CASRO Code Change Internet Standards

1
CASRO Code Change - Internet Standards Wednesda
y, September 5, 2007
2
CASRO Code Revision Keeps Privacy Protection On
Pace With Internet Research Technology In
June, CASRO announced that its membership
overwhelmingly approved a revision to the
Internet Research section of the organizations
mandatory and enforceable Code of Standards and
Ethics for Survey Research. CASRO is being
proactive in its promotion of the self regulation
of our industry. Such standards are imperative to
ensure the continued effectiveness of online
surveys and the future success of our members.
3
CASRO Code Revision Webinar Todays
Presenters Diane BowersCASRO President Duane
L. Berlin, Esq.CASRO General Counsel (Lev
Berlin, P.C.) Peter MillaCASRO Online Research
Task Force (Survey Sampling International) Larry
PonemonCASRO Online Research Task Force and
CASRO GPA Director (The Ponemon Institute)
4
CASROs Revised Standards for Internet Research
The Legal and Regulatory Framework Duane L.
Berlin CASRO General Counsel Lev Berlin, P.C.
5
CASROS Self-Regulatory Strategy

• CASROS strategy has been to anticipate public
  and regulatory concerns.
• Work with regulators to insure they understand
  survey research and provide for appropriate
  treatment of our industry.
• Set an ethical framework for members that is
  consistent with current and potential regulations
  affecting survey research.

6
CASROS Original Internet Research Standards

• CASROS original internet research standards were
  promulgated about six years ago.
• Dealt exclusively with email invitations to
  participate in surveys.
• Predated the CAN-SPAM Act by several years.
• At that time, public reaction to and potential
  regulation of unsolicited email contact was the
  most apparent issue.

7
Evolving Issues

• Since then, the public, the media and the
  regulators have focused on many more issues
  related to the internet, many of which affect
  survey research.
• The new standards attempt to provide a mandatory
  ethical platform from which CASRO members can
  implement their own operational solutions to
  these issues.

8
The Current Regulatory Framework

• CAN-SPAM The primary US regulation dealing with
  unsolicited email contact.
• Designed to apply to email marketing (not
  research).
• The original CASRO standards for email
  invitations have been updated and generally
  require CASRO members to comply with CAN-SPAM to
  the extent reasonably practicable.

9
The Current Regulatory Framework

• Current State and pending data security and
  breach notification laws.
• CASROs GPAC is working with the federal congress
  to implement a unitary, federally preemptive set
  of rules.
• In the meantime, members must deal with 36
  different state laws
• The revised Code mandates reasonable security and
  data breach procedures by all members.
• Applies to all electronic data.

10
The Current Regulatory Framework

• COPPA- Regulates collection, use and storage of
  PII from children under 13.
• HIPAA- Governs use, disclosure and security of
  protected health information.
• Section 5 of Federal Trade Act- Prohibits unfair
  or deceptive trade practices, e.g., failure to
  follow your own privacy policy, or installing
  programs or code without permission (spyware).
• EU Data Directive Regulates all transmissions of
  PII to and from the EU- e.g., between a US
  research organization and an EU affiliate or
  subcontractor.

11
The Current Regulatory Framework

• CASROs revised standards for internet research
  provide members with a basis to implement these
  legal requirements in ways that are appropriate
  for survey research.

12

• Peter Milla, Co-Chair,
• CASRO Online Research Task Force
• Chief Information Officer, Survey Sampling
  International

13
CASRO Online Research Task Force
Duane Berlin (CASRO General Counsel) Terrence
Coen (Survey Sampling International) Steve Coffey
(The NPD Group) Hugh Davis (Greenfield
Online) George Harmon (TARP) Anne Hedde
(Lightspeed) Peter Milla, Co-Chair (Survey
Sampling International) Roseanne Luth (Luth
Research) Chuck Miller, (DMS Research) Larry
Ponemon, Co-Chair (Ponemon Institute)
14
CASRO Online Research Task Force Background

• CASRO Board established the Online Research Task
  Force to review and provide guidance on
• Internet and other technology developments
• Growing concerns about Internet data security and
  privacy issues
• The Task Forces work resulted in a
  recommendation and action to revise the Internet
  Section of the CASRO Code
• The resulting revisions have been overwhelmingly
  approved by CASRO Membership

