Privacy Policy
1. Commitment to Privacy and Survey Research Ethical Standards
Chadwick Martin Bailey, Inc. d/b/a CMB is a full-service market research and consulting firm that conducts quantitative and qualitative studies with consumers and businesses. We are committed to respecting and protecting your privacy whether you are a research respondent who is participating in a study or an individual visiting our website to obtain information about our services. This Privacy Policy explains how we collect, store, use and transfer data that we obtain via our own website or through surveys and other primary research methods used on behalf of our clients. We will explain this in a way that is easy to understand and provide ways for you to seek additional information or clarification as well as the means for resolving issues or complaints.
If you are visiting our website or are participating in one of our research studies from inside the United States and you have any concerns about the information we collect and store or how it is used, please contact CMB at: privacy@cmbinfo.com or write to us at:
Privacy Office
Chadwick Martin Bailey, Inc.
2 Oliver St – 11th Floor
Boston, MA 02109
If you are visiting our website or are participating in one of our research studies from outside the United States, please be aware that your information may be transferred to, stored in and/or processed in the United States. While the data protection and other laws of the U.S. might not be as comprehensive as those in your country, please be assured that we take steps to ensure that your privacy is protected. We participate in the United States Department of Commerce Privacy programs that help U.S. companies comply with European and Swiss privacy laws and rules concerning the transfer of personal data from the European Union (“EU”) and from Switzerland to the United States. We have also taken additional steps to comply with the EU’s General Data Protection Regulations (“GDPR”), including without limitation implementing EU approved standard contractual clauses to protect transfers of personal data out of the EU.
2. Protected Personal Data
Personal information or personal data (collectively, “PD”) is any type of information, including information transferred from the EU or Switzerland to the United States, that is recorded in any form, that is about, pertains to, or could be linked, directly or indirection, with a specific individual. Information we collect may include your full name, identification numbers, age or date of birth, gender, mailing address, phone numbers, email address, other demographic information (such as your race or education level) and other similar information. It may include information about your opinions and preferences. In some jurisdictions, it does not include any publicly available information. We may collect PD from you directly when you voluntarily provide it to us or we may obtain PD from clients who ask us to conduct research on their behalf. We may also obtain PD from list providers who have assured us that their lists are made up only of individuals who have given their consent to be included in the list. Finally, we may collect and use PD obtained from publicly available sources, where this is permitted by law.
“Sensitive Personal data” means PD that pertains to attributes such as race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership or that concerns an individual’s health.
3. Protection of Information Provided in a Research Context
Market research is used by many organizations to obtain information from customers, members, potential customers and other stakeholders. The information collected in a research context may be used to plan new products or services, gauge customer/member satisfaction, measure awareness of products or services, or to test reaction to products, services or communications.
Most research questionnaires include demographic questions such as racial or ethnic origin, age, gender or income. We use these questions to make sure that the research results reflect a representative sample of the population we are studying. We understand, however, if you are not comfortable answering certain questions. Your participation in research is always voluntary, and you do not have to answer any questions you are not comfortable answering.
We may occasionally collect information that is legally considered more sensitive, “Sensitive Personal data” as described above. In such instances, we will fully comply with legal restrictions on the collection, storage, use and transfer of such information.
We will never ask you for certain information which, if stolen or misused, could give rise to economic crimes against you, such as bank account or credit card numbers, social security or other similar government-issued ID numbers.
We may also automatically collect a variety of publicly available machine information for system administration, service improvement and data integrity purposes. This is described in greater detail below.
Unless you have provided consent to do otherwise, we will protect the anonymity of your responses to questionnaires, in focus groups, on research websites or from any means of collecting feedback from you in a research context. If we obtain your contact information from a research panel or other third party, we will comply with the contact limitations and data protections that you agreed to when you signed up to participate in survey research or when you became a customer of a third party. We may occasionally re-contact you to validate your participation in a research study; we will identify ourselves and our purpose when we conduct such validation contacts.
