IRB approval for user research: when you need it, when you don't, and how to get it

A complete guide to IRB approval for user research. Covers when commercial UX research needs IRB review, exempt categories under 45 CFR 46, application process, timelines, and HHS-cited requirements for academic and FDA-regulated research.

Most commercial user research does not need IRB approval. Most academic user research does. The line between the two is defined by federal regulations (45 CFR 46, the Common Rule) and not by the type of research method you use. This guide explains when you need IRB approval, when you do not, how to apply when you do, and the exempt categories that cover most UX research conducted for product improvement.

Frequently asked questions

What is IRB approval and what does it cover?

An Institutional Review Board (IRB) is a committee that reviews and oversees research involving human subjects to protect participant rights and welfare. Under U.S. federal regulations (45 CFR 46, known as the Common Rule), federally funded human subjects research must be reviewed by an IRB. The FDA has parallel regulations under 21 CFR 50 and 21 CFR 56 for research that supports FDA submissions. IRB review covers informed consent, risk assessment, participant protection, data handling, and ethical conduct.

Do I need IRB approval for commercial user research?

Usually no. Commercial user research conducted to improve a company’s own products is generally not “human subjects research” as defined by 45 CFR 46.102, because it does not produce “generalizable knowledge.” Internal product improvement research, customer feedback studies, usability testing on commercial products, and most UX research done by product teams fall outside the scope of IRB requirements. The exceptions are research intended for academic publication, FDA-regulated medical device usability studies, federally funded research, and research at organizations that voluntarily extend IRB oversight to commercial work.

When does user research need IRB approval?

User research needs IRB approval in five scenarios. First, when conducted at an academic institution that requires IRB review for all human subjects research. Second, when the research is intended for publication in a peer-reviewed journal. Third, when the research supports an FDA regulatory submission (medical device usability under 21 CFR Part 820, drug labeling research, etc.). Fourth, when the research is funded by federal agencies that require IRB oversight under the Common Rule. Fifth, when working with vulnerable populations (children, prisoners, pregnant women, individuals with cognitive impairments) where institutional policy requires additional review.

What are the exempt categories under 45 CFR 46?

The 2018 revised Common Rule (45 CFR 46.104) defines eight exempt categories that may apply to user research. The most relevant for UX research are: Category 1 (educational practice research), Category 2 (research using surveys, interviews, or observation of public behavior), Category 3 (benign behavioral interventions like short tasks), and Category 4 (secondary research with identifiable information). “Exempt” does not mean “no IRB involvement”; the IRB still determines whether your study qualifies for exemption. When usability testing is subject to IRB review at all, it most often falls under Category 2 or Category 3.

How long does IRB approval take?

IRB approval timelines depend on the review type. Exempt review typically takes 1 to 3 weeks. Expedited review (for minimal-risk research that does not qualify for exemption) takes 2 to 4 weeks. Full board review (for research with greater than minimal risk) takes 4 to 8 weeks because the full board meets monthly. Revisions requested by the IRB add 1 to 2 weeks per revision cycle. Plan for 2 to 8 weeks total when IRB review is required, and submit 8 to 12 weeks before your intended research start date for higher-risk studies.

How do I get IRB approval for user research?

To get IRB approval, you submit a research protocol package to the relevant IRB. The package typically includes the research protocol (objectives, methods, recruitment, analysis plan), informed consent forms, recruitment materials, screener and discussion guides, risk assessment, and investigator qualifications. The IRB conducts an initial review to determine the appropriate review type (exempt, expedited, or full board), conducts the review, requests revisions if needed, and issues approval. Approval is typically valid for one year and requires annual continuing review.

Do you need IRB approval? A decision framework

The single most important question in IRB compliance is whether your research even falls under IRB jurisdiction. Use this framework to determine the answer.

Step 1: Is it “research” under 45 CFR 46.102?

