Legal Affairs

Legal and compliance guidance for the insights industry—covering privacy, data security, AI, research operations, and emerging laws that affect how we collect, use, and protect data.

Resources

The Insights Association provides legal and compliance information—much of it members-only—on a wide range of issues impacting the insights industry. 

Topics include artificial intelligence (AI), consumer data privacy, data security and protection, the U.S. Data Security Program and the Protecting Americans Data from Foreign Adversaries Act, data broker laws, youth privacy, respondent incentives, polling issues, telephone/texting/fax rules, healthcare market research, Canada and other international laws, taxes, accessibility, business operations, and human resources (HR), along with model clauses, contracts, and forms.

Compliance Portals & Member Resources

IA maintains compliance portals for the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), and an ever-growing patchwork of comprehensive state privacy laws. IA also provides model clauses and contracts to support day-to-day compliance. 

Please note: only IA company/department members have access to the most current, expanded, “top-of-the-line” versions of IA’s model contracts and clauses.

Artificial Intelligence (AI)

Key AI laws, regulations, and guidance affecting the insights industry—organized by featured developments (Trump Administration positions on state preemption, as well as AI training and copyright), U.S. federal developments (FTC, PTO and other enforcement guidance), state laws (including transparency, chatbots, frontier AI, training disclosures, employment impact, pricing, discrimination, and more), international regulation (EU and Singapore), and practical compliance resources.

President Trump on AI Training and Copyrights
On July 23, 2025, President Donald Trump raised concerns about intellectual property (IP) and AI training—an issue largely absent from his AI action plan—and insights industry experts are responding.

White House Pushes Back on State AI Regulations
President Trump signed a new executive order (EO) on artificial intelligence (AI), aiming to preempt state laws and regulations on multiple fronts that may impact the insights industry in the U.S.

EU AI Act — Compliance Preparations Start Now
The EU AI Act took effect August 1, 2024, with staggered compliance deadlines. As with GDPR, organizations can be covered even without a physical EU presence.

FTC Warning on AI-Driven Changes to Privacy Policies
FTC warning focused on privacy-policy changes that could enable broad data “harvesting” to support AI.

FTC Guidance on Using AI Chatbot
Guidance for organizations developing and deploying AI-powered chatbots—relevant to many insights use cases.

U.S. Enforcement Agencies Issue Warning for Artificial Intelligence
Four federal agencies warned about discrimination and bias in AI and automated systems, and outlined enforcement approaches.

FTC Vows to Enforce Copyright Laws Regarding AI
FTC signaled it will use enforcement authority against deceptive or unfair AI-generated content practices that violate copyright law.

USPTO: Significant Human Contribution Needed for AI-Assisted Inventions
USPTO guidance indicates AI-assisted inventions may be patentable when a human “significantly contributed,” and non-human entities cannot be named inventors.

EU AI Act — Compliance Preparations Start Now
EU AI Act effective Aug 1, 2024 with staggered compliance deadlines; can apply beyond EU borders.

Singapore PDPC Guidance on Synthetic Data
Regulatory guidance on synthetic data generation that may help insights organizations evaluating synthetic data approaches.

U.S. State Laws & Updates

S.B. 243 — Restricts lifelike “companion” chatbots; adds protocols, disclosures, reports.
A.B. 316 — AI is no legal defense for alleged harm.
S.B. 53 — Frontier AI safety disclosures; penalties for violations.
A.B. 2013 — Requires disclosures about generative AI training data.
S.B. 942 — AI transparency requirements; content ID tools; research restrictions; contracting rules.
A.B. 1008 — Complicates “personal information” definitions by capturing AI systems capable of outputting PI.
S.B. 896 — State procurement/contractor considerations + AI content disclaimers.
A.B. 2885 — Defines “artificial intelligence” and cross-references other state laws.
(2019) — Older chatbot transparency law; generally not applicable to insights uses.
CA rules — Expand employment anti-discrimination to include AI-enabled discrimination.

S.B. 205 — Consumer disclosure for AI interactions; requirements for “high-risk” AI systems.

Delayed — Colorado has delayed the effective date of the state artificial intelligence (AI) law to June 30, 2026.