15
Revisions to the Internet Section of the CASRO
Code

• The existing section on Email Solicitation was
  updated and expanded
• A section covering Active Agent Technology
  (defined as any software or hardware device that
  captures behavioral data about data subjects in a
  background mode) was added
• A section covering Panel/Sample Source
  Considerations was added
• A Personal Data Classification Appendix, (which
  categorizes the degree of sensitivity of personal
  data) was added

16
Revisions to the Internet Section of the CASRO
Code (continued)

• Based on the permission-based nature of the
  Internet
• Most comprehensive set of standards (not a
  guideline) in effect

17
Revisions to the Internet Section of the CASRO
Code Key Points

• (A) The existing section on Email Solicitation
  
• (1) Research Organizations are required to verify
  that individuals contacted for research by email
  have a reasonable expectation that they will
  receive email contact for research
• Pre-existing relationship exists
• Transparency
• Opt-in and opt-out (permission-based)
• (2) Research Organizations are prohibited from
  using any subterfuge
• (3) Use of false or misleading email addresses is
  prohibited. Compliance with all applicable laws
  and regulations a requirement.
• (4) Lists received from clients or sample
  providers must be verified for respondent
  permission

18
Revisions to the Internet Section of the CASRO
Code Key Points

• (A) The existing section on Email Solicitation
  (continued)
• (5) Practice of blind studies require disclosure
  if source of email not identified/apparent
• (6) Information about the CASRO code should be
  made available to respondents

19
Revisions to the Internet Section of the CASRO
Code Key Points (continued)

• (B) New section on Active Agents
• (1) Active agent technology is defined as any
  software or hardware device that captures the
  behavioral data about data subjects in a
  background mode, typically running concurrently
  with other activities
• Covers tracking software
• Cookies are NOT Active Agents

20
Revisions to the Internet Section of the CASRO
Code Key Points (continued)

• (B) New section on Active Agents (continued)
• (2) Unacceptable practices which are prohibited
• The following require respondent consent
  downloading software, types of information
  collected, respondent identification, use of
  keystroke loggers
• Installing software that modifies computer
  settings beyond whats required
• Disabling of anti-spyware, anti-virus or
  anti-spam software
• Installing software that seizes control or
  hijacks computer
• Failing to make commercially reasonable efforts
  to test for proper software operation
• Installing software that is hidden
• Installing software that is difficult to
  uninstall
• Installing software that delivers advertising
  content, with exception of ad tracking

21
Revisions to the Internet Section of the CASRO
Code Key Points (continued)

• (B) New section on Active Agents (continued)
• (2) Unacceptable practices which are prohibited
  (continued)
• Installing upgrades without notification
• Changing the nature of the Active Agent without
  notification
• Failure to notify users of privacy practice
  changes relating to software upgrades

22
Revisions to the Internet Section of the CASRO
Code Key Points (continued)

• (B) New section on Active Agents
• (3) Practices that should be adopted
• Transparency to the data subject
• Permission of data subject
• Disclosure of types of data collected/stored
• Easy software de-installation
• Personal information must not be used for
  secondary purposes without permission
• Voluntary nature of activity
• Support channel
• Periodic notification

23
Revisions to the Internet Section of the CASRO
Code Key Points (continued)

• (B) New section on Active Agents
• (3) Practices that should be adopted (continued)
• Data stewardship
• See Personal Data Classification Appendix
• Research Organizations must establish safeguards
  that minimize risks of data security/privacy
  threats to respondents
• Research Organizations must understand impact of
  their technology
• Research Organizations must make commercially
  reasonable efforts to ensure that their free
  products are safe and to not cause undue
  privacy/data security risks
• Research Organizations must be proactive in
  managing distribution of software
• If unethical practices are revealed, future
  dealings with partners involved must be
  terminated

24
Revisions to the Internet Section of the CASRO
Code Key Points (continued)
(C) New section on Panel/Sample Source
Considerations (1) Disclosure, permission,
maintenance of panel records (2) Transparency to
clients (3) Data stewardship (4) Opt-out (5)
Privacy policy (6) Measures to appropriately
limit respondent contact (7) Sample sources and
expectation for contact for research (8)
Quality-focus (9) and (10) Separation of research
and other activities (11) Respondent
confidentiality
25
ISO Access Panel Project

• Establishment of a quality standard for access
  panels (including online panels)
• Linked to ISO 20252 (MR quality standard)
• CASRO is ANSI representative
• Minimum 2 year process
• Meeting schedule
• Berlin, Spring 2006
• New York, Autumn 2007
• Madrid, Winter 2007
• Tokyo, Spring 2007
• Berlin, Autumn, 2007 (next meeting)
• Sydney, TBD

