Ethical Issues


Handling personal data

Data provided by respondents is confidential and the identity of respondents must be protected. The identity of respondents must not be revealed to the user of the information without respondents’ explicit consent and the researcher must ensure that information is collected for specified research purposes and not used in any manner incompatible with these purposes (see Article 7 of the ICC/ESOMAR International Code). No personally identifiable information may be used for subsequent non-research purposes such as direct marketing, list-building, credit rating, fund-raising or other marketing activities relating to those individual respondents (see Article 1d of the Notes to the ICC/ESOMAR International Code).


Personal identifiers

A respondent’s e-mail address or other personal identifiers (e.g. screen or user name or device identifier where it is recorded in the data) are personal data and must be protected in the same way as other identifiers. Read more

If all data which could lead to the identification of an individual are removed from data records (including identifying serial numbers which link to a separate file of identity data) the data set no longer contains personal data and is no longer subject to the requirements of data protection and privacy laws or to early deletion.


Notifications and e-mail

Researchers must remain mindful of concerns about privacy and intrusion and not make unsolicited e-mail approaches to potential respondents even in countries where this is still permitted by the law unless individuals have a reasonable expectation that they may be contacted for research.

Researchers must reduce any inconvenience such an e-mail might cause to the recipient by clearly stating its purpose in the subject heading and keeping the total message as brief as possible.

The same requirement applies to other electronic messages (eg instant messaging, SMS etc). See section 4.4 on Interactive mobile.


Specific requirements

The general principle is that market researchers will not use unsolicited e-mails to recruit respondents for research purposes whether consumer or business-to-business. Read more

Researchers are required to verify that individuals contacted by e-mail for research have a reasonable expectation that they will receive a contact for research. Such agreement can be assumed when all of the following conditions exist:

  1. A substantive pre-existing relationship exists between the individuals contacted and the research organisation, the client or the list owners providing sample for the research (the latter being so identified);
  2. Individuals have a reasonable expectation, based on the pre-existing relationship, that they may be contacted for research;
  3. Individuals are offered the choice to be removed from future electronic contact in each invitation in a clear and distinct way and this must be free of charge and easy to implement;
  4. The invitation list excludes all indi¬viduals who have previously taken the appropriate and timely steps to request the list owner to remove them.

Researchers must not use any subterfuge in obtaining electronic addresses of potential respondents, such as collecting e-mail addresses from public domains or under the guise of some other activity, or using technologies or techniques to collect e-mail addresses without individuals’ awareness.

Researchers must not use false or misleading return e-mail addresses when recruiting respondents over the internet.

Unsolicited survey invitation e-mails may be sent to business-to-business research respondents provided that researchers comply with points 3 and 4, as well as the anti-spam policies of their internet and e-mail service providers. This also applies to e-mail addresses of professionals whose details have been published in the public domain - e.g. lists of doctors or lawyers.

When receiving e-mail lists from clients or list owners, researchers must have the client or list provider confirm in writing and/or some durable form that individuals listed have a reasonable expectation that they will receive e-mail contact, as defined above.

It is good practice for researchers to keep copies of e-mails and other documents received from respondents agreeing to, or restricting, the use of or access to their personal information. This is a legal requirement in some countries, amongst others, all EU (European Union) member states, Argentina, Australia, Canada, New Zealand, and U.S. companies that participate in the U.S.-EU Safe Harbour Framework.


Privacy policies

Researchers must post a privacy policy statement on their online site. It must be clear, concise, and prominent.


Recommended content

The privacy policy must be made available as a link from every online survey and inform research participants how their personal information is used, kept secure and the conditions, if any, under which it may be disclosed to a third party. Read more

Some elements of the policy will be standard for all surveys (see section A standard elements for all privacy statements). Other aspects will vary depending on the sampling methods used (see section B three additional elements). There may also need to include upfront disclosure of privacy related information relevant to a particular survey in the invitation to participate, in addition to the more general statements in the privacy policy.

  1. Standard elements for all privacy statements

    Statement of who is doing the research. This could include a hyperlink to the research company home page for more information.

    Who it is for: explanation that each survey will contain information about the identity of the company/organisation the research is being done for, unless there are good reasons for not providing this information. If the research company is providing a data collection service, the identity and contact details of the company receiving the personal data and therefore the “data controller”, in EU terminology, should be provided. For further guidance on this issue see the Notes on how to apply the ICC/ESOMAR International Code note on Article 4.

    Guarantee that in all circumstances identities of individual respondents and their answers will be treated as confidential and will be used only for research purposes unless the respondent explicitly requests or agrees to disclosure to a third party.

    Will not mislead you: e.g. ”In obtaining your co-operation we will not mislead you about the nature of the research or the uses which will be made of the findings”.

    Voluntary: e.g. “As with all forms of market, social and opinion research, your co-operation is voluntary. No personal information is sought from or about you without your prior knowledge and agreement”.

    Withdraw: e.g. “You are entitled to withdraw at any stage of the interview, or subse¬quently, to ask that part or all of the record of your interview is destroyed or deleted. Wherever reasonable and practical we will conform to such a request”.

    Identification and tracking technologies: clear state¬ment of any technologies and processing related to the survey that are taking place. In addition to specific software that may be downloaded to a respondent’s computer or device, most web surveys can detect information about the respondent without their knowledge such as browser type, user name and computer identification. Statements should say clearly what information is being captured and used during the interview (e.g. data collected for tracking purposes to deliver a page optimised to suit the browser) and whether any of this information is being retained as part of the survey or administrative records.

