“Ethics is knowing the difference between what you have the right to do and what is right to do.” Potter Stewart.
Market research analyzes opinions and human behavior. That is why, from the beginning, it has been an activity directly related to personal data. After all, as professionals we gather information from people. This means collecting and, in some cases, storing personally identifiable information (PII) of those who participate in the research project.
As researchers we have to work ethically, according to the sector code of conduct, which in our case is the ESOMAR guidelines. But that is not all. We must also comply with legal obligations such as the GDPR, the European regulation on privacy and the processing of personal data, as well as local regulations, depending on the country where we conduct the research.
We recently carried out an internal research project: an Online Panels Mystery Shopping which, among other things, allowed us to compare the privacy policies of 10 specialized panel companies in Latin America, including our own online access panel. To that end, we created two fictitious profiles to understand first-hand the experience of being part of each of the panels evaluated.
Keep reading and we will share some of the findings with you:
1. Types of data collected
2. Personal information shared with third parties
At Netquest, the data is shared with our different offices or subsidiaries, in order to provide better attention and experience to the panelist. Similarly, some of our suppliers (logistics and/or technical support) need access to this information. Of course, our suppliers are not authorized, under any circumstances, to disclose the data.
We deliver the opinions and behavior of the panelists to our clients through a 'unique identifier', which is assigned to each of our panel members. It is a code composed of a sequence of letters and numbers. This identifier serves a double purpose.
The first is precisely to identify the panelist in the online community. The second is to protect the person's identity from third parties. In this way, we avoid revealing personal data, since the opinions and/or behavior are not linked to the real identity of the participant. This is known as "information disassociation".
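The disassociation described above can be sketched as follows. This is an added example, not Netquest's code: the class, the field names, the 12-character length and the allow-list of deliverable fields are all assumptions made for illustration.

```python
import secrets
import string

ID_ALPHABET = string.ascii_uppercase + string.digits  # "letters and numbers"
ID_LENGTH = 12                                         # assumed length
CLIENT_FIELDS = {"survey", "answers"}                  # assumed allow-list


class PanelRegistry:
    """Hypothetical registry: PII and the ID mapping stay inside the panel company."""

    def __init__(self):
        self._pii = {}          # panelist_id -> personal data, never exported
        self._id_by_email = {}  # normalized email -> panelist_id

    def enroll(self, email, name):
        key = email.strip().lower()
        if key in self._id_by_email:        # one person, one identifier
            return self._id_by_email[key]
        while True:
            # Random, not derived from the email: a hash of PII could be
            # reversed by anyone able to guess and hash candidate addresses.
            pid = "".join(secrets.choice(ID_ALPHABET) for _ in range(ID_LENGTH))
            if pid not in self._pii:
                break
        self._pii[pid] = {"email": key, "name": name}
        self._id_by_email[key] = pid
        return pid

    def export_for_client(self, raw_responses):
        """Swap the email for the identifier and keep only allow-listed fields."""
        rows = []
        for r in raw_responses:
            pid = self._id_by_email[r["email"].strip().lower()]
            row = {k: v for k, v in r.items() if k in CLIENT_FIELDS}
            row["panelist_id"] = pid
            rows.append(row)
        return rows


# Constructed sample data (not real panelists).
registry = PanelRegistry()
ana = registry.enroll("ana@example.com", "Ana Perez")
RAW = [
    {"email": "Ana@example.com", "name": "Ana Perez", "ip": "203.0.113.7",
     "survey": "S-001", "answers": {"q1": "yes"}},
]
DELIVERABLE = registry.export_for_client(RAW)
```

The allow-list matters as much as the identifier: fields such as name or IP address are dropped unless explicitly permitted, so a new PII column added upstream does not leak into client deliverables by default.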
3. Delegate of Data Protection (DPD)
Also known as the Data Protection Officer (DPO), this is the person or team specialized in the privacy and protection of personal data. It is not mandatory for companies to have one; it depends on the type and amount of data that is collected.
But under Article 37 of the European GDPR, this figure must be appointed in organizations that are dedicated to the large-scale processing of personal data.
Six of the 10 panels analyzed have a person (or team) that fulfills this role. At Netquest, we have a specialized team. And if anyone wants to contact us, they can do it via email or by sending their correspondence to our postal address.
4. International data transfer
The Internet is a global network, and this section should explain whether the panelists' data is transferred internationally, even if it is just to be hosted in the cloud.
5. Data retention policy
The General Data Protection Regulation (GDPR) states in Article 15 that, if possible, the interested party should know the expected period of personal data retention or, if not possible, the criteria used to determine this term.
Only four of the 10 companies studied indicate how long they keep personal data collected in order to provide their services.
In Netquest’s case, once the participant leaves the panel, we keep the personal data indefinitely, so that the person cannot register multiple times and duplicate the information across more than one profile.
The retained data of a panelist who leaves the panel is blocked and not used.
If the panelist requests the deletion of their data, as we explain further in point 8, Netquest guarantees this right and deletes all of their information. The data retention policy is closely linked with this right.
Cookies are small text files that a website can store on your device (PC, tablet or mobile) when you browse through it. To personalize your experience, when you return to the website (or another site in the same domain), it can read the information written in the cookie.
7. Right of data access and portability
Any user can access the data that the company collects about them and request a copy as a file in electronic format. This is a right guaranteed by Article 20 of the GDPR.
As a result of our internal research, we found that six of the 10 online panels have this explicitly indicated in their privacy policies.
And for us, it is worrisome, because this is one of the most important rights that must be guaranteed to the panel participants.
8. Removal of personal data
As in the previous point, anyone can request the deletion of their personal data in its entirety. This right is covered in Article 17 of the GDPR. It is known as "the right to be forgotten".
The ten online panel companies analyzed have this possibility. At Netquest, panelists can leave the online community at any time. To do so, they must go to their profile on the panel's website.
The last of the points evaluated is readability. And although it is listed in the last place, it is one of the main aspects to take into account.
Six of the ten companies analyzed meet this criterion. And it is crucial. Ensuring readability means making sure that every user understands what is published, what is done with their data and how they are protected.
It is a sign of transparency. An effort that must be carried out responsibly.
Finally, I know that many of us like to take risks. In certain situations, though, too much can be lost, and privacy is one of those situations. We risk the success or failure of the research and the quality of the data we deliver.
Always remember where the data you analyze and compare comes from. It is data provided by people, by citizens of the world. Just like you or me. And it is an ethical responsibility to act with transparency, out of respect for them. Caring for the participant and protecting their privacy is a matter of principle, which transcends privacy policies.
Surely you already have a much clearer idea about privacy policies and what they should contain. Do you want to know more about privacy in online panels? Download our ebook!