause regarding compliance with privacy).
- Privacy audit questionnaires – receive about one per month.
Helpful resources
Helpful resources
- Federal Privacy Commissioner's website: www.privcom.gc.ca
- International Association of Privacy Professionals: www.privacyassociation.org
- Nymity (privacy consulting firm): www.nymity.com
- CAMRO Privacy Protection Handbook
Helpful resources
CAMRO Privacy Protection Handbook
- CD-ROM Version 1.0 released October 2003
- 40 sold to date
- Over 90 pages of advice
- Includes legal agreements prepared by a privacy lawyer (Brian Bowman, Pitblado)
- Version 2.0 to be MRIA-branded and issued soon
- Includes expanded policy section and appendices unique to qual. research
Thank you
E-mail: david.stark@tns-global.com
Tel.: (416) 924-5751