    Cookies: clear statement if they are being used, and if so, why e.g. “We use cookies and other similar devices sparingly and only for quality control, validation and to prevent bothersome repeat surveying”. If cookies are being used, it would be advisable to include a reminder that the respondent has control over whether their computer accepts cookies e.g. ” Ensure your browser is configured so that you are alerted to the placement of all cookies. You can also delete cookies by adjusting your browser settings”.

    Children: clear statement about how interviews with children will be carried out e.g. “In research involving children, we will seek the verifiable permission of a parent, legal guardian or other person legally responsible for the child before an interview commences”.

    How to contact us: e.g. “We will provide a postal address, an e-mail address and/or a freephone number for respondents to contact us to discuss any concerns about a particular survey”.

    Security measures: e.g. “Our web site has security measures in place to protect the loss, misuse, and alteration of the information you provide to us. Only authorised employees have access to the information for data analysis and quality control purposes. If personal data are transferred to third parties, we ensure that they employ at least an equivalent level of security measures”.

    Unsolicited mail: state policy not to send unsolicited mail or pass on e-mail addresses to others for this purpose.

    Access to personal information note: how to access and if necessary correct information held on a respondent.

    Where the data is held/processed: as many companies operate globally and may collect data in one country and process in another.

    Registered address of the organisation.

    Date the policy was last updated.

  2. Three additional elements which will need to be included depending on the methodologies used to contact potential respondents.
    1. Where the respondent is being invited to join a panel for market research purposes, or has already joined:

      The sign up process: describe the registration process.

      The panel database: describe information that will be stored in a research participant database, for panel management, control and sample selection and the process for updating it, deleting it or deleting all personal identifiers.

      Frequency of contact: give an indication of what participation involves e.g. how often, for how long.

      Password identity system: if it is used, describe how it works and the security it offers.

      Opt in and opt out policies for communications other than surveys, such as panel maintenance or reward schemes. State what communications will be sent, which are optional and clarify any potential communications on behalf of third parties.

      Reward: explain any reward scheme and if this forms the basis for a contract.

    2. Where the researcher has obtained a list of e-mail addresses in order to send invitations to participate in a survey:

      Source of information: clear statement of where the e-mail address came from or that this will be included in the information given in the survey itself. A statement that the list provider has verified to the researcher that the individuals listed have a reasonable expectation that they will receive e-mail contact.

      Spamming: will not knowingly send e-mail to people who have not consented to helping in research and must include a mechanism for the researcher to remove their name from future surveys or notify the provider of the e-mail list.

      Password identity system: if it is used describe how it works and the security it offers.

      Stop and start interview process: if this is possible explain how, and any information stored to allow it.

    3. Intercept surveys where the respondent is selected as a 1-in-n sample of visitors to a web site or similar technique:

      Explain intercept technique: e.g. random selection.

      Password identity system: if it is used, describe how it works and the security it offers.

      Stop and start interview process: if this is possible, explain how, and any information stored to allow it.

      Invisible processing: describe any invisible processing used to make the intercept or re-direct respondents to the survey.

Appendix 2 – Example privacy policy


Children and young people

Researchers must be sensitive to concerns of parents, consumer groups and legislators about the potential exploitation of children and young people on the internet. All reasonable measures must be taken to ensure verifiable and explicit permission is obtained from a parent or legal guardian to invite a child to participate in a research survey although it is recognised that the identification of children and young people is not possible with certainty on the internet at this time.


Obtaining permission

Researchers must observe all relevant laws and national codes specifically relating to children and young people noting that the age definition for children varies from country to country. Read more

Where there is no specific national definition, the ESOMAR Guideline on Interviewing Children and Young People recommends those aged under 14 should be treated as “children” and those aged 14-17 as “young people” since market research is founded in the social sciences and recognizes different stages of mental and psychological development. note

Before interviewing children, researchers must ensure that permission is obtained from a parent, legal guardian or other person legally responsible for the child (hereafter referred to as ‘parent’).

Questionnaires on websites aimed at children must require a child to give their age before any other personal information is requested. If the age given is below the nationally agreed definition of a child, the child should not be invited to provide further personal information until the appropriate permission has been obtained. This notice must be clear and prominent, include an explanation of the subject and refer to the fact that permission will be verified where relevant. A request to the parent for their permission must be provided on the research provider’s website or e-mailed to a parent.

Where personal information collected from children will only be used for research purposes and no personal data will be passed on for any other purpose, permission can be a return e-mail from the parent or other suitable method that is in compliance with the relevant laws and national codes.

Reasonable steps must be taken to validate that they actually have agreed by following up with an e-mail, letter or phone call for example, having asked the child to provide their parent’s contact details so that their permission can be sought.

Prior parental permission is not required to:

  • Collect a child’s or parent’s e-mail address solely to provide notice of data collection and request permission.
  • Collect a child’s age for screening and exclusion purposes. If this screening leads to the decision that a child does qualify for interview, parental permission must then be sought to continue with the interview.

In ensuring that all reasonable precautions are taken to ensure respondents are not adversely affected as a result of participating in a research project, asking children and young people questions on topics generally regarded as sensitive must be avoided wherever possible and in any case handled with extreme care.

Personal information relating to other people (for example, parents) must not be collected from children.

Where researchers are setting out to recruit children for repeated surveys they should consider:

  • Recruiting parents with children of the required age and then managing the research process with the agreement and monitoring of the activity by the parent.
  • Enabling password protection of surveys so that the entry of a password known only by the parent is required which means the parent must agree to provide it before the child can proceed in the research.

Where necessary, researchers should consult their national research association or the ESOMAR Guideline for advice.