GDPR and marketing research
Editor’s note: Vivek Bhaskaran is founder and CEO of QuestionPro, a provider of online survey and research software.
Chances are good that you’ve heard of General Data Protection Regulation (GDPR), implemented by the European Union in 2018. If you are involved at all with an IT function, marketing or legal, you’re probably intimately familiar with it.
But if you’re a market research company that takes advantage of third-party, cloud-based research services, you may assume that GDPR compliance from those surveys is not your problem.
Guess again.
Earlier this year, Landgericht München's third civil chamber in Munich ruled that an unidentified website violated GDPR by including Google Fonts (hosted font) on its pages and passing the unidentified plaintiff's IP address to Google “without authorization and without a legitimate reason for doing so.”
In lay terms, the website page made the user's browser obtain a font from Google Fonts and disclosed the user’s IP address to Google in the process. While this kind of sourcing is quite common, the issue here is that the visitor didn't give specific permission for their IP address to be shared.
How big is the potential problem? Well, the Google font API is used by about 50 million websites worldwide, including content delivery networks used by pretty much all online survey providers. Which means you may be at risk of being sued if you are conducting surveys that take advantage of Google hosted fonts.
This is not a trifling matter: the German court threatened the offending website with €250,000 for each violation or up to six months in prison.
If your company/website is the front end or host for a survey that pulls Google fonts, you could be named in a lawsuit and be held liable for damages.
The good news is that there’s a relatively straightforward, if not time consuming, fix: self-hosting fonts. So it is important to ask if your online survey provider is aware of the issue or has taken steps to be fully GDPR-compliant.
Understanding data privacy laws
This ruling has set a precedent, and I believe we will see a landslide of similar lawsuits. It behooves you to make sure you’re not at risk.
Here are four questions to ask your online survey provider:
- Do they use any content delivery networks? If so, do those networks use the Google Font API?
- Do they host fonts on their own servers? Can they certify GDPR compliance to you?
- Does your contract with the provider indemnify you/hold you harmless if they are sued for noncompliance with regulations?
- Does your contract with the provider allow you to sue the provider if you are sued/suffer damages due to their noncompliance?
It’s also a good idea to check your own website and any other sites you host on behalf of clients to make sure that you are not violating GDPR by sourcing fonts from Google. Here’s a resource for how to check and protect your site.
As enforcement of GDPR expands, it is important to be prepared and understand the depth of data privacy protection for your clients, customers and yourself. Other countries and states that are expanding into adjacent if not identical regulation include Brazil with its General Data Protection Law LGPD as well as the state of California as it continues its pursuit of strengthening consumer protection.