Privacy Policy for Surveys

Privacy Policy for Surveys

Surveys are useful business tools that can help you design products and services around your customers' preferences. However, surveys also collect personal information which means you must inform customers of your privacy practices and take precautions to protect data.

Even if you do not normally collect personal information in the normal course of your business, that changes when you start using surveys. Also, if you run a website or app that provides a platform for businesses to conduct surveys, you must consider privacy practices even further.

Foremost among all those considerations is drafting a strong Privacy Policy.

Simply put, if you use surveys, you'll need a Privacy Policy.


Why you need a Privacy Policy

There are two reasons you should have a Privacy Policy.

First, it's required by law in most jurisdictions.

Secondly, if you use a survey hosting platform, chances are the platform will recommend that you have one.

Privacy Laws

All surveys have the potential to collect personal information. You need to collect names and login information so you can verify that surveys are completed by people and not bots. Also, surveys frequently request demographic information that may help determine sales trends.

Canada, Australia, the UK, and the European Union all passed laws requiring protection of online data and a Privacy Policy. The Policy must make it clear which information you collect, what you use it for, and who receives it.

In the United States, there is no federal law, but California, Nevada, Delaware, and Illinois have passed their own laws with other states looking into following suit.

The laws have subtle differences, but they share many elements in common.

One is how they define personal information.

Email addresses, GPS locations, screen names, mailing addresses or general location (even if it is just a city name) are considered personal.

Note that If you delve into sensitive information, like sexual orientation, religion, ethnicity or political affiliations, your responsibilities for keeping that information safe increase.

Survey Hosting Platforms

Third party services that allow you to distribute apps or send mass emails generally require Privacy Policies. Survey hosting platforms don't require this, but they do tend to generally recommend it.

SurveyMonkey is a popular survey hosting site based in the UK. It has a Data Collection and Privacy Best Practices page that recommends you have a Privacy Policy. It also offers guidance on what users should include in those agreements.

Privacy Policies are called Privacy Statements in these rules.

SurveyMonkey starts by explaining what you should communicate in your statement:

SurveyMonkey’s Data Collection and Privacy Best Practices: Privacy Statements

These suggestions align closely with current privacy laws. Even basic Privacy Policies should include this information.

SurveyMonkey offers other guidance and suggestions about good privacy protections. These elements are often integrated into Privacy by Design plans that many corporations have already adopted to increase information security.

SurveyMonkey suggests that you only collect what personal information is necessary, keep the data secure, and know the privacy requirements of your home jurisdictions:

SurveyMonkey’s Data Collection and Privacy Best Practices: Privacy Protections

Another recommendation by SurveyMonkey is to include a consent statement. This assures your privacy terms are accepted and survey respondents understand that they are sharing personal data with you:

SurveyMonkey: Adding a Consent Statement or Privacy Policy

Drafting a Privacy Policy

When you draft a Privacy Policy to cover surveys, start by considering the presentation and placement of your Policy.

Many businesses conduct customer service surveys to evaluate their product. These surveys are a useful tool but they are not the primary purpose of the business.

However, surveys still collect personal information and give access to that information to third parties. Even if you solely conduct surveys as a way to gauge customers satisfaction, you still must mention them specifically in your Privacy Policy.

Start by including surveys as a type of personal information you collect and how you collect it.

Apple does this in its opening paragraph:

Apple

If you hire a third party to manage your surveys, you will need to mention them in a separate paragraph on service providers or among the third parties who see your data.

Here's another example from Apple:

Apple

These examples show how to integrate information about surveys into a general Privacy Policy.

Provisions relevant to surveys

Microsoft offers a survey toolkit to guide service providers that produce and manage surveys on its behalf. It even includes a template for a Survey Privacy Policy.

This template is similar to the suggestions SurveyMonkey provides. It also meets the requirements of most privacy laws.

The recommended provisions from Microsoft include:

  • The name of the survey
  • How information is collected
  • How information is used
  • Use of cookies
  • Processing and storage of data
  • Sharing information

Many of these sections are not much different from other Privacy Policies. However, there are subtle differences due to the unique circumstances presented by surveys.

Survey name

Microsoft advises that the survey name appear early in the policy. The Privacy Statement is specific to that one survey:

Microsoft Survey Toolkit: Privacy Statement Template

Companies that routinely manage surveys will introduce themselves early in the Privacy Policy rather than giving each survey a name.

