User Researchers’ Guide to Data Privacy Regulations: GDPR, CCPA, CPRA, and Beyond

User data privacy and confidentiality should be a constant priority, not an afterthought. Good UX researchers should always be mindful of how personal user data is collected, used, shared, and stored. 

But with all the legal jargon and constant updates to regulations, navigating privacy and data laws in user research might seem complex. What exactly do user researchers need to know to stay compliant? 

We created this guide to help answer those questions. We’ll cover everything from:

• The importance of data privacy and confidentiality in UX research
• Information about privacy regulations like GDPR, CCPA, and CPRA
• Compliance tips for UX researchers
• Additional resources on privacy and data laws

From our experience we’ve found that it’s easiest to think about privacy regulations in the framework of a few simple rules, which we’ll outline below. However, make sure to consult your own legal team to make sure your research practices are compliant with current laws. Use this guide as a reminder to approach user privacy and data in user research more intentionally.

Importance of privacy

“Privacy means people know what they’re signing up for, in plain language, and repeatedly. I believe people are smart. Some people want to share more than other people do. Ask them.” 

– Steve Jobs, Co-founder of Apple in Steve Jobs on Privacy

User research often involves participants sharing personal information about themselves, and everyone has different expectations when it comes to privacy. For user researchers, being able to accommodate different privacy preferences and complying with privacy laws should always be top-of-mind. The last thing you want as a user researcher is to get hit with a hefty fine for not complying with privacy laws, and potentially losing the trust of your participants who share personal information with you. 

Privacy-compliant user research is not just about knowing laws and regulations. It’s about protecting and respecting the privacy of your participants by being transparent with privacy practices and empowering recruits with information and choices to handle their personal information.

That’s why privacy plays an important role in how researchers handle information from or about research participants. Privacy should be considered during the entire research lifecycle–from recruitment, to the research study itself, to the protection of participant data after the research is complete. 

There are several privacy laws and regulations that might affect how user researchers obtain, manage, and secure research participant data, including:

• The General Data Protection Regulation (GDPR)
• The California Consumer Privacy Act (CCPA)
• The California Privacy Rights Act (CPRA)
• ...and more!

What is GDPR? 

The General Data Protection Regulation (GDPR) is a data protection regulation that empowers individuals located in the EU and European Economic Area to understand and control how their data is used (the UK has a similar law sometimes referred to as the UK GDPR). The GDPR was implemented on May 28, 2018, and violations can carry a fine of 4% of your company's annual revenue, or €20 million. Since the internet doesn’t quite adhere to traditional land boundaries, these laws have a sweeping impact on many businesses based outside of the EU and UK.

Even if you don’t live or work in the EU or UK, chances are you’ll work with participants that do. It’s better to cover your bases than risk the fine. 

Why does GDPR matter to user researchers? 

Researchers typically deal with a lot of personal data (sometimes referred to as personal information, personally identifiable information, or PII) to recruit participants, ensure they’re contacting the right people for research, and gather additional context for research sessions. 

Personal data is any data that’s related to an identifiable person. That’s broad, and it can include things like a participant’s name or photo, so it’s probably safe to assume that any and all personal information you collect about your participant during the course of research falls under the GDPR umbrella. 

Personal information is pretty much the main thing GDPR protects. For user researchers, this means gathering informed consent for any and all data processing, only collecting and storing the information you need, ensuring that all data is being processed securely, and giving users control over their data.

Here’s a graphic that outlines how GDPR affects UX research during each phase of the project: 

CCPA: The Cali version of GDPR

GDPR isn’t the only privacy and confidentiality regulation researchers need to be aware of. In the absence of a federal law similar to GDPR in the United States, many U.S. states have been passing their own data privacy laws. For example, in California, the California Consumer Privacy Act of 2018 (CCPA) is a data privacy law that gives consumers more control over the personal information that businesses collect about them. 

While GDPR is for the EU, CCPA regulations secure privacy rights for California consumers. There are some key differences between CCPA and GDPR, but they protect similar data privacy and confidentiality rights that GDPR protects (more on this later). 

CCPA was first signed into law in 2018, but it’s been through a series of modifications and amendments since then. And as data privacy and confidentiality becomes more prominent throughout the years, laws and regulations will likely continue to evolve at the same pace. 

CPRA: CCPA 2.0

The latest data privacy regulation update that researchers should know in 2023 is the California Privacy Rights Act (CPRA). 

CPRA amends and expands the CCPA. It resembles GDPR, but one key difference is that if “consent” is the legal basis for processing personal data under GDPR, that consent must be opt-in, whereas CCPA/CPRA allows consent to be opt-out.

As of January 1, 2023, consumers have new rights in addition to CCPA rights, such as:

• Expanded rights to make requests to business related to their personal data
• The right to limit the use and disclosure of sensitive personal information collected about them

Related privacy regulations and laws

GDPR, CCPA, and CPRA are not the only data privacy regulations that researchers should be aware of. There are several other state and federal regulations that might also affect user research. Don’t forget to consult your legal team to familiarize yourself with other related privacy regulations that may be applicable to your work.

