ESOMAR monitors, assesses and influences international legislation that may impact market, social and opinion research.
Whether you are a researcher, regulator, association, journalist or other interested stakeholder, this page serves to explain why ESOMAR has prioritised certain Government Affairs issues and will provide you with background information on our key concerns, issues and messages to regulators. This section will be particularly relevant to associations in need of background information when lobbying national governments.
For specific queries, you can contact firstname.lastname@example.org or for press enquiries please contact email@example.com. Your feedback is also very welcome so that we can keep this page updated and as relevant as possible.
Check out the list below of key regulatory issues and click on each title to read more:
Data protection and privacy issues are at the forefront of many legislative agendas and many governmental and inter-governmental organisations are considering how to incorporate the latest online and technological developments into the scope of their laws which cover the collection, processing, and secure storage of personal data. Currently, the European Commission (EC) is updating the European Union's 1995 data protection law, the Council of Europe (CoE) is updating its Convention 108 on data protection and the US Federal Trade Commission (FTC) is also reviewing whether it should regulate privacy in a more uniform way. Additionally, the Organisation for Economic Co-operation and Development (OECD) is reviewing its OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data which pre-date all of the above rules as well.
In other regions, new rules are also being introduced to some Asia Pacific (APEC) and Latin American countries for the first time.
Regulators are exchanging views on important issues arising from the latest developments and technologies such as social media and online behavioural tracking and these debates could have a significant impact on market research and the legal obligations of researchers around the world depending on how regulators align their views.
ESOMAR, together with EFAMRO, CASRO and other associations, is developing position papers and holding meetings with regulators to explain the legitimate requirements of research and promote the value of market, social and opinion research and their contribution to informed decision-making. In doing so we emphasise that:
Personal data generally means any information relating to an identified or identifiable natural person i.e. a private individual (although some countries go further to include corporate or other comparable entities in certain circumstances). An identifiable person is someone who can be identified directly or indirectly, in particular by reference to an identification number or the person's physical, physiological, mental, economic, cultural or social characteristics. It includes an individual's postal address, telephone number and e-mail address. If all data which could lead to the identification of an individual are removed from data records (i.e. they are anonymised), the data set no longer contains personal data and is no longer subject to the requirements of data protection and privacy laws or to early deletion.
The application of research codes of conduct and practice has always placed great emphasis on the elimination of any risk of a breach of respondent confidentiality. This requirement is built into the ICC/ESOMAR Code and other self-regulated codes used by research associations internationally.
For more details read:
Some types of data must be handled with greater care.
The EU Directive on the protection of individuals and processing of personal data adopted in 1995 defines data on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and data on health or sex life as sensitive and prohibits their processing without explicit consent unless other clearly defined criteria have been met.
In the United States, personal health-related information, income or other financial information, e.g. financial identifiers and government-issued or financial identity documents are also regarded as sensitive.
ESOMAR and EFAMRO have recommended to the EC that sensitive data categories be both clearly defined in law and harmonised across the EU, to avoid unnecessary administrative burden for both research businesses and respondents. The different ways that 'explicit consent' has been translated into local legislation adds confusion and complexity. Our position is that introducing further requirements would place an unwarranted burden on research and its ability to produce robust and valid data for the benefit of businesses, governments and citizens.
For more details read:
EU and US legislators have proposed that privacy notices are more clear, concise and easily accessible.
In the EU, a key principle relating to data quality is that information must be processed fairly and lawfully.
The EU is currently considering introducing:
Another important issue for the EC is the principle of "purpose limitation", whereby personal data is used only in ways that have been described to the data subject at the time their informed consent is obtained. If the purpose changes, then the individual has to renew their consent for the new purpose. It is expected that more coherent implementation of this principle across the EU Member States will give data subjects greater control over their personal data.
