45

SO's "GDPR Policy" states in part

we describe how we collect and use your data, and how we use technologies like cookies to understand how we can better help developers.

However, The Loop's first survey states that it is governed by Survey Monkey's privacy policy, with "Privacy Policy" linked to https://www.surveymonkey.com/mp/legal/privacy-basics/?ut_source=survey_pp.

screen shot of link to The Loop's privacy policy

There is no indication that SO's Privacy Policy applies. There is no indication that GDPR applies. This makes me wonder what policies are intended to apply to the data SO is collecting. In particular:

  1. Is personal data provided via SurveyMonkey to Stack Overflow subject to Stack Overflow's Privacy Policy?

  2. Is personal data provided by EU persons via SurveyMonkey to Stack Overflow protected by GDPR?
    a. Is this data subject to the right of portability?
    b. Is this data subject to the right to be forgotten?
    c. How does the site use cookies?

SO's Privacy Policy states that gender and race are only collected during the Annual Developer Survey:

In order to provide meaningful insights into the developer community, Stack Overflow may collect sensitive data about you, including, but not limited to your gender, race, sexual orientation, immigration status, and your location.

However, the Privacy Policy does not state that sensitive information will be collected as part of The Loop. In fact, the only case in which gender or race are declared to be collected is as part of the Annual Developer Survey.

  1. Since SO's policy does not state that this data may be collected by The Loop, what is the justification for collecting this data, and have you sufficiently notified users such that their consent is knowing and unambiguous? Although the survey states "We will NOT associate your responses to this survey with your account information" that may not be enough to declare it GDPR-compliant. For example, if IP addresses are collected as part of the survey, then this might mean participants could be identified. Is SO asserting that data collected in the survey cannot be traced to the survey respondent in any way?

I think that if the Loop is intended to fall under SO's Policies, it needs to clearly and unambiguously notify users prior to collection of any data.

If SO asserts the survey is truly anonymous, then SO needs to notify users of that prior to collecting data as well.

Improve this question

1 Answer 1

Reset to default
23

The way I'm reading this - Stack Overflow is delegating the collection of data to SurveyMonkey, and they have a GDPR-compliant policy in place.

There's nothing personally identifiable in the actual survey - it's all broader reaching bio-demo data (race/ethnicity, age group), so the likelihood of you needing to file a GDPR request is pretty small, too.

I mean, unless you wanted to disassociate yourself based on IP address...I suppose that's still PII according to the GDPR...

But, if you have burning concerns, you could always reach out to SurveyMonkey.

Improve this answer
7
  • 4
    I do agree that Survey Monkey's own data collection processes are GDPR-compliant, that doesn't answer my primary question: Is The Loop covered by SO's privacy policy? Their Privacy Policy lists what data is processed by each of their products (Public Q&A, Teams, etc.) but makes no mention of The Loop.
    – Mark Beadles
    Commented Nov 26, 2019 at 21:48
  • 1
    @MarkBeadles But, as this answer notes, nothing in the survey constitutes PII (neither in isolation nor even in combination) so I’m not sure why you think GDPR concerns are even relevant here.
    – Konrad Rudolph
    Commented Nov 27, 2019 at 11:30
  • SurveyMonkey reports IP address to its customers (SO in this case) by default. help.surveymonkey.com/articles/en_US/kb/…: "When someone takes your survey, their IP address is recorded as metadata with your survey results by default."
    – Mark Beadles
    Commented Nov 27, 2019 at 22:37
  • @KonradRudolph I am not asking about only GDPR. I am asking if this survey is covered by any of Stack Overflow's privacy policies. GDPR is certainly a big item. But I don't see anywhere in the survey or on SO's policy pages that indicates that The Loop is covered under those policies.
    – Mark Beadles
    Commented Nov 27, 2019 at 22:46
  • @MarkBeadles: I'm still trying to mull over your point. Are you suggesting that The Loop is a product? I'm seeing it as an opt-in survey which does collect some broadly identifiable information + IP address. I suppose my main question is, what're you getting at here? Are you concerned that the data you've submitted or would submit isn't subject to the same Privacy Policy that has applied every time Stack Overflow has conducted a survey? (I believe it still applies.)
    – Makoto
    Commented Nov 27, 2019 at 23:47
  • 6
    "if you have burning concerns" You make it sound like caring about privacy should only happen in an emergency, and that at other times we should just ignore it and let the corporations do whatever they like with our data.
    – Lightness Races in Orbit
    Commented Dec 28, 2019 at 15:37
  • 3
    Note: if survey monkey passes on information such as IP addresses or other Mera artifacts, it could be pretty easy for SE INC to match that data with their own data. Which would make it theoretically possible to fully identify some of the users taking the survey.
    – GhostCat
    Commented Dec 29, 2019 at 8:20

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .