Survey Research Ethics — Informed Consent, GDPR, and APPI

"Does your survey properly state how PII is handled?" "When you send the thank-you email, did you really get consent?" — as research operations mature, you inevitably run into the wall of research ethics and privacy protection. A perfunctory "I agree" checkbox cannot satisfy GDPR or the amended APPI, and it earns no trust from respondents. On top of that, a data breach or consent violation can be a fatal blow to your brand that goes beyond legal liability.

This article uses the three principles of the Belmont Report (1979) as the foundation, and organizes — at the level a research operations team should be holding — Informed Consent implementation, regional differences in privacy protection (Japan APPI / EU GDPR / US CCPA), PII risk in open-ended responses, and additional considerations for children, vulnerable populations, and sensitive topics.

1. Why "Research Ethics" Has Become a Business Issue

The reason research ethics is rising in importance across the research industry is that three structural shifts are happening simultaneously:

• Stricter regulation: GDPR took effect in 2018, APPI was amended in 2022, and CCPA came into force in 2020 — privacy laws in major markets have been continuously strengthened.
• Accelerating technology: AI raises the risk of re-identification from open-ended responses, and data previously regarded as "anonymous" is increasingly becoming re-identifiable.
• Changing respondent attitudes: Centered on the SNS generation, there is a growing current of strictly evaluating the "quality of consent" around how one's own data is provided.

When these overlap, research ethics is elevated from "compliance" to "preservation of brand value." Visualizing the "ethics risk of research operations" is becoming a prerequisite for CX investment, even in reporting to executives.

2. The Three Belmont Principles — The Starting Point of Research Ethics

The Belmont Report (1979). Ethical Principles and Guidelines for the Protection of Human Subjects of Research is a document published by the US Department of Health and Human Services, internationally referenced as the ethical foundation for human-subjects research. These three principles are the starting point of research ethics and run beneath modern GDPR / APPI / CCPA as well.

These three principles may look abstract, but they become a shared language for self-questioning at survey design time: "Is this question putting a psychological burden on respondents?" "Has consent been obtained on a sufficiently informed basis?" "Is there fairness in subject selection?"

3. Implementing Informed Consent — What, When, and How to Communicate

Informed Consent is not a perfunctory "I agree" checkbox — it is an operational practice that creates a state in which respondents can make autonomous decisions on a sufficiently informed basis. Singer, E., & Couper, M. P. (2017). The Role of Numerical Examples in Informed Consent for Research shows that consent text including concrete examples leads to higher respondent comprehension than abstract explanations.

Elements to Include in Consent Text

Organizing the standard templates from academic Institutional Review Boards (IRBs) for practical use, the following six elements are the minimum required:

• Purpose of the survey: For what is the data used (e.g., "for service improvement" is not enough — "to formulate the Q2 2026 support quality improvement plan" or similar concrete framing is needed)
• Scope of data use: Who accesses what, for what purpose, and how far (internal only / including external analytics vendors / with third-party sharing)
• Data retention period: How many years it is kept and when it is deleted
• Respondent rights: The four rights of consent withdrawal, data deletion, data access, and data portability
• Scope of anonymity: Which of fully anonymous / pseudonymized / identifiable
• Point of contact: Inquiry channel for data questions (email address, name of responsible person)

Timing

• Always presented on the intro screen before the survey starts: If presented for the first time mid-survey, respondents who have already started feel psychological pressure to consent
• Checkboxes must be explicit opt-in: A pattern like "proceeding to next = consent" is considered a dark pattern and risks being judged invalid under GDPR
• Save the consent record: To prepare for a later claim of "I did not consent," save IP, timestamp, and consent text version

4. Regional Differences in Privacy Protection — APPI / GDPR / CCPA

In global research, you need to vary the approach to match the law of the target country. The comparison across the three major regions is organized below.

Implementation Guidelines for Global Research

When running research in multiple regions simultaneously, designing to the strictest standard — GDPR — as the baseline is the common operational pattern that covers regional requirements. Concretely:

• Adopt opt-in consent across all regions (CCPA-style opt-out is invalid in the EU)
• Unify the channels for consent withdrawal and data deletion into a single point
• Align data retention periods to the shortest, and do not split them by region

5. The Technical Boundary Between Anonymization and Pseudonymization

"Anonymization" and "pseudonymization" are distinct concepts both legally and technically. Confusing them creates a risk of GDPR / APPI violation.

• Anonymization: A state in which all information that identifies an individual is removed and re-identification is technically impossible. Under GDPR, anonymized data is not personal data and falls outside the scope of regulation.
• Pseudonymization: A state in which identifying information is replaced with a different ID, but re-identification is possible with additional information. Under GDPR, this is personal data and is in scope.

Re-identification Risks You Easily Mistake for "Anonymous"

What has been repeatedly verified in academic research is the fact that a combination of statistically unique attributes makes re-identification possible. For example, a classic study found that the combination "age, ZIP code, gender" uniquely identifies 87% of the US population (Sweeney, L. (2000). Simple Demographics Often Identify People Uniquely).

Practical Anonymization Standards

• k-anonymity: Guarantees that at least k people share the same attribute combination (k ≥ 5 is common)
• l-diversity: Guarantees at least l varieties of sensitive attributes within each attribute combination
• Differential privacy: A mathematical technique that adds noise to make individuals unidentifiable from query results

When publishing survey aggregation reports outside the organization, aggregation granularity that holds k-anonymity ≥ 5 at minimum is the industry's customary threshold.