Federal regulations define research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” Two conditions must be met:

  1. Systematic investigation (yes for almost all user research)
  2. Designed to contribute to generalizable knowledge (this is the key question)

If your research is intended to inform internal product decisions and will not be published or shared as new knowledge for the field, it is generally not “research” under the Common Rule definition. If you intend to publish, present at academic conferences, or share findings as new knowledge applicable beyond your own product, it likely qualifies as research.

Step 2: Does it involve “human subjects”?

A “human subject” under 45 CFR 46.102(e) is “a living individual about whom an investigator obtains information through intervention or interaction, or identifiable private information.” Almost all user research meets this definition because you are actively interacting with participants and collecting information about them.

Step 3: Apply the decision matrix

| Research type | IRB required? | Why |
|---|---|---|
| Internal product improvement (commercial) | No | Not “generalizable knowledge”; not research under 45 CFR 46.102 |
| Customer feedback for iteration | No | Same reasoning |
| Usability testing for own product | No (most cases) | Internal use only |
| Academic/university research | Yes | Institutional policy + federal funding |
| Research intended for academic publication | Yes | “Generalizable knowledge” |
| FDA-regulated medical device usability (HFE/UE) | Yes (FDA 21 CFR 50/56) | Required for FDA submission |
| Federally funded research | Yes | Required by funding agency |
| Research with vulnerable populations (commercial or academic) | Often yes | Institutional policy frequently extends review |
| Pharmaceutical research for FDA submission | Yes | FDA regulations |
| Research at hospitals/healthcare orgs | Often yes | Institutional policy commonly applies |

Step 4: When in doubt, consult

If your research could plausibly be published, support an FDA submission, or involve vulnerable populations, consult an IRB before starting. Many universities and commercial IRBs offer “determination” services where they review your protocol summary and tell you whether IRB review is required, often within a few business days at no cost.

IRB exempt categories explained

The 2018 revised Common Rule (45 CFR 46.104) defines eight categories of research that may be exempt from full IRB review. Five are relevant to user research.

Category 1: Educational practice research

Research conducted in established educational settings involving normal educational practices, such as research on instructional strategies or comparisons of teaching methods.

UX research example: Testing two versions of an instructional onboarding flow in an EdTech product to compare which method teaches users faster.

Category 2: Surveys, interviews, educational tests, and public behavior observation

Research involving surveys, interviews, educational tests, or observation of public behavior, when at least one of the following applies:

  • Information is recorded so participants cannot be identified
  • Disclosure of responses outside the research would not place participants at risk
  • Information is identifiable but the IRB conducts limited review for sensitive topics

UX research example: An anonymous survey about how participants use a new feature, where no identifying information is collected.

Category 3: Benign behavioral interventions

Research involving benign behavioral interventions where the participant prospectively agrees, the intervention is brief, harmless, painless, and not likely to have lasting adverse impact.

UX research example: A 60-minute usability test where participants complete a series of tasks on a new feature. The intervention (using the prototype) is brief and harmless.

Category 4: Secondary research with identifiable information

Secondary research using identifiable private information or biospecimens, when one of several specific conditions applies (publicly available, already de-identified, regulated by HIPAA, or collected for federal use).

UX research example: Analysis of existing customer support tickets that are already in your CRM, used to identify usability pain points.

Category 6: Taste and food quality evaluation

Less commonly applicable to UX, but relevant for consumer product research involving taste tests or food evaluation.

Limited IRB review

For Category 2 research that involves identifiable private information about sensitive topics (illegal activities, sexual behavior, mental health), a “limited review” is required to ensure adequate privacy protections. This is faster than full review but still involves IRB engagement.

IRB review types and timelines

When IRB review is required, the type of review depends on the level of risk to participants and the nature of the research.

| Review type | When it applies | Typical timeline | Effort required |
|---|---|---|---|
| Exempt | Research that meets one of the eight exempt categories | 1-3 weeks | Lowest; submission and determination |
| Expedited | Minimal-risk research not qualifying for exemption | 2-4 weeks | Moderate; full protocol review by 1-2 IRB members |
| Full board | Research with greater than minimal risk; vulnerable populations; sensitive data | 4-8 weeks | Highest; review at convened IRB meeting |

What is “minimal risk”?

