Our platform allows you to launch various types of qualitative and/or quantitative market research actions. Depending on the actions you select, respondents’ personal information ("PI") may be captured and shared with you, the client. To protect respondents’ privacy, it’s important to be aware of PI and to always keep data privacy in mind when designing your actions.
Protecting the PI of respondents is critical when gathering insights through Suzy. It is not only the right thing to do for respondents, but it also protects your company from possible non-compliance with data protection laws like the California Consumer Protection Act (CCPA) and the General Data Protection Regulation (GDPR).
What is PI?
Personal Information (or “PI”) is a broad term that means any data that is or could be linked to an identified or identifiable natural person. It includes data that relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household.
By way of example, common types of PI involved with Suzy actions targeted to our Crowdtap panel include the categories disclosed to our Crowdtap members in Section 6 of the Crowdtap privacy policy (within the Chart under “View Details”).
What’s the rule for Sensitive PI?
You must obtain special consent from respondents, via a screener question or similar mechanism, before launching actions that might collect sensitive PI. Categories of sensitive PI vary by jurisdiction but generally include:
- Racial or ethnic origin
- Political opinions or affiliations
- Religious or philosophical beliefs
- Trade union membership
- Sexual orientation, sexual preferences, or sexual practices
- Data relating to criminal convictions and offenses
- Precise geolocation information (IP addresses)
- Zip code
- Citizenship / immigration status
- Images, recordings, or captures of a person’s face
- Recordings of a person’s voice
- Data of minors between the ages of 13-17
- Financial information
- Health information (physical and mental)
  - Health information is considered sensitive PI and may only be collected after obtaining special consent. If your organization is a covered entity under HIPAA, medical information may be Protected Health Information (PHI), which requires heightened protections. Reach out to your CSM for more info.
Is there any Prohibited PI?
The rule regarding prohibited PI is to never ask for it. If these restrictions are insufficient for your research needs, and your legal/privacy/security teams have approved soliciting this information, contact your Suzy representative to discuss exceptions. Prohibited PI includes:
- Our Crowdtap members' first or last names
- Our global audience's first or last names
- Our Crowdtap members' email addresses or contact information
- Our global audience's email addresses or contact information
- Credit card numbers
- Personal financial account numbers
- Passport numbers
- National ID card numbers
- Car loan number
- Driver's license number
- Social Security number
- Medical records
- Account passwords
- Specific genetic information
- Fingerprints
- Voice prints
- Iris and retina scans
- Health plan account or beneficiary numbers
- PI of anyone who hasn’t given permission for the processing of their PI. Keep inadvertent disclosures in mind. Example: Social media feeds may contain the PI of others that have not provided their consent to share such PI.
- Data of children under the age of 13
- HIPAA-applicable Protected Health Information. If you are a covered entity under HIPAA and your Action might involve Protected Health Information (PHI), contact your Suzy representative for more information.
Best Practices
If you don’t need PI, don’t ask for it.
If you need PI, only ask for the minimum amount you need.
Sensitive PI requires a special screener.
Do not ask for prohibited PI.
If you choose to export responses containing PI from the Suzy platform, you must do so with data protection in mind. Store it securely, restrict access/sharing, and securely dispose of it when it’s no longer needed following your organization’s internal policies.
Communicate with your organization’s legal, privacy, and security team(s), so they can determine their acceptable level of risk related to PI. For more information/questions, visit our Trust Center.
If these best practices are insufficient for your research needs, or if your company’s internal policies prohibit all PI, reach out to your Suzy representative to discuss alternatives.