Having and following a security and privacy policy:

  • Increases the trust and confidence respondents have in a research organization;
  • Helps distinguish a research organization from the competition; and
  • Provides a physical manifestation of your compliance with the law.

MRA encourages the application of the following privacy policy principles:

  • Craft “A Privacy Promise”: essentially a Privacy Mission Statement;
  • Detail exactly what information you’re collecting (and how);
  • Specify how the information will be used, shared, and/or transferred (e.g., Will third parties see the information? Will the data be aggregated? Might the data be transferred outside the U.S.?);
  • Provide a clear “opt-in” and/or “opt-out” policy;
  • Explain how data is protected and secured (and disclosed, if required by law);
  • Describe how a user can update or delete personal information;
  • Clarify how you will alert respondents to a change in your privacy policy;
  • Note whether the organization collects personal data from children, and any related policies;
  • Clearly state the organization’s address and contact information; and
  • Link the privacy policy from the organization’s homepage and any section where PII is collected.

What other questions should researchers ask in developing/modifying their privacy policy?

  • What personal information is collected?
  • Are “cookies” or other online behavioral tracking data used and for what purpose?
  • Who actually collects this information?
  • How long is this information archived or maintained?
  • What is the information used in connection with?
  • Is this information sold or shared with others?
  • Does personal information get transferred in cases of bankruptcy, merger or acquisition?
  • How will the Privacy Policy actually be displayed (online and in facilities)?
  • What security measures does the organization use to protect personal information?
  • What steps can practicably be implemented to further protect personal information?
  • Does the organization fall under the umbrella of any federal or state privacy regulations?
  • Does the organization do extensive business in Europe or Canada?
  • Will it be difficult or impossible to change or amend a contemplated policy to account for new business plans if the policy has been posted and/or distributed?

Compliance with a stated privacy policy: Please note that a privacy policy is a promise. Violating such a promise can be actionable as an unfair or deceptive trade practice under Section 5 of the Federal Trade Commission (FTC) Act, or under applicable state unfair and deceptive trade practice law. The FTC has already brought costly legal action under the FTC Act.

MRA members can also get more in-depth explanation and legal guidance from the members-only white paper, "Privacy Policies for Survey, Opinion and Marketing Researchers."

The information provided in this document is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any given laws/legislation and their impact on your particular business.