September 13, 2024

Is your User Research ethical? Best practices for privacy and consent

Conducting User Research isn’t just about gathering insights – it’s about doing so in an ethical and compliant way. As a Research Operations professional, you’re often responsible for ensuring that you and your team’s research meets legal and ethical standards. In this blog, we’ll explore key regulations, governance strategies, and the critical role of informed consent in ensuring compliance.

Why Governance matters in User Research

Governance refers to the guidelines you establish for consent, privacy, and information storage, ensuring that both your researchers and participants are protected. A strong governance framework helps your research stay compliant with regulations like GDPR and CCPA while protecting participants’ personal information.

Your company’s legal team can be a valuable resource. “At UserTesting, we are really lucky that our legal team has always been generous with their time and are keen to continually improve our processes,” said Becky Wright, Senior Staff Product Researcher at UserTesting. By collaborating with your legal team, or legal counsel, you can better ensure all your bases are covered when it comes to governance and compliance. “ReOps, remember, the legal team are your friends,” she said.

Research governance involves:

  • Understanding laws and regulations (e.g. GDPR & CCPA)
  • Creating compliant processes
  • Developing templated consent forms
  • Maintaining Personally Identifying Information (PII)

2 key regulations for User Research compliance

Let’s take a quick look at two of the most important regulations that affect User Research:

GDPR: The General Data Protection Regulation applies if you handle data from EU citizens, regardless of your company’s location. Non-compliance can lead to significant fines (up to 4% of revenue or €20 million) and damage your credibility with users.

CCPA: The California Consumer Privacy Act provides California residents with rights around personal information. If you collect data from California residents, your research must ensure informed consent, offer opt-outs, and adhere to strict data security measures.

While these regulations are essential, consult with your legal counsel to ensure full compliance with all relevant laws, including additional regulations like COPPA, the Colorado Privacy Act, and PIPEDA.

The importance of informed consent

One of the most critical aspects of compliant research is ensuring informed consent. Informed consent is more than just getting a signature – it involves participants fully understanding the research purpose, potential risks, and their rights.

Failing to secure informed consent can result in:

  • Participants unknowingly exposing themselves to risks they didn’t agree to.
  • Legal consequences such as fines and penalties due to non-compliance with laws like GDPR.
  • Damage to your reputation, which can reduce participant engagement and tarnish not only your company’s brand but also the credibility of your research function.

What’s the difference between consent and informed consent?

Consent = A participant’s agreement to take part in the study based on a general understanding of what’s involved.

Informed Consent = A participant’s agreement to participate, with a full understanding of the study’s purpose, risks, benefits, and their rights.

What are the principles of informed consent? 

In User Research, informed consent often requires a comprehensive breakdown of what the participant should expect, how their data will be used, and their ability to withdraw at any time.

  • Voluntary participation: Participation should be completely voluntary and free of coercion or undue influence. 
  • Disclosure: Participants must receive full disclosure of relevant information, including the purpose, procedures, risks, benefits, and right to withdraw at any time without penalty. 
  • Understanding: Participants must comprehend the information provided. 
  • Decision: Participants should be given adequate time to decide to participate without feeling rushed or pressured.
  • Consent documentation: Obtaining a written or verbal record of consent, typically through a signed form, is crucial to acknowledge understanding and agreement to participate. 

💡Becky’s consent advice: Work with legal.💡

One of Becky’s early projects at UserTesting was to improve the informed consent process. To ensure she was covering all her bases, she worked closely with the legal team.

If you have an in-house legal team or outsource legal services, consider their time as valuable. “It’s impossible to be too prepared when working with legal,” said Becky. She suggests organizing and documenting the following key information before seeking legal assistance:

  • Problem being addressed
  • Use case
  • Goals and objectives
  • Existing process
  • Solutions already explored

“This approach ensures efficient use of time and establishes you as a competent, collaborative partner,” said Becky. “The more detailed and prepared I was, the more trust I built with the team.”

Mastering these fundamentals empowers you and your team to conduct compliant, ethical research while safeguarding your participants. Ready to dive even deeper into consent and research ethics? Download our free 2024 ReOps Playbook for a comprehensive guide to best practices!