Here are some other privacy regulations and laws that you might come across:

• Virginia Consumer Data Protection Act (VCDPA)
• Colorado Privacy Act 
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• Children’s Online Privacy Protection Act (COPPA)
• New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act

Now that you have a basic understanding of the different laws and regulations, let’s dive into what these regulations mean for UX research and examples of how to ensure compliance for your research practice.

8 actionable tips for GDPR compliance in UX research

Since GDPR is a huge regulation with many different articles, we narrowed it down to eight actionable examples that we think matter most to user researchers, then outlined how those things affect each stage of the research process.

Before we get into our compliance examples, keep in mind that they might not be suitable for your organization. Always consult your legal team or a data security expert to make sure you’re complying with GDPR the right way! 

📘 We also recommend checking out the guidance and resources provided by the European Commission and the UK Information Commissioner’s Office for the most up-to-date and accurate best practices for GDPR/UK GDPR compliance.

With this in mind, here are eight different ways and examples to approach GDPR compliance in user research: 👇

1.Gather informed consent for any and all data processing

✅ Good user researchers always ask for consent. Gathering informed consent from your research participants is an important prerequisite to protect both you and your participants. 

The easiest way to collect consent is to send an informed consent form to participants before the research session. 

The idea of more paperwork isn’t the most exciting part of research, but informed consent forms are necessary to help maintain trust, ethics, and protection from legal issues. You should get in the habit of consulting your legal team and creating consent forms tailored for your unique research needs. 

There are two main pieces to informed consent:

1. Data processing
2. Opt-in vs. opt-out 

Data processing doesn’t only involve data you collect during a study. It’s any activity that involves handling a user’s personal data in any way. This means that even the process of participant recruitment falls under GDPR regulations, including:   

• Combing through potential participants before choosing the ones you’d like to speak to for a study
• Putting participant data in an Excel sheet
• Sharing participant data with one of your colleagues
• Inviting a participant to a study

✨With User Interviews, every piece of personal data from participants sourced from our platform will remain securely within User Interviews throughout the research process. 

If you’re recruiting on your own, you’ll need to consider each step of your research process and how it complies with GDPR. Your company’s data protection officer can help you understand how your company’s practices comply with GDPR, and what can be improved.

Where consent is the legal basis for processing personal data under GDPR, that consent must be freely given, specific, informed, and unambiguous.  In the research context, this means a participant can agree to each marketing opt-in, research database, and observed session separately. This gives people more control over how their data is used and allows them to understand why someone needs access to it. 

This also means companies can no longer pre-select consent checkboxes—the person whose data is being collected must do that themselves. 

For researchers, this typically manifests in a consent form that is sent along with the recruitment screener. The consent form walks users through what data the researcher wants to collect and how, where, and why that data will be used. 

The participant must:

• Read the consent form
• Manually check the “I agree” boxes themselves
• Provide a signature to confirm that they have consented to data processing

If you’re managing your research panel through User Interviews, you can add in your own consent form for any participants that opt-in to your panel. 

Don’t have a consent form yet? Make sure to consult your legal team to create legally compliant consent forms. Here’s an example of what an informed consent form might look like (from User Interviews’s UX research team):

📘Learn more about creating informed consent forms and find the template here: Consent Forms for UX Research: A Starter Template

2.Inform participants about session recording and additional observers 

✅ As a part of informed consent, you need to tell your participants if their session will be recorded, who will watch it, and if anyone will observe in real time. 

Not only does this help the participant prepare for the session properly, it helps you set up your expectations for research from the moment you recruit participants.

✨With User Interviews, you can gain consent for your research right when users sign up for your research panel. Just add a data consent notice to your opt-in form in My Team > Consent Settings. 

3.Only collect and store the information you need

✅ Only collect what you need to know about participants, and minimize the collection of unnecessary information. 

Since personal information is so heavily protected by GDPR, and sensitive categories of information are even more heavily protected, chat with your UXR and legal teams about what information is a “need to have” vs a “nice to have.” 

If you don’t really need to know their income, how many children they have, or their religious beliefs, don’t ask. 

4.Ensure that all user data is being stored and processed securely (including by 3rd party tools)

✅ Understand your company’s role in the processing of personal data, and vet any third-party tools you integrate or work with. 

Under GDPR, your business is responsible not only for its own collection and handling of personal data, but also for the third parties with which it shares that data for further processing. This is related to the GDPR’s concept of “controllers” and “processors.”

Controllers are the ones who determine what the data will be used for. Processors are the ones who process the data on behalf of the controller. So if you’re Tiles R Us, and you collect personal information about your customers when they complete orders with you, you’re a controller. If you then send out a tile-themed newsletter through EmailMonkey, EmailMonkey is a processor of the data you collected. 

Under GDPR, Tiles R Us is still responsible for ensuring that EmailMonkey’s processes are GDPR compliant since EmailMonkey is processing the data on their behalf.