For example, online researchers usually collect an IP address which enables the unique identification of a particular machine. This protects the robustness of research results by ensuring that individuals or groups of individuals cannot bias research projects by submitting multiple or fraudulent responses. ESOMAR and EFAMRO have advocated to the EC that the collection and processing of this information is relevant and proportionate to the specified purposes of the data controller.
For more details read:
The general public is rightly concerned about how personal opinions and behaviour are recorded and used by others. Transparency, control and choice are therefore key concerns for legislators when considering how consent to collect and hold personal data is obtained and market, social and opinion researchers have to be very mindful of these principles.
The EU Directive on the protection of individuals and processing of personal data adopted in 1995 requires 'unambiguous consent' for data collection and processing. This is translated and interpreted differently by different national authorities and might be harmonised in a legislative review currently underway.
The FTC in the USA is also listening carefully to privacy advocates who call for a clearer indication of an individual's consent.
Consent for all types of research is necessary and new types of research require finding suitable solutions to obtain consent for both the data subject and researcher. This is particularly true of online advertising where cookies are used to measure the value of advertising, as well as for improving its targeting. ESOMAR in cooperation with other associations attempts to ensure that legislators understand the purpose of new techniques that researchers use to measure advertising consumption. Market research plays an important role for advertisers in placing a value on advertising e.g. measuring the reach and impact of advertising in different media. If an advertiser cannot measure the impact on their target audience, then they cannot determine their return on investment and they are less likely to advertise which could be damaging for media which are supported by advertising.
ESOMAR and EFAMRO have informed the EC that unambiguous consent, as defined by ESOMAR in the ICC/ESOMAR Code and Notes on how to apply the Code, is a reasonable level of consent to adequately protect data. Such consent requires data subjects to clearly understand what data that is being collected about them, who is responsible (i.e. who is the data controller), who will have access to it and what it will be used for.
In a research interview, unambiguous consent is obvious – i.e. after the introduction to the project the respondent provides answers to the questions they are asked. There is no need to ask a specific question to obtain permission for the processing of data, but the consent of the data subject is clear nonetheless from the circumstances of the data collection. Only in cases where data collection is not obvious, for example when observing behaviour, or where further data collection is intended at a later date, would additional information need to be provided and consent obtained if there were any possibility that research subjects could be identified.
For more details read:
Cookies are small text files stored by a website on your computer that assign a numerical user ID and store certain information about your online browsing. These are essential for the proper functioning of most websites.
The EU 2009 e-Privacy Directive restricts how a cookie can be stored on a user's computer, or accessed from that computer. This Directive is currently being implemented in EU Member States.
The FTC Preliminary report on Protecting Consumer Privacy in an Era of Rapid Change highlighted how consumers are increasingly concerned about how to delete cookies on their computer, resorting to mechanisms such as the Targeted Advertising Cookie Opt-Out tool ("TACO"), which allows consumers to prevent online advertising networks from serving targeted ads based on web browsing activities. The advertising industries, on both sides of the Atlantic, have developed their own mechanisms - incorporating an icon to inform about tracking cookies and have offered an opt-out. This opt-out option is currently being scrutinised by regulators for its compliance with existing laws as well as to assess its robustness for recognition in future legal frameworks. You can learn more about this in the section on profiling and online tracking techniques below.
For more details, read:
Online identification and tracking technologies have developed rapidly on a global scale over the past few years. While many of these technologies are designed to improve the computer user's experience, they have led to close scrutiny from privacy advocacy groups who are concerned about the potential for organisations or individuals to identify and monitor individuals online without their knowledge.
Internet browsers are being developed with functionality that allows users to indicate to websites that they do not wish to receive targeted online behavioural advertising. Browser manufacturers are also developing lists of firms tracking user behaviour, so that users can refuse tracking cookies and/or block these sites.
A new challenge has been issued by European Commissioner Neelie Kroes to standardise do-not-track (DNT) solutions. Ms. Kroes' challenge involves not just the advertising sector (praised by Kroes for efforts in introducing an icon to signal online behavioural tracking) but now extends to all types of organisations that use tracking. Her stated aim is to standardise and introduce greater transparency to the practice by June 2012.