Under 45 CFR 46.102(j), “minimal risk” means “the probability and magnitude of harm or discomfort anticipated in the research are not greater in and of themselves than those ordinarily encountered in daily life or during the performance of routine physical or psychological examinations or tests.”

Most commercial-style usability research is minimal risk. Research involving stress, deception, sensitive topics, vulnerable populations, or invasive procedures typically exceeds minimal risk.

Timeline planning

If your research requires IRB review, plan timelines as follows:

| Review type | Submission to start of fieldwork |
|---|---|
| Exempt | 2-4 weeks |
| Expedited | 4-6 weeks |
| Full board | 8-12 weeks |
| FDA-regulated full review | 8-16 weeks |

Add 1-2 weeks per round of revisions. Most studies require at least one round of revisions, and full board reviews often require 2-3 rounds before final approval.

How to apply for IRB approval: step-by-step

Step 1: Identify the right IRB

If you are at a university, the institution has its own IRB and you must use it. If you are at a hospital or healthcare organization, the institutional IRB applies. If you are a commercial researcher and IRB review is required (for academic publication, FDA submission, or institutional policy), use a commercial IRB such as WIRB-Copernicus, Advarra, or Sterling IRB.

Step 2: Prepare the protocol package

A complete IRB submission package typically includes:

  • Research protocol: Background, objectives, methodology, sample size justification, recruitment plan, analysis plan
  • Informed consent form: Plain-language explanation of the study, risks, benefits, voluntary participation, withdrawal rights
  • Recruitment materials: Flyers, emails, screener questions
  • Data collection instruments: Surveys, interview guides, test tasks
  • Investigator qualifications: CVs and IRB training documentation (CITI program completion)
  • Risk assessment: Identified risks and mitigations
  • Data management plan: Storage, access, retention, destruction
  • Conflict of interest disclosures

Step 3: Submit the application

Most IRBs use online submission systems. Submission triggers an initial administrative review (typically within 5-7 days) to determine the appropriate review type and check for completeness.

Step 4: Respond to IRB feedback

The IRB will request clarifications or revisions in nearly every case. Common requests include:

  • Clearer language in the consent form (plain language at 6th-8th grade reading level)
  • More detail on data security measures
  • Stronger justification for sample size or recruitment methods
  • Clarification of risks and benefits
  • Adjustments to compensation amounts (too high creates coercion; too low creates exploitation)

Respond promptly and address each comment specifically. Each round of revisions adds 1-2 weeks to the timeline.

Step 5: Receive approval

Approval is typically valid for one year. You will need to submit a continuing review application for studies extending beyond that period. You must also submit amendments to the IRB for any changes to your approved protocol (recruitment changes, new questions, new tools).

Step 6: Maintain compliance during the study

After approval, ongoing IRB obligations include:

  • Following the approved protocol exactly
  • Reporting adverse events promptly
  • Submitting amendments before making any protocol changes
  • Reporting unanticipated problems
  • Annual continuing review submissions
  • Final report at study completion

Commercial vs academic vs FDA-regulated research

The IRB requirements differ significantly across these three contexts. Understanding which applies to you is the first step in compliance planning.

Commercial product research

Typical IRB requirement: None for internal product improvement.

When IRB applies: Only when you intend to publish findings, support FDA submissions, or work with vulnerable populations under institutional policy.

Practical impact: Most commercial UX teams will never submit a study to an IRB. Apply ethical research principles and follow industry standards (the user research compliance checklist covers these), but formal IRB review is not legally required.

Academic research

Typical IRB requirement: Required by institutional policy, regardless of funding source.

When IRB applies: Almost always for human subjects research at universities and academic medical centers.

Practical impact: Plan 4-12 weeks for IRB review. Use the institution’s required forms and processes. Complete CITI training before submitting.

