Guides

User research compliance checklist by industry: GDPR, HIPAA, COPPA, and more

Complete user research compliance checklist by industry. Covers GDPR, HIPAA, COPPA, FERPA, FDA, FISMA, GLBA, and PCI-DSS requirements with industry-specific checklists for healthcare, finance, government, EdTech, and enterprise research.

User research compliance checklist by industry: GDPR, HIPAA, COPPA, and more

User research compliance requirements vary dramatically by industry. A consumer SaaS study may need only basic consent and a privacy policy. A healthcare patient study needs IRB approval, HIPAA business associate agreements, encrypted infrastructure, and de-identified data handling. Getting compliance wrong creates legal liability, regulatory fines, and reputational damage. This guide provides a master compliance checklist plus industry-specific checklists for every regulated sector.

Frequently asked questions

What compliance requirements apply to user research?

The compliance requirements depend on three factors: where your participants are located, what data you collect, and what industry you operate in. Universal requirements include informed consent, data minimization, secure storage, and a documented privacy policy. Geographic requirements add GDPR (EU participants), CCPA (California residents), and similar local laws. Industry-specific requirements add HIPAA (US healthcare), COPPA (children under 13), FERPA (US education records), FDA 21 CFR Part 11 (regulated medical devices and pharmaceuticals), FISMA (US government), GLBA (US financial), and PCI-DSS (payment card data).

Do all user research studies need IRB approval?

No. IRB approval is required for human subjects research conducted at academic institutions, healthcare organizations, or studies funded by federal agencies. Most commercial product research does not require IRB review, but it should still follow ethical research principles. Healthcare research, even commercial healthcare product research, often requires IRB review when working with patients, medical providers, or protected health information. Financial and government research may also require ethics review under sector-specific rules.

What is the difference between GDPR, HIPAA, and COPPA?

GDPR (General Data Protection Regulation) is the EU’s data protection law that applies to any organization processing personal data of EU residents, regardless of where the organization is based. HIPAA (Health Insurance Portability and Accountability Act) is a US law that protects individually identifiable health information. COPPA (Children’s Online Privacy Protection Act) is a US law requiring verifiable parental consent before collecting personal information from children under 13. They are not interchangeable: a single study can be subject to all three (an EU study with US healthcare participants involving children would require GDPR + HIPAA + COPPA compliance simultaneously).

What is a Business Associate Agreement (BAA) and when do I need one?

A BAA is a written contract between a HIPAA-covered entity (like a hospital or health insurer) and a vendor that handles protected health information on its behalf. You need a BAA whenever you use a third-party tool, platform, or contractor to process PHI as part of healthcare research. This includes recording platforms, transcription services, recruitment tools, and analysis software. Common research tools without BAAs (Zoom basic, standard Otter.ai, Google Docs) cannot legally be used to handle PHI.

How do I make my research GDPR-compliant?

GDPR compliance for user research requires six core practices: explicit and informed consent, data minimization (collect only what is necessary), purpose limitation (use data only for stated research purposes), participant rights (access, correction, erasure), secure storage and transfer, and a Data Protection Impact Assessment (DPIA) for high-risk processing. EU participants must consent before any data collection, including screener questions. See the GDPR-compliant user research methods guide for detailed implementation.

What are the penalties for non-compliance?

Penalties vary by regulation. GDPR fines reach up to ?20 million or 4% of global annual revenue, whichever is higher. HIPAA penalties range from $100 to $50,000 per violation, with annual maximums of $1.5 million. COPPA violations can reach $51,744 per violation (each affected child counts as one violation). FERPA violations can result in loss of federal funding for educational institutions. Beyond fines, non-compliance creates litigation exposure, brand damage, and loss of access to regulated markets.

Universal compliance checklist

Every user research study, regardless of industry, should meet these baseline compliance requirements.