4. Protection of Information Provided by Users of Our Website
You may provide personal data to us when you contact us through our website seeking information about our services. We will treat this information as confidential PD.
5. How We Use Information You Provide
If you provide information to us to inquire about our services, we will only use that information to contact you about our services. We will not sell or provide your information to any third party for any other use. By submitting this PD through our website contact form, you are consenting to us sharing your personal data within CMB, including our parent company ITA Group and any subsidiaries. For more information about CMB, please see the “Who We Are” section of our website: https://www.cmbinfo.com/about/.
If we receive your contact information from a list or panel company, we will use it only in asking you to participate in market research, to conduct survey research with you, to validate answers you give or to respond to your requests to us or our client. We select panel companies that adhere to an opt-in process for obtaining panelists and have an adequate policy for protecting the privacy of panelists. We will not use your information in any other way that is inconsistent with the research or purposes for which you agreed to be contacted.
We may share your PD with employees of our company to analyze survey responses.
If we receive your contact information from our client and you are a customer of that client, we will only use your contact information to ask you to participate in market research for that client. We will protect your anonymity when communicating your research responses to clients unless you have explicitly given permission for your identity and contact information to be shared with our client or you have specifically asked us to give that information to our client so that they may resolve questions or complaints you may have.
Whether we obtain your PD from a list company or from clients, we will not use this information to sell you any goods or services and we will not provide your contact information to any other party so that they may use that contact information to directly sell you goods or services. We will share your PD with our clients only with your specific permission or at your request, or with restrictions as permitted by the Insights Association Code of Standards and Ethics for Marketing Research and Data Analytics.
In rare cases, CMB may be required to disclose an individual’s personal data in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
6. Data Collection
While interacting with our staff, our Website or while participating in Marketing Research activities, the following are some of the types of data and methods by which CMB may collect data on you:
Methods that CMB may use to collect data on you:
Data we may automatically collect about you:
Data we may receive from third parties about you:
7. California Residents
If you are a California resident, you have the following additional rights available to you under the California Consumer Privacy Act (CCPA) effective January 1, 2020.
7.1 Personal Information Collected and Processed
7.2 Your rights under the CCPA
7.2.1 Right to know
You have the right to request that we send you the following information:
To exercise your right to know, please contact us as provided in the “Contact Us” section below.
7.2.2 Right to Delete
You have the right to request that we delete the information we have collected about you. To exercise your right to delete, please contact us as provided in the “Contact Us” section below.
7.2.3 Right to Opt out of “Sale”
CCPA defines the term “sell” broadly. Its meaning includes “renting, releasing, disclosing, disseminating, making available, [and] transferring…for monetary or other valuable consideration.”
Under this definition, and the CCPA’s broad definition of “personal information,” some information we share with clients in connection with our research results may constitute a “sale” under CCPA. You have the right to request that we do not “sell” any of your personal information in this manner. In order to submit a “do not sell” request, please click here.
7.2.4 Non-discrimination
We will not discriminate against you for exercising your privacy rights under the CCPA by doing any of the following in response:
7.2.5 Information “Sold” and Disclosed for a Business Purpose
You also have the right to know what categories of personal information we’ve “sold” or disclosed for a business purpose, and the third parties to whom that information was “sold” or disclosed.
In the last 12 months we’ve “sold” the following categories of information to our clients in connection with delivery of our services: (1) demographic data, such as age, sex, sexual orientation, race/ethnicity, parental status, marital status, ZIP code, place of work, income, assets and education levels; (2) log files, browser type, operating system, and other device information; (3) respondent photos, video, and audio; (4) biometric information and geolocation data; and (5) commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
In the last 12 months we’ve disclosed the following categories of information to the following parties for a business purpose: (1) Respondent names, mailing addresses, email addresses, IP addresses, and unique identifiers with our vendors (e.g., as required for secure database management, recruiting, and honoraria distribution); (2) Demographic data, such as age, sex, race/ethnicity, parental status, marital status, ZIP code, income and education levels, occupation, employer, biometric information, geolocation data, and commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies, with our data collection partners; (3) Log files, browser type, operating system, and other device information with our third-party service providers; (4) Respondent photos, video, and audio with vendors (e.g., focus group facilities and online research platforms) and contractors (e.g., qualitative moderators and videographers); and (5) business partner employee names, addresses, phone numbers, and email addresses with our third-party service providers.
