FEATURE27 April 2011

Adapting to a new era for privacy


Data security breaches and fears over web tracking are rarely out of the news, and as a result people are becoming more cautious about sharing their information with companies. How is research adapting? We spoke to GfK’s privacy officer David Stark to find out.


But consumers and politicians are also concerned about less nefarious activities, like online behavioural targeting and web tracking. How is research adapting to a world in which people are becoming more cautious about sharing their data with companies? Research spoke to GfK’s privacy officer David Stark to find out.

Research: This month saw the introduction of a new privacy bill in the US. What’s your take on how that might effect the research industry?
The Kerry-McCain bill is the latest in a series of efforts at the federal level to pass a baseline privacy law. The impact on firms in the research industry in part depends on how familiar they are with comprehensive data protection laws, such as those found in Europe, Canada, Argentina, Australia and Japan, to name a few markets. US-based research firms that operate globally, participate in the US-EU Safe Harbour programme or follow the Casro Code of Standards and Ethics should have no difficulty complying with the Kerry-McCain bill.

“We must recognise that when researchers conduct social media listening, they can potentially collect a lot of information. This is an area where industry guidance is needed”

There are many aspects of the bill that I like. For example, companies do not have to obtain explicit opt-in consent to collect personal information for fraud detection and prevention purposes. In addition, there are clauses that recognise the value of research. Permitted uses and disclosures of personal information include “collecting customer satisfaction surveys and conducting customer research to improve customer service information”. All of these I feel are quite positive.

There are also aspects of the bill that I feel could have been expanded on. It does not address security breaches or preempt security breach notification laws at the state level. It would be far easier for companies to deal with a single federal breach notification law than have to comply with 46 state laws should they ever find themselves in the uncomfortable position of experiencing a nationwide privacy breach affecting individuals’ sensitive personal data.

The Kerry-McCain bill and other legislative efforts are the result of mounting public concern about how much personal information is collected by companies, particularly online. Is this concern feeding through to research?
A lot of research is permission-based and so that helps us greatly. Also, researchers have a long and proud history of collecting and handling personal information responsibly and rendering data anonymous during processing. I think that these skillsets, combined with strong industry associations and codes of conduct, will continue to serve us well in the fast-moving digital age.

At the same time, we must recognise that when researchers conduct social media listening, they can potentially collect a lot of information, including comments made by consumers on news sites, blogs and social networks. Many comments are associated with screen names while others are linked with individuals’ real names. This is an area where industry guidance is needed. And so I am very pleased that Casro and Esomar are working on comprehensive guidelines for social media research that distinguish between public and private spaces online. We don’t want recurrences of PatientsLikeMe.com, where a research firm copied identifiable personal health information from private forums within the site, without the individuals’ or the website operator’s consent.

Interestingly, the Kerry-McCain bill addresses web data mining in a reasonable way, as it states that “covered information” does not include “personally identifiable information that is obtained from a forum (i) where the individual voluntarily shared the information or authorised the information to be shared; and (ii) that is widely and publicly available and contains no restrictions on who can access and view such information”.

As a privacy officer have you seen a rise in complaints or queries from members of the public about what data research agencies collect, how they store it and what they do with it?
No, I haven’t and I would like to think it is because our privacy policies are clear and transparent in explaining to members of the public how we collect, use and protect personal information.

Several research agencies noticed a rise in queries from the public a few years ago after do-not-call registries were established in the US and in Canada. Some consumers did not realise that market, opinion and social research calls are not covered under the telemarketing laws in both countries. Telephone interviewers still receive queries from consumers on the subject, but effective scripts can help assure people that we are only interested in their opinions and not in trying to sell them something.

“The role of the privacy officer demands keeping on top of social trends and rapid advancements in technology, especially technologies and techniques that researchers are using”

Sticking with the issue of data storage and protection, how much at risk are research agencies of data leaks like the recent Epsilon email hack?
Epsilon was an appealing target for hackers because it is an email marketing firm that stores millions of names and email addresses on its servers about customers of some of the largest banks and corporate brand names. Undoubtedly, the hackers will use or sell the data for targeted phishing attempts and try to dupe consumers into revealing private data that can be used to steal their identities. Other organisations that are appealing targets for hackers include retailers because they collect credit card data.

A sad fact, though, is that all types of organisations are at risk of being hacked, including research agencies, and so it is essential for firms to follow recognised standards and best practices to reduce the risk of bad guys infiltrating their networks.

What should research agencies do when events like that occur to ensure the security of the data they hold on individuals?
The Epsilon investigation is ongoing and so we don’t yet know exactly how the breach occurred. But there are lots of steps that firms can take to protect data. Here are just a few points that come to mind.