Pre-study compliance checklist

  • Define data collection scope. Document what personal data will be collected, why it is necessary, and how long it will be retained.
  • Draft informed consent document. Include study purpose, what participation involves, time commitment, compensation, data handling, and right to withdraw.
  • Create participant privacy notice. Plain-language explanation of what happens to participant data.
  • Verify vendor compliance. Confirm recording, recruitment, and storage tools meet your regulatory requirements.
  • Document data retention policy. Specify when and how data will be deleted after study completion.
  • Identify legal basis for processing. Required under GDPR; consent is most common for research.
  • Conduct risk assessment. Document risks to participants and mitigations.
  • Get internal stakeholder approval. Legal, privacy, and security teams should sign off before recruitment begins.
  • Verify recruitment screener compliance. Screener questions must comply with discrimination laws and data protection rules.
  • Confirm contractor agreements. Any external researchers, agencies, or transcribers must have appropriate confidentiality and data handling clauses.

During-study compliance checklist

  • Collect consent before any data capture. Verbal consent must be on the recording; written consent must be signed before the session starts.
  • Confirm participant identity verification (where required for the audience type).
  • Document withdrawal requests. Track any participants who withdraw and ensure their data is deleted per their request.
  • Use only approved tools. No ad-hoc Zoom calls, personal email, or unapproved file storage.
  • Limit observer access. Observers must be approved and bound by the same confidentiality terms.
  • Mask or omit sensitive data in real-time notes (do not write down PHI, financial account numbers, or passwords even if disclosed).

Post-study compliance checklist

  • De-identify research data. Remove names, contact information, and direct identifiers from analysis materials.
  • Securely store recordings. Encrypted at rest and in transit.
  • Honor retention policy. Delete raw data per your documented retention schedule.
  • Document data handling for audit purposes. Maintain records of who accessed what data, when, and why.
  • Process participant data requests (access, deletion, correction) within regulatory timeframes.
  • Report breaches if required. GDPR requires notification within 72 hours of discovery.

Compliance by industry

This table summarizes the primary regulations and core requirements for each industry.

IndustryPrimary regulationsCore requirements
Healthcare/PharmaHIPAA, FDA 21 CFR Part 11, IRBBAA with vendors, PHI encryption (AES-256), audit logs, de-identification, IRB approval for patient research
Finance/BankingGLBA, PCI-DSS, GDPR/CCPA, FCA (UK)Consent for PII, breach notification within 72h, access controls, no payment card data in research
Government/CivicFISMA, Section 508, FOIA, Privacy ActWCAG 2.1 AA accessibility, FedRAMP-authorized vendors, IRB for human subjects, FOIA-aware data handling
EdTech (K-12)COPPA, FERPA, state student privacy lawsVerifiable parental consent, no behavioral advertising, educational record protection, district approval
EdTech (Higher Ed)FERPA, IRB, GDPR (international students)Educational record protection, IRB review, accessible research materials
InsuranceGLBA, state insurance regulationsConsent for PII, no actuarial data in research without authorization
Legal techAttorney-client privilege, state bar rulesPrivilege preservation, NDA enforcement, conflict checking
Children’s productsCOPPA, GDPR-K, state privacy lawsVerifiable parental consent, age-appropriate design, no profiling
CybersecurityIndustry-specific (varies), NDA-heavyStrict NDA, no production data, secure-only environments
Pharma clinicalFDA, ICH-GCP, IRB, HIPAAClinical research compliance, GxP standards, IRB, informed consent
Mental health/BehavioralHIPAA, state mental health laws, IRBEnhanced consent, trauma-informed design, mandatory reporting awareness
International (multi-region)GDPR + local equivalentsPer-region consent, cross-border transfer mechanisms, local representatives

Industry-specific compliance checklists

Healthcare and pharma

Healthcare research has the most demanding compliance requirements. The checklist below applies to studies involving patients, providers, or PHI. For details on each requirement, see the HIPAA-compliant user research methods guide.

