Skip to main content


Navigating the Gray Area: How to Ensure Ethical User Research Practices in the Digital Age

Alexia Ingber

This blogpost - including the present disclaimer - was written with the assistance of Grammarly and ChatGPT; the latter is a state-of-the-art language generation model developed by OpenAI. A human has reviewed and edited the text and verified it for accuracy. The opinions and statements expressed in this post are solely those of the author and do not reflect the views of OpenAI.

With the rise of global action around data privacy and protection laws in Europe, researchers need to think about how participant privacy is maintained before, during, and after a research study. We are responsible for our participants' well-being, representing them honestly and keeping their personal information safe.

But, a little bit of history first!

Over the last two decades, data management and privacy in UX research have evolved significantly. Understanding those changes helps us better grasp today’s risks and needs regarding data collection and privacy.

Data management practices were less formalized and regulated initially, and privacy concerns were less prominent. As technology advanced, the ability to collect, store and analyze data increased, leading to more sophisticated research methods and more detailed data. However, with the increase in data collection, privacy and data security concerns also grew.

But there is more. Technology is constantly improving, changing, moving, alienating; you name it. With the rise of social media and mobile devices came risks: more data was available online, and collecting those without consent was easier for some people (you know who you are!).

Even more now, with remote research, information is being collected through online surveys, remote interviews, and digital trackers, which means more risks of data breaches.

The most significant changes took place in the past decade with legal and regulatory requirements for data usage. Our data need to be protected, and we need more control over it (Hello, GDPR!).

We also had to be more transparent about our processes. And we did. We have become more aware of privacy issues, including things like data minimization, anonymization, secure data storage, and participant consent.

Black surveillance camera painted on white background

Shoulda, Woulda Coulda ?

In the context of user research, conflicting interests around data management and privacy can arise between the research team and the participants (1) and between the research team and the stakeholders (2). Let’s explore those two issues:

The first tension that can arise is between the need for detailed and specific data to inform the research and design process and the need to protect participants' personal information and privacy. As researchers, we may want to collect detailed information about participants' demographics, behaviors, and preferences to understand their needs and pain points. However, participants must feel comfortable sharing this information and willing to participate in the research. We must be upfront about how their data will be used and respect their wish to engage or not with us.

The second conflict can arise between the research team and stakeholders, such as clients or business partners. Stakeholders may want access to detailed information about participants to inform business decisions or product development. However, the research team may be reluctant to share this information, as it could compromise participants' privacy or the integrity of the research.

To help you handle those difficulties, here are some guidelines for an ethical user research process:

  1. Clearly communicate the data collection process

    Before the research begins, inform participants about how their data will be collected, stored, and used and obtain their explicit consent. You formalize it with the signature of an Informed Consent.

  2. Minimize the amount of data collected

    Only collect the minimum amount of data necessary for the research and avoid collecting sensitive personal information unless it is absolutely necessary. After the research is finished, you should delete or anonymize the data if it is no longer needed. Collecting only the necessary data can reduce the risk of mishandling or exposing sensitive personal information. It helps to ensure that only relevant information is collected, which can improve the overall quality of the research. But, it is also a way to comply with legal and regulatory requirements.

  3. Anonymize and aggregate data

    When possible, anonymize participants' data and aggregate it to protect their identities and personal information.

  4. Use secure storage and sharing methods

    Use secure platforms and protocols to store and share data, and limit access to only those who need it.

  5. Regularly review and delete unnecessary data

    Review the data collected regularly and delete unnecessary data to minimize the risk of data breaches or misuse.

  6. Be transparent and accountable

    Be transparent with stakeholders about the data collected, how it will be used, and the measures taken to protect participants' privacy.

By applying these best practices, we can balance the need to collect detailed and specific data with the need to protect participants' privacy while also maintaining the research's integrity and the stakeholders' trust.

  • Profile picture of Dieter Peirs
  • Serena Yang Product Manager
  • Hannes

Getting to know each other is a good way to start. During our call, we will discuss your goals, how we can help and when we’ll open the champaign.

Let’s jump on a call

Book a time slot with Hannes

More opinions: