A full guide to data privacy regulations in user research: GDPR & more

A full guide to data privacy regulations in user research: GDPR & more

Data privacy and compliance are essential in UX research. Here’s how to cover your bases and how Maze helps do the heavy lifting for you.

Jul 3, 2026

TL;DR

Data privacy in user research requires protecting participant information through clear consent, minimal data collection, secure storage, and straightforward user controls. For teams using AI, privacy also includes keeping sensitive research data protected, reviewing AI-generated outputs, and ensuring participant information isn’t misused.

Maze supports user research compliance with built-in consent workflows, secure data handling, access controls, and AI guardrails to help teams run compliant research at scale.

More teams are running more research. In fact, 66% of product professionals say demand for research is rising faster than their capacity and systems can keep up with.

As research increases, so does the amount of participant data teams need to manage. This can include personal information, recordings, transcripts, survey responses, and consent records. Without clear processes, it becomes harder to protect that data consistently across markets, tools, and teams.

In this article, we break down what user research data privacy means in practice, from consent and GDPR compliance to secure storage, anonymization, and compliance in AI use. You’ll learn how to protect participant data without slowing down the research your team needs to make better decisions.

Key privacy laws for user research

Privacy laws shape how research teams get informed consent, collect participant data, store recordings, use AI tools, and respond to requests to access or delete user data. Most rules apply to personally identifiable information (PII), any data that can identify a participant, such as their name, email address, screen recording, voice recording, transcript, location, or IP address.

The exact requirements depend on several factors, like:

  1. Where your organization is based
  2. Where your participants are located
  3. Whether participant data is transferred across regions

For example, GDPR can apply to organizations outside the EU when they process personal data from people in the EU, while California privacy laws apply to qualifying businesses that collect personal information from California consumers.

These are the main laws research teams should take into account:

Privacy law

Applies when (region)

What research teams need to do

Potential penalties

General Data Protection Regulation (GDPR)

Teams collect or process personal data from people based in the European Union

Have a lawful basis for processing, get clear informed consent where required, collect only necessary data, store data securely, and support access, correction, deletion, and withdrawal requests

Up to €20 million or 4% of annual global revenue, whichever is higher

California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA)

Qualifying businesses collect personal information from California residents

Tell participants what data is collected, support deletion requests, limit the use of sensitive personal information, and allow opt-outs from certain data sharing

Up to $2,500 per violation, or $7,500 per intentional violation

Personal Information Protection and Electronic Documents Act (PIPEDA)

Many private-sector organizations collect, use, or disclose personal information in Canada

Get meaningful consent, explain the purpose of data collection, limit collection, apply appropriate safeguards, and avoid keeping data longer than needed

Certain offenses can lead to fines of up to CAD $100,000 per violation

Lei Geral de Proteção de Dados (LGPD)

Teams process personal data in Brazil

Have a valid legal basis for processing and support participant rights, including access, correction, deletion, and consent withdrawal

Up to 2% of company revenue in Brazil, capped at R$50 million per violation

Let’s look more closely at GDPR, one of the most wide-reaching frameworks governing how research teams collect, store, and use participant data.

GDPR for UX research

GDPR sets the bar for how teams collect, use, and manage personal data from European participants. Even if your company is not based in the EU, it can still apply if you research participants located there. In practice, it shapes how user research is planned, run, and stored.

Here’s how to approach GDPR compliance in user research:

  • Know when GDPR applies: GDPR applies when you collect or process personal data from research participants in the EU or UK, even if your company is based elsewhere. This includes interviews, surveys, usability tests, screen recordings, transcripts, and recruitment data.
  • Choose and document a lawful basis: Every research study needs a clear lawful basis for handling participant data. For example, recorded interviews may rely on participant consent, while analysis of existing product usage data may rely on legitimate interest. Decide this before the study starts, because your lawful basis affects your consent form, retention rules, and how you handle participant requests.
  • Use a clear consent form: Your consent form should explain the purpose of the study, what data you will collect, how you will use it, who can access it, and how participants can withdraw. For example, if you record video interviews, state that clearly and explain how long those recordings and other associated data will be stored.
  • Collect only the data you need: Only collect information that directly supports the study goal. For example, when testing a checkout flow, you may need task success, screen recordings, and feedback, but not a participant’s income or full address.
  • Protect recordings, transcripts, and notes: Research data often includes sensitive data. Store it in approved systems, restrict access to relevant stakeholders, and avoid sharing raw files over email or unsecured tools.
  • Set retention and deletion rules: Keep personal data only for as long as needed. Define when raw files, such as interview recordings, transcripts, and screen recordings, should be deleted and what anonymized insights can be retained for future reference.
  • Make users’ rights easy to act on: Participants can request access, correction, or deletion of their data. If a participant withdraws consent, you should be able to find and delete their data and any linked identifiers without affecting the rest of the research dataset.

Next, let’s look at the best practices that help teams protect participant data, maintain ethical standards, and run research across different tools, regions, and study types.

7 Best practices for compliant user research

Here are seven best practices that help you protect participant data and keep your research process consistent, secure, and compliant.

1. Design informed consent that protects participant privacy

Informed consent protects participants' privacy by explaining how their personal information will be collected, used, stored, and shared before the study begins.

It needs to explain:

  • Who is running the research (organization and contact person)
  • The purpose of the research project and how long it will take
  • What will happen during the session (for example, interview, user testing, survey, diary study), and whether it will be observed or recorded
  • What personal data and identifiable data you will collect, how you will use it, how long you will keep it, and whether any third-party tools (such as transcription services) are involved
  • What rights participants have under the General Data Protection Regulation and other relevant privacy laws, including rights to access, correction, and deletion

Under GDPR, consent must be freely given, specific, informed, and unambiguous, so avoid vague consent language or bundled approvals.

For example, don’t write: “We may use your data for research purposes.” Instead, write: “We’ll record your screen, audio, and responses during this 30-minute usability test. We’ll use the recording to analyze where users struggle in the checkout flow, and only the research and product teams will have access.”

Maze gives research teams dedicated ways to collect consent inside a study. You can add a specific consent step (for example, a Yes/No consent question or a dedicated consent screen) at the very start of a study and make it required so participants cannot continue without agreeing.

You can upload a consent form or privacy policy as a PDF, add your own wording about data use, and use branching to route people who do not consent out of the research experience.

An image of a legal screen you can add in Maze

2. Anonymize identifiable data to reduce data breach risk

Anonymization (and pseudonymization) reduces the chance that research participants can be identified if data is exposed, shared, or reused. It usually means stripping or masking names, email addresses, usernames, locations, company names, and other identifiers in your notes, interview transcripts, and clips.

For example, instead of sharing a raw interview clip that shows a participant’s face and mentions their company, you can share a trimmed clip with the name removed, the face blurred, and the company reference redacted. In transcripts, replace identifiers with labels like ‘Participant 3’ and remove details that could point back to a specific person.

Maze supports this best practice in two ways.

First, Maze generates automatic transcripts for Clips and recorded sessions so research teams can quickly scan and edit the text instead of widely sharing full raw video. This makes it easier to remove or mask identifiers before distributing insights.

Second, Maze’s research‑grade AI ensures that your text and speech data is sent only to a small set of vetted providers—OpenAI and Anthropic (via Amazon Bedrock) for language models, and Rev AI for speech‑to‑text.

These providers process your data only to return the AI output you requested and do not use your Clips, transcripts, or results to train their own models. The data is also encrypted in transit and at rest as part of Maze’s overall data security position.

A map of how Maze uses AI in it's workflow

3. Collect only the types of data your research study needs

This best practice comes from the data minimization principle in privacy laws like the GDPR and the CCPA. In simple terms, these laws say you should only collect personal data that is “adequate, relevant, and limited to what is necessary” for your stated purpose.

For example, if you’re running unmoderated UX testing on navigation, you might need task success, click paths, and a few behavioral questions. But you may not need full names, exact locations, or detailed demographics. Over-collecting personal data increases your privacy risk and your exposure in the event of a data breach, without necessarily improving your insights.