The EC has also indicated that it is considering regulation of the collection and further use of information about individuals as they move across the internet, or indeed offline, which could be combined to build a profile of an individual without that individual's full knowledge and consent. No generally agreed definition of profiling an individual exists at present.
The Council of Europe has also become concerned about profiling. Its "Recommendation on the protection of individuals with regard to automatic processing of personal data in the context of profiling" used a very broad definition of profiling which could potentially include all profiling and segmentation activities, not just those carried out online.
The Council of Europe has renewed its efforts to update its legally binding rules in Convention 108 on data protection in 2011-2012, which ESOMAR will continue to monitor with EFAMRO.
ESOMAR contacted the Council of Europe in 2010 regarding its proposal to develop this recommendation. At that time, the Council offered clarification that market, social and opinion research would normally be expected to apply other existing requirements designed for statistical research rather than this Recommendation.
ESOMAR and EFAMRO, in recent position papers and statements has informed the Council of Europe and the EC that if profiling is too broadly defined, it would impact the statistical techniques used to improve the quality of samples, which in turn could have a detrimental impact on the quality and representativeness of research results.
For more details, read:
The FTC has discussed online do-not-track (DNT) proposals. In it's report on Protecting Consumer Privacy in an Era of Rapid Change (December 2010) it suggested its preference for do not track mechanisms that provide persistent opt-out options built into internet browsers versus the advertising industry attempts to provide opt-out solutions for behavioural targeted advertisements delivered by advertising networks.
ESOMAR, in co-operation with CASRO, is addressing pro-DNT regulators and raising awareness that the research industry's differentiation from marketing and advertising results in 1) a level of public trust that improves researchers' access to and relationship with respondents, and results in 2) higher quality and reliable research.
Additionally, tracking should not be confused with device identification and IP address information which are widely used in research for the sole purposes of survey administration, survey fraud detection and prevention and research quality control. A standard which would require an opt-in before using identification and tracking technologies for these legitimate research purposes would seriously impair survey response rates, integrity and reliability.
Filter lists to block content and tracking scripts, could extend beyond online behavioural advertising to include legitimate website analytics and research activities and could block research panel cookies. This could occur even if the firms have obtained explicit consent from individuals to monitor their online behaviour. The industry needs to engage constructively with firms that provide this service in order to ensure that legitimate research activities, where users have given permission, are not blocked.
For more details, read:
The key topic that has recently attracted more concern from regulators is about the ability for an individual to exert control over their data, particularly online. In a number of countries, a 'habeas data' right exists in civil codes or constitutions which protects an individual by allowing them to find out what personally identifiable data is held about them in a manual or automated database and provides them with the right to rectify incorrect data.
Depending on the country, if research takes steps to anonymise data, it may be exempted by law from this.
The "right to be forgotten" is an issue that the EC is focussing on, in particular for social networking. In practice, this could mean that people who want to delete profiles on social networking sites would be able to rely on the service provider to remove their personal data such as photos and text automatically after a certain period if they do not continue to use the service or if they resign membership. This should not present a problem for researchers.
However, EFAMRO and ESOMAR support the retention of the exemption to the right of subject access in EU legislation when data are processed solely for purposes of scientific research or are kept in personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics, the data are not used for taking measures or decisions regarding any particular individual and there is no risk of breaching the privacy of the data subject. These provisions allow access to historic data to compile research and statistical records and should be retained in the review of the Directive.
In research, the International Standard for market, social and opinion research, ISO20252, sets minimum retention periods for data collected or generated in the course of research projects (primary records 12 months, all other final documents 24 months) and this is also reflected in the sector's self-regulatory codes such as ICC/ESOMAR code, article 6. The purpose of these retention periods is to allow for necessary processes such as quality control and verification of results.