H.B. 3773 - Restricts the use of AI tied to discrimination risk in employment and hiring

Guidance on how New Jersey’s anti-discrimination law applies to “algorithmic discrimination” involving AI and related data-driven technologies.

RAISE Act — Proposed/aims to regulate cutting-edge systems via liability, safety protocols, notices, and fees.

S. 3008 — Safety + transparency for companion chatbots; notice requirements related to algorithmic pricing.

Attorney General guidance explains how multiple Oregon laws may regulate or restrict AI use.

TRAIGA (H.B. 149) prohibits intentional unlawful manipulation or discrimination via AI systems and restricts certain government agency uses.

Utah’s AI law requires companies/organizations to clearly disclose when someone is “interacting with generative artificial intelligence and not a human.” It launched a state program to study the risks of AI, in which participating companies could get licensed and receive temporary regulatory protections. It also added “synthetic data” to the definition of “deidentified data” in Utah’s comprehensive state privacy law.

Amended/extended: through July 1, 2027; narrows disclosures to consumer interactions; safe harbor for up-front and ongoing disclosures.

Core Legal Risk Topics

Potential Risks for Insights Industry in Generative AI - Overview of common legal pitfalls tied to generative AI/LLMs (e.g., chatbot deployments, data sourcing/training issues, output risks)

Compliance Resources

Generative AI Compliance Guide

How to begin building a generative AI compliance checklist.

AI in Market Research: Ethics & Regulation

Industry leaders align on a coordinated AI strategy

Model AI Disclaimers and Disclosures

This resource is available to IA company members only.

Emails

Rules and best practices for email-based research communications.

  • CAN-SPAM and Sending Research Emails
    The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, originally signed into law in 2003, regulates the sending of commercial electronic mail (and text messages). A single violation of CAN-SPAM can lead to a fine as high as $16,000.

Consumer Data Privacy

Guidance and laws affecting how insights organizations collect, use, share, and safeguard personal data.

FAQs on Collecting and Handling Race, Ethnicity, Sex and Other Sensitive Data
Frequently Asked Questions on legal compliance for sensitive data, relating to unique identifiers, disclosure, consent, sharing with third parties, and safeguards.

The Electronic Communications Privacy Act (ECPA) and Privacy in the Marketing Research Workplace
The Electronic Communications Privacy Act (ECPA) forbids intercepting wire, oral, or electronic communications while in transit, as well as accessing information that is stored electronically. The cost for non-compliance with the ECPA can potentially be enormous, with criminal penalties that may include jail time, and statutory civil damages that can easily reach into the millions.

FTC Warns That Hashing Data is Not Anonymization
The Federal Trade Commission (FTC) recently sent a reminder that “hashing” personal data is not as protective as companies may think.

Rights After Death: What Happens When a Respondent Passes Away?
Although no statute or set of regulations regarding privacy and other rights of the deceased directly affects market researchers, these questions can be particularly sensitive.

FAQ: Sharing Respondent Contact Info with the Client
My client wants to acquire the personal data from our most recent study so they can build a database for other research activities. I’m inclined to say no to such sharing, but is it OK since it is for research purposes?

Financial Privacy: Best Practices for Survey, Opinion and Marketing Researchers
The Gramm-Leach-Bliley (GLB) Act is a federal law concerned, in part, with privacy and security of consumer financial information.

Marketing Researchers and CPNI
“Customer proprietary network information,” or “CPNI” is the information a telecommunications company learns about its customers as a result of providing services to those customers. This may include how many calls a customer placed, the rate paid for those calls, and where and when calls were dialed and/or received.

Biometric Data Privacy Laws: Impact on Marketing Research
Laws in Texas and Illinois specifically address the collection, use, storage, and capture of biometric information. To what extent do they apply to (and restrict the activities of) marketing research?

New York City Law Prohibits Most Biometric Data Sharing
A 2021 law in New York City, enforced by private lawsuits, requires signage notifying consumers about biometric data collection at commercial establishments and prohibits the sale of biometric data.

FTC WARNINGS ON BIOMETRIC DATA PRIVACY
As part of the agency’s commitment “to combatting unfair or deceptive acts related to the collection and use of consumers’ biometric information and the marketing and use of biometric information technologies,” the FTC released an extensive policy statement on biometric privacy.

  • Florida Digital Bill of Rights Targets Big Tech
    Florida provides many of the usual consumer rights and protections, enforced by the state Attorney General, but only covers some of the biggest tech platforms and ad sellers.

  • Nevada Consumer Data Privacy Law in Effect
    A 2019 non-comprehensive Nevada law requires companies to offer consumers the right to opt out of the sale of their personal data.

  • The Delaware Online Privacy Protection Act
    The Delaware Online Privacy Protection Act (DOPPA) prohibits marketing or advertising certain products or services deemed harmful to children and requires internet service providers (ISPs) who collect personally identifiable information (PII) from Delaware residents for commercial purposes to conspicuously post a privacy policy on their website or application.

  • NEW YORK LAW PROHIBITS HEALTHCARE GEOFENCING - S. 4007
    A 2023 New York law prohibits geofencing around a health care facility.

  • Texas DMV Records Restricted in Use for Marketing Research - S.B. 15 Now Law
    A 2021 Texas law curtails some of the access to driver and motor vehicle records for marketing research purposes.

  • Oregon: Not Abiding by Your Privacy Policy May Violate State Law
    Oregon has a specific law treating violation of a privacy policy as an unlawful trade practice. It also applies to violation of a consumer agreement. This predated Oregon's comprehensive privacy law.


  • Nebraska: Breach of Privacy Policy Could Be Violation of State Law
    Nebraska, with the Uniform Deceptive Trade Practices Act, was one of a few states specifically listing violation of a website’s privacy policy as a deceptive trade practice.


  • Pennsylvania: Not Abiding by Your Privacy Policy May Violate State Law
    Pennsylvania has a specific law treating violation of a privacy policy as a deceptive trade practice.

  • Miscellaneous Privacy-Related Laws
    A quick rundown of the Freedom of Information Act (FOIA), Privacy Act of 1974, Telemarketing and Consumer Fraud and Abuse Prevention Act, Telemarketing Sales Rule (TSR), Federal Trade Commission Act (FTC Act), Sarbanes-Oxley Act of 2002 (SOX), and the Human Subjects rule.

    Data Brokers

    Registration, disclosure, and security requirements that may apply to insights companies—particularly sample providers. (Be sure to review all relevant comprehensive state privacy laws.)

    Nevada law broadens the restrictions in Nevada's privacy notice and opt out of sale laws for a lot of insights companies, who will be designated as “data brokers.”

    Marketing research and data analytics companies are listed in the California Attorney General’s new data broker registry. Should your company be listed?

    Marketing research sample providers must comply with a new “data broker” law in the Green Mountain State.

    Oregon law requires some insights companies, particularly sample providers, to register as “data brokers” in the state’s new registry.

    A 2023 Texas law establishes a data broker registry and requires in-depth information security programs for data brokers.

    Recent amendments to Texas’ data broker registry law add to data broker’s notice requirements and clarify the definition of a data broker.

    2023 California law updating the state data broker registry law and providing consumers a one-stop deletion request mechanism to which all data brokers will need to comply.

    California expands disclosure requirements for registered data brokers and adds a time limit to one aspect of the upcoming centralized Data Removal and Opt-Out Platform (DROP).

    Taxes

    Sales tax exposure, reporting obligations, and incentive-related tax rules affecting the insights industry.

    Sales Taxes, Software-as-a-Service (SaaS) and the Insights Industry
    Market research, data analytics, and panel-sample providers, and in particular any IA member that sells and markets what looks like, feels like, or can be characterized as Software-as-a-Service (SaaS), will be subject to sales tax in an increasing number of states across the country.

    How State Sales Taxes May Impact Your Insights Business
    Depending on the type of insights services you provide (such as many of the online panels), your company’s services may be characterized as a Software as a Service (SaaS), a model where software is hosted in one place but licensed by subscription for use by customers who may be virtually anywhere. Several high-population states, such as Texas, New York, and Pennsylvania, tax SaaS services. Some states consider SaaS a service. So, if services are generally taxable in the state, then SaaS is considered taxable.

    New Jersey Tax on Information Services
    Information services are subject to New Jersey sales and use tax if delivered to customers/clients in New Jersey.

  • New Kentucky Sales Tax on Insights - H.B. 8
    Kentucky charges sales tax on a wide variety of services, including insights.

  • Washington State Tax on Ad Measurement and Effectiveness Research
    Washington levies a sales tax on digital advertising services that includes measurement and effectiveness research.

  • West Virginia Tax Treatment for Research Services
    The sale of primary opinion research services in West Virginia may be exempt from the General Consumer Sales and Services Tax in certain situations.

  • Huge U.S. Tax Law Change: Reporting Threshold for Market Research Incentives Rising Dramatically
    President Trump’s big recently-enacted tax and budget law raises the 1099 tax reporting threshold for a research subject’s aggregate incentives from a single payer in 2026 to $2,000 from the current $600. It will be indexed to inflation every year afterwards.

  • Tax Reporting Obligations for Respondent Incentives
    For the survey, opinion and marketing research profession, payment information return obligations under Section 6041(a) of the Internal Revenue Code and Section 1.6041-1(a) of the Income Tax Regulations, require that every person engaged in a trade or business must make an information return for each person to whom payment is made for services in the course of his or its trade or business of amounts which aggregate at a certain level during that year.

  • Consumer Data Privacy

    Litigation and Enforcement Watch

    High-impact legal developments and enforcement trends shaping privacy risk.

    CIPA Lawsuits and the Research Industry

    Lawsuits alleging common online tools “intercept” communications without consent under California’s CIPA.

    LiveRamp Privacy Case Raises the Stakes for Transparency in the Insights Industry

    Highlights growing legal and reputational risk when personal data is collected/monetized without meaningful notice.

    Handling Third-Party Document Production Requests

    Guidance for subpoenas and document requests: protecting client and respondent information and preparing ahead.

    Privacy & Security: Compliance Fundamentals and Practical Policies

    Operational building blocks that make privacy and data security compliance manageable.

    Privacy and Data Security Compliance Is Manageable When You Focus on These 5 Things
    Practical compliance perspective and priorities from IA outside counsel.

    How to craft a compliant privacy policy for an insights organization.

    Steps to develop and implement a strong data retention program.

    Five ways to turn employees into data security assets.

    U.S. Data Security Program & Protecting Americans’ Data from Foreign Adversaries Act (PADFAA)

    Restrictions on transferring or providing access to sensitive U.S. personal data to certain foreign countries and actors.

    New Rule Prohibits Bulk Sensitive Personal Data Transfer to and Access by U.S. Adversaries

    It prohibits transferring or sharing personal data (mostly sensitive, and mostly in bulk amounts) with countries of concern (China, Cuba, Iran, North Korea, Russia, and Venezuela), people located in such countries, or companies under significant control of those countries.

    DOJ Provides Compliance Guidance for Ban on Sensitive Data Transfers to Foreign Actors

    This rule is now referred to by the DOJ as the Data Security Program (DSP).

    Protecting Americans Data from Foreign Adversaries Act

    PADFAA is a 2024 law prohibiting some insights companies from sharing or selling some common market research and audience measurement data to/with the People’s Republic of China, Russia, North Korea or Iran, or any company based in, or under minimal control by, such countries. Compliance may be challenging.

    Canada

    Key privacy, anti-spam, and data security laws affecting market research activities involving Canadian residents or data.

    Market Research Email Compliance with Canadian Anti-Spam Law (CASL) (Bill C-28)
    Sweeping Canadian restrictions on electronic messages – Bill C-28, sometimes referred to as the Fighting Internet and Wireless Spam Act (FISA), but usually referenced as the Canadian Anti-Spam Law (CASL) – impact market research emails.

    A brief overview of the Personal Information Protection and Electronic Documents Act (PIPEDA), Privacy Act, and other Canadian legal issues for the insights industry.

    How should a company/organization handle a data security breach impacting someone in the frozen north?

    CRTC guidance clarifies that CASL requires express consent before installing software on a user’s device or sending certain electronic messages involving Canada.

    International

    Key global privacy, data security, and regulatory developments impacting cross-border research.

    GDPR Portal
    IA’s comprehensive resource for EU General Data Protection Regulation (GDPR) compliance.

    EU AI Act – Compliance Preparations Start Now
    The EU AI Act (effective August 1, 2024) introduces phased compliance obligations that may apply even without a physical EU presence.

    China’s Personal Information Protection Law (PIPL)
    A comprehensive and strict privacy law creating significant compliance challenges for organizations handling data of Chinese residents.

    Data Security Risks in Dealing with China
    DHS advisory highlighting cybersecurity and data risks for U.S. businesses.

    Telephone Market Research in the UK
    MRS-adapted guidance on conducting telephone research in the United Kingdom.

    U.S. Prohibition on Providing Insights Services to Russia
    Treasury restrictions (effective June 7, 2022) limit most insights services to Russia.

    Russia’s Data Localization Law
    Requires certain personal data of Russian citizens to be stored locally.

    Restrictions on E-mail and Telephone Contact for Research
    Laws limiting certain electronic messages, including automated calls, emails, faxes, and SMS.

    Turkey’s LPPD Data Privacy Law
    Overview of Turkey’s Law on the Protection of Personal Data (LPPD), similar in structure to GDPR.

    Minors: Privacy Issues for Children & Teenagers

    Privacy rules affecting research involving children and teens. (Be sure to review all applicable comprehensive state privacy laws.)

    COPPA: Best Practices for Marketing Researchers
    The Children’s Online Privacy Protection Act (COPPA) governs the collection of personal information from children under 13.

    Student Privacy (FERPA & PPRA)
    Federal laws protecting student education records and regulating certain survey and research activities in schools.

    Arkansas Children and Teens’ Online Privacy Act
    Requires consent to collect personal data from teens (13–17) and parental consent for children under 13.

    California Age-Appropriate Design Code Act (A.B. 2773)
    Broad restrictions on products and services likely to be accessed by minors under 18, expanding beyond COPPA.

    Maryland Age-Appropriate Design Code (Maryland Kids Code)
    Restricts online data collection and processing for individuals under 18 and requires child-centered design standards.

    New York Child Data Protection Act (NYCDPA)
    Limits collection, use, and sharing of personal data for individuals under 18 by child-directed services.

    Nebraska Age-Appropriate Online Design Code Act
    Limits collection and retention of minors’ personal data for certain online services.

    Vermont Age-Appropriate Design Code Act
    Restricts collection, retention, and disclosure of minors’ personal data.

    Human Resources

    Employment law developments affecting insights companies, including non-competes, worker classification, and pay transparency requirements.

    Independent Contractor Tests: A State-by-State Assessment
    Overview of the “ABC” and common law tests used nationwide to determine employee vs. independent contractor status.

    FTC Non-Compete Ban Struck Down
    Federal court blocks the FTC’s proposed nationwide non-compete ban.

    California Bans Non-Competes (A.B. 1076 & S.B. 699)
    Broad prohibition on non-compete agreements, including some signed out of state.

    Wyoming Bans Most New Non-Competes (2025)
    Applies to agreements entered on or after July 1, 2025.

    Minnesota Restricts New Non-Competes
    Prohibits most new non-compete agreements as of July 1, 2023.

    Virginia Expands Ban on Non-Competes
    Prohibits non-competes for low-wage employees.

    Washington State Restricts Non-Competes
    Limits enforceability for lower-wage workers and adds disclosure requirements.

    Florida CHOICE Act Expands Non-Competes
    Allows broader enforcement for higher-wage employees under qualifying agreements.

    Washington, DC Restricts Non-Competes
    Imposes significant limits on employee non-compete agreements.

    Non-Compete Agreements in the Insights Industry
    Industry-specific considerations for non-competes, NDAs, and non-solicits.

    Non-Compete Do’s and Don’ts for Marketing Researchers
    Practical guidance on protecting business interests while complying with evolving laws.

    Disclaimer: This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.