Pre-study healthcare checklist

  • IRB submission and approval (2-6 weeks for initial review)
  • HIPAA covered entity status documented (are you a covered entity, business associate, or neither?)
  • BAAs signed with all vendors that may touch PHI: recording platform, transcription, recruitment, storage, analysis tools
  • Encryption verified for data at rest (AES-256 minimum) and in transit (TLS 1.2+)
  • Audit logging enabled on all systems handling PHI
  • Patient recruitment protocols approved by IRB
  • Consent form approved by IRB and HIPAA-compliant
  • De-identification protocol documented for analysis materials
  • Minimum necessary standard applied to all data collection
  • Access controls limit PHI exposure to authorized researchers only
  • Incident response plan in place for potential PHI breaches

During-study healthcare checklist

  • Sessions conducted on HIPAA-compliant platforms only
  • No PHI in chat windows, screen sharing, or unapproved channels
  • Real-time notes exclude direct patient identifiers
  • Observer list approved and limited
  • Patient identity verified per IRB protocol

Post-study healthcare checklist

  • Recordings stored on encrypted, access-controlled systems
  • Transcripts de-identified before sharing
  • Analysis materials use participant codes, not names
  • Data retention matches IRB-approved protocol
  • Reporting reviewed for inadvertent PHI disclosure
  • PHI deleted per retention schedule
  • Breach notification process tested

Finance and banking

Financial services research must protect personally identifiable information (PII) and comply with GLBA, PCI-DSS, and applicable state and international privacy laws.

  • GLBA Privacy Rule compliance for any nonpublic personal information
  • No payment card data captured during research (PCI-DSS scope avoidance)
  • Customer consent obtained before discussing accounts or transactions
  • Access controls prevent unauthorized researcher access to customer data
  • Encryption for any captured financial data
  • Vendor risk assessment completed for research tools
  • Breach notification procedures in place (72-hour notification under GDPR for EU customers)
  • GDPR compliance for EU customers (separate from US compliance)
  • CCPA compliance for California residents
  • State-specific financial privacy laws reviewed (NY DFS, Massachusetts, etc.)
  • FCA Consumer Duty compliance for UK financial services research
  • Conflict-of-interest disclosure for financial professional participants

Government and civic tech

Government research must comply with federal information security standards, accessibility requirements, and human subjects protections. See the civic tech research methods guide for context.

  • FISMA compliance for systems handling federal information
  • FedRAMP-authorized vendors for cloud-based research tools
  • Section 508 / WCAG 2.1 AA accessibility for all research materials
  • IRB approval for federally funded research with human subjects
  • Privacy Act compliance for federal employee data
  • FOIA awareness in data handling (research data may be subject to FOIA requests)
  • Security clearance verification for participants where required
  • Procurement compliance for vendor contracts
  • PRA (Paperwork Reduction Act) compliance for surveys collecting data from 10+ federal employees or members of the public
  • Accessibility testing included in research methodology
  • Plain-language requirements for all participant-facing materials

EdTech (K-12)

K-12 education research is heavily regulated due to children’s privacy protections and educational record laws. See the COPPA-compliant user research guide and K-12 EdTech research guide for details.

  • COPPA verifiable parental consent before collecting any data from children under 13
  • FERPA compliance for educational records
  • District/school approval before contacting students
  • No behavioral advertising based on children’s data
  • Privacy policy explicitly addresses children’s data handling
  • Data minimization stricter than adult research
  • State student privacy laws reviewed (California SOPIPA, others)
  • Age verification before allowing self-consent (13+ in US)
  • Parent notification for any data sharing
  • Teacher consent when conducting classroom research
  • Trauma-informed design for sensitive topics
  • Researcher background checks where district policy requires

Higher education

  • FERPA compliance for student educational records
  • IRB approval for university-affiliated research
  • GDPR compliance for international students
  • Accommodation for disabilities in research methodology
  • Consent independent of grades or course standing
  • Academic freedom and research integrity standards followed

