Learn about the importance of Personally Identifiable Information (PII) and how UserTesting can assist in protecting PII.
This article applies to: UserTesting
About PII
- Personally Identifiable Information (PII) is data that could be used to contact and determine the actual identity of a specific living person.
- Protecting the personal information of contributors is critical when gathering insights through testing, and it protects your company from possible non-compliance with the General Data Protection Regulation ("GDPR").
- If you are a covered entity under HIPAA and your test might involve Protected Health Information (PHI), please review our article on collecting insights under HIPAA.
Prohibited PII
The rule regarding Prohibited PII is to never ask for it, even if your test asked for consent or you use the Blur Tool.
- Credit card numbers or credit card purchases
- Personal financial account numbers
- Passport numbers
- National ID card numbers
- Car loan number
- Driver's license number
- Social Security number
- Account passwords
- Specific genetic information
- Biometric identifiers used for identification purposes (e.g., fingerprints, voice prints, iris and retina scans)
Note: Please review our Data Processing Agreement, Content Policy, and Privacy Policy for more information.
Sensitive PII
- The rule regarding Sensitive PII is that you must obtain contributors' consent to collect this information via a screener question.
- Categories of PII data vary by jurisdiction.
- Some examples of Sensitive PII include but are not limited to:
- Racial or ethnic origin
- Political opinions, religious or philosophical beliefs, trade union membership
- Data concerning health or a person's sex life or sexual orientation
- Data relating to criminal convictions and offenses
Note: Please review our Data Processing Agreement, Content Policy, and Privacy Policy for more information.
Special considerations
Screener questions
- If you determine that it is acceptable to record PII during your test, you'll need to provide test contributors with a detailed explanation of what PII will be recorded and what it will be used for, and get their written consent before the start of the test.
- You should provide a question as your first screener.
- For example: “During this test, you will be required to enter your full name and home street address as part of a registration process. This information will only be used for the purposes of this test and will not be shared. Do you consent to provide this information?”
- Yes, I consent to provide my full name and street address to participate in this test. [Accept]
- No, I do not consent to provide my full name and street address to participate in this test. [Reject]
Other PII
- You're required to get contributor consent before requesting or processing any PII.
- If you’re running a test that may collect other PII, such as a full name or home street address, it’s a best practice to ask for contributors’ permission using a screener question.
Blur tool
Depending on your internal policies and applicable data laws for collecting and handling personal information, you may want to use the Blur Tool for certain tasks that expose PII you want to protect.
Health information
- Medical information is considered Sensitive PII and may only be collected after obtaining consent.
- If your organization is a Covered Entity under HIPAA, medical information may be Protected Health Information (PHI) and should only be collected if your organization has a signed Business Associate Agreement with UserTesting.
Testing purchase transactions
- UserTesting contributors must never be required to purchase anything while testing or to participate in any financial transactions.
- If you have questions about how to test processes which include a financial transaction, visit our course.
Testing social media
- Social media feeds may contain the personal data of others who have not provided their consent to share such personal data.
- The best approach is to only enter engagements where you are processing personal data from the contributor participating in the test.
Best practices
Follow these best practices when you run a test that may prompt test contributors to provide their PII:
Set expectations with screeners:
- If you expect test contributors’ PII to pop up during the recording (such as notifications), create screener questions to set expectations before the test starts.
- Example: Create a screener saying, “This test requires you to disable notifications. Have you disabled all notifications on your smart device?”
- Yes, I have disabled notifications. [Accept]
- No, I do not wish to disable notifications. [Reject]
Use false or "dummy" information:
- Instruct test contributors to enter false or “dummy” information that will not identify a specific individual.
- Example: “Enter the email address = fake@google.com and password = fake.”
Avoid sensitive data:
- Never ask for social security numbers, medical records, or bank and credit card information.
- Example: “Please use fake information like 5555-5555-5555-5555 Exp: 12/20.”
Use the Blur tool:
- If a test contributor’s PII must be visible on the screen during a certain task, enable the Blur Tool to make the screen unreadable during that specific task.
Use gift cards for checkout:
- If your test requires test contributors to go through a complete checkout process, provide them with gift cards or gift codes to complete the checkout without using their own credit card information.
- For more guidance on testing purchase transactions, visit our course.
Consider alternative testing methods:
- If you're concerned that PII might inadvertently be provided by contributors during a test, consider a Live Conversation rather than an unmoderated test.
- This allows you to manage the conversation and prevent the sharing of sensitive information.
Review pages as you plan your test:
- Be mindful that personal information might appear on the dashboard or other pages within logged-in experiences.
- Review these pages as you plan a test and consider using the Task question and Blur Tool.
Messaging with Contributors:
- If you need to communicate with a UserTesting contributor outside the test, follow our guidelines for messaging.
PII that Customers should not share about themselves during a test:
During a Live Conversation, divulging a combination of personal information could make you more easily identifiable to contributors.
Avoid sharing the following:
- Your last name
- Age
- Location
- Company
- Job role/title
If these best practices are insufficient for your research needs, please contact the UserTesting Support team to discuss alternatives.