Hi dear reader, if you are a fan of paid surveys online, I’m sure you sometimes wonder if your privacy or personal data is safe.
With all the data breaches and hacking going on, it’s important to be careful about what kind of information we share online.
Taking paid surveys is a quick and easy way to make some extra money without much effort, but there are risks involved with taking them.
In this post, we cover key aspects such as how survey panels use cookies and the personal data protection laws in different states.
We also give you solutions to keep your privacy safe.
Let’s get started.
Cookies are essential to the modern Internet.
HTTP cookies help web developers give you more personal, convenient website visits as a necessary part of web browsing.
Cookies let websites remember you, your website logins, shopping carts, and more.
Cookies are text files with some pieces of data, like a username and password, used to identify your computer as you use a computer network and to improve your web browsing experience.
Data stored in a cookie comes with a unique ID to you and your computer.
When the cookie goes between your computer and the network server, the server reads the ID and knows what information to specifically serve to you.
A cookie cannot contain any virus or produce any damage to your device.
Some cookies are strictly necessary for an optimum operation of a website.
Others have different functionalities like favoring the navigation between sites, allowing a site to remember your preferences, or detecting if you have visited the site previously.
By origin, cookies can be:
First-party cookies: cookies set by the visited site itself.
Third-party cookies: cookies set by a server from another domain, although always with the authorization of the visited site.
All internet users can freely choose whether or not to authorize a site to drop ‘cookies’ on their device. One way to do this is through the settings of the web browser, where the user can delete all the cookies already dropped and choose whether to accept them or not.
Source: Kaspersky (What are Cookies?)
All survey panels and market research businesses use cookies because they are indispensable for the panel to work properly and for tracking completed studies.
At IOpenUSA we use the Cint Cookie Policy (https://www.cint.com/cookie-usage): We use cookies to verify that you have completed a survey.
We may also use cookies to track what websites (in addition to survey sites) you visit, regardless of whether such websites belong to us or a third party, and what campaigns and other online advertising you attend.
Also, we use both session cookies and persistent cookies.
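To make the first-party/third-party and session/persistent distinctions above concrete, here is an added example (not part of the original post or of any panel's code) that classifies `Set-Cookie` headers the way you could when reviewing what a survey site sets. The hostnames and cookie values are constructed, and the "last two labels" site check is a simplifying assumption.

```javascript
// Added example (not from the original post): classify cookies by lifetime and origin.
// Assumption: "site" = last two host labels; browsers use the Public Suffix List instead.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header value into a name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, pair.indexOf('=')), attrs };
}

// Session cookies carry neither Max-Age nor Expires; Max-Age wins when both are present.
function lifetimeOf(attrs, now) {
  if ('max-age' in attrs) return Number(attrs['max-age']) > 0 ? 'persistent' : 'expired';
  if ('expires' in attrs) return Date.parse(attrs.expires) > now ? 'persistent' : 'expired';
  return 'session';
}

// pageHost: site in the address bar; responseHost: server that sent the header.
function classifyCookie(pageHost, responseHost, header, now = Date.now()) {
  const { name, attrs } = parseSetCookie(header);
  return {
    name,
    lifetime: lifetimeOf(attrs, now),
    party: siteOf(pageHost) === siteOf(responseHost) ? 'first-party' : 'third-party',
    httpOnly: attrs.httponly === true,
    secure: attrs.secure === true,
  };
}

// Constructed sample: Set-Cookie headers seen while loading www.panel.example.
const observed = [
  ['www.panel.example', 'sid=abc123; Path=/; Secure; HttpOnly'],
  ['www.panel.example', 'completed_survey=4417; Max-Age=2592000; Path=/'],
  ['pixel.tracker.example', 'uid=9f8e7d; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/; Secure'],
];

function report(pageHost, rows, now = Date.now()) {
  return rows.map(([host, header]) => classifyCookie(pageHost, host, header, now));
}

console.table(report('www.panel.example', observed));
```

A persistent third-party row is the kind of cookie that can follow you across sites, which is the tracking the policy text above describes.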
We do not have a central federal law in the USA, like the EU’s GDPR.
There are instead several vertically-focused federal laws, as well as a new generation of consumer-oriented laws coming from the states.
Back in the last century when databases were the height of computer technology, Congress and others were (rightly) concerned about the potential misuse of personal data held by the government. Congress passed the landmark US Privacy Act of 1974, which contained important rights and restrictions on data held by US government agencies, and should look very familiar to data pros in the year 2019. I’ll list them here because they’re the first references that I know of for everything that followed:
Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) was landmark legislation to regulate health insurance. It is a very complex law with lots of moving parts but included both data and security sections. The data protection part of HIPAA is found in The Security Rule.
HIPAA also laid down data confidentiality requirements that can be found in, wait for it, The Privacy Rule.
If you’ve ever filled in a form at your doctor’s office allowing spouses and other family members to review or see your health information — what HIPAA refers to as protected health information (PHI)
This Rule contains a convoluted list of rules on who gets to see PHI. But in short, a healthcare provider or “covered entity” more or less has permission to use patient data if it’s related to “treatment, payment, and health care operations.” However, using the data for marketing purposes or selling the PHI requires explicit authorization.
HIPAA’s minimum requirement is a good example of PbD principles applied to sharing of PHI. It says that covered entities that share data for marketing purposes other than the ones mentioned above should limit who gets to see it. Health organizations are supposed to evaluate their data and practices, and put in place safeguards to limit “unnecessary or inappropriate” access to PHI. In effect, role-based access for PHI.
Back in the early days of the Internet, circa 2000, the Children’s Online Privacy Protection Act (COPPA) took a first step at regulating personal information collected from minors. The law specifically prohibits online companies from asking for PII from children 12-and-under unless there’s verifiable parental consent.
Updates to COPPA’s regulatory rules a few years ago effectively expanded the reach of the law and broadened the type of personal information to be protected, including screen names, email addresses, video chat names, as well as photographs, audio files, and street-level geo coordinates.
These updates also extend security coverage to third parties that use the children’s data. The originating website operator must take “reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential.”
Another piece of late-90s legislation, the Gramm-Leach-Bliley Act (GLBA), is an enormous slab of banking and financial law that has important data privacy and security requirements buried in it. Its protections of personal information are a major improvement over previous consumer financial data laws — see the Fair Credit Reporting Act (FCRA).
Overall, the Gramm-Leach-Bliley Act protects nonpublic personal information (NPI), which is defined as any “data collected about an individual in connection with providing a financial product or service, unless that knowledge is otherwise publicly available” — essentially PII with an exception for any widely available financial fact — for example, property records.
You may have noticed that banks periodically mail out data privacy notifications, explaining the categories of NPI that are being collected and shared along with special opt-out instructions.
That’s due to GLBA’s somewhat limited privacy protections. Consumers can opt-out if they don’t wish that information to be sent to a “non-affiliated” third party.
However, for third-party companies affiliated with the bank or insurance company — part of the, cough, “corporate family” — there are no controls under GLBA to restrict the sharing of the NPI. That’s quite a large loophole, and GLBA is by no means a model for Internet-era privacy law.
In the USA, we have several federal laws as well as consumer-oriented privacy laws from the states.
In 2018, the California Consumer Privacy Act (CCPA) was signed into law. Its goal is to extend consumer protections to the internet. It’s not an exaggeration to say the CCPA is the most comprehensive internet-focused data legislation in the US, and with no equivalent at the federal level.
Under the CCPA, consumers have a right to access through a data subject access request (DSAR) the categories and specific pieces of personal information held by covered businesses. Businesses can’t sell consumers’ personal information without providing a web notice (“a clean and conspicuous link”) and allowing them to opt-out.
Like the GDPR, there is also a “right to delete” — with some exemptions — consumer personal information on request. The CCPA also gives consumers a limited right of action to sue if they’re the victim of a data breach. There’s a more general ability for the state Attorney General to sue on behalf of residents. Legislation is in the works to broaden consumers’ private right of action to sue on other grounds.
Another striking innovation within the CCPA is its very broad definition of personal information: “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” That covers a lot of ground and is similar to the GDPR’s expansive view of personal data.
To bring it back to the “black letter law”, the CCPA also contains a long list of identifiers it considers personal information, including biometrics, geolocation, email, browsing history, employee data, and more.
The CCPA also introduces “probabilistic identifiers”. Attorneys will be debating what this means, but it appears that data that give a greater than 50% chance of identifying someone will be treated the same as a deterministic identifier. Perhaps a combination of, say, Netflix viewing history and geolocation data may be enough to tip the scales. By the way, other states have picked up the probabilistic term in their laws (below).
California goes “meta” with its probabilistic identifiers.
While the focus — and rightly so — has been on extensive privacy rights for consumers, there’s also a data security component to the CCPA. The law calls for companies to “implement and maintain reasonable security procedures”. What does that mean? No one’s sure, though there are strong hints that the California government is looking to the Center of Internet Security’s top 20 controls and the NIST Critical Infrastructure Security (CIS) Framework as baselines.
With no federal answer to GDPR on the horizon, several other states are taking a page from California’s book by drafting their regulations to give citizens increased control over their data. While most of these bills use CCPA as a framework, there are differences. We’ve even put together a cheat sheet at the end to compare the different proposed state laws. Let’s first look at two tough proposals coming out of New York and Massachusetts.
The proposed Data Privacy Law (S-120) shares a lot of the CCPA language. Consumer access to personal information? Check. Right to Delete? Check. Explicit notification of rights, and a chance to opt out of third-party sales of data? Check. A broad definition of personal information including probabilistic identifiers? Check.
There are a few important divergences from the CCPA, which include the right for consumers to sue for any violation of the proposed Massachusetts law. Consumers “need not suffer a loss of money or property as a result of the violation” to bring an action.
Attorneys point out that there’s an enormous potential exposure of Massachusetts companies to class-action lawsuits: plaintiffs can recover up to $750 per consumer. For example, in 2017, almost 400,000 Mass. residents were affected by data breaches, leading to the possible exposure of almost $300 million for that year if the law had been in effect.
New York’s proposed S5642 (currently on hold) contains some of the hallmarks of CCPA. There’s a right to delete and request personal information. The definition of personal information — “any information related to an identified or identifiable person” — includes a very extensive list of identifiers: biometrics, email addresses, network information, and more.
Unlike California and similar to Massachusetts, New York’s act has a private right of action for any violation of the law! And the law applies to all businesses without any revenue threshold, which differs from California and other states. This makes the proposed NY law quite strict.
The NY bill, though, only requires businesses to disclose to consumers the broad categories of information shared with third parties. Under some circumstances, consumers would have the right to request copies of specific information shared.
Another key difference is that the proposed NY law imposes the role of “data fiduciary”, forcing all NYS businesses to be legally responsible for the consumer data they hold. The NY act takes a very expansive view: “exercise the duty of care, loyalty and confidentiality expected of a fiduciary concerning securing the personal data of a consumer against a privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker”. In short: consumers own the data.
The NY act also gives consumers the ability to correct inaccurate information, making it closer in spirit to the EU GDPR. None of the other clones, including California, go that far!
Hawaii’s SB 418 is similar to the CCPA, offering all of the same major rights and protections (potentially more, based on the current wording of the bill). While CCPA explicitly applies to websites that conduct business in the state of California, Hawaii’s SB 418 bill has no similar clause. In theory, websites based anywhere in the world could violate the law if they don’t offer adequate protection as outlined in the bill. However, the bill is likely to be amended in a later draft to focus solely on Hawaiian-based websites.
Maryland’s SB 613 is another bill with the potential to expand on the scope of CCPA in some areas. Businesses will have similar obligations to disclose information usage, though, to a lesser degree than under CCPA. And like California and Massachusetts, there’s also the use of a “probabilistic identifier” to refer to a certain type of personal information. Go, Maryland!
However, this bill goes beyond the scope of CCPA when it comes to disclosing third-party involvement. Under CCPA, companies only have to disclose if consumer information is being sold to a third party, but per Maryland’s SB 613, companies would have to disclose any information that is passed on to third parties, even if that data is transferred for free. This bill also prohibits websites from knowingly disclosing any personal information collected about children.
North Dakota’s HB 1485, which is currently in the state’s House of Representatives, is the most lightweight bill on this list. The only significant clause of HB 1485 would completely restrict websites from passing on any information to third parties without the consent of users. There is no right to have information removed or deleted once consent has been granted.
Source: Complete Guide to Privacy Laws in the US
The best way to protect your privacy is to avoid survey scams.
You need to recognize that if something seems too good to be true, then it probably isn’t true.
In any legitimate survey panel, there is nothing to be afraid of: your information is safe and secure.
A lot of people are getting scammed these days.
But market research panels cannot harm you! Where there’s really nothing at stake, why would anyone be so terrified?
It doesn’t make sense when the risk isn’t real anyway, right?
So please do yourself a favor: don’t let fear guide your decisions about which things seem risky enough before trying them out with no consequences.
Always remember: safety comes first.
The key to keeping your information safe is to recognize and avoid fake survey panels and offers.
There are federal and state laws that protect your privacy in the USA.
Never give key personal data like credit card numbers or social security numbers to any survey panel, even if it’s a reliable one.
We hope that the information we’ve provided has been helpful to you and that it will help keep your personal data safe.
If you like this blog post, please consider joining us or sharing it on social media with family and friends who may be interested in protecting their privacy as well!