With the media so full these days of discussions of do-not-call lists and growing resentment toward spam and other direct marketing intrusions, it’s hard not to worry about the impact our heightened sense of privacy may have on marketing research. Thanks in large part to sugging and other base misrepresentations of legitimate research, our industry is often lumped in with direct marketing in the minds of consumers and some lawmakers. As a result we’ve had to fight almost non-stop to avoid being adversely affected by the spate of laws and regulations designed to control various direct marketing scourges.


The good news is, industry organizations such as the Council for Marketing and Opinion Research (CMOR), the Council of American Survey Research Organizations (CASRO) and the Marketing Research Association have been up to the challenge, proactively working to plead our case before lawmakers and regulators and crafting a comprehensive array of standards and guidelines to help the industry police itself so that government doesn’t have to. CASRO in particular is planning this year to expand its Privacy Protection Program (CASRO 3P), through which it informs research companies and interested client-side researchers on the privacy laws in the U.S. and in Europe and how to work under the new rules.

To find out more about CASRO’s privacy education efforts and the state of the current regulatory scene, I checked in with Diane Bowers, the organization’s president, for a Q&A session.

Q: What are the main privacy-related issues facing marketing research firms today?
Diane Bowers: We in the industry always have had the sense that marketing research is not specifically targeted [by privacy legislation] and had either an implicit or explicit exemption. Well, I hate to be the bearer of bad news, but that has changed. We may not be specifically targeted - although that may occur relatively soon - but we get affected because we are collectors and disseminators of information, often of specific personal information and of data itself, and both of those areas are governed by national and international law. So privacy issues truly do affect research.

But we are in a lot of ways ahead of the game because it has always been a founding principle of legitimate marketing and opinion research that confidentiality, the privacy of respondents and protection from harassment are watchwords for our business. And that means that we have a good level of credentials when we talk to governments and potential regulators.

Having said that, the main areas now are in the realms of protection of personally identifiable data or personally identifiable responses that may be obtained in an interview. Even if a name isn’t given, if somehow an identity can be traced back, regulators are concerned that they err on the side of more restrictions, more security provisions.

[Privacy efforts] are becoming industry-specific, such as in the area of health care, where patients’ rights are preeminent and of great concern to all of us. And it has also extended itself into the financial arena. With the Gramm-Leach-Bliley Act [GLBA], which applies to financial institutions, the federal government acknowledged that financial institutions needed to be able to share information in order to provide better service but in so allowing, they also instituted major protections for the personal financial information that may be passed back and forth. There has to be security, and there has to be a way for people to be able to opt out of having information shared.

The government needs to be on top of this as well because so much government research involves personal information and the issues of privacy and protection of personal information also apply to intra-government communication.

Once it becomes industry-specific, no doubt we could progress to where it becomes third-party-provider-specific. Research itself could be targeted and CMOR and other organizations are working hard to not have that occur but we should be wary of it.

Q: What are the main privacy regulations, both here and in Europe, and what do they cover, from a marketing research standpoint?
The European Union Directive on Data Protection requires certain security and contractual obligations of firms in order to protect the privacy of personal information and the transmission of data within E.U. member states. And if you are not in an E.U. member state, then your own country has to have its own privacy protection. The U.S. didn’t have that kind of protection so a few years ago it created the U.S. Safe Harbor, which provides protection but in some instances may not be sufficient, depending on what your relationship is with the European entity for whom you are collecting or disseminating the personal data. So a company, on a case-by-case basis, needs to determine if it is sufficient for them to comply with U.S. Safe Harbor or if they need to comply with the E.U. Directive itself. The CASRO Privacy Protection Program has an E.U. handbook which helps a company make that determination.

Nationally, we have the Gramm-Leach-Bliley Act. We also have the Health Insurance Portability and Accountability Act [HIPAA], which deals with the health care industry and the privacy of patient information. And most recently there has been the FCC Telecommunications Privacy Rule, which deals with the privacy of telephone customers. So you can see that the industry-specific approach is becoming more prominent.

If you have a privacy policy and internal privacy procedures and privacy contracts with your clients and your contractors and subcontractors, you are covering yourself no matter what comes down the pike. It’s wonderful for the industry to be in that position because the U.S. government prefers that industries regulate themselves. We must demonstrate, for example, that not only do we have the CASRO Code Of Standards but we also have a written and publicly available privacy policy, and written and consistent contracts with our clients and our subcontractors.

If we can continue to comport ourselves in a very forthright, non-deceptive way, that goes a long way to keeping the regulatory wolf from our door. That isn’t to say there aren’t problems and issues. The important thing to note here is, we are looking at privacy in the framework of traditional, confidential custom survey research. When you add to that picture the wonderful opportunities that the research industry has moving into the areas of customer satisfaction research, Internet research, CRM, and database mining, you have to look at privacy in a different way, because the same privacy regulations that relate to custom research probably will not relate to CRM. And we need to be able to transform ourselves. We need to have standards that apply to the various services that research businesses offer in a very legitimate and professional way.

Q: Are the privacy laws currently in place highly restrictive, or do they allow enough latitude for marketing research to be conducted?
If you have permission from the respondent - forthright, transparent permission - a lot of the issues that we are concerned about regarding privacy and the transmission of data become moot, because the respondent has agreed to it. In some instances that must be in writing; it depends on the country and the situation you’re dealing with but that’s why you have to start with a framework and a foundation and policy statements that are publicly available.

So “highly restrictive” is relative. Sure research can be conducted, but may it be conducted in a blind situation where clients aren’t identified and respondents aren’t informed? That is becoming more and more difficult and I want to be pretty blunt about that.

Clearly in Internet research, CASRO standards are already exceedingly stringent to protect the interests of our Internet respondent public, who have dictated that they don’t want to be spammed and they are suspicious of cookies and they want to know what it is you are trying to contact them about.

CASRO’s Internet Standards truly demonstrate how an industry can self-regulate. We don’t allow spam. You have to identify the client; if the source of permission from the respondent is not identified, then you can’t conduct the research — meaning that if the source of permission is a customer database from a client, then the client has to be so identified. Or you need to contact them by some other means to get permission to contact them to conduct research by e-mail.

Research can’t dictate whether it is in [the respondent’s] self-interest to participate in research. Oftentimes respondents say, “You may be different from telemarketing but I don’t want you to call me,” or, “I would like to tell you when to contact me” or, “I would like to be compensated for my time.” And we need to take the bull by the horns and look at all of these separate issues and understand where we can compromise and adjust our industry so that it truly does meet both the client’s need for more and better information and the respondent’s privacy needs.

Q: Are there privacy-related issues that client companies should be aware of when they are working with or hiring marketing research providers? For example, are there types of questions that can’t be asked now or kinds of information that can’t be obtained due to new privacy regulations?
On the financial and health care side, some client organizations are very much aware of how Gramm-Leach-Bliley and HIPAA apply to them. With HIPAA, there are a lot more restrictions. Each health care institution could make separate and different demands on a third-party provider like a research company to make sure it has invested in appropriate data security protection. The CASRO 3P will hopefully provide a consistent, reliable and verifiable resource so that all health care institutions would be able to turn to a CASRO company that has a privacy policy and all the necessary safeguards in place and be assured that they meet the privacy tests for third-party providers.

You can imagine the enormity of the expense for a research company if one client company asks them to do X and another firm in the same industry requires another system, even though one system would adequately meet the privacy requirements of these laws. So we would like to have a consistent industry response. That includes in-house research departments at client companies as well because they also think of their end user as a client.

It’s good to adjust our mindset, because there are a lot of similarities between research firms and in-house research departments at client companies. We both have the goal of making the research as useful, consistent and cost-efficient as possible. That common ground helps us wade through these privacy issues together. And that is why we are reaching out to the client side as well to make sure they know what we are doing. A lot of corporate research departments aren’t as privy to these privacy regulations and we are open to informing them if they are interested.

Q: What are the goals behind the CASRO privacy briefings?
This isn’t an area that people can approach with glib certainty, thinking that they have everything down pat. We try to get them comfortable enough so that they know how to proceed. We try in the briefings to talk specifically about the national and international laws, GLBA, HIPAA, the Children’s Online Privacy Protection Act, and we talk about the documents we have prepared to address them. Companies need to have policy statements and programs but they can’t just be words; they have to be instituted and made public. We also look at the specific contracts that are applicable with contractors and subcontractors that address certain privacy issues. And also the language companies use to allow respondents to opt in or opt out of research.

The meatiest part of the briefings is not the exposition of the laws and how the Program addresses them, it is looking at what the true implications are. For example, how do you make the changes in your company? What systems are available for security? How much change do you need to make in terms of personnel? How do you designate a privacy officer? What kind of documentation do you need to certify that you are in compliance? We also get into the whole question of whether CASRO’s Code is sufficient to show that you are in compliance. We also show the ways that CASRO can help them and the resources that are out there to help.

Q: Are there more restrictive privacy policies on the horizon or do you envision things staying the way they are? Will research companies have to continue to battle for the right to ask consumers legitimate marketing research-related questions?
We can go a long way to anticipate without knowing specifically what’s coming. The research industry is more than just a provider of custom traditional research. We have to start taking the adjectives off and maybe looking at ourselves as just “research,” or “information analysis.” Whatever words you attach to it there has to be a root. And once you have identified the root - say it’s “information” or “research” - the adjective that defines that root might have a particular code of professional standards attached to it.

For instance, there will always be confidential survey research, and so the laws that apply to that part of the industry need to be clearly written and agreed to on a global basis. There are CASRO’s code of standards and ESOMAR’s [the European Society for Opinion and Marketing Research] standards, which are remarkably similar. Then we might define the standards for customer satisfaction research or for syndicated research or CRM research. Once we have all of those, then you have a real overview of the industry as a whole with the various rules and laws that apply to particular services that the industry provides. So even though we might not be able to see the specific changes to privacy legislation that are coming, we will be very much ahead of any laws that come our way.

We need to change our mindset away from research being the center of the universe and the thinking that respondents should participate because the process benefits capitalism and helps grow the economy. That’s all very true but it just doesn’t carry as much weight as we would like. We have to marry the client’s wants and needs with the very legitimate rights and demands of the respondents, the people who are going to provide the information.

And if the industry is going to look at “valuing” the respondent, whether it’s compensating them, making a charitable contribution in their name - whatever the approach might be to get their cooperation - it has to be persuasive, it has to be true and it has to be transparent. It can’t be anything that’s misleading. Those are the parameters that we have to work within. It’s not something that spells the end of the industry. I don’t look at it that way at all. To me it’s an opportunity.