When using personal data for market research purposes, what constitutes “true” market research? Section 33 of the Data Protection Act 1998 exempts processing of personal data for “Research, History and Statistics” from parts of the Act.
However, this exemption only covers “true” research projects in which the data “are not processed to support measures or decisions relating to particular individuals” and which could not cause substantial damage or distress to the individuals.
The Market Research Society rules define these projects as “classic” confidential research. A survey falls under this definition if feedback to the client takes the form of totally anonymous tables and statistical analysis that cannot be attributed to individuals.
However, even where the exemption applies, the Data Controller must still have legal grounds for processing the data. The applicable grounds here could be either contract fulfilment, “balance of interests” or consent.
The “balance of interests” clause states that processing is lawful if:
“6. – (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”
[Schedule II clause 6 (i)]
There should be little doubt that the data controller’s interests in conducting “true” market research are legitimate and would not prejudice the rights of the individuals concerned. Opted-out individuals may be included as the opt-out is for direct marketing, not research.
The ICO is particularly unhappy about the practice of disguising marketing messages as market research (commonly known as “sugging”).
Extract from ICO’s Direct Marketing Guidance on market research and ‘sugging’:
38. The direct marketing rules will not apply if an organisation contacts customers to conduct genuine market research (for example the purpose is to use market research to make decisions for commercial or public policy) or contracts a research firm to do so, as this will not involve the communication of advertising or marketing material. However, organisations conducting market research will still need to comply with other provisions of the DPA, and in particular ensure they process any individually identifiable research data fairly, securely and only for research purposes.
39. However, an organisation cannot avoid the direct marketing rules by labelling its message as a survey or market research if it is actually trying to sell goods or services, or to collect data to help it (or others) to contact people for marketing purposes at a later date. This is sometimes referred to as ‘sugging’ (selling under the guise of research). If the call or message includes any promotional material, or collects data to use in future marketing exercises, the call or message will be for direct marketing purposes. The organisation must say so, and comply with the DPA and PECR direct marketing rules.
40. If an organisation claims it is simply conducting a survey when its real purpose (or one of its purposes) is to sell goods or services, generate leads, or collect data for marketing purposes, it will be breaching the DPA when it processes the data. It might also be in breach of PECR if it has called a number registered with the TPS, sent a text or email without consent, or instigated someone else to do so.
41. Organisations must not ask market research firms they employ to: promote their products (this will include asking the research firm to use the organisation’s goods/services as a way to incentivise participation); or give them the research data for future sales or marketing purposes unless the individuals contacted agree to this and all communications comply with PECR (eg calls are screened against the TPS register).
42. If during a genuine market research project an organisation discovers errors in its customer database, we consider it can use the research data to correct these errors without breaching the DPA or PECR. This is consistent with the obligation under the fourth principle to ensure personal data is accurate and up to date. However, organisations should not deliberately use market research as a method of keeping their customer database updated.
Updated May 2016
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to the Data Protection Act 1998 or other statutory measures referred to in the document.