Maze supports data minimization by limiting unnecessary data collection. Maze doesn’t add extra tracking cookies or collect additional analytics on test‑taker URLs by default, so the only personal data in a maze is the data your team chooses to collect in questions and tasks.

In our GDPR guidance, we explicitly advise teams not to ask for personally identifiable information—such as names, emails, or company names—unless it is essential for the research study. And note that if your mazes do not contain identifiers, the resulting test data will generally sit outside the scope of the GDPR.

4. Lock down research data with enterprise-grade data security

When you store recordings, transcripts, and notes from UX research, you are holding sensitive user data. Enterprise‑grade data security means you protect that research data with audited controls (like SOC 2 and ISO/IEC 27001), strong encryption, and strict access management.

The core pieces of enterprise-grade data security for user research include:

  • Encrypting research data in transit: Use Transport Layer Security (TLS) to protect recordings, responses, and consent data as they move between participants’ browsers and your tools
  • Encrypting research data at rest: Store data (including backups) in encrypted databases, cloud storage, or secure file systems
  • Limiting access with role-based permissions: Only give access to people who need research data for their work, and remove access when roles change
  • Logging access and changes: Keep audit logs of who viewed, exported, or deleted research data to investigate issues and demonstrate good privacy practices
  • Backing up data securely: Maintain encrypted backups and test restore processes so you can recover from failures without exposing participant data
  • Preparing for incidents and data breaches: Have a clear response plan for security incidents, including how you will investigate, fix issues, and notify affected users if required by law

Maze applies these same principles to how it handles your research data. Maze is SOC 2 Type II and ISO/IEC 27001:2022 certified, meaning independent auditors have tested and approved its security controls and information security management system against recognized standards.

All customer data is encrypted in transit with TLS and at rest with strong ciphers, and access to production systems is restricted and monitored through role-based controls. For research teams, this means that session recordings, Clips, transcripts, and results live in an environment engineered and audited to meet enterprise data security and privacy expectations. Put simply, your data is in good hands when working in Maze.

💡 Want the full picture of Maze’s security and compliance policy? Explore certifications (like SOC 2 Type II), data privacy practices, and legal documentation in the Maze Trust Center.

5. Handle camera and mic prompts without hurting the user experience

When participants join the research studies, they may see browser prompts asking for camera, microphone, or screen-sharing access. Without clear context, these prompts can raise privacy concerns about what data is captured, who can access it, and how it will be used.

Set expectations early. Before any prompt appears, clearly explain what access you’ll request and why. For example: “This study will ask for camera and microphone access so we can record your feedback as you complete tasks. Only the research team will review these recordings.” This gives participants important context and reduces friction.

Time the prompt carefully. Trigger camera or mic access only when it’s required, not at the start of the study. For example, ask for access right before a think-aloud task or interview, not during onboarding.

Maze shares additional layers on top of this to keep the experience privacy‑aware. Before a live website test starts, Maze shows a warning that explains any personal data displayed on the site (for example, names, emails, or account details) and any data the participant enters will be visible to the study creator.

Maze shows a warning that explains any personal data displayed on the site

If a study relies on video or audio (such as Clips recordings, moderated interviews, or AI‑moderated sessions), Maze triggers the standard browser camera/mic prompt and, when access fails, shows a “We couldn’t access your camera and microphone” message with step‑by‑step instructions for enabling permissions in the browser.

Maze triggers the standard browser camera/mic prompt

Participants can choose whether to grant camera and microphone access, can close the maze at any time, and can ask the creator to delete their session data. This helps teams collect rich qualitative insights without forcing people into permissions they are not comfortable with.

6. Plan your research process for international data privacy compliance

When you run UX research across countries, you’re working under a patchwork of international data privacy rules that can all apply at once. Alongside setting conditions on how you collect participant data and where you store it, they also dictate how you should transfer it across borders when personal data leaves the country or region where the participant lives.

