Introduction

According to Pew Research, 72% of Americans believe that almost all their online activity is being tracked. Hardly a month goes by without a report that another company has had its online data security breached. Therefore, many people are concerned about the security of their personal data online and how data from online activity is analyzed and harvested.

The growth of the Internet of Things (IoT) and more connected devices means even more information sharing. That said, since we live in a social media commenting-and-liking world, consumers generally accept as a given that companies will have adequate data security in place to protect personal details.

Regulatory Response

However, this means greater threats to personal data privacy and more opportunities for information to be compromised. Many governments are passing legislation to protect individuals:

• In Europe, where regulations are rather stringent, there’s General Data Protection Regulation (GDPR), which was enacted in 2016.
• The state of California passed the California Consumer Privacy Act (CCPA) in 2018, and an even more stringent California Privacy Rights Act (CPRA) that is scheduled to go into effect later this year CPRA, also known as Proposition 24, permits consumers to prevent businesses from sharing personal information, correct inaccurate personal information, and limit businesses’ use of “sensitive personal information,” including precise geolocation, race, ethnicity, religion, genetic data, private communications, sexual orientation, and specified health information.
• Other states are also making consumer privacy the law, with more recent ones including Colorado, Maine, Nevada, and Virginia.
• Approved in 2018 and coming into force in 2020, the LGPD is Brazil’s data privacy and protection law. The LGPD was based on the GDPR with certain changes that better suit Brazilian legislation.
• In Singapore, years of compromised data, including 1.5 million healthcare records (25% of the population) in 2018, have prompted the Singaporean government to make data breach reporting mandatory in 2021. Eight jurisdictions (Singapore, mainland China, Indonesia, the Philippines, South Korea, Taiwan, Australia, and New Zealand) now have some form of mandatory breach notification rules, and this will become nine when Thailand begins enforcement of its new Personal Data Protection Act later this year.

By 2023, 65% of the world’s population will have modern privacy regulations protecting personal data, compared to only 10% in 2010. With these regulations in place, individuals can choose to opt-in or opt-out and decide how their information is used.

How Does this Impact Market Research?

Market research, as an industry, has traditionally maintained an ethical standpoint that differentiates it from other industries using consumer information, based on the view that nothing is ever assumed and that there is a fundamental requirement to be utterly transparent at all times and to ensure any permissions for data (identifiable and non-identifiable) are granted explicitly. With the widespread availability of consumer data, this position is being challenged. So maybe the question should be… To what extent should the market research industry continue to abide by its strict (and self-imposed) data privacy rules, or should those rules be relaxed, as has happened in other industries?

There are (at least) three trends influencing this discussion:

1. The Effect of DIY on Privacy. Online DIY market research tools are increasingly available, which means they are used more often by companies outside the traditional market research industry. These non-traditional users are often unaware of the MR industry’s historically strict stance on data privacy, or they choose to ignore it.
2. Social and Passive Data Collection. The second driver of this debate is the increased presence of social media and passive data collection methods. Any information a consumer publicly provides (age, location, profession etc.) can be combined into a more significant average. Sentiment analysis tools can even seek out particular terms or phrases within a message and cross-tabulate them with demographics and predictive models for further analysis. Passive data collection has also opened up opportunities outside the digital world. In 2013, UK supermarket chain Sainsbury’s installed a digital tracking system that allowed the grocer to monitor shoppers as they made their way around the store. In this example, the company got permission from each participant. But what if this were not the case? What is stopping passive data collection such as this from being used in the future without permission? Or simply under the guise of assumed consent?
3. Personalized Marketing For Brands. User data collection is overly intrusive in its current state. Many consumers do not understand how their data is being collected, used, and segmented to enhance marketing efforts. When it comes to the brands, data from across social media, for example, on forums and influencers’ feeds, are a part of this. General data protection regulations stipulate that consent needs to be given to securely retain data. Yet, the seductive quality of this data has created a reliance on this data for many brands.