The Marketing Research Association (MRA) has some serious concerns about the rules proposed in this Notice of Proposed Rulemaking (NPRM). While the existing Federal Communications Commission (FCC) rules restricting customer proprietary network information (CPNI) if expanded to broadband providers wouldn’t at first glance impinge on researchers outside of such companies, the short and long-term impact on research could be negative. The proposed rules restrict the collection, use and disclosure of all sorts of data by broadband providers, including for research purposes, while carving out some specific marketing purposes. As postulated by Kate Kaye, while unlikely, “theoretically, if every mobile user decided not to opt-in to data sharing, it would cut off a vast estuary of data streaming throughout the ecosystem at its source.”
In these comments, MRA will: (1) explain survey, opinion and marketing research; (2) recommend an alternative regulatory frameworks; (3) share our concerns about the expansive definitions of data covered by the proposed rules; (4) urge changes to the treatment of aggregated and de-identified data; and (5) propose an exemption for the collection, use and disclosure of data strictly for bona fide research purposes.
Survey, opinion and marketing research
MRA is a non-profit national membership association representing the survey, opinion and marketing research profession. MRA promotes, advocates for, and protects the integrity of the research profession, and works to improve research participation and quality.
Survey and opinion research is the systematic, objective investigation and analysis of the opinions, attitudes and behavior of a statistically-selected group of people. On behalf of their clients – including the government (the world’s largest purchaser), media, political campaigns, and commercial and non-profit entities — researchers design studies and collect and analyze data from small but statistically-balanced samples of the public. Researchers seek to determine the public’s opinion and behavior regarding products, services, issues, candidates and other topics. Such information is used to develop new products, improve services, and inform policy.
Survey, opinion and marketing research is thus sharply distinguished from commercial activities, like marketing, advertising and sales. In fact, MRA and other research associations prohibit and attempt to combat sales or fundraising under the guise of research (referred to as “sugging” and “frugging”), “push polls,” and any attempts to influence or alter the attitudes or behavior of research participants as a part of the research process. Quite to the contrary, professional research has as its mission the true and accurate assessment of public sentiment in order to help individuals, companies and organizations design products, services and policies that meet the needs of and appeal to the public.
Alternative regulatory frameworks
The NPRM references six proposed frameworks for handling online privacy, different from the FCC’s proposed rules. We have some affinity in particular for aspects of the Information Technology and Innovation Foundation (ITIF) Framework.
According to the NPRM, the ITIF Framework calls for the FCC declare broadband providers “noncommon carrier services” for privacy purposes, which would allow the Federal Trade Commission (FTC) “exercise jurisdiction over their privacy practices,” or to “limit rules to those which correspond as much as possible to the FTC’s past privacy enforcement in this area. ITIF suggests that any fines enforcing such rules be tied to actual consumer harm and amplified when the harm was intentional.”
The NPRM itself spends a lot of time exploring and extolling the FTC’s various initiatives, best practice recommendations, workshops and enforcement actions regarding online privacy. Until the FCC’s 2015 Open Internet Order (which reclassified broadband providers as common carriers under Title II of the Communications Act), the FTC had done a reasonable job protecting consumer privacy and data security in the broadband context, using its Section 5 authority focused on unfair or deceptive acts and practices. The NPRM presents no evidence to suggest otherwise. However, the Open Internet Order (advertently or inadvertently) required the FCC to take some kind of action on broadband privacy, because it shifted authority for it from the FTC to the FCC.
Like ITIF, MRA urges the FCC to either revert that authority back to the FTC (at least for privacy purposes), where the expertise and track record for online privacy regulation resides, or to approach privacy regulation in a similar fashion as the FTC does, with a limited focus on stopping unfair or deceptive acts and practices.
Definition of customer proprietary information
The NPRM proposes to define “customer proprietary information” to encompass both “customer proprietary network information” (pre-existing in the statute for telecommunications privacy) and “personally identifiable information (PII) a carrier acquires in connection to its provision of telecommunications service.” In turn, the term “personally identifiable information” or “PII” means “any information that is linked or linkable to an individual.”
Because the NPRM is so restrictive of what carriers can do with this data, how it can be disclosed to third parties, and how it must be secured, the scope of the definition is extremely important. Depending on who you ask, just about any piece of data could be “linked or linkable to an individual,” making everything PII.
The FCC certainly takes the broadest view possible of what constitutes PII. The NPRM proposes to include as PII almost any kind of data, sensitive and non-sensitive, including, but “not limited to: name; Social Security number; date and place of birth; mother’s maiden name; unique government identification numbers (e.g., driver’s license, passport, taxpayer identification); physical address; email address or other online contact information; phone numbers; MAC address or other unique device identifiers; IP addresses; persistent online identifiers (e.g., unique cookies); eponymous and non-eponymous online identities; account numbers and other account information, including account login information; Internet browsing history; traffic statistics; application usage data; current or historical geo-location; financial information (e.g., account numbers, credit or debit card numbers, credit history); shopping records; medical and health information; the fact of a disability and any additional information about a customer’s disability; biometric information; education information; employment information; information relating to family members; race; religion; sexual identity or orientation; other demographic information; and information identifying personally owned property (e.g., license plates, device serial numbers).”
Under these proposed rules, for instance, broadband providers would be required to notify customers of a breach of data security (even simple accidental access) within seven days for even the most mundane data, like MAC or IP addresses (which are generally public information). State and federal law ordinarily focuses on data which, when breached, could be subject to criminal abuse, like social security numbers and financial account information. The deluge of needless notices would render them effectively useless for consumers. Also, while most state and federal laws carve an exemption from breach notification for data that has been appropriately encrypted, the NPRM treats encrypted data the same as unsecured data.