For more details, read:
Security measures are increasingly discussed by regulators to ensure that individual businesses that collect and hold personal data not only maintain a strict security regime themselves, but also ensure that their business partners offer at least an equal level of security. As it stands, EU and FTC regulators are proposing to increase their powers to apply significant fines for breaches of security. Regulators globally are also discussing privacy-by-design so that privacy and data protection are incorporated into the development and application of new information technologies. For example default settings in social networking sites that protect privacy while allowing social media users to choose lower levels of privacy if they wish. Another example includes transparent, understandable and comprehensive privacy policies that provide users with key information that they need to know before their personal data is collected and processed. The latest ESOMAR Guideline for Online Research provides an example of a layered guideline which is designed to meet this requirement.
ESOMAR and EFAMRO have indicated their joint support to the EU for privacy-by-design. However, it should be based on the risks of the technology used, should be technology neutral and regulators should not subject new technologies to a higher standard of scrutiny than current technologies as this would inhibit new technologies and innovation. The ICC/ESOMAR International Code requires researchers to employ adequate security measures in order to prevent unauthorised access, manipulation to or disclosure of personal data. The code also requires researchers to check that the third parties that they use for data processing employ at least an equivalent level of security.
For more details, read:
With the development of new technologies and processes such as cloud computing, it can be difficult to determine which law applies to data processing.
The European Commission (EC) has proposed developing clearer rules to determine which country's law applies.
ESOMAR and EFAMRO and their application across the EU but stress that this should seek to strike a balance between current divergences in interpretation to ensure that no single national market or jurisdiction is disproportionally affected by a change in the application of the Data Protection Directive.
For companies operating from the EU, if the non-EU country to which the company wants to transfer the data does not have an adequate level of protection according to the EU's national data protection authorities' criteria, then the company will need to choose other available methods to ensure the data transfer is legal. For example, the popular outsourcing destination of India has not been granted an adequate status although it is currently updating its laws. EU companies transferring data, for example to India, might alternatively consider gaining approval from their national data protection authority for their own binding corporate rules on data transfer to legitimise transfers to their organisation's affiliates in countries with laws failing to meet EU standards. Standard contractual clauses adopted by the EC in 2010 can also be used for relationships with data processors in countries outside the EU, but research companies need to check whether such clauses require verification or approval depending on the rules currently applied by different national data protection authorities.
The United States (US) takes a different approach to data protection compared with the EU but the US Government requires companies doing international transfers of data with the EU to join the US Safe Harbor self-certification scheme to meet relevant EU standards.
For more details, read:
The EC and other regulators have been debating whether to impose additional controls to protect children online. The EC in its consultation proposed defining such regulations for 'minors'.
ESOMAR and EFAMRO responded to the EC noting that prohibiting the collection of data from under 18s or treating all such data as sensitive data would not be appropriate as young people can leave school, or attend university and are autonomous at that age. There is also a need to balance measures to protect children and young people with their rights of expression in line with the UN Convention on the Rights of the Child (articles 12 and 13) which also guarantees rights to express views to participate in society. If additional restrictions are introduced, these should mirror the self-regulatory rules already in place. For example in the Notes on how to apply the ICC/ ESOMAR International Code and ESOMAR Children and Young People Guideline, a child is defined as below 14 and a young person is considered 14-17 years old. Specific guidance for questionnaires on websites aimed at children can be found in ESOMAR's updated Online Research Guideline, although researchers should check national self-regulatory codes for stricter rules.
For more details, read:
Both the EC and the FTC are demanding stronger self-regulation and the EC in its consultation asked for feedback about the desirability of certification schemes.
