28 June 2019
Surveys are useful business tools that can help you design products and services around your customers' preferences. However, surveys also collect personal information which means you must inform customers of your privacy practices and take precautions to protect data.
Even if you do not normally collect personal information in the normal course of your business, that changes when you start using surveys. Also, if you run a website or app that provides a platform for businesses to conduct surveys, you must consider privacy practices even further.
First, it's required by law in most jurisdictions.
Secondly, if you use a survey hosting platform, chances are the platform will recommend that you have one.
All surveys have the potential to collect personal information. You need to collect names and login information so you can verify that surveys are completed by people and not bots. Also, surveys frequently request demographic information that may help determine sales trends.
In the United States, there is no federal law, but California, Nevada, Delaware, and Illinois have passed their own laws with other states looking into following suit.
The laws have subtle differences, but they share many elements in common.
One is how they define personal information.
Email addresses, GPS locations, screen names, mailing addresses or general location (even if it is just a city name) are considered personal.
Note that If you delve into sensitive information, like sexual orientation, religion, ethnicity or political affiliations, your responsibilities for keeping that information safe increase.
Third party services that allow you to distribute apps or send mass emails generally require Privacy Policies. Survey hosting platforms don't require this, but they do tend to generally recommend it.
Privacy Policies are called Privacy Statements in these rules.
SurveyMonkey starts by explaining what you should communicate in your statement:
These suggestions align closely with current privacy laws. Even basic Privacy Policies should include this information.
SurveyMonkey offers other guidance and suggestions about good privacy protections. These elements are often integrated into Privacy by Design plans that many corporations have already adopted to increase information security.
SurveyMonkey suggests that you only collect what personal information is necessary, keep the data secure, and know the privacy requirements of your home jurisdictions:
Another recommendation by SurveyMonkey is to include a consent statement. This assures your privacy terms are accepted and survey respondents understand that they are sharing personal data with you:
Many businesses conduct customer service surveys to evaluate their product. These surveys are a useful tool but they are not the primary purpose of the business.
Start by including surveys as a type of personal information you collect and how you collect it.
Apple does this in its opening paragraph:
If you hire a third party to manage your surveys, you will need to mention them in a separate paragraph on service providers or among the third parties who see your data.
Here's another example from Apple:
This template is similar to the suggestions SurveyMonkey provides. It also meets the requirements of most privacy laws.
The recommended provisions from Microsoft include:
Many of these sections are not much different from other Privacy Policies. However, there are subtle differences due to the unique circumstances presented by surveys.
Microsoft advises that the survey name appear early in the policy. The Privacy Statement is specific to that one survey:
Either approach will work.
If a survey handles especially sensitive information, you may want a Privacy Statement more specific to that survey and should take Microsoft's sensitive approach.
However, if your business model handles many of the same types of surveys and your information collection processes don't deviate often, taking the approach of SnapSurveys is sufficient.
Surveys are voluntary. But even then, you need to describe your information collection practices.
Foresee is a third party service provider that designs and provides surveys to solicit customer feedback for its customers. When it introduces itself, it makes that clear in the first paragraph.
After that, it describes the collection as voluntary:
Then it expands on that idea by explaining it conducts customer satisfaction surveys online and by telephone. This also explains what is collected -- mainly demographic information, age, gender, income bracket, and other items that are considered personal information:
Snap Surveys takes a similar approach. It describes information collection through online forms:
It makes your intentions clear and prevents misunderstanding.
Just as with any other collection of personal data, you must describe how you use information you collect from surveys.
Foresee describes its services but also indicates that the survey responses provide clients with information and may be used for Foresee's business purposes:
Client data is used to create surveys and process results. Repondent data is provided to the client and if there are questions, respondents should address them:
If you host surveys for others, consider this approach from Snap Surveys. Chances are, your data handling will be different for your client's information than for respondents. Making this clear maintains your compliance with relevant privacy laws.
The cookies clause describes what they are and explains how they analyze website trends:
Third party cookies typically involve advertising such as retargeting that work by tracking a user's browsing history. This needs to be disclosed:
Surveys may have cookies if the client requests them or if tracking needs to continue after the survey.
Foresee lets users know that these cookies only remain for a limited time and that they aren't used to collect personal data:
Data is often stored longer with surveys because it can take time to process. If you are a third-party provider, you may have to keep it safe for clients for awhile.
This means you need to reassure users that their data will be secure, and be clear about your storage and security measures.
ForeSee mentions its security and hosting centers. While it does not guarantee absolute security (because that's impossible), it definitely takes good and reasonable measures:
Snap Surveys also offers a detailed description of its security measures:
Share as much information about your security measures as you are comfortable with doing. Not only is this reassuring to your users, but it shows you've taken reasonable steps to prevent a security breach.
The difference between surveys and general web services is that surveys exist for the sole reason of collecting and sharing information.
In most survey Privacy Policies, provisions on information sharing often fall under use rather than a separate section on sharing with third parties.
You also need to describe reasons for sharing that do not fall within the surveys. These include mergers and acquisitions involving your company, responding to legal procedures, enforcing other online agreement, and business dissolution or bankruptcy.
Here's how Snap Surveys lets users know how personal information may be disclosed beyond for survey purposes:
Surveys are an important part of marketing, business analytics and getting to know your customer and user base in beneficial ways.
However, survey data is often personal or sensitive.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.