More importantly for MRA’s members, the NPRM effectively proposes that research use of customer PI, or sharing of customer PI with third parties or affiliates for research purposes, would require opt in consent. The FCC proposes to require broadband “providers to give a customer the opportunity to opt out of the use or sharing of her customer PI prior to the BIAS provider (1) using the customer’s PI to market other communications related services to the customer; or (2) sharing the customer’s PI with affiliates that provide communications-related services, in order to market those communications-related services to the customer. We also propose to require BIAS providers to solicit and receive opt-in approval from a customer before using customer PI for other purposes and before disclosing customer PI to (1) affiliates that do not provide communications-related services and (2) all non-affiliate third parties.”
Aggregate and de-identified data
The NPRM recognizes that “aggregate, non-identifiable customer information can be useful to BIAS providers and the companies they do business with, and not pose a risk to the privacy of consumers.” It then proposes to curtail that usefulness.
The NPRM would allow broadband providers “to use, disclose, and permit access to aggregate customer PI if the provider (1) determines that the aggregated customer PI is not reasonably linkable to a specific individual or device; (2) publicly commits to maintain and use the aggregate data in a non-individually identifiable fashion and to not attempt to re-identify the data; (3) contractually prohibits any entity to which it discloses or permits access to the aggregate data from attempting to re-identify the data; and (4) exercises reasonable monitoring to ensure that those contracts are not violated. We also propose that the burden of proving that individual customer identities and characteristics have been removed from aggregate customer PI rests with the BIAS provider.”
The rationale for all these limitations appears to be that any aggregate data could be re-identified, which is a matter of long-running technical and academic debate.
Sensible exceptions for aggregate data generally also apply equally to de-identified data, but the NPRM asserts instead that de-identified “non-collective” data should receive no special treatment. That assertion appears to be made because the statute only discusses aggregate data, not de-identified data.
However, as Commissioner Michael O’Reilly points out in his statement dissenting to the NPRM, “Section 222(c)(3) makes clear that carriers “may use, disclose, or permit access to aggregate customer information.” The only condition on aggregate customer information is that it must be provided to other carriers or persons on reasonable and nondiscriminatory terms or conditions upon reasonable request, and that condition was included to address competitive concerns, not privacy. Therefore, the FCC has no authority to impose additional conditions on aggregate customer information, and certainly not ones related to privacy.”
Because the NPRM’s limitations on the use and disclosure of aggregate or de-identified customer PI do not appear to be based in the statute, and that such data can be of such great value to companies and consumers when used for research and analysis, MRA urges the FCC to not restrict such use and disclosure of aggregate and de-identified data.
Exemption for bona fide research purposes
Consumer privacy concerns, such as they exist, generally focus more on data use than its mere existence or collection. Certain types of data may be considered more sensitive than others, but even those are dependent both on an individual’s subjective judgment and the context in which those data are used.
MRA generally supports a privacy regulation model based on intended use – different protections and requirements for data privacy, depending on the uses to which that data will be put. Data collected, used and shared strictly for bona fide research should be held to a different standard than ordinary commercial or marketing use, which will differ from purely transactional use. Those uses should all be treated differently than data used for determining a consumer’s eligibility for things like health insurance, credit or a mortgage, or data used to prosecute crimes or prevent terrorism. Research purposes, unlike most of the other purposes, involve data collection, sharing and use of information about individuals only to understand broader population segments and demographic groups. Therefore, customer PI used and disclosed for research purposes should be subject to less stringent controls than many other purposes.
MRA urges the FCC to consider an exemption for bona fide research from the restrictions and limitations on customer PI use and disclosure in this NPRM.
In consultation with the broader research profession, MRA developed a legal definition of bona fide survey, opinion and marketing research: “the collection and analysis of data regarding opinions, needs, awareness, knowledge, views, experiences and behaviors of a population, through the development and administration of surveys, interviews, focus groups, polls, observation, or other research methodologies, in which no sales, promotional or marketing efforts are involved and through which there is no attempt to influence a participant’s attitudes or behavior.”
Should the FCC have concerns about how researchers would protect and secure customer PI, and be unsatisfied by self-regulation, we suggest that the agency require that recipients of the customer PI be contractually obligated to only use the data for bona fide research purposes, in order to protect the sanctity of the data and the whole research chain.
The proposed bona fide research exemption for use, and for disclosure to affiliates and third parties, would be essential to the research profession, because data is our lifeblood.
We operate in an environment of significant public apathy with respect to research participation, and falling research “response” rates, driving up the cost of and time involved in achieving the required number and strata of participants to reach viable representative samples for most research studies. That always informs MRA’s worries that any new regulatory impediments to research could make it harder to reach and involve research participants, increase non-response bias, make it more difficult to share and learn from data, and adversely impact the accuracy of research insights.
MRA urges the FCC to: (1) consider either deferring privacy regulatory authority in the broadband provider space back to the FC or adopting an alternative regulatory framework modeled on the FTC’s Section 5 unfair and deceptive acts and practices approach; (2) substantially rein in the overly-broad definition of customer personal information proposed by the NPRM; (3) allow for reasonable use and disclosure of both aggregated and de-identified data; and (4) exempt from the NPRM’s strictures the collection, use and disclosure of customer personal information for bona fide research purposes.