Firms should design their information security architecture and policies to ensure that they are consistent with a recognised, international standard, such as ISO/IEC 27001. Penetration testing and vulnerability scans should be performed regularly with any identified weaknesses corrected swiftly. Intrusion detection systems should be in place. Files and databases containing individuals’ names, email addresses and other personal information should be encrypted when in motion and at rest. And information security awareness training for all employees should be conducted at least annually.

How is the role of privacy officer evolving in the research industry, not only in response to wider concerns about personal privacy, but as research techniques become more potentially intrusive – web tracking, social media monitoring etc.?
The role of the privacy officer demands keeping on top of social trends and rapid advancements in technology, especially technologies and techniques that researchers are using. I’m on Facebook, LinkedIn and Twitter, download apps for my iPad like everyone else, and I enjoy all these technologies a lot. It would be unfortunate if I didn’t like them because I feel strongly that privacy officers at research firms need to have experience with social media and technology so as to be able to give their colleagues good advice.

A common feature in many legislative proposals today is that privacy considerations must be part of the development of new technologies and services. Known as privacy by design, the concept means that privacy officers have an important role to play working closely with application and product developers early in the product lifecycle.

Keeping on top of legislative and regulatory changes is another important role for privacy officers for which there is no shortage of draft bills and new legislation to review.

“If filter lists become popular with consumers and they include research domains, then our industry stands to be adversely affected”

Is there a danger that personal privacy could be compromised by research agencies’ own efforts to ensure their respondents are who they say they are? The verification of identities using offline data sources, the use of machine IDs to uniquely identify respondents – are there any privacy risks inherent in these technologies that researchers need to be mindful of?
I think the use of these technologies and services for fraud prevention, authentication and survey data quality are necessary and proportionate, but I believe that agencies need to be transparent with respondents and mention how they collect and use their personal information.

Obviously, the explanation doesn’t have to provide a lot of detail – indeed regulators think that privacy notices today are too lengthy and abstruse – but a respondent has a right to know that when she participates in surveys, a fingerprint of her browser or device will be rendered so that she is not invited to participate in the same survey again. Likewise, a prospective panellist should be told in the panel privacy policy that his name and address information will be disclosed to an identity verification service.

Do you envisage any real legislative threats that could severely disrupt the work of the market research industry?
Legislative threats to the industry usually occur when politicians try to deal with a problem in another profession and an unintended consequence is that research is affected. This happened recently in Germany when amendments to its data protection law intended to regulate direct marketing activities would have restricted research were it not for the German trade associations’ interventions. A similar situation occurred in Canada many years ago when proposed telemarketing regulations would have undermined telephone research. Again, the industry responded and research was spared.

One potential threat on the horizon concerns browser-based do-not-track tools and regulators’ response to them. When consumers adjust their browser settings to signal to websites that they do not want to be tracked, what do they mean? Do they want to opt out of receiving online behavioural advertisements or all data collection including for research or website analytics purposes?

Filter lists are another browser tool or add-on that consumers can use to block domains from running tracking scripts. When members of a research panel explicitly agree to allow their online activities to be tracked, including tracking certain ads that they see or web pages that they visit, the research firm typically rewards panellists for their participation. Now what happens when some of those panellists download filter lists prepared by privacy advocacy organisations that block nearly every domain that runs a tracking script, including research domains? If filter lists become popular with consumers and they include research domains, then our industry stands to be adversely affected.

Clarity on the scope of do-not-track is needed. Fortunately, the World Wide Web Consortium (W3C) is holding a workshop this week to work through the issues. I helped develop Casro and Esomar’s position paper for the event and I will be participating in this very important event.

Do you think the industry has established an adequate level of trust with respondents so that they feel confident in sharing information with research agencies, or is more effort needed in this area?
As long as I have been in this industry – 17 years and counting – a common topic at research conferences and an ongoing focus for industry associations are what can we do to staunch the flow of declining response rates. There are many reasons for people choosing not to share information with researchers. We are very busy today and time is precious. Some of the questionnaires respondents complete are poorly designed, far too long and deadly boring. In addition, high-profile security breaches, as well as phone and internet scams such as phishing and sugging, have naturally caused consumers to be more careful with their data.

Despite the challenges, overall I do think that the industry continues to enjoy a good level of trust with respondents in which they feel rewarded for their participation. But we cannot rest on our laurels. Maintaining trust and instilling confidence requires constant attention and effort.

David Stark is GfK’s vice president, compliance and privacy, for the Americas. Based in Toronto, he is a member of Esomar’s Professional Standards Committee, Legal Committee and the Social Media Research and Online Research project teams. He is also a past-president and former standards chair of Canada’s Marketing Research and Intelligence Association.