“Ethics is knowing the difference between what you have the right to do and what is right to do.” Potter Stewart.
Market research analyzes opinions and human behavior, so from the beginning it has been an activity directly tied to personal data. After all, as professionals we gather information from people. This means collecting and, in some cases, storing personally identifiable information (PII) of those who participate in a research project.
As researchers we have to work ethically, according to the sector code of conduct, which in our case means the ESOMAR guidelines. But that is not all. We must also comply with legal obligations such as the GDPR, the European regulation on privacy and the processing of personal data, as well as local regulations, depending on the country where we conduct the research.
A company's philosophy on the handling of personal data can be understood just by reading its privacy policy. In the case of online access panels, the policy shows how participants' information is collected and used.
We recently carried out an internal study: an Online Panels Mystery Shopping exercise which, among other things, allowed us to compare the privacy policies of 10 specialized panel companies in Latin America, including our own online access panel. To that end, we created two fictitious profiles to experience first-hand what it is like to be part of each of the panels evaluated.
Keep reading; we will share some of the findings with you:
1. Types of data collected
A privacy policy should indicate what type of data is collected from the participant. In the case of an online access panel, it must explain what type of personal information the panelist shares with the company at the time of registering and participating in their surveys or other research methods.
Nine out of the ten panels evaluated detail what types of data they collect in their privacy policy.
2. Personal information shared with third parties
The privacy policy must indicate whether the personal data of the online panel's participants is shared with other companies. Eight of the ten panels analyzed state this explicitly in a dedicated section. The other two panels may be sharing the data, but they do not disclose it in their privacy policy.
At Netquest, the data is shared with our different offices or subsidiaries, in order to provide better service and a better experience to the panelist. Similarly, some of our suppliers (logistics and/or technical support) need access to this information. Of course, our suppliers are not authorized, under any circumstances, to disclose the data.
We deliver the opinions and behavior of the panelists to our clients through a 'unique identifier', which is assigned to each of our panel members. It is a code composed of a sequence of letters and numbers. This identifier serves a dual purpose.
The first is precisely to identify the panelist in the online community. The second is to protect the identity of the person from third parties. In this way, we avoid revealing personal data, since the opinions and/or behavior are not linked to the real identity of the participant. This is known as "information disassociation".
3. Delegate of Data Protection (DPD)
Also known as the Data Protection Officer (DPO), this is the person or team specialized in the privacy and protection of personal data. It is not mandatory for companies to have one; it depends on the type and amount of data that is collected.
However, under Article 37 of the European regulation GDPR, organizations that are dedicated to the large-scale processing of personal data must appoint this figure.
Six of the 10 panels analyzed have a person (or team) that fulfills this role. At Netquest, we have a specialized team. Anyone who wants to contact us can do so by email or by sending correspondence to our postal address.
4. International data transfer
The Internet is a global network. This section should explain whether the panelists' data is transferred internationally, even if it is just to be hosted in the cloud.
At Netquest, many of our clients and suppliers are international companies, based in different countries. The privacy policy indicates that certain data is transferred, and clarifies that we only work with companies that have an adequate level of security.
Only half (5 out of 10) of the companies included in the analysis specify in their privacy policy whether or not they transfer data internationally.
5. Data retention policy
The General Data Protection Regulation (GDPR) states in Article 15 that, if possible, the data subject should know the expected period of personal data retention or, if that is not possible, the criteria used to determine this period.
Only four of the 10 companies studied indicate how long they keep the personal data collected in order to provide their services.
In Netquest's case, once the participant leaves the panel, we keep the personal data indefinitely, so that the person cannot register multiple times and duplicate their information across more than one profile.
The retained data of a panelist who leaves the panel is blocked and not used.
If the panelist requests the deletion of their data, as we explain further in point 8, Netquest guarantees this right and deletes all of their information. The data retention policy is closely linked with this right.
6. Cookies
The privacy policy should clearly indicate whether or not the website uses cookies, which ones, what they are for and how they can be deactivated. This applies to all companies, not just online panels.
Cookies are small text files that a website can store on your device (PC, tablet or mobile) when you browse through it. To personalize your experience, when you return to the website (or another site in the same domain), it can read the information written in the cookie.
Nine of the 10 companies analyzed explain in their privacy policy whether or not they store cookies.
7. Right of data access and portability
Any user can access the data that the company collects about them and request a copy as a file in electronic format. This is a right guaranteed by Article 20 of the GDPR.
Netquest guarantees the exercise of this right and this is made clear in the privacy policy of its online access panel.
As a result of our internal study, we found that six of the 10 online panels have this explicitly indicated in their privacy policies.
For us, this is worrisome, because this is one of the most important rights that must be guaranteed to the panel participants.
8. Removal of personal data
As in the previous point, anyone can request the deletion of their personal data in its entirety. This right is covered in Article 17 of the GDPR. It is known as "the right to be forgotten".
It may seem obvious. Even so, only half of the companies analyzed (5 out of 10) specify this possibility in their privacy policy. And this is alarming, because it is a right recognized by the GDPR, which to date is the highest standard in terms of data protection worldwide.
9. Unsubscribe
All online panels must allow the user to unsubscribe from the service, and must also state this explicitly in their privacy policy.
The ten online panel companies analyzed offer this possibility. At Netquest, panelists can leave the online community at any time. To do so, they must go to their profile on the panel's website.
10. Legibility of the privacy policy
The last of the points evaluated is readability. Although it is listed last, it is one of the main aspects to take into account.
It is a duty to ensure that the privacy policy is readable. It is essential that, besides being public, it can be easily found (and read). This means that it needs to be written in clear and simple language that any person can understand, avoiding generalities and ambiguous expressions.
Six of the ten companies analyzed meet this criterion. And it is crucial. Ensuring readability means making sure that every user understands what is published, what is done with their data and how they are protected.
It is a sign of transparency. An effort that must be carried out responsibly.
Finally, I know that many of us like to take risks, although in certain situations too much can be lost. Privacy is one of those situations. We risk the success or failure of the research and the quality of the data we deliver.
Beyond being a commitment or a legal requirement, the privacy policy shows what type of company you can work with and whether or not they take the care of the data seriously. It is also true that what is written is one thing, and what is actually done is another. The privacy policy is vital, but even more important is that it is correctly applied in the management and operation of the panel companies.
Always remember where the data you analyze and compare comes from. It is data provided by people, by citizens of the world. Just like you or me. And it is an ethical responsibility to act with transparency, out of respect for them. Caring for the participant and protecting their privacy is a matter of principle, which transcends privacy policies.
Surely you already have a much clearer idea about privacy policies and what they should contain.