FDA-regulated research

Typical IRB requirement: Required for any research that supports an FDA submission.

When IRB applies: Medical device usability testing for 510(k), De Novo, or PMA submissions; drug research; biological product research.

Practical impact: FDA-regulated research follows 21 CFR 50 (informed consent) and 21 CFR 56 (IRB requirements), which have additional documentation and inspection requirements beyond the Common Rule. Plan 8-16 weeks for review and budget for higher administrative overhead.

The FDA has published a comprehensive IRB FAQ that addresses common questions about IRB requirements for FDA-regulated research. For healthcare-focused user research, familiarity with both FDA and IRB processes is essential.

Common IRB mistakes in user research

Mistake 1: Assuming IRB review is required for all research. Most commercial UX research is not subject to IRB review under federal regulations. Academic and FDA contexts are different. Know which context applies before beginning your compliance planning.

Mistake 2: Submitting incomplete protocols. The most common cause of IRB delays is incomplete submissions. Review your IRB’s submission checklist before submitting and ensure every required element is included.

Mistake 3: Using overly complex consent forms. Federal regulations require informed consent at a 6th-8th grade reading level. Lengthy, jargon-heavy consent forms are a frequent cause of IRB revision requests.

Mistake 4: Underestimating timelines. Plan 2-12 weeks for IRB review depending on review type. Adding IRB review to a timeline mid-project causes major delays.

Mistake 5: Failing to amend the protocol when changes occur. Any change to recruitment, methodology, materials, or compensation requires an IRB amendment. Proceeding with changes before amendment approval is a compliance violation.

Mistake 6: Confusing IRB with other compliance regimes. IRB approval addresses human subjects protection. It does not automatically cover HIPAA, GDPR, COPPA, or industry-specific regulations. These require separate compliance work.

Mistake 7: Using non-approved IRBs. If you are at an institution with its own IRB, you cannot substitute a commercial IRB without an institutional reliance agreement. Make sure you are using the right IRB for your context.

Resources and authoritative references

The U.S. Department of Health and Human Services (HHS) maintains the Office for Human Research Protections (OHRP), which oversees the Common Rule. The FDA maintains parallel oversight for FDA-regulated research. The most authoritative references for IRB questions are:

  • HHS OHRP: 45 CFR 46 (the Common Rule) is the primary federal regulation for human subjects research
  • HHS OHRP guidance documents: Detailed interpretations of the Common Rule, including the 2018 revisions
  • FDA 21 CFR 50: Informed consent requirements for FDA-regulated research
  • FDA 21 CFR 56: IRB requirements for FDA-regulated research
  • FDA Guidance for Industry: Applying Human Factors and Usability Engineering to Medical Devices (relevant for medical device UX research)
  • CITI Program: Required IRB training for most institutional researchers

For commercial product teams expanding into healthcare, EdTech, or other regulated spaces for the first time, the user research compliance checklist by industry provides industry-specific compliance guidance, and the research data privacy guide for product teams covers privacy practices that apply regardless of whether IRB review is required.

When to involve an IRB even if not required

Even when federal regulations do not require IRB review, voluntary IRB review or ethics consultation can be valuable in three scenarios:

1. Working with vulnerable populations. Children, patients, prisoners, and individuals with cognitive impairments deserve additional ethical scrutiny regardless of whether federal regulations require it.

2. High-stakes outcomes for participants. If your research could lead to product changes that significantly affect participants’ wellbeing (mental health apps, financial decisions, healthcare access), independent ethical review provides accountability.

3. Research credibility for external audiences. If you intend to share findings publicly (white papers, conference presentations, marketing collateral), independent review strengthens the credibility of your conclusions and protects your organization from criticism.

In these scenarios, commercial IRBs offer “ethics review” or “advisory determination” services that are faster and less formal than full IRB review but still provide the credibility and protection of independent oversight.

For most commercial UX research, a clear ethical framework, robust consent practices, and adherence to industry standards are sufficient. IRB review is one tool in the broader compliance toolkit, not the only one.