At a Glance
Suzy’s platform allows you to launch various types of qualitative and/or quantitative market research actions. Depending on the Actions selected*, respondents’ PI may be captured and shared with you, the client. To protect respondents’ privacy, it’s important to be aware of Personal Information (or “PI”) and to always keep data privacy in mind when designing your Actions.
*For more information about what respondent PI gets shared with clients (and when), see Section 9 of the Suzy Privacy Policy.
Protecting the Personal Information (“PI”) of respondents is critical when gathering insights through Suzy. It is not only the right thing to do for respondents, but it also protects your company from possible non-compliance with data protection laws like the California Consumer Protection Act (CCPA) and the General Data Protection Regulation (GDPR).
What is PI?
Personal Information (or “PI”) is a broad term that means any data that is or could be linked to an identified or identifiable natural person. It includes data that relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household.
By way of example, common types of PI involved with Suzy Actions include the categories disclosed to our Crowdtap members/respondents in Section 6 of the Crowdtap privacy policy (within the Chart under “View Details”).
What’s the Rule for Sensitive PI?
You must obtain special consent from respondents, via a screener question or similar mechanism, before launching Actions that might collect Sensitive PI.
Categories of Sensitive PI vary by jurisdiction but generally include:
- Racial or ethnic origin
- Political opinions or affiliations
- Religious or philosophical beliefs
- Trade union membership
- Sexual orientation, sexual preferences, or sexual practices
- Data relating to criminal convictions and offenses
- Precise geolocation information (IP addresses)
- Zip codes
- Citizenship / immigration status
- Images, recordings, or captures of a person’s face
- Recordings of a person’s voice
- Data of minors between the ages of 13-17
- Health information (physical and mental). Health information is considered Sensitive PI and may only be collected after obtaining special consent. If your organization is a covered entity under HIPAA, medical information may be Protected Health Information (PHI), which requires heightened protections; contact your Suzy representative to discuss.
- Financial information
Is there any Prohibited PI?
The rule regarding Prohibited PI is to never ask for it. If these restrictions are insufficient for your research needs, and your legal/privacy/security teams have approved soliciting this information, contact your Suzy representative to discuss exceptions.
Prohibited PI includes:
- Respondents’ email addresses
- Credit card numbers
- Personal financial account numbers
- Passport numbers
- National ID card numbers
- Car loan number
- Driver’s license number
- Social Security number
- Medical records
- Account passwords
- Specific genetic information
- Fingerprints
- Voice prints
- Iris and retina scans
- Health plan account or beneficiary numbers
- PI of anyone who hasn’t given permission for the processing of their PI. Keep inadvertent disclosures in mind. Example: Social media feeds may contain the PI of others that have not provided their consent to share such PI.
- Data of children under the age of 13
- HIPAA-applicable Protected Health Information. If you are a covered entity under HIPAA and your Action might involve Protected Health Information (PHI), contact your Suzy representative for more information.
Best Practices
- If you don’t need PI, don’t ask for it.
- If you need PI, only ask for the minimum amount you need. Example: asking for a birth year instead of MM/DD/YY to gauge respondents’ age, or asking respondents to select amongst age ranges.
- Sensitive PI requires a special screener.
- Do not ask for Prohibited PI.
- If you choose to export responses containing PI from the Suzy platform, you must do so with data protection in mind. Store it securely, restrict access/sharing, and securely dispose of it when no longer needed following your organization’s internal policies.
- Communicate with your organization’s legal, privacy, and security team(s), so they can determine their acceptable level of risk related to PI. For more information/questions, visit our Trust Center.
- If these best practices are insufficient for your research needs, or if your company’s internal policies prohibit all PI, please contact your Suzy representative to discuss alternatives.