Best Practices for Avoiding the Collection of PII

Overview:

UserTesting’s platform allows customers to record audio and video of test participants interacting with websites, apps, prototypes, and other products. Occasionally, a test will require test participants to log into an account or enter information into a form. To protect test participants’ privacy, it’s important to avoid collecting Personally Identifiable Information (or “PII”).

PII is data that could be used to determine the actual identity of, and contact, a specific living person.

Protecting the personal information of participants is critical when gathering insights through testing. It is not only the right thing to do for participants, but it also protects your company from possible non-compliance with the General Data Protection Regulation (GDPR). See this information page about UserTesting and GDPR.

Sensitive PII:

  • The rule regarding sensitive PII is to never collect it, even if blurred.
  • Sensitive PII includes:
    • Credit card numbers or credit card purchases
    • Personal financial account numbers
    • Passport numbers
    • Drivers license number
    • Social Security number
    • Medical records or treatment documentation/history
    • PII provided by minors under 13 years old*
    • Specific genetic information

*Note: The word "minors" (in the US) defines people under 18. There are additional privacy regulations that apply to situations when testing with and gathering PII from children under 13 years of age. If you have questions about testing with minors, contact your Customer Success Manager.

Non-sensitive PII:  

Additionally:

  • UserTesting participants are never required to purchase anything while testing.
  • Your organization may have stricter rules about the research and tests you conduct.

Best practices:

Follow these best practices when you run a test that may prompt test participants to provide their PII:

  1. When requiring a test participant to complete a form requesting PII, instruct them to enter false or “dummy” information that will not identify a specific individual.
    For example: “Enter the email address = fake@google.com and password = fake.”
  2. Never ask for social security numbers, medical records, or bank and credit card information.
    For example: “Please use fake information like 5555-5555-5555-5555 Exp: 12/20”
  3. If your test requires test participants to go through a complete checkout process, provide participants with gift cards or gift codes in order to complete the checkout process without entering their own credit card information. For more guidance on testing purchase transactions, visit our course.
  4. If it’s necessary for a test participant’s PII to be visible on the screen during a certain task, enable the Blur Tool to make the screen unreadable during that specific task.
  5. If you expect test participants’ PII to pop up during the recording (such as notifications), please create screener questions to set expectations before the test starts.
    For example: Create a screener saying, “This test requires you to disable notifications. Have you disabled all notifications on your smart device?”
    • Yes, I have disabled notifications. [Accept]
    • No, I do not wish to disable notifications. [Reject]

If these best practices will not be sufficient for your research needs, please contact the UserTesting Support team to discuss alternatives. If it is determined that it is acceptable to record PII during your test, you will need to provide test participants with a detailed explanation of what PII will be recorded, what it will be used for, and get their written consent before the start of the test.



Was this article helpful?
18 out of 21 found this helpful

Comments

0 comments

Article is closed for comments.