Snap Surveys, which offers survey production software, identifies itself as the data controller early in its Privacy Policy. It clearly indicates that it is responsible for complying with data privacy acts and includes contact information:

Snap Surveys Privacy Policy intro

Either approach will work.

If a survey handles especially sensitive information, you may want a Privacy Statement more specific to that survey and should take Microsoft's sensitive approach.

However, if your business model handles many of the same types of surveys and your information collection processes don't deviate often, taking the approach of SnapSurveys is sufficient.

How collection occurs

Surveys are voluntary. But even then, you need to describe your information collection practices.

Foresee is a third party service provider that designs and provides surveys to solicit customer feedback for its customers. When it introduces itself, it makes that clear in the first paragraph.

After that, it describes the collection as voluntary:

Foresee

Then it expands on that idea by explaining it conducts customer satisfaction surveys online and by telephone. This also explains what is collected -- mainly demographic information, age, gender, income bracket, and other items that are considered personal information:

Foresee

Snap Surveys takes a similar approach. It describes information collection through online forms:

Snap Surveys Privacy Policy: Information collected clause

Even if all your information collection is voluntary from your users and you get consent from the respondent first, you still need to cover this information in your Privacy Policy.

It makes your intentions clear and prevents misunderstanding.

How information is used

Just as with any other collection of personal data, you must describe how you use information you collect from surveys.

Foresee describes its services but also indicates that the survey responses provide clients with information and may be used for Foresee's business purposes:

Foresee

Snap Surveys Privacy Policy clause covering this topic has two sections--one for client data and the other for respondent information.

Client data is used to create surveys and process results. Repondent data is provided to the client and if there are questions, respondents should address them:

Snap Surveys Privacy Policy: clause about Use of survey data for clients and respondents

If you host surveys for others, consider this approach from Snap Surveys. Chances are, your data handling will be different for your client's information than for respondents. Making this clear maintains your compliance with relevant privacy laws.

Cookies

Survey sites may use cookies the same way as other sites. These tools can make managing surveys easier, but you will need to keep clients and users informed of their presence.

Snap Surveys explains that it uses cookies to track analytics but also to recognize users on the website. It also offers instructions on disabling the cookies:

Snap Surveys Privacy Policy: Cookies and other Tracking Technologies clause

ForeSee has several sections on cookies, each describing a different type. You may want to take this approach if you heavily use cookies as they definitely affect data security and sharing.

The cookies clause describes what they are and explains how they analyze website trends:

Foresee Privacy Policy: Cookies on our Site clause

Third party cookies typically involve advertising such as retargeting that work by tracking a user's browsing history. This needs to be disclosed:

Foresee Privacy Policy: Third Party Cookies clause

Surveys may have cookies if the client requests them or if tracking needs to continue after the survey.

Foresee lets users know that these cookies only remain for a limited time and that they aren't used to collect personal data:

Foresee Privacy Policy: Cookies in Our Surveys clause

Processing and storage of data

Data is often stored longer with surveys because it can take time to process. If you are a third-party provider, you may have to keep it safe for clients for awhile.

This means you need to reassure users that their data will be secure, and be clear about your storage and security measures.

ForeSee mentions its security and hosting centers. While it does not guarantee absolute security (because that's impossible), it definitely takes good and reasonable measures:

Foresee Privacy Policy: Data Security and Integrity clause

Snap Surveys also offers a detailed description of its security measures:

Snap Surveys Privacy Policy: Storage and Security clause

Share as much information about your security measures as you are comfortable with doing. Not only is this reassuring to your users, but it shows you've taken reasonable steps to prevent a security breach.

Information sharing

The difference between surveys and general web services is that surveys exist for the sole reason of collecting and sharing information.

In most survey Privacy Policies, provisions on information sharing often fall under use rather than a separate section on sharing with third parties.

You also need to describe reasons for sharing that do not fall within the surveys. These include mergers and acquisitions involving your company, responding to legal procedures, enforcing other online agreement, and business dissolution or bankruptcy.

Here's how Snap Surveys lets users know how personal information may be disclosed beyond for survey purposes:

Snap Survey Privacy Policy: When personal information may be disclosed clause

Surveys are an important part of marketing, business analytics and getting to know your customer and user base in beneficial ways.

However, survey data is often personal or sensitive.

For that reason, you need to have a Privacy Policy that includes surveys. This will keep your surveys in legal compliance and maintain transparency between you and your customers.

Jocelyn M.

Jocelyn M.

Former civil litigation attorney. Content legal strategist.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.