We’ve already covered the major frameworks like GDPR, CCPA/CPRA, PIPEDA, and LGPD. Here are other important regulations for user privacy protection that can apply depending on your research participants:

  • ePrivacy Directive, European Union: Governs cookies, tracking technologies, and electronic communications, including how you collect behavioral data during website testing or remote studies. Penalties vary by EU member state, but cookie and tracking violations can align with GDPR-level fines of up to €20 million or 4% of global annual turnover for serious infringements.
  • UK GDPR and Data Protection Act 2018, United Kingdom: Sets rules for consent, data processing, participant rights, and international transfers. The Information Commissioner’s Office can issue fines up to £17.5 million or 4% of global annual turnover for serious infringements and up to £8.7 million or 2% for less serious breaches.
  • Personal Information Protection Law, China: Sets strict rules for processing and exporting personal data from China, including security assessments and approved transfer mechanisms. Serious violations can lead to fines of up to RMB 50 million or 5% of the previous year’s annual revenue.
  • Digital Personal Data Protection Act, India: Governs digital personal data processing, including consent, user rights, data breaches, and cross-border transfers. Penalties can reach ₹250 crore for serious violations, including failure to maintain reasonable security safeguards.
  • Act on the Protection of Personal Information, Japan: Regulates how organizations collect, use, and transfer personal data, including safeguards for cross-border transfers. Businesses can face fines of up to JPY 100 million for certain violations.
  • Personal Data Protection Act, Singapore: Requires consent, purpose limitation, breach notification for certain incidents, and reasonable security arrangements. Fines can reach SGD 1 million or, for organizations with more than SGD 10 million in annual Singapore turnover, up to 10% of that turnover.
  • Protection of Personal Information Act, South Africa: Sets rules for lawful processing, including accountability, data minimization, purpose limitation, and security safeguards. Administrative fines can reach ZAR 10 million, and serious offenses may also carry criminal liability.

7. Raise your ethical standards beyond privacy laws

Privacy laws like GDPR, CCPA/CPRA, and others give you a legal baseline. They tell you what you must do to avoid fines, but they don’t fully answer questions like “Is this fair to participants?”, “Are we putting people under pressure?”, or “Could this insight be used in ways that harm certain groups?”.

Raising your ethical standards means adding your own guardrails around power, transparency, and respect for the people in your studies.

In practice, ethical standards in user research often include:

  • Respect for autonomy: Make participation genuinely voluntary, avoid nudging people into saying yes, and make it easy to withdraw—even if you technically have a lawful basis to process their data.
  • Minimizing harm: Avoid studies that could embarrass, distress, or disadvantage participants (for example, sensitive topics without proper support), even if they’re legal. Be careful how you share clips and quotes internally so people aren’t mocked or taken out of context.
  • Fairness and inclusion: Consider who is missing from your sample, how incentives work for different groups, and whether your research practices unintentionally exclude or burden certain communities.
  • Transparency about methods: Be honest with participants and stakeholders about what you’re doing, how you’re collecting and analyzing data, and where your findings have limitations or uncertainty.

As soon as you add automation into this mix, hidden bias in your data or models can shape patterns, themes, and top insights. This means your findings can drift away from what your participants said, at scale, without any obvious warning.

Trusting AI in user research

According to our 2026 Future of User Research report, nearly 2 in 3 researchers now use AI in their workflows, and 69% use it in at least some projects. That’s exciting for speed and scale, but it also raises ethical questions about how much you can—and should—trust AI in user research.

AI can help teams draft questions, summarize responses, identify themes, and support analysis. But user research depends on context. A participant’s hesitation, tone, word choice, or contradiction can change the meaning of a response. If AI misses that nuance, researchers risk turning complex human feedback into oversimplified findings.

That’s why trust remains a challenge. Of those surveyed, 82% say interpreting nuance and emotion still requires a human, while another 80% say ethical decision-making can’t be handed off to AI. At the same time, 73% call human review a key challenge when using AI, and 66% worry about trust and credibility.

Vertical bar chart titled 'When using AI in research, where is human judgment still essential?' showing top areas: interpreting nuance and emotion (82%), ethical decision-making (80%), framing the right questions (76%), strategic recommendations (66%), and stakeholder influence and storytelling (64%).

These concerns matter for data privacy, too. Without clear rules, teams can lose track of where participant data is used, what AI-generated outputs are based on, and whether findings reflect the original evidence.

The answer is to use AI with clear guardrails. Research teams should tell participants when AI is involved, label AI-assisted outputs in reports, and review AI-generated themes against the original clips and transcripts. They should also define where AI can and can’t be used, especially when studies involve sensitive participant data.

Many teams are already moving in this direction. In response to AI trust and privacy concerns, 80% of researchers say they’ve built human review of AI outputs into their workflows, often alongside privacy controls and clear rules for AI use.

Setting up guardrails for challenges in user research

Maze’s AI ethics guidance for UX research highlights specific risks. These include biased prompts, opaque or overconfident summaries, and teams that rely too heavily on AI without human review. You should tell participants when AI is involved, label AI‑assisted outputs in your reports, and always check AI‑generated themes against the original clips and transcripts.

Maze supports ethical research with research‑grade AI and its AI moderator, but it keeps researchers in charge of what’s asked and how findings are used.

Every AI‑generated insight in Maze can be traced back to the exact questions and participant responses it came from, so you can see the raw moments behind themes. Researchers can preview and edit the AI moderator’s behavior before a study goes live, adjust the level of automation, and apply human review to outputs.

How Maze supports ethical, compliant user research studies

Teams need systems that make privacy and compliance part of the research process. Maze builds privacy, security, and compliance into how studies are set up, run, and shared:

  • Built for global compliance: Supports frameworks like GDPR, CCPA, and SOC 2 Type II, helping teams meet legal and enterprise requirements
  • Secure data handling: Encrypts data in transit and at rest on secure cloud infrastructure
  • Granular access control: Let's teams restrict who can view, edit, or share participant data and study results
  • Privacy by design: Aligns with principles like data minimization, consent, and user rights across the platform
  • Clear data processing policies: Provides Data Processing Agreements and documentation to support audits and procurement reviews
  • Reduced sensitive data exposure: Avoids storing high-risk data like payment information directly
  • AI with guardrails: Documents how AI features use data, supports human oversight, and gives teams control over AI usage

With Maze, teams can scale user research while keeping participant privacy, security, and compliance built into every study to keep you and your participants safe.

Research responsibly, scale confidently

Maze helps you collect insights at scale while keeping participant data secure and your research aligned with privacy and compliance requirements.

Frequently asked questions about user research data privacy

What is informed consent in user research?

Informed consent means participants clearly understand and agree to who is running the study, what data you’ll collect, how you’ll use it, and that they can say no or stop at any time.

How does GDPR apply to user research?

GDPR applies whenever you collect or process personal data from people in the EU/EEA, including for user research. You must have a lawful basis (usually explicit consent), explain what you collect and why, minimize data, store it securely, and honor rights like access and deletion.

How long should I store user research data?

Keep data only as long as needed for the research purpose you told participants about. Once that purpose is complete, delete the identifiable data or anonymize it so it can no longer be linked to a participant.

In Maze, you can delete individual sessions or entire studies (which permanently removes recordings, transcripts, and results) and request the deletion of specific participant data when someone exercises their rights. For AI‑related data, Maze also documents specific retention periods for the external models it uses, such as 30–90 days depending on the provider, so you can align your retention policy with how long that data is kept.

Why does Maze ask for camera and microphone access (and what to tell participants)?

Maze requests camera and microphone access for studies that involve recording, like unmoderated tests with Clips, moderated interviews, or AI‑moderated sessions. You can inform participants that this is used to capture their audio/video and screen for research purposes, is subject to your privacy policy, and is optional unless you’ve marked it as required for that specific study.

What should a user research consent form include?

A good consent form for user research explains:

  • Who is running the study
  • What the study is about
  • What participants will be asked to do
  • What data you’ll collect, including recordings, transcripts, or screen activity
  • How you’ll use, store, and protect participant data
  • How long you’ll keep the data
  • Whether AI tools will be used to process or analyze responses
  • That participation is voluntary
  • How participants can withdraw from the study
  • Who participants can contact with questions, complaints, or data privacy requests

Continue Reading