ESOMAR and EFAMRO responded in various position papers to the EC that an environment which supports self-regulation, by providing advice and guidance to assist code holders in ensuring that codes of conduct are robust and fit for purpose, would be helpful and that industry guidelines provide an opportunity to keep regulation up to date with legal and technological developments. Regulators should allow individual sectors to provide effective self-regulation and for regulators to intervene only if that system is not working. Similarly, CASRO and ESOMAR, in a recent position paper have asked the FTC to recognise the self-regulation provided by codes of conduct as a more effective means to provide consumer protection. Since the 1940s, market, social and opinion research has been robustly self-regulated by a family of codes of conduct and practice, supported by strong compliance and disciplinary frameworks. Amongst these, the ICC/ESOMAR International Code on Market and Social Research (last updated 2007) is one of the oldest international codes for self-regulation of a profession in the world. Self-regulation provides a level of detail and granularity that is impossible to achieve in national or supra-national legislation and encourages sector specific authoritative guidance and regulation.
When sugging (selling under the guide of research) or frugging (fundraising under the guise of research), traders deceptively present themselves to consumers as conducting market research, which is commonly understood not to involve any form of commercial message.
Currently sugging and frugging are banned in the case of telephone communication in the EU according to a 1997 EU law on distance contracts. However there is no similar protection against such practices used in person or in any other form of communication, such as letter, fax, and email. Market researchers consider this position to be anomalous and request that the Commission makes clear that sugging and frugging fall within practices banned by the Directive. For more details, read our latest news.
Hotly contested elections are often accompanied by a political debate about whether pre-election public opinion polls should be more strictly regulated, the latest example being in France.
These discussions tend to focus on the possible presumed negative effects of opinion polls on the outcome of elections and as a consequence, attempts are made to introduce bans or tighter restrictions on the conduct or publication of opinion polls.
Opinion polls are of broad interest and are widely reported in the media and therefore can cast a spotlight on the market research sector in general. ESOMAR and other market research associations promote the right to freedom of expression and to conduct polls but also adopt a proactive approach to self-regulation to ensure they are conducted and reported professionally and ethically.
In some countries, e.g. Great Britain, Germany, the United States and The Netherlands, the publication of opinion polls, including pre-election polls, is subject to self-regulation rather than a specific legal framework and ESOMAR collaborates with other associations to promote this approach. Recently, ESOMAR worked with SYNTEC, the research association in France, to explain to regulators about the legitimate requirements of researchers in conducting opinion polls following a challenge by the French Parliament in 2011.
Further information on the French proposals.
Bidding for contracts launched by public authorities is an expensive and resource-intensive process, which could benefit from more transparency.
The process is also expensive for researchers and resources are wasted if too many bidders are asked to submit full tenders. In some cases, researchers have to provide documentation amounting to more than 2000 pages for a single proposal.
ESOMAR in collaboration with EFAMRO, urged the EU to lift the administrative burden for research companies responding to public calls for tenders in a 2011 position paper to the EC. They agreed with the EC's enquiry that current procedures hinder efficient purchasing and that more flexible yet transparent and fair procedures should be introduced, to enable smaller companies to better compete.
ESOMAR and EFAMRO responded to the European Commission's public consultation on its 'Green Paper on the modernisation of EU public procurement policy: just ahead of an expected update of EU legislation on public procurement in 2012.
For more details, read:
Public authorities and governments often gather large volumes of information which can be published and reused to benefit society in general. Most of this is raw data that can generate new products and services in both the public and the private sector. There are regulatory efforts e.g. in the EU to make this information available more widely.
Researchers regularly rely on publically available information to define universes and provide sampling frames. Public sector information is a valuable source of information on the general population and businesses and can also help verify research findings.
ESOMAR and EFAMRO informed the EC in its consultation of the need to update the reuse of public sector information law in the EU and that the reuse of public sector information has not reached its full potential. Both associations highlighted the need for researchers to have greater access to up-to-date information that will facilitate both national and multi-country studies. This access should be harmonized and free, or available at marginal cost, for non-commercial activities such as research.
Fairer conditions of reuse for commercial researchers in relation to their public or academic counterparts are also needed. Problems that still remain with restrictive copyright regimes, electronic access and standardised formats should be further improved.
For more details, read: