The ARF last week released a Code of Conduct for which it should be congratulated. Developing an industry code of this scope -- focused on data privacy and usage in a rapidly evolving and complex digital data world -- is an extraordinarily tricky task. It will use a seal of approval to give some “self-regulatory teeth” to companies that comply. The use and interpretation of this code requires very careful review and assessment.
Despite its recognition of and references to an array of other codes in the data privacy and usage arena, this document raises many questions for all sides of the industry:
· Responsibilities to research participants.
· Responsibilities to clients.
· Responsibilities to the profession and the public.
Possibly the biggest issues are whether the major research providers on the ARF board recused themselves from the final approval process, and whether the ARF “earned” a sign-off from any of the major consumer data protection groups, especially on key principles using “should” rather than “must.”
Take the codes. As an example, from “Responsibilities to the Profession and the Public”, “Contacted individuals should have an easy way to opt-out.”
Some would argue that “should” must be replaced by “must” or “shall” in the code’s sections covering “responsibilities to the profession and the public” and “contacted individuals should have an easy way to opt-out.”
The “easy way” needs to be framed in detail and “opt-out” needs to be suitably changed to “opt-in.”
We have all wrestled with so-called “easy ways” to “opt-out” on social media and had to give up.
In an environment rife with serious ongoing allegations and convictions regarding data abuse and misuse, the use of “Chain of Trust Principles” in this code could be considered naïve and out-of-touch at best, and irresponsible at worst.
A blue ribbon review board was involved in development of this code. This board expressed concerns regarding a wide array of the code’s elements, albeit many were echoes of other existing codes.
Making the seal anchored on self-regulation was a real concern. This should require communication of -- and point-of-contact for -- the code’s principles to everyone in an organization earning compliance. In addition, it should address their required responsibilities in explicitly identifying the code’s principles to partners and/or clients.
Will the removal of the ARF seal of compliance for companies breaching the code really affect any company’s decisions in any data usage chain? Hmm, I doubt it.
However, if such companies were also denied membership to the ARF, would that add “teeth” to compliance?
Big tech platforms and large research companies currently are prominent members of ARF. Several of them have positions on the ARF board. As such, this initiative provides these companies, the ARF and our industry a unique opportunity to significantly raise the ethical principles embraced and acted on by the research supply chain that uses and collects data.
The code’s principles will undoubtedly evolve. But to give it real teeth, it needs to immediately address compliance based on stricter processes and procedures than self-regulation.
Intentional or not, the current privacy mess is, in this writer’s opinion, a result of original and evolving design driven by company growth goals and their stock price, not common sense principles of industry ethics.
As a result, codes require detailed process and procedure regulations together with serious consequences for non-compliance to protect all parties.
These issues, along with others, hopefully will be explored during a public review of the code at the upcoming ARF Audience x Science Conference April 15 & 16 in Jersey City, NJ. The result? V2.0 soon?