An anatomical model of a human foot

Photo by Nino Liverani on Unsplash

Most researchers working in UX are aware of best practice when dealing with research participants. For example, the Market Research Society and the British Psychological Society both have codes of conduct that contain advice on dealing with research participants. As a psychologist, I had research ethics drilled into me at a young age.

So the notion of obtaining consent from research participants is something I had done long before the General Data Protection Regulation (GDPR) turned best practice into a legal requirement. Nevertheless, there's always room for improvement, so I thought it was time to examine the way we did things at Userfocus. As you'll see, we did come up with some areas for improvement that went beyond just gaining informed consent and I think this is one reason why the GDPR is a good thing for our industry.

My first step was to read the GDPR and then turn to the various interpretations of it that exist. Here are some of the highlights that I think are relevant to UX researchers when gaining consent.

Consent needs to be:

  • Freely given. This means you can't make consent dependent on receiving a benefit, like an incentive for taking part. I've argued before that the best way to deal with this is to give the participant the incentive before you ask for consent.
  • Presented separately from other information. This means the consent form needs to be separate from other forms, like a non-disclosure form.
  • Based on properly explained information. This means you need to tell the participant what the research is about (for example, by providing a separate information sheet about the research).
  • Able to be refused and easily withdrawn. This means the participant can withdraw consent at any time and this needs to be easy to do.
  • Provided for a specific purpose. If you plan to use the data for multiple purposes, you need to get consent for all of them (for user research, this means if you want to share the video recordings in the future or if you want to hire an external firm to make transcripts of the sessions).

Importantly, the GDPR regulations don't apply to data that's anonymised (I'll explain later why this matters).

We already practiced most of these but we had concerns over withdrawing consent. Although we make it clear to our participants that they can withdraw from the research at any time, this isn't what these requirements are about. Our reading of this is that people should be able to contact us when they get home from the session, or even a few months later, and say: "You know what? I've changed my mind. I'd like to withdraw my consent".

Initial consent form

I started the redesign by reviewing the consent form in our Usability Test Plan Toolkit. Here's the way this appears:

Purpose of this study

The purpose of this study is to understand how people use a . Your participation in this study will help [Commissioning company] make the [product / web site] easier to use.

  • The researcher has explained the purpose of the research to me.
  • I have had an opportunity to ask questions about the study.

Freedom to withdraw

Your participation in this study is voluntary.

  • You can refuse to take part at any time.
  • You can take a break at any time.
  • You can ask questions at any time.
  • I understand that I can leave at any time without giving a reason.

Information we will collect

We will ask you to show us how you use the [product / web site]. We will watch how you do various tasks and we will ask you some questions. People on the design team may view the sessions from another room. We will also record the session and we will take notes to record your comments and actions.

  • I understand that people on the design team may be observing me during the research.
  • I understand that my voice, my face and the computer screen will be video recorded.

Privacy and Confidentiality

The design team may watch the recording of your session so they can improve the [product / web site]. No-one else will see the recordings. We may publish research reports that include your comments. The data used in these reports will be anonymous. This means you will not be identifiable and your comments will be confidential.

  • I understand that people on the design team may view the recording in the future.
  • I understand that my comments are confidential.

Your agreement

To take part in the research, please sign this form showing that you consent to us collecting these data.


First redesign

The main sections that looked like they needed work were the sections titled, "Information we will collect" and "Privacy and confidentiality". We needed to make it clear that people could withdraw their consent once the session was complete and we needed to make it easy to do.

The way I decided to change the form was to explicitly say what people were giving their consent to. So in the "Information we will collect" section, I highlighted observation from a remote room; the audio, video, and screen recording; and the written notes taken by people observing the session.

In the "Privacy and Confidentiality" section I thought I should make it clear that the participant's comments may end up in a written report, so I explicitly added that.

Finally, I added a paragraph about withdrawing consent in the future, to include the researcher's contact details.

Here was how it was looking:

Purpose of this study

The purpose of this study is to understand how people use the [INSERT PRODUCT NAME HERE]. Your participation in this study will help us make the product easier to use.

  • The researcher has explained the purpose of the research to me.
  • I have had an opportunity to ask questions about the study.

Freedom to withdraw

Your participation in this study is voluntary. You can refuse to take part at any time; you can take a break at any time; and you can ask questions at any time.

  • I understand that I can leave at any time without giving a reason.

Information we will collect

We will ask you to show us how you use the product. We will watch how you do various tasks and we will ask you some questions. People on the design team may view the sessions from another room. We will also record the session and we will take notes to record your comments and actions.

I give my consent (please tick all that apply):

  • For people to observe me during the research.
  • To audio record my voice.
  • To video record my face.
  • To record the computer screen.
  • To note down my comments and actions.

Privacy and Confidentiality

The design team may watch the recording of your session so they can improve the product. These recordings will not be shared outside our company.

We may publish research reports that include your comments and actions but they will be anonymous. This means your name will not be linked to anything you say or do.

I give my consent (please tick all that apply):

  • For people on the design team to play the recording in the future.
  • For the researcher to include my anonymous comments in reports.

Before you leave today, the researcher will give you a copy of this form. If you want to withdraw your consent in the future, or if you have any questions about the study, contact the researcher who will destroy any personal data we hold about you.

[Insert researcher’s name and contact details]

Your agreement

To take part in the research, please sign this form showing that you consent to us collecting the data you have ticked above.


Testing the form

What did user researchers think of the form? Was it practical? How about test participants? Would they understand it? To check, I sent the form to colleagues to review and I also tested it for understanding with people who I asked to play the role of users.

It didn't go well.

