name of presenter(s) or subtitle privacy laws and their impact on research david w. stark mria b.c....

Name of presenter(s) or subtitle

Privacy laws and their impact on research

David W. Stark

MRIA B.C. Chapter

November 2, 2005

Privacy laws and theirimpact on research

3©2005 TNS Canadian Facts

Agenda

Privacy legislation overview

• Canadian & U.S. laws

Compliance: is it working?

Industry implications

Helpful resources

Q&A

4©2005 TNS Canadian Facts

Privacy legislation overview

Freedom of Information Access

Privacy and Protection of Personal Data

1980 1998 2001-2004

Privacy A

ct - Canada

Access to In

fo. Act -

Canada

1985 1994

Privacy Legislatio

n - Quebec

EU Privacy D

irectiv

e

PIPEDA -

Canada

PIPA -

AB & B

C

1966 1974

Freedom of Inform

ation A

ct – U

.S.

Privacy A

ct – U

.S.

2000

Safe Harb

or – U

.S.

5©2005 TNS Canadian Facts

Canadian laws

Federal regulations

Competition Act (1985; rev. 1999 and 2001)

CRTC Telemarketing Rules (1994; rev. 2004)

PIPEDA (2001-2004)• Comprehensive law affecting all

industries in private sector

Bill C-37 (2005?)• Would establish a national do-

not-call registry

Anti-spam legislation (2006?)

6©2005 TNS Canadian Facts

Canadian laws

Provincial regulations

Personal information protection acts

• Quebec (1995)

• Alberta (2004)

• British Columbia (2004)

Personal health information acts

• Alberta, Saskatchewan, Manitoba and Ontario

7©2005 TNS Canadian Facts

U.S. laws

Federal Regulations

Telephone Consumer Protection Act (1991)

Telemarketing Sales Rule (1996)

Health Insurance Portability and Accountability Act (1996)

Financial Modernization Act (Graham-Leach-Bliley) (1999)

Children’s Online Privacy Protection Act (2000)

USA PATRIOT Act (2001)

CAN-SPAM Law (2003)

8©2005 TNS Canadian Facts

U.S. laws

Federal Regulations

Federal Trade Commission Act (Section 5)

• Obligation to abide by one’s posted privacy policies

Eavesdropping and Taping Laws (FCC)

• Telephone interviewing, focus groups

9©2005 TNS Canadian Facts

U.S. laws

State Regulations

Anti-spam laws

Do-not-call laws and lists

California’s Online Privacy Protection Act (CA OPPA)

• Must post privacy policy on website if collecting personally-identifiable information from CA residents.

California (Senate Bill 1386)• Must notify state residents of

actual or suspected breach of unencrypted data

10©2005 TNS Canadian Facts

U.S. laws

State Regulations

Other states passing legislation similar to California’s privacy laws

28 pending bills in 17 states that would regulate offshoring of personal information

• Offshoring of state contracts

• Disclosure of location and name of call centre

• Prohibition against sending PII to non-U.S. recipients

11©2005 TNS Canadian Facts

What’s driving consumer privacy laws?

Most privacy regulations enacted since early 1990s

Coincides with digital information age

• Databases of PII that can be manipulated and moved offshore at click of a button

Public opinion

Identity theft

• “fastest growing crime in the nation” - FTC

Outsourcing offshore

Compliance: is it working?

13©2005 TNS Canadian Facts

Compliance in Canada

Low awareness of PIPEDA and provincial privacy laws

Federal Privacy Commissioner has treated offending organizations with kid gloves

Commissioner’s Office understaffed

Still, in general, Canadian firms seem to be more privacy-conscious than their U.S. counterparts

14©2005 TNS Canadian Facts

Compliance in the United States

Patchwork of privacy laws difficult for organizations

Multinationals would prefer a national privacy law (similar to PIPEDA)

FTC names offending organizations on its website

Private right of action in many U.S. laws gives rise to class action suits

EU study suggests several U.S. firms on Safe Harbor list are not in compliance

Industry implications

16©2005 TNS Canadian Facts

Industry implications

Third-party disclosures

• Clients’ customer lists

• Sharing respondents’ personally-identifiable information with clients

• List brokers / sample providers

• Qualitative research: recruiter, moderator, facility

Online research

• Explicit opt-in consent

• ISP shutdowns

customer

research client

research supplier

17©2005 TNS Canadian Facts

Industry implications

Data security and retention

• Physical, electronic and organizational

• Minimum and maximum retention periods

International data flows

• U.S. state laws could impact Canadian call centres and data processing firms

• Main motive of these laws is protectionism (many U.S. jobs have been outsourced to low-wage countries)

18©2005 TNS Canadian Facts

Industry implications

Contracts with clients that include indemnities and privacy protection clauses

Increasing number of clients require completion of comprehensive privacy assessment forms

Research is becoming more difficult to conduct

Helpful resources

20©2005 TNS Canadian Facts

Helpful resources

Federal Privacy Commissioner’s website

• www.privcom.gc.ca

International Association of Privacy Professionals

• www.privacyassociation.org

Nymity (privacy consulting firm)

• www.nymity.com

MRIA Privacy Protection Handbook (formerly CAMRO)

21©2005 TNS Canadian Facts

Thank you

E-mail: david.stark@tns-global.com

Tel.: (416) 924-5751