Do You Need a Privacy Policy for a Survey?
The short answer: yes, if your survey collects any personally identifiable information (PII). This includes names, email addresses, IP addresses, demographic details, or even opinions that could identify someone when combined with other data. Under GDPR, personal data includes any information that can directly or indirectly identify a natural person.
Most survey platforms also collect data on their own -- cookies, device information, and usage analytics. Even if your questions are anonymous, the platform itself may be processing personal data, which means you need to disclose this to respondents.
Survey Platform Requirements
What the major survey platforms require and how they handle respondent data.
Google Forms
- Collects respondent email by default if "Collect email addresses" is enabled
- Responses stored in Google Sheets -- subject to Google's data processing terms
- No built-in privacy policy link field -- you must add it manually in the form description
- Google Workspace users can restrict forms to organization-only access
Typeform
- Uses cookies and tracks respondent interactions (time spent, drop-off points)
- Supports adding a consent checkbox and privacy policy link to forms
- Data stored on AWS servers -- Typeform acts as your data processor under GDPR
- Hidden fields can capture UTM parameters and referrer data automatically
SurveyMonkey
- Collects IP addresses and response metadata by default
- Offers anonymous response mode that strips identifiers -- but still uses cookies
- HIPAA-compliant plan available for health-related surveys
- Enterprise plans include custom data processing agreements for GDPR
GDPR Consent for Survey Data
Under GDPR, you need a lawful basis to process survey responses from EU residents. For most surveys, consent is the appropriate basis -- but it must be freely given, specific, informed, and unambiguous.
Inform before collection: Respondents must know what data you collect, why, and how long you keep it before they submit the survey. Add a privacy notice at the start of the form.
Consent must be voluntary: Do not make survey completion mandatory for accessing a service or employment benefit. Forced participation undermines consent validity.
Right to withdraw: Respondents must be able to withdraw consent and request deletion of their responses. Provide clear instructions for how to do this.
Special category data: Questions about health, ethnicity, political opinions, or sexual orientation require explicit consent and additional safeguards under GDPR Article 9.
Cross-border transfers: If your survey platform stores data outside the EU (most do, typically on US-based servers), disclose this and reference the transfer mechanism (SCCs, adequacy decisions).
Anonymous vs Identified Surveys
The distinction between anonymous and identified surveys affects your privacy obligations significantly. True anonymity is harder to achieve than most people think.
| Factor | Anonymous Survey | Identified Survey |
|---|---|---|
| Email collection | Disabled -- no email field | Email required or optional |
| IP logging | Must be disabled in platform settings | Typically logged by default |
| Privacy policy needed | Still recommended -- platform collects metadata | Required -- you are collecting PII |
| GDPR applies | Only if data can indirectly identify someone | Yes -- full GDPR obligations apply |
| Respondent can request deletion | Difficult -- cannot identify their response | Yes -- must be able to locate and delete |
Survey Types and Their Privacy Rules
Customer Feedback Surveys
Linked to purchase or account data. Must disclose if responses are tied to customer profiles, used for product decisions, or shared with third-party analytics tools.
Employee Surveys
Extra sensitivity required. Employees may feel coerced. Make participation voluntary, explain who sees results, and clarify whether responses are truly anonymous or linked to employee IDs.
Academic Research Surveys
Subject to Institutional Review Board (IRB) requirements. Must include informed consent, a data security plan, and clear retention and destruction timelines. Often requires ethics approval.
Market Research Surveys
Often distributed via email lists or social media. Must disclose how contact information was obtained, what happens to responses, and whether data is sold or shared with clients.
Health and Sensitive Topic Surveys
Surveys about health conditions, mental health, financial status, or similar topics collect special category data under GDPR. This requires explicit consent and heightened security measures.
What Your Survey Privacy Policy Must Include
Purpose of the survey: Explain why you are conducting the survey and how the responses will be used -- product improvement, research publication, HR decisions, or marketing.
Data collected: List all data points: form responses, email addresses, IP addresses, cookies set by the platform, timestamps, and any hidden fields or UTM parameters.
Survey platform disclosure: Name the platform (Google Forms, Typeform, SurveyMonkey) and link to their privacy policy. They are your data processor.
Anonymity status: Clearly state whether the survey is anonymous or identified. If anonymous, explain what steps you have taken to ensure anonymity.
Data retention: Specify how long you will keep survey responses and when they will be deleted. For research, this might be until publication plus a defined period.
Contact information: Provide an email address or contact form where respondents can ask questions, withdraw consent, or request deletion of their data.
Structured around widely accepted GDPR and CCPA requirements. Not legal advice.