By Walt Dickie, Executive Vice President
C+R started moving online in the late 90s, and the trickle became a flood in 2000 when we launched www.kidzeyes.com, our first online panel. From that point on we always had the Children’s Online Privacy Protection Act (COPPA) in our minds. The result was that an awareness of online privacy and security issues got baked into C+R’s DNA.
We were lucky because we were prepared when the Sarbanes-Oxley Act made companies re-think their risk management strategies, the Gramm-Leach-Bliley Act drove our financial clients to focus on privacy, and the Health Insurance Portability and Accountability Act changed the focus in healthcare. And big public privacy gaffes – most recently, the disclosure of customer data connected with 77 million PlayStation accounts – brought the importance of protecting customer data to the fore for almost everyone else.
As part of our regular SAS 70 review, we recently re-drafted our Privacy Policy and website Terms of Use statements to make them easier to understand and to bring them up to date with changing technologies and methods.
We have a procedure in place for reviewing our data collection partners’ data handling policies and practices to determine whether we can trust them to receive protected data, such as personally identifiable financial or health data. We’ve scored phone rooms and focus group facilities for a while now, but until recently hadn’t considered online community platforms, bulletin board systems, journaling sites, webcam focus group facilities, or other suppliers catering to the skyrocketing online qualitative arena.
We’ve realized two things: one is that we have to be prepared for the explosion of MR methods that’s going to turn the field upside down in the next few years and expand our supplier review to cover new methods as soon as possible; the other is that the MR industry hasn’t gotten the message.
I’m not going to name names; that’s not the point of this post. But having recently scoured suppliers’ websites for Privacy Policies and formally requested documentation from vendors ranging from major software providers to online start-ups, we’ve found an industry that’s at least 10 years behind the curve.
The major MR organizations, such as CASRO, of which C+R is a member, have spoken loudly and clearly about these issues for some time. Any number of conference presentations have been given. Leading-edge clients have demanded proof and audited results from us. But we found that minimal steps, such as a well-thought-out privacy policy, are beyond the reach of many vendors. And more serious programs, such as security audits and regular penetration testing, haven’t generally been so much as considered.
Will it take a PlayStation-sized data fiasco for the industry to finally understand what we are risking – for ourselves and our clients – by our cavalier attitude?