Why Consent Management Is An Essential Part Of UX Research
Written by: Phil Hesketh
If you’re undertaking any type of UX research, you need to understand the logistics of data privacy regulations and consent management—and the implications for your business if you conduct research without taking these into consideration.
What is consent management?
Consent management is a process that allows website visitors and customers to determine the amount and type of personal data they wish to share with a business online.
Due to the implementation of data protection regulations and laws around the world—such as GDPR, CPRA, and LGPD — companies in every industry need to ensure they have a consent management system in place if they intend to collect, store, manage, or use any type of user data.
Is consent management the same as preference management?
While they’re often bundled together in the broader landscape of data compliance, preference management and consent management are two separate things.
Preference management relates to customers selecting their preferred method(s) and frequency of contact from a company (e.g. choosing weekly emails, or allowing incoming SMS messages).
Consent management refers to customers having the ability to opt in or out of data collection and communication with a company. This gives users control over the amount and type of data they are willing to share, and allows them to revoke their consent at any time if they choose to do so.
Why is consent management important?
Consent management is essential for global legal compliance as mentioned above, and for upholding your company’s data ethics and principles around privacy and human rights.
Data regulation compliance
If you choose to sidestep consent management as part of your UX research initiatives, you do so at your own risk.
Customers these days are becoming much more intentional about the amount of data they share online, and which businesses they share it with. Any violations of data collection policies now come with significant risks for companies in the form of costly penalties and negative brand publicity.
In July 2021, you may recall, Amazon was fined an eye-watering €746 million (around £636 million) by Luxembourg's data protection authority for breaching its GDPR obligations. It was a good lesson that nobody is exempt from data protection law, not even global mega-corporations.
While it may seem like a huge amount of extra work, putting a consent management framework in place will give you peace of mind that you’re always on the right side of the law.
Two of the major data privacy regulations you're most likely to meet are the EU's General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA), which amended and expanded the earlier CCPA.
Under both laws, companies must be transparent with users about the type of data they collect, why they collect it, and what they intend to do with it. They must also let users withdraw consent, and request deletion of their data, at any time (subject to the specific exceptions each law allows).
Protecting users’ consent rights
Being transparent about the type of data your company is collecting via cookies, trackers, surveys, etc. is an important step in building trust and brand loyalty between your business and its customers.
In a Deloitte survey, 73% of people said they were happy to share their information with companies, as long as they maintained control of their data and had the ability to delete it at any time.
If you’re intending to survey users for UX research purposes, paying attention to consent requirements is 100% necessary before you begin to collect or use anyone’s data.
You’ll need to have a consent management solution in place that respects your users’ rights, and covers their questions about the “before, during, and after” of the consent process, such as:
- What sort of data will be collected
- How you’ll store and manage their data
- How the data will be used
- Who you’ll be sharing the data with
- How long the data will be kept for
This information must be easily accessible to your users. Your participants can then choose to opt in to your survey with explicit consent, or opt out if they don’t feel like sharing this data with your company.
Although consent for most of us looks like a checkbox with a yes or no question attached, the nuances behind this go much deeper.
If you’re undertaking a UX research survey, you might need different consent questions for certain participants or user segments—and you’ll need to take into account each user’s consent preferences to enable you to use the final data in a way that respects everyone’s individual wishes.
Consent management and privacy laws
Keeping up with the rules, regulations, and potential fines attached to consent and data privacy laws is enough to make your head spin.
But as we’ve already mentioned, consent is the key to maintaining the trust and respect of your users, and it provides protection from unwanted legal entanglements under laws such as GDPR and CPRA.
The GDPR requires a lawful basis for every processing activity. If your lawful basis is consent, you'll need to familiarize yourself with the conditions for valid consent (Article 7 and Recital 32), and what your company is expected to do to uphold them, including:
- Using an opt-in approach: silence, pre-ticked boxes, or inactivity do not count as consent
- Being able to demonstrate that each user (or research participant) freely consented to the specific processing you describe
- Presenting the consent request clearly, in plain language, and separately from other terms
- Allowing users to withdraw consent at any time, and making withdrawal as easy as giving consent was
- Not making a contract or service conditional on consent to processing that isn't necessary for that contract, since consent given under that kind of pressure isn't "freely given"
UK ICO guidance on research goes a step further: it notes that consent is often not the most appropriate lawful basis for research, and that "legitimate interests" (or "public task", for public bodies) usually fits better. In that case GDPR consent does not apply as the lawful basis, but you still seek a participant's ethical consent to take part in the study, and their right to withdraw from the research is still upheld.
Under the CPRA, consent is defined in much the same terms as under the GDPR: a freely given, specific, informed, and unambiguous indication of the consumer's wishes, signifying agreement to the processing of personal information for a narrowly defined purpose.
Consumers have rights under the CPRA which include:
- The right to know what personal information is collected about them, and to access it
- The right to delete that information
- The right to correct inaccurate personal information
- The right to opt out of the sale or sharing of their personal information
- The right to limit how their sensitive personal information is used and disclosed
- The right to access information about, and opt out of, automated decision-making (including profiling)
Obtaining consent by means of dark patterns, disguised ads, pre-checked boxes, or muting, pausing, or closing a piece of content, does not constitute consent.
This means companies need to get very specific about how they display and structure their consent collection forms.
Express consent vs implied consent
Under the CPRA, two kinds of consent may come into play.
Express consent - the user affirmatively agrees, in writing or through a clear action such as ticking a box that was not pre-ticked, to the specific processing described to them.
Implied consent - the user is told that data is being collected and carries on anyway without opting out (e.g. continuing to use a site after a notice has been shown). It's worth noting that the GDPR doesn't recognize implied consent: silence, inactivity, or pre-checked boxes on consent forms don't count.
The CPRA is primarily an opt-out law, but it requires opt-in consent in specific situations, as we explain below.
The important thing to remember when you're collecting consent under the CPRA is that users must always be able to opt out, or withdraw consent they have previously given, and that the opt-out route must not be harder to use than the opt-in was.
Types of consent to consider
Consent management can be approached in three different ways, and it’s important that you know which types of consent are compliant with the major data regulations.
When you implement opt-in consent, it means your users need to take a specific action that confirms they consent to their information being collected, stored, and used.
You will have seen opt-ins used in many instances around the web such as forms for accepting cookies, email communications, and subscriptions.
Opt-in examples can include things like:
- Sharing or selling personal information of minors (under 16 in California, with parental authorization required under 13)
- Secondary use of data
- Participation in financial incentives
To remain GDPR compliant where consent is your lawful basis, companies must ensure that users actively opt in to data collection. Under the CPRA rules, most collection can instead be covered by giving users an option to opt out.
To stay on the safe side of global compliance rules, it’s always best if you ask your users to manually consent to some, or all, of your data collection requests before they proceed on your website. This positions you as a transparent business with user friendly data policies that can help grow brand trust.
The opt-out method is common in the US, but it is not acceptable under EU law where consent is the lawful basis. If you're a company operating internationally, using the opt-in method above is the safest solution.
With the opt-out approach, customers are informed that a company will be collecting specific personal data on them, and they are then allowed to opt out if they wish.
Some opt-out examples include things like:
- Targeted ads
- Automated profiling
- Sharing of personal data
- Sales of personal data
- Use of sensitive personal information beyond what's necessary (consumers can limit it)
Users must actively opt out, for example by filling in a form or unchecking a box; otherwise consent is assumed. (Sale or sharing of minors' data is the exception, and falls under opt-in, as listed above.)
There are pros and cons for both the opt-in and opt-out approaches to consent, and it’s often unclear which is the best choice. Because data privacy laws are growing and changing rapidly around the world, it makes sense for many businesses to adopt a “hybrid” consent model.
Hybrid consent enables companies to remain compliant with global regulations, while still giving customers control over their personal information. This model incorporates aspects of the opt-in and opt-out approaches, and is typically dependent on the type of data that will be collected, and how that data will be managed and used.
A company in the US might use the opt-out method unless it’s collecting highly sensitive personal data.
When sensitive data is requested from a user, the company would change to the opt-in approach, as they would need a user’s express consent to collect and process this type of personal data.
However—in the context of research, it’s hard not to collect sensitive information (or special category data).
As an example:
Say you're recording a video interview in the field for your UX research. The footage will reveal things like the person's apparent age, gender, and ethnicity (racial or ethnic origin is special category data under the GDPR), and other sensitive matters, such as health or religion, may come up in the course of your questioning.
When you’re considering using the hybrid consent model, you’ll need to make sure that all your compliance bases will be covered.
As a response and/or solution to the challenges of UX Research (particularly over longitudinal studies and community design projects), there is another option for ensuring compliance, which is dynamic consent.
Implementing a platform like Consent Kit that has user-centric dynamic consent capabilities allows your UX research participants to control the collection of their data, and consent to its usage, for the entire duration of their interactions with your company.
This gives you a rock solid consent management system to use and store personal data compliantly—and ethically.
How do you implement consent management?
Implementing a system to manage consent can feel like a huge undertaking, but it’s no longer optional for businesses.
Thankfully, the software industry has responded to the growing need for data compliance by developing specialist platforms that can fit neatly into existing tech stacks and help companies manage the consent process with ease.
Consent management platforms
Many companies choose to manage users’ consent by way of a consent management platform (CMP), or a similar marketing platform that has the ability to compliantly manage user data.
These types of platforms are designed with robust capabilities to capture, record, and organize consent signals alongside user data. They handle the consent side of compliance, and give companies the ability to:
- Automate the consent management process
- Track and monitor their users’ data
- Enable users to update or delete their data and preferences
CMPs make it simple for businesses to stay compliant with regulations like GDPR and CPRA, while at the same time giving customers peace of mind that they are in control of the data they share.
Every CMP looks a little different from the customer side, but they typically involve some form of pop-up with checkboxes for giving consent.
If you invite a customer to participate in a UX research survey, they might click on the invite link you send them. Your CMP might then render a pop-up on your website that will ask your customer to consent (or not) to their data being collected before they continue on to your survey.
A CMP ensures consent is obtained before data is collected, provided that your tags, analytics, and recording tools are actually gated on the consent signal it emits: a CMP can record a refusal, but it can't stop a tracker that ignores it. Done properly, this keeps compliance maintainable and significantly reduces the risk of breaches and penalties. CMPs also mean that consent data can be stored and managed from one centralized place, instead of having this information scattered across multiple systems.
Creating a consent framework for UX research
Whether you choose to use a CMP or not, it’s important that you create a standardized process for collecting informed consent from your research participants.
Your consent framework needs to put your participants in control, and ensure that:
- It’s crystal clear that giving consent is optional
- There are no pre-checked boxes or dark patterns that “trick” people into consenting
- You obtain user consent for each different or specific element of your research
- There is a clear, manual, and affirmative action taken by each participant, proving that they freely made the decision to contribute to your survey
- Participants know that they have the option to change or revoke consent at any time, and are informed of how they can go about this
- Participants know their data is not being sold to third parties
- Participants understand how long data will be kept before it is destroyed
You’ll also need to think about how you’ll handle:
- Secure storage of personal data
- Usage of individual data
- Data sharing or transfer
- The right to data access by each participant
- Giving individuals the right to alter or erase data, or revoke consent
- Keeping proper records and proof of consent from each participant
- Archiving and destruction of data
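As an added illustration (not code from this article, from Consent Kit, or from any CMP), the following Python sketch shows how the requirements above translate into a consent record structure: consent is recorded per purpose rather than as one blanket "I agree", nothing is granted by default (the equivalent of no pre-checked boxes), withdrawals are appended rather than overwriting the original grant so there is always proof of what was agreed, each record stores a hash of the exact notice text shown, and a retention period flags grants whose data is due for destruction. The purpose names, participant IDs, notice text, retention period and timestamps are constructed sample values.

```python
"""Minimal append-only consent ledger for a UX research study.

Added illustration; not Consent Kit's or any CMP's code. Purposes, participant
IDs, notice text, retention period and timestamps are constructed samples.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Each research activity is its own purpose; consent is recorded per purpose,
# never as a single blanket agreement (hypothetical purpose names).
PURPOSES = {"interview_recording", "quote_in_report", "share_with_partner"}

# Constructed notice text; its hash is stored with every consent event.
NOTICE_V1 = ("We will video-record this interview and may quote you anonymously "
             "in an internal report. You can withdraw at any time.")


def notice_hash(notice_text: str) -> str:
    """Fingerprint the exact wording the participant saw, so the record still
    proves what they agreed to even if the notice is edited later."""
    return hashlib.sha256(notice_text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    participant_id: str
    purpose: str
    granted: bool        # True = opt-in, False = withdrawal
    at: datetime         # when the affirmative action happened (UTC)
    notice_sha256: str   # hash of the notice text shown at that moment
    source: str          # how it was captured, e.g. "web_form"


@dataclass
class ConsentLedger:
    retention: timedelta
    events: list[ConsentEvent] = field(default_factory=list)

    def record(self, participant_id: str, purpose: str, granted: bool,
               at: datetime, notice_text: str, source: str = "web_form") -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        ev = ConsentEvent(participant_id, purpose, granted, at, notice_hash(notice_text), source)
        self.events.append(ev)  # append-only: a withdrawal never erases the earlier grant
        return ev

    def _latest(self, participant_id: str, purpose: str) -> ConsentEvent | None:
        latest = None
        for e in self.events:
            if (e.participant_id == participant_id and e.purpose == purpose
                    and (latest is None or e.at >= latest.at)):
                latest = e
        return latest

    def is_permitted(self, participant_id: str, purpose: str, now: datetime) -> bool:
        """Default deny: no event, a withdrawal, or an expired grant all mean 'no'."""
        ev = self._latest(participant_id, purpose)
        if ev is None or not ev.granted:
            return False
        return now - ev.at < self.retention

    def expired(self, now: datetime) -> list[tuple[str, str]]:
        """Grants older than the retention period; the data they cover is due for destruction."""
        due = []
        for pid, purpose in sorted({(e.participant_id, e.purpose) for e in self.events}):
            ev = self._latest(pid, purpose)
            if ev is not None and ev.granted and now - ev.at >= self.retention:
                due.append((pid, purpose))
        return due

    def export(self, participant_id: str) -> str:
        """Proof of consent / subject access request: every event for one participant, as JSON."""
        rows = [dict(purpose=e.purpose, granted=e.granted, at=e.at.isoformat(),
                     notice_sha256=e.notice_sha256, source=e.source)
                for e in self.events if e.participant_id == participant_id]
        return json.dumps(rows, indent=2)


def demo() -> dict:
    """Walk one constructed participant through grant, withdrawal and retention."""
    t0 = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger(retention=timedelta(days=365))
    # P001 ticks two boxes themselves; "share_with_partner" is never recorded,
    # so it stays denied (nothing is pre-checked).
    ledger.record("P001", "interview_recording", True, t0, NOTICE_V1)
    ledger.record("P001", "quote_in_report", True, t0, NOTICE_V1)
    # Two months later P001 withdraws permission to be quoted.
    ledger.record("P001", "quote_in_report", False, t0 + timedelta(days=60), NOTICE_V1)
    check = t0 + timedelta(days=90)
    return {
        "recording_ok": ledger.is_permitted("P001", "interview_recording", check),
        "quote_ok": ledger.is_permitted("P001", "quote_in_report", check),
        "share_ok": ledger.is_permitted("P001", "share_with_partner", check),
        "due_for_destruction": ledger.expired(t0 + timedelta(days=400)),
        "event_count": len(json.loads(ledger.export("P001"))),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

The design choice worth copying is the default-deny check: every piece of analysis code asks `is_permitted()` for the specific purpose before touching a recording or quote, so a participant who never ticked a box, who withdrew, or whose retention period has lapsed is treated identically. Storing the hash of the notice rather than a version number means a later edit to the wording can't quietly change what an old record appears to say.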
Having a well-defined system for handling all your legal consent-related requirements will help reduce your team’s admin time, reduce errors in consent collection and management, and minimize your risk of non-compliance fines.
Consent management is a necessary piece of your UX research puzzle. It develops trust and credibility between your brand and your research participants by maintaining transparency about how and when their personal data will be used.
Most importantly, implementing a consent management system protects your business from potential lawsuits and fines that may arise if you neglect to comply with the numerous requirements of global data regulations and laws.