Children’s products (under 13, beyond EdTech)

  • COPPA verifiable parental consent (email plus credit card, video verification, or signed form)
  • GDPR-K for EU children under 16
  • No targeted advertising based on children’s data
  • Age-appropriate design code (UK) compliance for UK children
  • Direct marketing restrictions for children
  • Limited data collection to what is strictly necessary
  • Parental data access rights documented and supported
  • Child safety review of research materials and methods

Insurance

  • GLBA Privacy Rule for nonpublic personal information
  • State insurance department regulations reviewed
  • HIPAA when research involves health insurance
  • No actuarial data captured in research
  • Genetic information protection (GINA) for relevant research
  • Disability discrimination protections in screening
  • Attorney-client privilege preserved (no privileged content captured)
  • Conflict checking before recruiting attorneys from related matters
  • NDA enforcement for confidential client information
  • State bar advertising and solicitation rules reviewed
  • Work product doctrine awareness
  • Ethics opinion review for jurisdiction-specific concerns

Cybersecurity

  • NDA executed before any product disclosure
  • Production data prohibited in research environments
  • Synthetic or sanitized data for all test scenarios
  • Secure session recording with restricted access
  • Vendor security assessment for research tools
  • Background checks for participants with security clearances

Pharma clinical research

  • FDA 21 CFR Part 11 compliance for electronic records
  • Good Clinical Practice (ICH-GCP) standards
  • IRB approval before any participant contact
  • Informed consent meeting FDA requirements
  • Data integrity (ALCOA+ principles)
  • Audit trail for all data modifications
  • Source documentation maintained
  • Adverse event reporting procedures in place

Mental health and behavioral health

  • HIPAA compliance when working with covered entities
  • State mental health laws reviewed
  • Mandatory reporting procedures in place (suicide risk, abuse)
  • Trauma-informed research methods (trauma-informed guide)
  • Crisis response protocol for participants in distress
  • Enhanced informed consent with capacity assessment
  • Researcher mental health training

Regulation-specific quick reference

GDPR checklist (for any EU participants)

  • Lawful basis identified (consent is most common for research)
  • Explicit, informed consent obtained before any data processing
  • Privacy notice provided in plain language
  • Data Protection Impact Assessment (DPIA) for high-risk processing
  • Data minimization principle applied
  • Purpose limitation documented
  • Right to erasure process in place
  • Right to access process in place
  • Breach notification within 72 hours of discovery
  • Cross-border transfer mechanisms for non-EU storage (SCCs, adequacy decisions)
  • Data Protection Officer designated (if required)
  • Records of processing activities maintained

See the GDPR-compliant user research methods guide for detailed implementation.

HIPAA checklist (for any PHI)

  • BAA signed with all vendors handling PHI
  • Minimum necessary standard applied
  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Access controls with role-based permissions
  • Audit logging enabled
  • Workforce training documented
  • Risk analysis completed and reviewed annually
  • Incident response plan documented and tested
  • De-identification per Safe Harbor or Expert Determination
  • Authorization or waiver for PHI use in research

COPPA checklist (for children under 13)

  • Privacy policy specifically addressing children’s data
  • Verifiable parental consent before collection
  • Direct notice to parents about data practices
  • Limited data collection to what is necessary
  • No conditioning participation on disclosure of more information than necessary
  • Parental access rights to their child’s data
  • Parental deletion rights for their child’s data
  • No behavioral advertising to children
  • Reasonable security procedures for children’s data
  • Data retention limits specific to children’s data

See the COPPA-compliant user research guide for detailed implementation.

IRB submission checklist (for human subjects research)

  • IRB application form completed
  • Detailed research protocol (objectives, methods, recruitment, analysis)
  • Informed consent document for review
  • Recruitment materials for review
  • Screener and interview/test scripts for review
  • Data management plan documented
  • Risk assessment with mitigations
  • Investigator qualifications documented
  • Funding source disclosed
  • Conflict of interest disclosure completed

Tool and vendor compliance checklist

Most compliance violations come from using non-compliant tools, not from researcher error. Verify these before every regulated study.

Tool categoryWhat to verifyCommon issues
Recording platforms (Zoom, Lookback, UserTesting)BAA available, encryption, recording storage locationFree tiers often non-compliant
Transcription (Otter, Rev, Fireflies)BAA available, US data residency, encryptionDefault settings often share with AI training
Recruitment platforms (CleverX, Respondent, User Interviews)Data processing agreement, GDPR readinessCross-border transfer issues
Survey platforms (Typeform, Qualtrics)GDPR mode, BAA tier (Qualtrics), data residencyFree tiers often EU-non-compliant
Storage (Google Drive, Dropbox, Box)Encryption, access controls, BAA tierPersonal accounts inappropriate
Analysis tools (Dovetail, Marvin, Notably)Data processing agreement, AI training opt-outAI training on uploaded data
Note-taking (Notion, Confluence)Encryption, access controls, audit logsPersonal/shared accounts inappropriate
Communication (Slack, email)Encryption, retention controlsCasual sharing of participant data

Tool compliance verification questions

For every tool you use in regulated research, get clear answers to these questions:

  1. Does this vendor sign a BAA? (HIPAA)
  2. Is participant data processed in compliant geographies? (GDPR)
  3. Is participant data used to train AI models? (research integrity)
  4. What is the data retention default and how do I change it?
  5. Who has access to participant data within the vendor’s organization?
  6. What is the breach notification SLA?
  7. Is the vendor SOC 2 Type 2 certified?
  8. What encryption is used for data at rest and in transit?

Common compliance mistakes

Mistake 1: Using consumer-tier tools for regulated research. Free or basic tiers of common tools (Zoom, Otter, Google Workspace) typically lack the security controls and BAAs required for regulated research. The “I’ll just use the tool I already have” instinct is the most common compliance failure.

Mistake 2: Treating consent as a one-time checkbox. Compliant consent is informed, ongoing, and revocable. Participants must understand what they are consenting to, and they must be able to withdraw consent at any time without penalty.

Mistake 3: Storing data longer than necessary. Every additional day of unnecessary data retention increases liability. Document a retention policy and follow it.

Mistake 4: Skipping vendor due diligence. Compliance flows through your vendors. If your transcription service has a breach, your study has a breach. Verify vendor compliance before signing contracts, not after.

Mistake 5: Conflating geographies. A US-based researcher conducting interviews with EU participants must comply with GDPR even if their company has no EU presence. Geography of participants determines applicable law.

Mistake 6: Assuming IRB approval covers everything. IRB approval addresses ethics and human subjects protection. It does not automatically address GDPR, HIPAA, or industry-specific compliance. These require separate review.

Mistake 7: Treating compliance as a one-time setup. Compliance is ongoing. Regulations change, vendor capabilities change, and your data practices evolve. Annual compliance review is the minimum standard.

Building a compliant research operation

Mature research teams treat compliance as infrastructure, not as a per-study activity. The investment in pre-approved tools, templates, and processes pays back across every study.

Three foundations of a compliant research operation

1. Pre-approved tool stack. Maintain a list of tools that have been vetted for each compliance regime your team works under. Researchers should not need to renegotiate tool selection per study.

2. Template library. Build templates for consent forms, privacy notices, screeners, data retention schedules, and DPIAs. Templates should be reviewed annually by legal and updated as regulations change.

3. Compliance training. Every researcher should complete annual training on the regulations relevant to their work. New researchers should complete training before their first study.

For teams expanding into regulated industries for the first time, the user research industry benchmarks 2026 report provides context for the time and budget impact, and the research timelines guide shows how compliance review affects project duration. Compliance is not an obstacle to good research; it is the infrastructure that makes good research possible in regulated contexts.