Privacy one year later: Compliance and industry issues in Canada and the United States. David W. Stark, MRIA Alberta Chapter, January 20, 2005

Page 1

Privacy one year later

Compliance and industry issues in Canada and the United States

David W. Stark

MRIA Alberta Chapter

January 20, 2005

Page 2

Privacy one year later

Page 3

©2004 TNS - Confidential

Agenda

Privacy legislation overview

Compliance: is it working?

Industry implications

Helpful resources

Q&A

Page 4

Privacy legislation overview

[Timeline figure. Tracks: Freedom of Information Access; Privacy and Protection of Personal Data. Year markers: 1966, 1974, 1980, 1985, 1994, 1998, 2000, 2001-2004. Labelled items: Freedom of Information Act – U.S.; Privacy Act – U.S.; Privacy Act - Canada; Access to Info. Act - Canada; Privacy Legislation - Quebec; EU Privacy Directive; Safe Harbor – U.S.; PIPEDA - Canada; PIPA - AB & BC]

Page 5

Canadian approach to privacy

Federal regulations

Competition Act (1985; rev. 1999 and 2001)

CRTC Telemarketing Rules (1994; rev. 2004)

PIPEDA (2001-2004)

• Comprehensive law affecting all industries in private sector

Bill C-37 (2005?)

• Would establish a national do-not-call registry

Anti-spam legislation (2005?)

Page 6

Canadian approach to privacy

Provincial regulations

Personal information protection acts

• QC, AB, BC

Personal health information acts

• AB, SK, MB, ON

With PIPEDA and its provincial counterparts, Canada’s privacy framework is closer to Europe than U.S.

Page 7

U.S. approach to privacy – sectoral

Federal regulations

Video Privacy Protection Act (1988)

Telephone Consumer Protection Act (1991)

Driver’s Privacy Protection Act (1994)

Telemarketing Sales Rule (1996)

Page 8

U.S. approach to privacy – sectoral

Federal regulations

Health Insurance Portability and Accountability Act (1996)

Financial Modernization Act (Gramm-Leach-Bliley) (1999)

Children’s Online Privacy Protection Act (2000)

CAN-SPAM Law (2003)

Page 9

U.S. approach to privacy – sectoral

Federal regulations

Eavesdropping and Taping Laws (FCC)

• Telephone interviewing, focus groups

Federal Trade Commission Act (Section 5)

• Obligation to abide by one’s posted privacy policies

Page 10

U.S. approach to privacy – sectoral

State regulations

Anti-spam laws

Do-not-call laws and lists

Telephone curfew laws

Eavesdropping and taping

California’s Online Privacy Protection Act (CA OPPA)

• Must post privacy policy on website if collecting personally-identifiable information from CA residents.

Page 11

What’s driving consumer privacy laws?

Most privacy regulations enacted since early 1990s

Coincides with digital information age

• Databases of PII that can be manipulated and moved offshore at click of a button

Public opinion

• Greater intrusion into consumers’ lives – want to be left alone

Outsourcing offshore

Page 12

Compliance: is it working?

Page 13

Compliance in Canada

Low awareness of PIPEDA and provincial privacy laws

Federal Privacy Commissioner has treated offending organizations with kid gloves

Commissioner’s Office understaffed

Still, in general, Canadian firms seem to be more privacy-conscious than their U.S. counterparts

Page 14

Compliance in the United States

Patchwork of privacy laws difficult for organizations

Multinationals would prefer a national privacy law (similar to PIPEDA)

FTC names offending organizations on its website

Private right of action in many U.S. laws gives rise to class action suits

EU study suggests several U.S. firms on Safe Harbor list are not in compliance

Page 15

Industry implications

Page 16

Industry implications

Third-party disclosures

• Clients’ customer lists

• Respondent PII shared with clients

• List brokers / sample providers

• Qualitative research: recruiter, moderator, facility

Online research

• Explicit opt-in consent

• Must not spoof message headers

• ISP shutdowns

[Diagram labels: customer, research client, research supplier]

Page 17

When research firm (RF) sends invitation from its domain…

From: RF on behalf of CLIENT <[email protected]>

To: Rebecca Smith <[email protected]>

Subject: Complete CLIENT’s survey and receive a special offer for your time

Date: Fri, 12 Nov 2004 10:51:10 -0500

From: CLIENT <[email protected]>

To: Rebecca Smith <[email protected]>

Subject: Complete CLIENT’s survey and receive a special offer for your time

Date: Fri, 12 Nov 2004 10:51:10 -0500

MUST NOT SPOOF MESSAGE!!

Page 18

Industry implications

Data security and retention

• Physical, electronic and organizational

• Minimum and maximum retention periods

International data flows

• U.S. state laws could impact Canadian call centres and outsourcing overseas

• One motive of these laws is protectionism (many U.S. jobs have been outsourced to low-wage countries)

Page 19

Industry implications

Contracts with clients that include indemnities and privacy protection clauses

Increasing number of multinational clients require completion of comprehensive privacy assessment forms

Research is becoming more difficult to conduct

Page 20

Helpful resources

Page 21

Helpful resources

Federal Privacy Commissioner’s website

• www.privcom.gc.ca

International Association of Privacy Professionals

• www.privacyassociation.org

Nymity (privacy consulting firm)

• www.nymity.com

CAMRO Privacy Protection Handbook

Page 22

Helpful resources

CAMRO Privacy Protection Handbook

• CD-ROM Version 1.0 released October, 2003

• 40 sold to date

• Over 90 pages of advice

• Includes legal agreements prepared by privacy lawyer (Brian Bowman, Pitblado)

• Version 2.0 to be MRIA-branded and issued soon

• Includes expanded policy section and appendices unique to qual. research

Page 23

Thank you

E-mail: [email protected]

Tel.: (416) 924-5751