Introduction
In the ever-evolving landscape of professional usability testing, ensuring data privacy and security is more than a compliance necessity—it’s a commitment to trust and transparency.
Navigating privacy and data laws in usability testing can be complex due to the constant updates and legal jargon. What essential knowledge do usability professionals need to stay compliant?
This comprehensive guide will help you navigate the complexities of data privacy regulations such as GDPR, CCPA, CPRA and beyond, so that the formative and summative usability testing you conduct according to IEC 62366-1 and the FDA guidance "Applying Human Factors and Usability Engineering to Medical Devices" is not only compliant but also respectful of participant privacy.
We created this guide to help answer those questions. We'll cover:
- The importance of data privacy and confidentiality in usability testing
- Information about privacy regulations like GDPR, CCPA, and CPRA
- Compliance tips for usability professionals
- Additional resources on privacy and data laws
Ensure you consult your legal team to confirm that your usability testing practices comply with current laws. Use this guide as a reminder to handle user privacy and data with greater intention and care during your evaluation activities.
Why data privacy matters in the Usability Engineering Process
Privacy and confidentiality in usability testing are critical not just for compliance but for maintaining the trust of your participants. When participants feel their data is secure, they are more likely to engage openly, providing richer and more valuable insights and being candid about the root causes of use errors that occurred during the test sessions. Effective usability testing relies on this trust, making it essential to prioritize data privacy from the outset.
Importance of privacy in Usability Testing
Usability testing of medical technology often involves participants sharing personal data about themselves, and everyone has different expectations when it comes to privacy. For usability engineers, accommodating these varying privacy preferences while complying with privacy laws should always be a priority. Ensuring privacy in usability testing not only protects participants but also enhances the quality of the research and testing outcomes.
Privacy should be considered throughout the entire testing lifecycle—from recruitment to data storage post-evaluation. This proactive approach not only protects participant information but also upholds ethical standards. When participants trust that their data is handled with care and transparency, they are more likely to provide honest and comprehensive feedback, leading to more accurate and useful insights.
Here’s a graphic that outlines how GDPR affects usability testing during each phase of the project:
The role of privacy regulations
Several key privacy laws impact how usability experts handle participant data. Understanding these regulations is crucial for managing participant data responsibly and transparently. These regulations establish the legal framework for data protection, ensuring that personal data is collected, processed, and stored securely. By adhering to these regulations, usability engineers can protect participant privacy and avoid legal pitfalls.
Understanding key privacy regulations in the EU – General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a comprehensive data protection regulation that applies to organizations processing the personal data of individuals in the EU/EEA, wherever the organization itself is based. In application since May 25, 2018, GDPR mandates strict data handling practices and imposes significant penalties for non-compliance, including fines of up to 4% of annual global turnover or €20 million, whichever is higher.
Key GDPR Requirements for Usability Experts
- Active opt-in: Participants must actively opt in before their data is processed on the basis of consent. Pre-checked boxes or silence do not count as consent.
- Minimal data collection: Collect only the data that is essential for your evaluation scope.
- Informed consent: Ensure participants understand what data you collect and why, using clear and concise language.
- Data security: Implement robust security measures to protect participant data from unauthorized access and breaches.
- Participant rights: Participants can request access to their data, corrections, and deletion, and can withdraw consent at any time.
Looking overseas – US & Canadian regulations
In the United States, there is no single, comprehensive federal regulation equivalent to the European Union’s General Data Protection Regulation (GDPR). Instead, data privacy and protection are governed by a complex patchwork of federal, state, and sector-specific laws, each targeting specific aspects of data privacy and protection. Businesses operating in the U.S. must navigate this intricate regulatory landscape and comply with relevant federal laws and the specific state laws where they operate or have customers. For businesses working internationally or with a significant presence in both the U.S. and EU, it is crucial to establish robust data privacy practices that can adapt to various regulatory requirements. Here is an overview of major regulations to be considered:
Federal regulations
- Health Insurance Portability and Accountability Act (HIPAA): Protects sensitive patient health information.
- Gramm-Leach-Bliley Act (GLBA): Protects consumers’ personal financial information.
- Children’s Online Privacy Protection Act (COPPA): Regulates the online collection of personal information from children under 13.
- Federal Trade Commission (FTC) Act: Prohibits unfair or deceptive business practices, which includes certain privacy and data security practices.
- Personal Information Protection and Electronic Documents Act (PIPEDA): Canadian law governing the collection, use, and disclosure of personal information in the course of commercial activities.
State regulations
California Consumer Privacy Act (CCPA): The California Consumer Privacy Act (CCPA) offers similar protections to GDPR but is specific to California residents. It was signed into law in 2018 and aims to enhance privacy rights and consumer protection. Key CCPA requirements for usability professionals are:
- Transparency: Clearly communicate data collection practices to participants, including what data is collected and how it will be used.
- Opt-out options: Provide an easy mechanism (for example, a "Do Not Sell or Share My Personal Information" link) for participants to opt out of the sale or sharing of their personal information.
- Data access and deletion: Allow participants to request access to their data and deletion upon request. Make this process straightforward and accessible.
California Privacy Rights Act (CPRA): The California Privacy Rights Act (CPRA), which took effect on January 1, 2023, expands upon CCPA, offering additional rights and protections. CPRA mandates more stringent data handling practices and greater transparency. Key CPRA Requirements for Usability Professionals:
- Expanded rights: Participants can limit the use and disclosure of their sensitive personal information.
- Opt-out rights: Ensure participants can easily opt out of the sale or sharing of their personal information, enhancing their control over it.
Virginia Consumer Data Protection Act (VCDPA): Provides similar rights to consumers as the CCPA.
Colorado Privacy Act: Another state-level regulation with consumer rights and business obligations akin to the CCPA.
New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act: Requires businesses to implement safeguards to protect the private information of New York residents.
We recommend consulting the guidance and resources provided by the European Commission and, for the UK, the Information Commissioner's Office (ICO) for the most up-to-date and accurate best practices for GDPR and UK GDPR compliance.
Best practices for compliance – 6 Steps to ensuring GDPR compliance in usability tests
The GDPR is one of the most comprehensive privacy laws in effect today, but it shouldn't be scary! Designed to keep pace with how the world has changed, it helps people make sense of and control how their data is used. Understanding and sharing the experiences and perspectives of the people we learn from means processing a lot of personal data. So, understanding and complying with laws like GDPR is critical to ensuring safe, legal, and ethical research and usability testing. Here's how to ensure your practices are GDPR compliant:
Step 1: Familiarize yourself with the basics
Get to know the GDPR requirements and principles to ensure you understand your obligations as a researcher or tester. The GDPR outlines specific rules around data protection, including consent, transparency, and data minimization. To help you get started, we’ve written a short guide to GDPR for User Research, introducing you to the principles, people’s rights, legal bases, and other general terms.
Step 2: Map your current data flows
Knowing what you are doing right now is an excellent place to start. Perform a data audit of your research and testing practices to understand what personal data you collect, how it is used, where it is stored, and who has access to it. A clear picture of your current practice will help you identify potential GDPR compliance issues and areas for improvement.
Because we often work in our own ways, doing this with your wider team will give you a clearer understanding of how data is handled across the team. We created a Data Mapping Workshop to help you run this remotely or in person. Once you've mapped out the types of data you collect, where they're stored, and who has access to them, you can transfer this into one of the central documents of GDPR compliance: your Record of Processing Activities (ROPA).
The ROPA is a document that contains information about an organization’s processing of personal data. It provides:
- A detailed description of the type of personal data being processed.
- The purpose of the processing.
- The categories of data subjects.
- The recipients of the personal data.
- Any cross-border transfers of personal data.
- Where possible, the envisaged retention periods for each category of data.
- Where possible, a general description of the technical and organizational security measures in place.
The ROPA is an essential tool for GDPR compliance, as it helps organizations demonstrate their accountability and transparency concerning their processing activities. Organizations are required to maintain an up-to-date ROPA and make it available to supervisory authorities upon request.
Step 3: Make friends with your DPO
The GDPR requires an organization to appoint a Data Protection Officer (DPO) if:
- The organization is a public authority or body.
- The organization’s core activities require large-scale, regular, and systematic monitoring of individuals (for example, online behavior tracking).
- The core activities consist of large-scale processing of Special Category Data or data relating to criminal convictions and offenses.
The DPO’s job is to assist your organization to:
- Monitor internal compliance.
- Advise on your obligations under data protection laws.
- Advise and guide you on Data Protection Impact Assessments (DPIAs).
- Act as a point of contact for data subjects (in our context, your participants) and the data protection authorities.
If you have a DPO, this guide will help you start those conversations on the same page. Here are some questions you might want to ask:
- Could we see the existing ROPA?
- What is the current process for Data Protection Impact Assessments (DPIA)?
- How do we currently handle Data Subject Rights requests?
- How are incidents and personal data breaches reported and managed?
- How are processors (third-party tools and vendors) reviewed?
- How are cross-border transfer mechanisms handled?
If you don’t have a DPO at your organization, you’ll still need to complete the following steps. Not having a DPO doesn’t exempt you from GDPR compliance.
Step 4: Implement data protection by design and by default
The practice of Usability Ops is to develop systems and services that enable usability testing to happen within an organization. When designing those systems or services, we can use design principles to help us factor in these considerations.
The core ideas behind Data Protection by Design and Default are embodied in the seven fundamental principles of Privacy by Design:
- Be proactive: Prevent privacy issues before they happen. Develop a culture of privacy awareness across your team.
- Privacy by default: Protect participants’ data without requiring them to do anything.
- Design with data protection in mind: Consider data protection from the start.
- Avoid trade-offs: Incorporate all legitimate objectives while complying with obligations.
- Implement robust security measures: Use access controls, encryption, and pseudonymization.
- Transparency: Be clear with participants about what data you collect and how you use it.
- Prioritize participants’ interests: Give them control and appropriate notice if things change.
Data protection by design ensures that you comply with the fundamental principles and requirements of the GDPR and forms part of the focus on accountability.
One way to implement data protection by design and default in your usability testing practice is by using Data Protection Impact Assessments (DPIAs). A DPIA is typically needed whenever you plan to:
- Embark on a new project involving the collection of personal data.
- Introduce new IT systems for storing and accessing personal information.
- Participate in a new data-sharing initiative with other organizations.
- Initiate actions based on a policy of identifying particular demographics.
- Use existing data for a “new and unexpected or more intrusive purpose.”
- Review or audit an existing system or activity.
Article 35(1) states that you must do a DPIA where processing operations are likely to result in a high risk to the rights and freedoms of individuals.
Step 5: Obtain valid consent
Ensure that you have obtained valid and informed consent from research and testing participants, clearly and understandably. Participants should have the right to withdraw their consent at any time. During the process of obtaining consent, you’ll need to evidence:
- The information disclosed to your participant at the point of obtaining consent.
- Precisely how your participant was asked for consent.
- When your participant gave their consent.
Consider the participant’s experience during this phase. Ensure the format is accessible and in plain language. Make sure information is disclosed in the participant’s first language.
Step 6: Implement appropriate security measures
It's essential to make sure that personal data is safe and secure throughout the evaluation process. This may include pseudonymization, encryption, and access controls to protect against unauthorized access, loss, or theft of personal data. Your data map from step 2 should highlight the security measures you have in place across your usability testing workflow. Some quick wins that can dramatically improve your security are:
- Use a password manager or Single Sign-On (SSO) for account management.
- Enable two-factor authentication (2FA) on all accounts holding participants' data.
- Use dedicated tools with encryption and access controls for larger data sets, such as your participant database or research repository, and keep the table that links participant IDs to real identities separate from the session data itself.
Cross-border transfers
Cross-border transfers under the GDPR involve moving personal data from the EU or EEA to a third country. Personal data may be transferred for legitimate reasons such as business or legal purposes, but the transfer must comply with the GDPR's transfer rules so that the protection travels with the data.
The GDPR requires that the controller or processor transferring personal data outside the EU/EEA ensures an essentially equivalent level of protection for the data. The recognized transfer mechanisms are:
- An adequacy decision by the European Commission for the destination country.
- Appropriate safeguards, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), together with an assessment of whether the destination country's laws undermine those safeguards.
- In limited cases, a derogation such as the data subject's explicit consent, given after being informed of the possible risks of the transfer.
Note that a data processing agreement with the recipient, which you need whenever the recipient acts as your processor, governs how the data is processed but is not by itself a lawful basis for the transfer.
Implementing compliance in usability testing
Practical tips for GDPR, CCPA and CPRA compliance
- Informed Consent: Develop detailed consent forms that are easy to understand and separate from other agreements. These forms should clearly explain what data will be collected, how it will be used, and participants’ rights.
- Data processing awareness: Understand your organization’s role in data processing, whether as a controller or a processor. Ensure that all third-party tools and services used comply with GDPR requirements.
- Participant control: Implement systems that allow participants to access, correct, and delete their data easily. This includes setting up processes for responding to data requests promptly.
- Sensitive data caution: Justify the need for collecting sensitive data and ensure additional safeguards are in place to protect this information. Regularly review and update data protection measures.
- Documentation and record keeping: Maintain thorough records of all data processing activities, including consent forms, data audits, DPIAs, and any data breaches. This documentation demonstrates compliance and provides a clear trail for auditing purposes.
- Minimal data processing: Process only the most necessary personal information for your research and testing purposes. Avoid collecting excessive data that does not serve a clear purpose.
- Updated privacy policies: Regularly update your privacy policies and notices to reflect any changes in data collection practices or regulatory requirements. Ensure that these documents are easily accessible to participants.
- Data retention policies: Establish clear policies for data retention, outlining the types of data collected, their purposes, and the duration for which they will be stored. Regularly review and delete data that is no longer needed.
- Breach prevention: Implement robust security measures to prevent data breaches, such as single sign-on (SSO), two-factor authentication (2FA), and strong, unique passwords managed with a password manager. Regularly conduct security audits and apply updates.
- Opt-out Options: Make it easy for participants to opt-out of data collection or limit the sharing of their information. Provide clear instructions and options in your consent forms and privacy policies.
Practical application of GDPR in Usability Testing: Key Takeaways
Collecting and processing information on users and their behavior is essential for making informed decisions in user research and usability testing. Here are five key takeaways for applying GDPR in your practices:
- Understanding personal data: GDPR defines personal data as any information that can identify a person, directly or indirectly. This includes names, contact numbers, addresses, social media handles, and combinations of data points like cultural or social identity, economic background, job title, and location.
- Ownership and collection of data: The 'owner' of personal data is always the individual (the participant). GDPR ensures individuals keep control over their data, allowing them to access, correct, or erase it as needed. Data 'controllers' determine the purposes and means of processing: what data to collect and how it will be processed.
- Recording consent: Consent must be recorded accurately, capturing who consented, when they consented, what information was given, and how they consented. This ensures transparency and protection for all parties involved.
- Data storage duration: The GDPR sets no fixed maximum storage period, but the storage limitation principle requires that personal data be kept only as long as necessary for the project's purpose. Anonymized data, which cannot be traced back to an individual, can be stored longer and used for creating research tools like user archetypes and personas.
- User control over data: Under GDPR, data subjects have the right to erasure (the 'right to be forgotten') and the right to rectification, allowing them to request deletion or correction of their data. Truly anonymized data, which can no longer be linked to an individual by any reasonably likely means, falls outside the scope of the GDPR. Pseudonymized data (for example, session records keyed by a participant ID while the lookup table is kept elsewhere) is still personal data, because the link can be restored.
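The following Python example is added here to make the pseudonymization advice of Step 6 and the erasure and retention points above concrete; it is not code from the original article or from USE-Ing. GmbH. It assumes a hypothetical in-memory `ResearchStore` with a constructed participant list; in practice the HMAC key and the identity table would live in a separately access-controlled system (a secrets manager and an encrypted database) away from the research repository that analysts use.

```python
"""Pseudonymized storage of usability-test findings with erasure and retention.

Added example, not part of the original article. Names, the store class
and the sample participants are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class ResearchStore:
    # Secret key for the keyed hash. Generated fresh here; in a real
    # deployment it is kept in a secrets manager, not beside the findings.
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    # pseudonym -> direct identifiers. The only place identity is stored.
    identities: dict = field(default_factory=dict)
    # pseudonym -> list of session findings. What researchers work with.
    findings: dict = field(default_factory=dict)

    def pseudonym(self, email: str) -> str:
        # A keyed hash (HMAC), not a bare SHA-256: without the key nobody can
        # rebuild a pseudonym by hashing guessed e-mail addresses.
        normalized = email.strip().lower().encode("utf-8")
        return hmac.new(self.key, normalized, hashlib.sha256).hexdigest()[:16]

    def record_session(self, name: str, email: str,
                       session_date: date, notes: str) -> str:
        """Store one session; identity and findings go to separate tables."""
        pid = self.pseudonym(email)
        self.identities.setdefault(pid, {"name": name, "email": email})
        # Free-text notes can themselves identify someone; keep them to the
        # observed use errors, not to who the participant is.
        self.findings.setdefault(pid, []).append(
            {"date": session_date, "notes": notes})
        return pid

    def identity_of(self, pid: str):
        """Re-identification: only possible while the identity row exists."""
        return self.identities.get(pid)

    def erase(self, email: str) -> bool:
        """Right to erasure: drop the identity link and the session data."""
        pid = self.pseudonym(email)
        if pid not in self.identities:
            return False
        del self.identities[pid]
        self.findings.pop(pid, None)
        return True

    def purge_expired(self, today: date, retention_days: int) -> int:
        """Storage limitation: delete findings older than the retention period.

        Returns the number of session records removed. Participants left with
        no findings lose their identity row too, so nothing lingers.
        """
        cutoff = today - timedelta(days=retention_days)
        removed = 0
        for pid in list(self.findings):
            kept = [f for f in self.findings[pid] if f["date"] >= cutoff]
            removed += len(self.findings[pid]) - len(kept)
            if kept:
                self.findings[pid] = kept
            else:
                del self.findings[pid]
                self.identities.pop(pid, None)
        return removed


if __name__ == "__main__":
    # Constructed sample data for a summative test of a dose-entry screen.
    store = ResearchStore()
    pid = store.record_session("Ada Example", "ada@example.com",
                               date(2024, 3, 1), "Confused mg and mL units")
    print(pid, store.identity_of(pid))
    store.erase("ada@example.com")
    print(store.identity_of(pid))   # None: the link is gone
```

Note that this store holds pseudonymized, not anonymized, data: as long as the key and the identity table exist, the records remain personal data under the GDPR, and access to both must be restricted to the people who genuinely need to re-contact participants.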
Conclusion
Navigating data privacy regulations can seem daunting, but with the right approach and understanding, it becomes a manageable part of the usability testing process. By prioritizing transparency, consent, and data security, researchers and testers can ensure compliance while building trust with participants.
Call to Action
Ready to take your usability testing to the next level? Start implementing these best practices today and ensure your research and testing is compliant, ethical, and trustworthy. Join us on this journey to better usability testing practices that respect and protect participant privacy.
By following this guide, UX researchers and usability testers can navigate the complex world of data privacy regulations with confidence, ensuring that their research and testing practices are both compliant and respectful of participant privacy.
STANDARDS & REFERENCES
- Human Factors & Usability Engineering for Medical Products | USE-Ing. GmbH
- Learning from the User – Contextual Interview | USE-Ing. GmbH
- Professionally developing medical technology | USE-Ing. GmbH
- European Commission: Data Protection
- General Data Protection Regulation (GDPR) Compliance Guidelines
- UK Information Commissioner’s Office
- California Consumer Privacy Act (CCPA)
- California Privacy Rights Act (CPRA)
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act