6. PII Risks in Open-Ended Responses and Countermeasures

Quantitative questions are structured by predefined options, so PII risk is relatively manageable, but open-ended responses (OA / FA) contain unpredictable PII.

Typical PII That Slips into Open-Ended Responses

• Their own name ("I am Tanaka, but…" as a self-introduction)
• Workplace / company-specific names ("at my company, OO Trading…")
• Disease names / symptoms (especially frequent in medical surveys)
• Names of children / school names
• Parts of an address ("I live near OO station, but…")
• Contact info (writing email / phone as "please contact here")

Three Layers of Countermeasures

1. At question design time: Before the open-ended field, explicitly include a note saying "please do not write information that identifies a person"
2. At data intake: Detect and replace patterns that look like phone numbers / emails / names with automated masking (regex / NER models)
3. At analysis and sharing time: Separate post-masking data for external sharing, and restrict access to raw data

When you analyze open-ended responses with AI, completing PII masking before feeding into the LLM is essential. After feeding, you become dependent on the LLM provider's data handling terms.

7. Additional Considerations for Children, Vulnerable Populations, and Sensitive Topics

Beyond ordinary survey design, when subjects or question content are special, additional ethical considerations are required.

Children (Under 13)

• COPPA (US Children's Online Privacy Protection Act) / GDPR Article 8 makes parental consent mandatory
• Explicitly screen with "targets are 13 and older," and account for the risk of age misrepresentation
• Surveys via schools require coordination with educational institutions and parental notification

Vulnerable Subjects

• For surveys of the elderly, disabled, patients with intractable diseases, or sexual minorities, give special consideration to psychological burden and information asymmetry
• Verify capacity to consent (e.g., for surveys of people with dementia, use combined family consent)
• The power relationship between questioner and respondent (employer to employee, doctor to patient, etc.) may distort the freedom of consent

Sensitive Topics

• Sexual behavior, illegal acts, mental health, religion, political beliefs, etc. fall under special categories with additional protection under GDPR
• When touching on suicidal ideation, trauma, etc., always include a link to a support / helpline
• Design follow-up after responses (referral to specialists when needed) in advance

8. Editorial Perspective — Operational Guidelines for Research Operations

From a position of continuously following industry cases and public guidelines, five points that always work when implementing research ethics.

1. Fix an Informed Consent Template in Your Organization

If you write it from scratch every time, element omissions will inevitably happen. Fix a 6-element template in Notion / Confluence and run an operation where every project edits from this baseline — that is the pattern with the fewest incidents.

2. Set Data Retention Period to "the Shortest Necessary"

"Long, just in case" carries violation risk under both GDPR and APPI. Make automatic deletion N months after project end the default, and only document a reason when extension is needed.

3. Verify Outsourcing Contracts with Third-Party Vendors

When external vendors are involved — survey tools, analytics vendors, panel companies — verify the Data Processing Agreement (DPA) every time. Under GDPR, there are cases where a violation by an outsourcee becomes the responsibility of the outsourcer.

4. Decide the Breach Response Protocol in Advance

Under GDPR, reporting to the supervisory authority within 72 hours of discovery is mandatory. Under APPI, the reporting obligation includes notification to data subjects. Without a protocol in place in advance, you cannot move within 72 hours.

5. "Ritualize" Ethics Reviews

Setting up a full IRB (Institutional Review Board) internally is excessive, but always inserting a 30-minute ethics checkpoint at project kickoff is easy to implement. A third-party perspective from outside the designer finds the oversights.

9. Research Ethics and Privacy Protection with the Survey Tool Kicue

Functionality and operational patterns when running research ethics / privacy protection with Kicue:

• Stating Informed Consent in the intro and closing messages: You can design consent text as free-text on the setting screen and display it before responses begin
• Respondent ID management: Each response is assigned an internal ID, and you can run in a pseudonymized state (identifying information is managed separately)
• CSV export: Once data containing PII is downloaded as CSV, operational responsibility moves to the user — apply internal access controls and retention management separately
• Response deletion operation: When a deletion request arrives from a respondent, individual records can be deleted from the Kicue admin screen (manual handling by the operations owner)

Scope That Kicue Cannot Cover

⚠️ Legal responsibility lies with the user, not with Kicue. Specifically, items that cannot be covered by Kicue's functionality alone and require operational design on the user side:

• GDPR / APPI-compliant consent flows: Kicue provides the place to display consent text, but the content itself of the consent text must be created by the user in a form that meets legal requirements
• Data portability rights: Respondent requests of "I want to port my own data" need an operational design that handles them case-by-case via the CSV export feature
• Breach notification obligations: Notification to data subjects and to supervisory authorities when a breach occurs is implemented under the user's responsibility
• DPAs with third-party vendors: In addition to the DPA with Kicue itself, when CSV data is passed to external analytics vendors, a separate DPA is required
• Automated masking: Automated PII masking of open-ended responses is not provided by Kicue — the operational pattern is to combine with external tools (spaCy NER / GPT-4-based masking, etc.)

As related reading, Survey Intro and Closing Message Design Guide, Designing Beyond Survey "Honne and Tatemae", Open-Ended Question Design Guide, and Analyzing Open-Ended Responses with AI complement this article with concrete measures of ethical consideration at the question design level.

If you want to operate surveys with research ethics and privacy protection built in, try the free survey tool Kicue. From Informed Consent display in the intro screen, to respondent ID-based pseudonymization, CSV export, and an operational window for individual record deletion — you can execute the main parts of research ethics operations in a single account (the legal-fitness of consent text, breach notification, automated PII masking of open-ended responses, and third-party DPA execution require operational design and integration with external tools / legal counsel on the user side).