Editor’s note: Abby Devine is director of government and public affairs for CASRO, Port Jefferson, New York.
To many, a privacy policy is a tiny link hiding out in the footer of a Web site or a pop-up screen you blankly stare at before clicking accept. For companies engaged in market research, privacy policies are an essential document – one that can provide valuable assurances to research participants and an effective shield against regulation.
Transparency and accountability are crucial in establishing any relationship. In the business of social, opinion and market research, maintaining these principles is vital to forging strong connections with research participants. A comprehensive, well-worded privacy statement provides the transparency participants need and lays the groundwork for appropriate accountability. The motto behind your company’s privacy policy should be: Say what you do and do what you say.
Your company’s privacy policy should be prominently placed on your Web site and inform participants about how you handle their personal information. It will establish a benchmark that regulators and business partners use to hold you accountable. The most effective policies are written using clear, simple language and speak directly about your business practices.
Your privacy statement should:
- Tell participants what information you collect about them, why you collect it and how you share it.
- Tell participants about the choices they have to limit the collection or sharing of their information.
- Tell participants how they can access their information to review it or change it.
- Tell participants how you protect their information.
- Explain your commitment to maintaining relevant, accurate and complete information for only the outlined purpose.
- Tell participants how to contact you with a complaint.
If your Web site is directed at children under the age of 13 or you know that children under the age of 13 are submitting information through your site, you also need to comply with the Children’s Online Privacy Protection Act (COPPA).
If you collect personally identifiable information about Californians, you must comply with the California Online Privacy Protection Act (CalOPPA). CalOPPA requires you to post a distinctive and easily found link to your privacy policy and requires your policy to detail the kinds of information gathered, how the information may be shared and, if such a process exists, the process participants can use to review and make changes to their stored information. It also must include an effective date and a description of any changes since then.
If you receive personal information from citizens of the EU, you must comply with the EU Data Protection Directive in one of four acceptable ways:
- by obtaining consent to transfer the data from participants;
- by using the model clauses to cover each transaction;
- if the transfer is intra-company, by using binding corporate rules; or
- by self-certifying to the Safe Harbor.
If you self-certify to the Safe Harbor, you must clearly state this in your privacy policy, provide contact information that allows participants to contact you directly with privacy complaints and provide details about the dispute resolution service you engage.
Having an effective privacy policy is about more than posting a clear statement on your Web site. You must be committed to privacy from the inside out. Take time to educate your entire staff about the various privacy-related mechanisms in place and about the overall importance of privacy. Be sure to define, document, communicate and assign accountability for each procedure outlined in the policy and then monitor compliance and address any privacy-related complaints.
Don’t just talk the talk – stand behind the words by ensuring the promised procedures are being implemented in your day-to-day operations. This doesn’t just matter in the eyes of participants; it’s the law. This year the Federal Trade Commission has increased enforcement against companies that don’t keep the promises made in their privacy statements. Don’t risk getting caught in this wider net. And don’t simply set it and forget it. Privacy statements are not static. As your company embraces new technology, be sure to update your privacy policy to align with any changes to the way you capture and protect consumer information.