26
ISO Access Panel Project (continued)

• CASRO workgroup has been reviewing and providing
  input
• Issues for CASRO companies include
• How the final standard (including the relevant
  sections of the main ISO MR standards) impact
  their business
• How CASRO/CASRO companies address the audit
  requirement

27

• Larry Ponemon, Co-Chair,
• CASRO Internet Task Force
• Chairman, Ponemon Institute LLC

28
Why are Code Changes Important?

• CASRO membership is a privilege advancing the
  reputation of member companies is vital to the
  research community and the marketplace we serve
• Enabling technologies and emerging global
  regulatory frameworks for privacy and data
  protection require us to adapt and change
• The publics trust requires CASRO and its members
  to pursue
• Transparency in research practices
• Stewardship of information assets
• Mitigation of present and future harms to data
  subjects
• The revised Code is all about achieving practical
  business goals while meeting or exceeding the
  publics expectations

29
Other Considerations

• Please keep in mind that the revised Code will
  require each member company to
• Spend the time necessary to read and review the
  revised Code
• Ensure that others within your organization are
  fully aware of these changes
• Step back and consider how the revised Code may
  impact your companys business or research
  operations
• Ask questions if you dont have a clear
  understanding, contact CASRO immediately
• Be vigilant make sure that substantial
  compliance is maintained

30
Now Its Your TurnQuestions Answers

• Please note You can submit your questions
  via the chat window or e-mail them to
  art_at_casro.org.
• Any questions that are not answered during
  todays webinar will be replied to via e-mail and
  posted on our website with a recap of this event.
  

31
Now Its Your TurnQuestions Answers

• CASRO Code Section 3A
• (5) The practice of blind studies (for sample
  sources where the sponsor of the study is not
  cited in the email solicitation) is permitted if
  disclosure is offered to the respondent during or
  after the interview. The respondent must also be
  offered the opportunity to opt-out for future
  research use of the sample source that was used
  for the email solicitation.

32
Now Its Your TurnQuestions Answers

• CASRO Code, Section B.3.a.4
• "When receiving email lists from Clients or
  Sample Providers, Research Organizations are
  required to have the Client or Sample Provider
  verify that individuals listed have a reasonable
  expectation that they will receive email contact,
  as defined, in (1) above."

33
Now Its Your TurnQuestions Answers

• CASRO Code, Section B.3.a.6
• "Information about the CASRO Code of Standards
  and Ethics for Survey Research should be made
  available to respondents."

34
Now Its Your TurnQuestions Answers

• CASRO Code, 3A1(c.)
• Survey email invitations clearly communicate
  the name of the sample provider, the relationship
  of the individual to that provider, and clearly
  offer the choice to be removed from future email
  contact.

35
Now Its Your TurnQuestions Answers

• CASRO Code, Section 3A
• (1) Research Organizations are required to verify
  that individuals contacted for research by email
  have a reasonable expectation that they will
  receive email contact for research. Such
  agreement can be assumed when ALL of the
  following conditions exist
• a. A substantive pre-existing relationship exists
  between the individuals contacted and the
  Research Organization, the Client supplying email
  addresses, or the Internet Sample Providers
  supplying the email addresses (the latter being
  so identified in the email invitation)

36
Now Its Your TurnQuestions Answers

• CASRO Code, Section 3B
• Active Agent Technology
• (1) Active agent technology is defined as any
  software or hardware device that captures the
  behavioral data about data subjects in a
  background mode, typically running concurrently
  with other activities.

37
Now Its Your TurnQuestions Answers

• CASRO Code, Section 3C
• (2) Upon Client request, the Research
  Organization must disclose
• a. Panel composition information (including
  panel size, populations covered, and the
  definition of an active panelist).b. Panel
  recruitment practice information.c. Panel member
  activity.d. Panel incentive plans.e. Panel
  validation practices.f. Panel quality
  practices.g. Aggregate panel and study sample
  information (this information could include
  response rate information, panelist participation
  in other research by type and timeframe, see
  Responsibilities in Reporting to Clients and the
  Public).h. Study related information such as
  email invitation(s), screener wording, dates of
  email invitations and reminders, and dates of
  fieldwork.

38
CASRO Code Change - Internet Standards Thank
you for participating!