7.2.6 Your Right to Use an Authorized Agent
You have the right to designate an authorized agent to make a request under the CCPA on your behalf. To designate an authorized agent, please contact us as provided below. In order to verify you have authorized an agent we will require a signed, written authorization from you.
7.2.7 Verification Process
If you make a request to access or delete your information, or to opt out of the sale of your personal information, we may ask you for additional information to verify your identity. This information may include: your full name, birth date, phone number, email address, or other basic personal information about you that we already have on file.
8. GDPR – How We Will Use the Data Collected and the Justification
The use of your PD under EU data protection laws requires that a specific justification be determined as the legal “grounds” for each use. The justifications used by us as detailed in the GDPR are referenced in the table below and are defined as follows:
Consent: you have given consent for the processing of your personal data for one or more specific purposes;
Legitimate interests: processing is necessary for the purposes of the legitimate interests pursued by us, except where such interests are overridden by your interests or fundamental rights and freedoms.
Data Collected | Data Source and Usage | Justification for use |
Name, Address, Email Address, Phone Number | Provided by research initiator (CMB Client) or panel provider and used to contact you for participation in a research survey | Consent – provided by you to the initiator or to the panel provider for participation in surveys |
IP Address | Collected by CMB and our survey vendor for use in deduplication of survey data | Legitimate interests – for the processing of surveys |
Name, Address, Email Address | Collected by CMB for the processing of incentive payments for some surveys | Legitimate interests – for the processing of incentive payments |
9. How Long We Will Keep Your Information
All research data collected is used strictly for the purposes of Market Research unless otherwise clearly explained.
When the research for a survey has been completed, data collection is formally closed, and findings are communicated to our clients, all PD will be deleted within 90 days of the project closing date.
In the event you participated in a survey requiring additional PD for the processing of incentive payments, all additional PD provided will be deleted when the payment has been initiated. We do not hold any PD data beyond 90 days of the closing of a survey unless specifically disclosed prior to a survey commencing.
10. Your GDPR Rights
10.1 Right to Access
You have the right to request if your PD is being processed by us and request a copy of your data if that is the case.
10.2 Right to Rectification
You have the right to access your PD and to correct, amend or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to your privacy in the case in question or where the rights of persons other than you would be violated.
10.3 Right to Erasure
You have the right to request that your PD be deleted by us unless doing so would cause a legal issue, in which case we will notify you in writing.
10.4 Right to Restriction of Processing
You have the right to request that we stop processing your PD at any time.
10.5 Right to Data Portability
You have the right to request a copy of your PD from us or that we transfer a copy of your PD to another process where legally allowable and technically feasible.
10.6 Right to Object (File a Complaint)
You have the right to file a complaint with a supervisory authority such as the Information Commissioners Office in the UK.
11. Adherence TO EU-US and Swiss- US Privacy Framework Principles
CMB complies with the EU-US Data Privacy Framework and Swiss-US Data Privacy Framework (collectively, the “DPF”) established by the US Department of Commerce, under the enforcement authority of the Federal Trade Commission, regarding the collection, use, and retention of personal data from Switzerland and EU member countries. CMB has certified that it adheres to the DPF. If there is any conflict between the terms in this Privacy Policy and the DPF Principles, the DPF Principles shall govern. To learn more about the DPF program, and to view our certification, please visit https://www.dataprivacyframework.gov/s/participant-search.
