Speaker notes

  • Privacy legislation overview
    • FOIA – first law to establish a legal right of access to federal government information.
    • Privacy Act (U.S.) – regulates the collection, use and dissemination of personal information by federal executive branch agencies.
    • Quebec – first jurisdiction in North America to pass comprehensive privacy legislation affecting the private sector.
    • EU Privacy Directive – the export of personal information from a European country to a country that does not offer adequate protection of such information is prohibited.
    • Safe Harbor – the Commerce Department's response, to make it possible for U.S. firms to continue cross-border data flows with EU countries.

  • U.S. federal regulations (1)
    • VPPA – passed by Congress in response to the controversy surrounding the release of Judge Robert Bork's video rental records during his failed Supreme Court nomination. The Act prohibits video tape service providers from disclosing customer rental records without the informed, written consent of the consumer.
    • TCPA – restrictions on unsolicited faxes (written opt-in effective 06/05); restrictions on calling cell phones with auto-dialers; national do-not-call registry for telemarketers (07/03); requirement for telemarketers to show caller I.D. (01/04); telephone curfew at 9 p.m.
    • DPPA – Congress enacted the Driver's Privacy Protection Act after the murder of actress Rebecca Schaeffer; her assailant had obtained her address from the California Department of Motor Vehicles. The Act generally prohibits states from disclosing the personal information that drivers submit in order to obtain driver's licenses.
    • TSR – deceptive telemarketing practices such as sugging, mugging and frugging (selling, marketing or fundraising under the guise of research) made illegal. Telephone curfew at 9 p.m.

  • U.S. federal regulations (2)
    • HIPAA – confidentiality of health records.
    • FMA (Gramm-Leach-Bliley) – regulates the sharing of personal information about individuals who obtain financial products or services from financial institutions.
    • COPPA – website operators must obtain verifiable parental consent before collecting personal information online from children under 13.
    • CAN-SPAM – "Controlling the Assault of Non-Solicited Pornography and Marketing Act".

  • U.S. state regulations
    • CA OPPA – significant because the law effectively applies to website operators in each of the 50 states. The law stipulates four requirements that must be included in an organization's privacy policy: (1) the categories of PII collected and the third-party organizations with whom the information may be shared; (2) if the operator maintains a process for individuals to review and request changes to their PII, a description of that process; (3) a description of how the organization notifies individuals of material changes to the privacy policy; (4) the effective date of the privacy policy. These are significant because CA's law more closely resembles the European approach (comprehensive laws affecting all organizations in all sectors) than the U.S. sectoral approach.

  • What's driving consumer privacy laws?
    • Consumers want greater control over how their personal information is used by organizations.
    • Popularity of the Do-Not-Call Registry: by September 2004, consumers had registered over 64 million phone numbers.
    • Outsourcing offshore: the EU Privacy Directive is having an impact; India has no national privacy law; a subcontractor threatened to post Americans' PII on the Internet over an unpaid invoice.
    • Proposed legislation in the U.S. would require U.S. firms to disclose to consumers that their personal information may go offshore for processing. Another proposed bill would require offshore call centers to tell Americans where they are calling from and give them the choice of speaking to someone in the U.S.

  • Industry implications: third-party disclosures
    • Customer lists for telephone and mail studies – ideally should be based on opt-out consent, and such disclosures should be mentioned in the client's privacy policy.
    • Customer lists for online studies – must be based on explicit, opt-in consent for a third-party research firm to contact them.
    • The same rules apply to list brokers / sample providers.
    • Database marketing – should get respondents' consent to link their personally-identifiable survey responses with their customer records.
    • Online research carries too many risks if there isn't opt-in consent (e.g. the Harris Interactive case, ISP shutdowns, CAN-SPAM).

  • Industry implications: sender authentication
    • Sender authentication systems adopted by the large mail providers: Microsoft – Bonded Sender; Yahoo! – DomainKeys; AOL – Sender Policy Framework (SPF).
    • These sender-identification systems check whether the sending server is authorized for the domain shown in the message headers; mail that fails the check could be routed to the bulk folder or have a warning message appended.

  • Industry implications: data security and retention
    • What controls are placed on keeping data secure? Institute minimum and maximum retention periods, and destroy personal information when it is no longer needed.

  • Industry implications: contracts
    • TNS standard terms and conditions include a clause regarding compliance with privacy law.
    • Privacy audit questionnaires from clients – we receive about one per month.
Privacy one year later
Compliance and industry issues in Canada and the United States
David W. Stark
MRIA Alberta Chapter, January 20, 2005

Agenda
  • Privacy legislation overview
  • Compliance: is it working?
  • Industry implications
  • Helpful resources
  • Q&A

Privacy legislation overview (timeline, 1966 to 2004)
  • Freedom of information access
    • 1966 – Freedom of Information Act – U.S.
    • Access to Info. Act – Canada (chart shows 1980 and 1985 for the two Canadian acts)
  • Privacy and protection of personal data
    • 1974 – Privacy Act – U.S.
    • Privacy Act – Canada
    • 1994 – Privacy Legislation – Quebec
    • 1998 – EU Privacy Directive
    • 2000 – Safe Harbor – U.S.
    • 2001-2004 – PIPEDA – Canada; PIPA – AB & BC
Canadian approach to privacy
  • Federal regulations
    • Competition Act (1985; rev. 1999 and 2001)
    • CRTC Telemarketing Rules (1994; rev. 2004)
    • PIPEDA (2001-2004) – comprehensive law affecting all industries in the private sector
    • Bill C-37 (2005?) – would establish a national do-not-call registry
    • Anti-spam legislation (2005?)

Canadian approach to privacy
  • Provincial regulations
    • Personal information protection acts – QC, AB, BC
    • Personal health information acts – AB, SK, MB, ON
  • With PIPEDA and its provincial counterparts, Canada's privacy framework is closer to Europe's than to the U.S. approach
U.S. approach to privacy – sectoral
  • Federal regulations
    • Video Privacy Protection Act (1988)
    • Telephone Consumer Protection Act (1991)
    • Driver's Privacy Protection Act (1994)
    • Telemarketing Sales Rule (1996)

U.S. approach to privacy – sectoral
  • Federal regulations
    • Health Insurance Portability and Accountability Act (1996)
    • Financial Modernization Act (Gramm-Leach-Bliley) (1999)
    • Children's Online Privacy Protection Act (2000)
    • CAN-SPAM Law (2003)

U.S. approach to privacy – sectoral
  • Federal regulations
    • Eavesdropping and taping laws (FCC) – telephone interviewing, focus groups
    • Federal Trade Commission Act (Section 5) – obligation to abide by one's posted privacy policies

U.S. approach to privacy – sectoral
  • State regulations
    • Anti-spam laws
    • Do-not-call laws and lists
    • Telephone curfew laws
    • Eavesdropping and taping
    • California's Online Privacy Protection Act (CA OPPA) – must post a privacy policy on the website if collecting personally-identifiable information from CA residents

What's driving consumer privacy laws?
  • Most privacy regulations enacted since the early 1990s
  • Coincides with the digital information age – databases of PII that can be manipulated and moved offshore at the click of a button
  • Public opinion – greater intrusion into consumers' lives; they want to be left alone
  • Outsourcing offshore
Compliance: is it working?

Compliance in Canada
  • Low awareness of PIPEDA and provincial privacy laws
  • Federal Privacy Commissioner has treated offending organizations with kid gloves
  • Commissioner's Office understaffed
  • Still, in general, Canadian firms seem to be more privacy-conscious than their U.S. counterparts

Compliance in the United States
  • Patchwork of privacy laws difficult for organizations
  • Multinationals would prefer a national privacy law (similar to PIPEDA)
  • FTC names offending organizations on its website
  • Private right of action in many U.S. laws gives rise to class action suits
  • EU study suggests several U.S. firms on the Safe Harbor list are not in compliance
Industry implications

Industry implications
  • Third-party disclosures
    • Clients' customer lists
    • Respondent PII shared with clients
    • List brokers / sample providers
    • Qualitative research: recruiter, moderator, facility
  • Online research
    • Explicit opt-in consent
    • Must not spoof message headers
    • ISP shutdowns
  [Diagram: data flows between customer, research client and research supplier]

When research firm (RF) sends invitation from its domain…
  • Correct header (sent from RF's own domain):
    From: RF on behalf of CLIENT <xxxxxx@RF.com>
    To: Rebecca Smith <rsmith@yahoo.com>
    Subject: Complete CLIENT's survey and receive a special offer for your time
    Date: Fri, 12 Nov 2004 10:51:10 -0500
  • MUST NOT SPOOF MESSAGE!! (From: address forged as the client's domain):
    From: CLIENT <surveys@CLIENT.com>
    To: Rebecca Smith <rsmith@yahoo.com>
    Subject: Complete CLIENT's survey and receive a special offer for your time
    Date: Fri, 12 Nov 2004 10:51:10 -0500

Industry implications
  • Data security and retention
    • Physical, electronic and organizational
    • Minimum and maximum retention periods
  • International data flows
    • U.S. state laws could impact Canadian call centres and outsourcing overseas
    • One motive of these laws is protectionism (many U.S. jobs have been outsourced to low-wage countries)

Industry implications
  • Contracts with clients that include indemnities and privacy protection clauses
  • Increasing number of multinational clients require completion of comprehensive privacy assessment forms
  • Research is becoming more difficult to conduct
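Added example (not part of the presentation or of any TNS or MRIA material): a minimal SPF evaluator plus a From/envelope alignment check, in Python, showing what a receiving ISP's sender authentication system does with the two invitations above. SPF is evaluated against the envelope sender (Return-Path), and the visible From: domain must then match it. The domains rf.com and client.com, the IP addresses, the Return-Path values and the SPF records are constructed stand-ins for what a real verifier would fetch via DNS TXT lookups.

```python
import email
import ipaddress
from email.utils import parseaddr

# Constructed SPF records (offline stand-in for DNS TXT lookups).
# Domains, addresses and records are hypothetical.
SPF_RECORDS = {
    "rf.com": "v=spf1 ip4:203.0.113.0/24 -all",
    # CLIENT authorizes its own server and delegates to RF's range via include:
    "client.com": "v=spf1 ip4:198.51.100.10 include:rf.com -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Evaluate an SPF record for (domain, sender_ip).

    Supports the ip4, ip6, include and all mechanisms with their qualifiers.
    Mechanisms that need live DNS (a, mx, ptr, exists, redirect) are treated
    as non-matching so the example runs offline.
    """
    if depth > 10:                      # RFC 7208 caps include recursion
        return "permerror"
    record = records.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip in network:           # an IPv4/IPv6 version mismatch just does not match
                return QUALIFIERS[qualifier]
        elif name == "include":
            if check_spf(arg, sender_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched and no "all" term


def domain_of(header_value):
    """Extract the lower-cased domain from an RFC 5322 address header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def classify(raw_message, sender_ip, records=SPF_RECORDS):
    """SPF result for the envelope sender plus strict From: alignment."""
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    spf = check_spf(envelope_domain, sender_ip, records)
    aligned = from_domain == envelope_domain
    if spf == "pass" and aligned:
        verdict = "pass"
    elif spf == "pass":
        verdict = "unaligned"           # authorized server, but From: claims another domain
    elif spf in ("fail", "softfail"):
        verdict = "fail"
    else:
        verdict = "unverified"
    return {"from": from_domain, "envelope": envelope_domain, "spf": spf,
            "aligned": aligned, "verdict": verdict}


def build(from_header, return_path):
    """Assemble a constructed invitation using the headers from the slide."""
    return (f"Return-Path: <{return_path}>\n"
            f"From: {from_header}\n"
            "To: Rebecca Smith <rsmith@yahoo.com>\n"
            "Subject: Complete CLIENT's survey and receive a special offer for your time\n"
            "Date: Fri, 12 Nov 2004 10:51:10 -0500\n\n"
            "Please take our survey.\n")


# 203.0.113.5 is inside rf.com's published range; 192.0.2.77 is authorized by nobody.
HONEST = classify(build("RF on behalf of CLIENT <xxxxxx@RF.com>", "xxxxxx@RF.com"), "203.0.113.5")
SPOOFED = classify(build("CLIENT <surveys@CLIENT.com>", "xxxxxx@RF.com"), "203.0.113.5")
DELEGATED = classify(build("CLIENT <surveys@CLIENT.com>", "surveys@CLIENT.com"), "203.0.113.5")
FORGED = classify(build("CLIENT <surveys@CLIENT.com>", "surveys@CLIENT.com"), "192.0.2.77")

if __name__ == "__main__":
    for label, result in [("honest", HONEST), ("spoofed", SPOOFED),
                          ("delegated", DELEGATED), ("forged", FORGED)]:
        print(f"{label:10} spf={result['spf']:8} aligned={str(result['aligned']):5} -> {result['verdict']}")
```

The "honest" message passes because RF sends from its own domain. The "spoofed" message is the second header block on the slide: RF's server is authorized for rf.com, but the From: claims CLIENT.com, so alignment fails and a provider can bulk-folder or flag it. The "delegated" case is the compliant way to send in the client's name: the client publishes an include: for the research firm's servers in its own SPF record, after which both SPF and alignment pass. The "forged" case, sent from an unauthorized address, fails SPF outright.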
Helpful resources

Helpful resources
  • Federal Privacy Commissioner's website – www.privcom.gc.ca
  • International Association of Privacy Professionals – www.privacyassociation.org
  • Nymity (privacy consulting firm) – www.nymity.com
  • CAMRO Privacy Protection Handbook

Helpful resources
  • CAMRO Privacy Protection Handbook
    • CD-ROM Version 1.0 released October 2003
    • 40 sold to date
    • Over 90 pages of advice
    • Includes legal agreements prepared by privacy lawyer (Brian Bowman, Pitblado)
    • Version 2.0 to be MRIA-branded and issued soon
    • Includes expanded policy section and appendices unique to qualitative research

Thank you
  • E-mail: david.stark@tns-global.com
  • Tel.: (416) 924-5751