CCPA Changes the Rules for Market Research

Helixa-CCPA-Privacy_V03

Privacy, Data privacy / by Florian Kahlert on November 22, 2019

CCPA Changes the Rules for Market Research

Will our industry be the collateral damage from efforts to curb marketing excesses?

 

I was watching Silicon Valley’s new season last week, which runs through issues of large-scale data collection and aggregation, the use of AI to cluster and segment it, and the privacy implications of all of the above – all in the first few episodes.


What was once relegated to office cubicles and generally ignored by the general public has launched into mainstream pop culture, reflecting the shift in public awareness that followed a few years of high-profile privacy issues and congressional appearances.

 

This should come as no surprise to anyone who has been closely watching this space.

 

GDPR was the first major wake-up call, but it still allowed many U.S. companies to remain nonchalant about the impending consequences. For many businesses focusing on the U.S., Europe was a faraway land, and GDPR was someone else’s problem. But now the California Consumer Privacy Act (CCPA) brings similar legislation to our shore, and a lot of companies. Are. Freaking. Out.

 

Consumer privacy has long been a priority for researchers

 

CCPA won’t just affect one-to-one marketers who want to connect with consumers in their own databases. Market researchers, who have historically been at the forefront of responsibly handling and protecting consumer data, will be affected by this new legislation. 

 

In addition to the ethical considerations, it simply makes good business sense to handle data properly and respectfully. This has always been the case, and it will remain true going forward. As such, our industry has always gone a step beyond what was required by law.

 

However, CCPA attempts to curb the excesses of the marketing industry has thus moved the goalposts, and the research side of the business has become collateral damage, of sorts. Now we need to take our efforts even further to comply with a law that can be fuzzy in its execution.

 

Mutual trust is critical but increasingly difficult

 

It’s paramount that the people who participate in research projects trust the researchers and process, whether they are survey respondents or panelists. We need these people to stay engaged and behave naturally for the results to remain valid, because they are representing the larger population we seek to understand. To foster that trust, we understand that mutual respect is non-negotiable.

 

However, that imperative became harder to maintain the further we moved into the 21st century. People have less time and survey response rates have plummeted as a result, increasing costs and contributing to the difficulty of proper research analysis. At the same time, many new data sources have become available for analysis. While some were built by the research companies themselves, many third-party sources tempt researchers with data that is difficult to obtain through other means.

 

We can trace the current privacy concerns facing market researchers to this point. Often, there is no way to control the original data collection when buying source data from third parties. Because of this, we have to trust the partner’s claims that their methodology was both responsible and compliant with all current and upcoming regulations – emphasis on the “upcoming.”

 

The implications of dropping one letter

 

Of all the ground covered by the multifaceted CCPA bill, the more subtle-seeming rule changes are the most worrisome. For example, a surface-level view of the move from PII (personally identifiable information) to PI (personal information) may seem trivial, but a deeper look into the specific definitions demonstrates how profound that change is in practice.

 

The new definition is a massive departure from PII, which seems quaint in comparison. It describes PI as “anything that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” The uncertainties invited by phrases like “reasonably” and “is capable of” are disconcerting and even confusing at points. I can already see the first lawsuits “clarifying” these things. 

 

Here’s a real-world example: Often, research companies have taken third-party data and appended it to information about real people in their databases. They may not be able to identify the source of this appended information after it was added. What if, under CCPA, the consumer revokes the right to use this information from the third party?

 

Even if the research company had collected it all themselves, they could run into issues with anonymized data. How do you comply with a request for the removal of personal information when you don’t know which data point corresponds to the person in question?

 

These questions may seem theoretical, but they are causing real anxiety throughout the research industry. It’s possible that some companies may even have to change structural aspects of their database technology to remain in compliance.

 

Additional concerns will arise with new technology

 

Research companies need to spend time and resources assessing how they will be affected as the CCPA bill comes into effect. Most companies that collect data will feel some impact, even those who only collect properly permissioned data for research without ever allowing companies to buy against it.

 

We must also look ahead at the additional concerns that will emerge as the industry continues to progress, and the eventual amendments and legislation that will arise as a result. 

 

For example, AI and machine learning algorithms can determine potential shopping preferences using public data, without ever getting confirmation from the panelist in question. That data point could possibly be considered personal information that would be protected by CCPA, but should it?

 

We saw this coming

 

Some companies will have an easier time adjusting than others.

 

At Helixa, we have built a research company for the 21st century. We only allow either public data or anonymous data devoid of PII on our platform. That data is processed in compliance with all current laws and regulations, in a way that cannot be reverse-engineered by any end-user. 

 

We don’t support targeting for advertising campaigns, going so far as to hold that stance with lookalike seed pools as well. And of course, we never sell data to third parties outside of the aggregated analytics we provide to our clients.

 

Because of these safeguards, which were built into the core of our platform, our clients and employees can sleep soundly at night knowing we are playing it safe and expect to be compliant with all aspects of CCPA.

 

I want to end with a bit of advice I have given to those who have asked me for my thoughts on this situation: Every marketer and researcher is also a consumer. Consider how you would feel if it were your personal information at stake, and exercise the utmost level of common sense and accountability, accordingly.

 

Subscribe Now