12. E.U. and Swiss DFF Principles
12.1 Notice
When we collect PD from you, we will notify you of the purpose for which we are collecting and using your PD and the type of non-agent third parties to which we disclose or may disclose that information. You will be provided with the choice and means for limiting the use and disclosure of your PI. This Notice will be provided in clear and conspicuous language when you are first asked to provide PI, or as soon as practicable thereafter, and in any event before we use or disclose the information for a purpose other than for which it was originally collected.
12.2 Accountability for Onward Transfers
Before we disclose your PD to a third party, we will ensure that any third party to which PD may be disclosed subscribes to the DPF Principles or is subject to law providing the same level of privacy protection as is required by the DPF Principles and agrees in writing to provide an adequate level of privacy protection.
We describe in detail above the types of information we collect and how we will use it. In some circumstances, to gain your participation in Internet-based, telephone or in-person survey research, we may transfer your name and email address or your name and telephone number to a market research field service facility, to a professional interviewer located in your home country, or to a company that operates Internet-based research platform. Before doing so, we will ensure that the third party provides and agrees in writing to provide an adequate level of protection and will not use it for any other purpose. In some circumstances, with your permission and where it is legal to do so, we may transfer your name and email address to a fulfilment company to send you an incentive for participating in survey research. Before doing so, we will ensure that the fulfillment company provides and agrees in writing to provide an adequate level of protection for your personal data and will not use it for any other purpose. If you provide personal data in a survey or other research instrument to which you are responding, we will anonymize your response and will not supply any information that could personally identify you to any other entity, including our clients, without your permission.
In cases of onward transfers of data received pursuant to the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, CMB is potentially liable.
12.3 Recourse, Enforcement, and Liability
In compliance with the DPF Principles, CMB commits to resolve complaints about your privacy and our collection or use of your personal data. European Union individuals or Swiss citizens with inquiries or complaints regarding this Privacy Policy should first contact us as provided in the “Contact Us” section below.
CMB has further committed to refer unresolved privacy complaints under the DPF Principles to the Insights Association Data Privacy Framework Services, a non-profit alternative dispute resolution provider located in the United States and operated by the Insights Association. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.insightsassociation.org/Resources/Data-Privacy-Framework/Information-for-EU-Swiss-Citizens-to-file-a-complaint for more information and to file a complaint. These dispute resolution services are provided at no cost to you.
Under certain limited circumstances individuals may be able to invoke binding arbitration before the DPF Panel to be created by the US Department of Commerce and the European Commission.
13. Information Security
CMB maintains an ISO 27001 certified ISMS (Information Security Management System) with all the necessary physical, electronic and procedural measures to help safeguard client data and personal data. Third parties that provide us with support or services may also receive client data or personal data, and we require them to maintain security measures similar to ours with respect to such information.
14. Data Integrity and Purpose Limitation
We will only process PD in a way that is compatible with and relevant to the purpose for which it was collected or authorized by you. To the extent necessary for those purposes, we will take reasonable steps to ensure that your PD is accurate, complete, current and reliable for its intended use. We will limit use of your PD to the use we disclosed to you when we collected it. Prior to using any PD for another purpose, we will notify you and obtain your permission.
15. Children’s Privacy
Our general website does not direct any services to children. If we gain actual knowledge that a child under the age of 16 has provided any personal data to us without the parent’s or guardian’s consent, we will use that information only to respond directly to that child to inform him or her that we must have parental consent before receiving his or her personal data.
16. External Links
If our general website or any survey we conduct links you to other sites, those sites do not operate under this Privacy Policy. We recommend you examine the privacy statements posted on those other websites to understand their procedures for collecting, using, and disclosing personal data.
17. Changes to this Privacy Policy
This Privacy Policy may be amended from time to time consistent with the requirements of the DPF and GDPR. We will post any revised policy on our website.
18. Contact Us
If you have any questions about this Privacy Policy, or to exercise your privacy rights, please contact CMB at:
Privacy Office
Chadwick Martin Bailey, Inc.
2 Oliver St – 11th Floor
Boston, MA 02109
800-265-4028
v2.4