Be critical about which data needs to be passed to third parties, when it needs to be transferred, and how that personal data is being used by the third party. 

5.Give users control over their data

✅ Delete participant data at their request, give participants access to data you have about them, and correct information about participants at their request

One of GDPR’s main goals is to give people more control over how, where, and why their data is used. To ensure that people have rights over their data, GDPR laid out 8 rights of the data subject. These rights basically mean that many companies have to change the way they think about using personal data from customers.

For user researchers, the rights may have the biggest impact on the way researchers gain consent for research sessions. Under GDPR, data subjects must give informed consent in order for a company to use their data. They can also withdraw their information at any time, even if it’s during a research session.

All of the users’ rights are important, but we want to highlight:

• The right to request any information you have about them
• The right to ask you to correct any of that data
• The right to stop processing that data at any time
• The right to delete their data from your system

6. Take extra care when asking for sensitive information

✅ Ask yourself and your team why you need sensitive information from your participants (as with any information you collect during the course of research). 

Sensitive data includes: 

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Genetic or biometric data for the purpose of uniquely identifying a natural person
• Data concerning health
• Data concerning a person’s sex life or sexual orientation

Make sure to be extra careful when collecting data that’s sensitive, because processing this data requires you to satisfy additional conditions under GDPR. 

7. Keep participant data organized and easily manageable

✅ Come up with a system to keep your research repository organized, or use a participant management tool to manage participant data. 

Say you keep all your participant data in a protected Excel sheet, but for each study you create a separate sheet to keep track of who you’ve invited to the study and who has participated. If a participant requests that you delete or correct their data, you must do it across all the Excel sheets. Similarly, if a participant requests that you share the data you’ve collected about them, you’ll need to search through all your sheets and share everything. 

The more you can consolidate the amount of places your participant data lives, the easier it will be to control and maintain that data in compliance with GDPR. 

✨Within User Interviews’s Hub, you can manage your research participants and their data all in one place. Simplify GDPR compliance with PII controls, data consent, NDAs, and an API for secure data transfer. Learn how to secure GDPR compliance with User Interviews.

8. Don’t combine your consent form with other participant forms

✅ Don’t confuse your NDA or any other form you use with a consent form.

It might be tempting to combine your consent forms, your NDAs, and whatever other forms you usually use into one giant mega-form to make things easier on you and the participant. However, consent forms, per GDPR, must use plain language and gain consent freely from your participants. They require language that’s much simpler than the ‘legalese’ your NDA likely uses, and presenting them separately helps to ensure you’re properly gaining informed consent. 

📘Get The Low-Down on Non-Disclosure Agreements (NDAs) for UX Research

How to comply with CCPA and CPRA for UX research

Complying with CCPA and CPRA regulations for user research is similar to complying with GDPR regulations. Here are some examples of what UX researchers can do to comply:

• Process the minimal amount of personal information. Only ask participants for the most necessary personal information for your research purposes. 
• Update your privacy policy and notices. These laws are always changing, so there’s always potential for compliance requirements to evolve. Consult your legal team to make sure your privacy policy reflects any changes you make to be compliant.
• Establish a data retention policy. Once a research study is complete, make it a habit to delete all the personal user data that you no longer need. Your data retention policy should include categories of collected data, their purpose, and the time you plan to store it before deletion.
• Take preemptive measures to minimize the chances of a data breach. Make sure you’re using user research tools that allow you to control who sees what. This means using tools that use single sign-on, two-factor authentication, and complex password requirements to control access. 
• Make it easy for participants to opt out or limit data sharing. Give your research participants the option to opt-in, opt-out, or limit sharing certain data during the study. You can include links to this in your informed consent form.

🔐Visit User Interviews’s Security page and Privacy Policy to see how we’re protecting participant data privacy and confidentiality.

Understanding GDPR, CCPA, CPRA, and the like can be a huge headache. Whether you’re new to all this or have experience with the fine print of these regulations, we recommend you always consult your legal team and a data privacy expert to make sure your research practices are fully compliant.

TL;DR

First off, while we care very much about your success, we are not your lawyers. So everything we talked about in this guide is just that—a guide. If you want to ensure compliance with privacy laws like GDPR, CCPA, and CRPA, you’ll need to set aside some time with your lawyers and/or a data protection expert. 

In short, data privacy encourages companies to think more critically about what personal data they collect, how they use it, why they need it, and how they store and maintain it. It also gives people more control over how companies use their personal data, and offers them the ability to hold companies accountable for how they process that data. 

For user researchers, this means gathering informed consent for any and all data processing, only collecting and storing the information you need, ensuring that all data is being processed securely, and giving users control over their data.

If this all sounds like a whole lot to take in, that’s because it is! We’ve made our piece of the process easier and more secure—here’s what we’ve done to get right with GDPR, CCPA, CPRA, and more. If you’d like to hand off a little bit of the data privacy headache, sign up for a free account to start recruiting and managing participants with User Interviews. Research with confidence knowing that we follow industry best practices and have robust controls and processes in place to secure your data.