A new breed of data

Privacy and compliance in digital market research

GfK’s market research is focused on privacy

By David W. Stark

Technology is changing the way we work, communicate and spend our leisure time. Virtually every organization in every sector has been affected to some degree by rapid technological advancements in recent years. The market research industry is witnessing two broad trends:

In quantitative research, there is a shift from the use of probability-based samples to working with convenience samples. The most obvious example of this is the growth of internet-based interviews as a data collection method. Virtually non-existent 15 years ago, the total estimated worldwide spend on online research in 2010 was nearly 4.6 billion US dollars, up 9% from 2009. A significant proportion of online research is conducted using panels and online communities.
There is also an increase in observational research and passive data collection. Whether it is conducting ethnographic research, experimenting with neuroscience, monitoring what people are saying in the blogosphere and on social networking sites, or measuring online ad impressions through the use of cookies – to name but a few examples – traditional survey questionnaires are not necessary for a growing amount of research that is conducted today.

At the heart of both trends are innovative technologies, Web 2.0 and in particular social media.

GfK plays a leadership role

The legal and privacy issues associated with the new ways that market research is conducted today have to be considered very carefully. Talented, knowledgeable professionals throughout each market research firm are needed, who can help to ensure that the projects undertaken for their clients comply with pertinent laws and recognized industry codes of conduct. ESOMAR’s code predates many privacy laws, as do the codes of other long-established industry associations. Market research organizations have a long and proud history of treating respondents’ privacy with great care in accordance with industry guidelines. They know how to collect and process information responsibly and render it in an anonymous form. This strong foundation should help the industry maintain a positive climate for research as legislators and regulators take stock of the new ways researchers collect data today. However, even reputable research firms can make mistakes in fast-changing environments where industry guidelines and laws do not squarely address technological developments and new business models.

At GfK, in-house lawyers and compliance professionals provide privacy advice to their business colleagues both at local and international levels. In addition, a number of employees are making significant contributions to prominent industry associations and committees that are focused on the development of industry guidelines in new areas of research, including social media, mobile interactive, and online behavioral advertising and web tracking research.

The advancement of new industry association guidelines in which GfK is actively involved is informed by a strong desire to protect respondents. Tracking cookies, device identification and web scraping are among the topics that are being addressed in industry guidelines. Data privacy regulators are also focusing on these and other technologies.

Taking a bite out of cookies

Cookies are small text files websites set on users’ computers for a variety of purposes, including analyzing web traffic, recognizing prior visitors and accommodating their preferences. Online advertising networks use cookies to track consumers’ movements across multiple websites in order to display relevant advertising. This is known as behavioral advertising and it is commanding regulators’ scrutiny. Concerns have been expressed over whether the information gathered from consumers’ browsing activity is truly anonymous and whether they have sufficient tools at their disposal to be able to opt-out of being tracked. In market research, tracking cookies can be used to measure ad impressions or specific website content, which can be linked with attitudinal and demographic data collected in surveys and reported anonymously. Clear notice and informed consent are required, though, and respondents should be given the option of opting-out of receiving tracking cookies.

Device identification

Regulators are also grappling with other methods of tracking consumers’ movements online. Device identification, also known as digital fingerprinting, is used by research firms, online banks and e-merchants to detect and prevent fraud. When a computer visits a website that uses the technology, a variety of browser and operating system configurations are examined. Enough variations exist in computer settings – such as software and plug-ins installed, date and time information, and default fonts and languages – that the technology can produce a unique alpha-numeric ID for each machine. However, companies have now emerged that use device IDs to track consumers’ visits across multiple websites for marketing purposes. Unlike cookies, which can be blocked, filtered or deleted, PC and smartphone users cannot prevent device IDs from being collected, through browser settings or other means. It remains to be seen whether consumer complaints will arise over the use of device identification for marketing or advertising purposes and how regulators will respond.

Web scraping

Web scraping uses software to extract information from websites, typically unstructured data that is transformed into structured data for analysis. In research, the technology is often used to measure what consumers are saying and feeling about brands. However, not all online conversations appear in the public domain. Many people have an expectation of privacy when they participate in chat rooms that require usernames and passwords to enter. They post comments for the benefit of other chat room users and do not necessarily expect third parties to copy their remarks, without consent, for commercial or research purposes.

Last October, The Wall Street Journal reported on such a case. Nielsen’s BuzzMetrics had scraped comments from PatientsLikeMe.com’s private online forums where people exchange deeply personal stories about diseases that affect them. Upon discovering the activity, the website alerted community members and sent a cease and desist letter to BuzzMetrics. Since then, a Nielsen spokesperson has stated that scraping PatientsLikeMe was a bad legacy practice that the firm does not do anymore.

ESOMAR’s guideline on passive data collection, observation and recording states that views expressed in internet areas that are "walled gardens” should be treated as private and the researcher should announce his presence and purpose and seek cooperation. A new ESOMAR guideline on social media research due to be published later this year will provide researchers with further advice, such as reviewing websites’ terms of use, many of which contain clauses that address intellectual property rights.

Privacy by design in GfK solutions

GfK’s product development teams, legal counsel, data protection officers and its partners in the digital space are focused on privacy. Here are a few examples:

GfK NIS’s anonymization process for mobile web data has been meticulously developed with input from legal and technical experts, including remarks from regulatory bodies, such as the Austrian Regulatory Authority for Broadcasting and Telecommunications and the Commission nationale de l’informatique et des libertés, the data protection authority in France.
Working closely with its subsidiary and online research expert, nurago, GfK developed clear privacy statements for consumers who choose to download a browser plugin and participate in its own online panels.
GfK also developed a template privacy policy, rules of participation and terms and conditions for market research online communities that GfK operates in conjunction with technology vendors.
GfK is exploring arm’s length privacy certifications, such as TRUSTe in the USA and EuroPriSe in Europe.
GfK is building a global compliance program that will feature internal and external training programs on privacy, information security, GfK’s Code of Conduct and several other topics.

Future challenges

International Data Corporation (IDC) predicts that the amount of digital information created and replicated in the world will be 44 times bigger by 2020 than it was in 2009. Put another way, in 2009, digital data amounted to 800,000 petabytes, roughly a stack of DVDs reaching from the earth to the moon and back. By 2020, IDC says that the hypothetical stack of DVDs will reach halfway to Mars. With this explosive growth in data, we will see a proliferation of government and industry rules about records retention and information privacy. Keeping on top of these rules and managing data that grows roughly 50% per year will undoubtedly keep GfK’s legal, compliance and IT professionals quite busy.

Set bookmark/Recommend

Data protection

As internet companies, online advertisers and market research firms embrace Web 2.0 and new business models, data privacy regulators are weighing in to ensure consumers’ privacy rights are respected. GfK is at the forefront of this issue. It understands the trends in the digital space and transforms its knowledge into best-in-class privacy and data protection practices.

The author

David W. Stark
serves as GfK’s Compliance and Privacy officer for the Americas and is based at GfK Research Dynamics in Toronto, Canada. He is an instructor of Canada’s Marketing Research and Intelligence Association’s Ethical Issues and Privacy course. Additionally, he is a member of ESOMAR’s Professional Standards and Legal committees and is certified by the International Association of Privacy Professionals.
Contact