One user researcher thought it was "slightly horrifying" and questioned what would happen if a participant didn't want to be observed from another room — did this mean he needed to eject the VP from the observer room? And what if a participant gave consent to video recording but not to audio recording? (That reminded me of a time that I once ran a usability test session and I forgot to pilot test the microphone beforehand — the video was almost impossible to interpret.)

It got worse. Potential participants were overwhelmed by the number of checkboxes. One commented that it was looking a bit too… legal: like the terms and conditions when installing new software.

I had created what I thought was a GDPR compliant form; but it came at a serious usability cost. I needed to remind myself that the important concept here is consent: I had allowed the GDPR regulations to dominate in the redesign.

Back to the drawing board.

Second redesign

I tried to address these comments in a second redesign.

I removed many of the checkboxes in the earlier sections. These were really no more than checks that the participant was reading the form and not relevant to either privacy or consent.

I also rolled up the audio, video and screen recording into one "recording" item. We need a participant to consent to all of these, otherwise it's not worth including the participant in our research. Since we send our consent form to participants ahead of the research (and since they are recruited on the basis that they are comfortable with the session being recorded), I felt it was unlikely this would create an obstacle.

I removed the line about including anonymous comments in reports. This is because GDPR doesn't apply to anonymous information. So long as you make participants unidentifiable (e.g. by using a number like "P6" rather than a name, by blurring the participant's face in a usability test video or by obscuring any identifiable information the participant enters in an on-screen form) then by definition the data you collect is not "personal". This saved another checkbox.

I also changed the headings to make it more readable.

Finally, I replaced the user researcher's details with the data controller's contact details. In GDPR speak, the user researcher is the "data processor"; the organisation will usually have a dedicated data controller who is more widely responsible for protecting personal data. (We can use Thomas the Tank Engine as an analogy: Thomas's driver is the data processor and the Fat Controller is the data controller). I made this change because one user researcher made the point that her personal data are important too. For various reasons, she might not want to be personally contacted by a participant after the study.

Here's where I ended up:

What this study is about

The purpose of this study is to understand how people use [insert product name]. Your participation in this study will help us make the product easier to use.

Your participation in this study is voluntary

You can take a break at any time. Just tell the researcher if you need a break. You can leave at any time without giving a reason.

Information we want to collect

We will ask you to show us how you use the product. We will watch how you do various tasks and we will ask you some questions. We will record the session and we will take notes to record your comments and actions.

How we ensure your privacy

People on the design team may view the sessions from another room. Other people involved in the design of the product may watch the recording of your session in the future. These recordings will be treated as confidential and will not be shared outside our company.

We may publish research reports that include your comments and actions but your data will be anonymous. This means your name and identity will not be linked in our research reports to anything you say or do.

Your consent

Please sign this form showing that you consent to us collecting these data.

I give my consent (please tick all that apply):

  • For people to observe me during the research.
  • For the session to be recorded.
  • For people on the design team to watch the recording in the future.

If you want to withdraw your consent in the future, contact the person named below who will destroy any personal data we hold about you (such as the recordings). Otherwise, we will delete your personal data after two years.

[Insert data controller's name and contact details]

Testing the redesign

We're going to test this out for real in an upcoming usability test. After that, we'll revise the consent form if necessary and then add it to the Test Plan Toolkit.

How GDPR is improving the way we do user research

First, we're trying to anonymise everything. For example, we use an external agency to recruit participants for us and now we tell the agency that we do not want them to send us each participant's full name or contact details. We're just happy to know that "Bob" will be arriving for the 10am session. The agency can send Bob the details of the study and they can phone Bob if he's late for the session. Similarly, we blur the participant's face in any video clips that could get distributed more widely than the design team. In this way, we are minimising the amount of personal data we hold on our participants and controlling the data where participants could be identified.

Second, we now have a data retention policy for our user research. All of our raw data that contains personal information (primarily usability test video recordings but also photographs and audio recordings from field visits) are destroyed after two years. As an acquisitive researcher, this is one of the things I found most difficult. Raw data are the building blocks of our trade: what if I want to re-analyse them in the future? Then I looked over the last 20 years of research we had done and discovered this had happened just once (for a commercial banking client who had lost the transcripts of field visit interviews). So it's something I'm learning to live with.

Third, we've standardised on the way we label and name our research data (like our test videos). This is to make it easier for us to track down and delete videos if a participant decides to withdraw consent in the future.

I've not shown this to a lawyer so I can't claim that our new consent form really is GDPR compliant. But I'm always open to improving our approach. If you have some comments or ideas, especially if they are based on trying out the form yourself, please contact me: @userfocus.

About the author

David Travis

Dr. David Travis (@userfocus) has been carrying out ethnographic field research and running product usability tests since 1989. He has published three books on user experience including Think Like a UX Researcher. If you like his articles, you might enjoy his free online user experience course.



Foundation Certificate in UX

Gain hands-on practice in all the key areas of UX while you prepare for the BCS Foundation Certificate in User Experience. More details

Download the best of Userfocus. For free.

100s of pages of practical advice on user experience, in handy portable form. 'Bright Ideas' eBooks.

Related articles & resources

This article is tagged ethnography, legal, usability testing.


Our services

Let us help you create great customer experiences.

Training courses

Join our community of UX professionals who get their user experience training from Userfocus. See our curriculum.

David Travis Dr. David Travis (@userfocus) has been carrying out ethnographic field research and running product usability tests since 1989. He has published three books on user experience including Think Like a UX Researcher.

Get help with…

If you liked this, try…

Get our newsletter (And a free guide to usability test moderation)
No thanks