Ethics and Consent in Scientific Fields

In the domains of medicine, psychology, and social science, informed consent is a cornerstone of ethics.

As summarized by Renard Sexton:

Informed consent, in short, is a process by which a researcher provides the necessary information to a subject about the nature of study such that the subject can competently decide whether to participate or not.

In medical studies, this is pretty straightforward: researchers provide patients with the best information they have around risks and potential benefits, and individuals are able to make a decision about whether or not to participate.

Psychology studies are very similar. The CPA Code of Conduct for Psychologists requires that researchers:

Provide, in obtaining informed consent, as much information as reasonable or prudent individuals … would want to know before making a decision or consenting to the activity. Typically … this would include: purpose and nature of the activity; mutual responsibilities; whether a team or other collaborators are involved; privacy and confidentiality limitations, risks and protections; likely risks and benefits of the activity, including any particular risks or benefits of the methods or communication modalities used; alternatives available; likely consequences of non-action; the option to refuse or withdraw at any time, without prejudice; over what period of time the consent applies; and how to rescind consent if desired.

I try to follow these ethical standards and make sure I obtain informed consent when I carry out remote or in-person usability studies. Participants are aware that they are participating in a study, what kind of data will be captured and how it will be used and stored, and they’re able to opt-out at any time.

Unfortunately, the web operates on implied consent.

The web operates on implied consent

Companies draft detailed privacy or data use policies that mention what data may be collected and how it will be used. If you, as a user, don’t want a company collecting this data, your only option is to opt-out of using the product — if you’re even aware that your data is being collected in the first place. Otherwise, your consent is implied.

In 2014, Facebook (again) carried out a study wherein they manipulated 689,003 users’ emotions by adjusting what appeared on individual timelines, based on positive and negative emotional expression, and demonstrated that this had an emotional contagion effect that influenced the users’ own emotions.

In this study, users never provided informed consent. Researchers “took advantage of the fine print in Facebook’s data use policy to conduct a scientific experiment without informed consent,” which was, essentially, a loophole that relied on users not reading or understanding Facebook’s data use policy.

In 2011, in a push to advocate for user privacy, the U.K. rolled out the Privacy and Electronic Communication Regulations (PECR) Act, legislation specifying that users from the U.K. and E.U. must be notified when websites store cookies and perform “non-essential tracking.” This was originally drafted with the goal of requiring informed consent from users.

The rollout of this legislation was thoroughly bungled: most U.K. government websites weren’t ready when it came into play, meaning that they would fall afoul of the law.

A week before the legislation kicked in, it was updated to allow for implied consent: all a company needed to do to comply was show the user a message about the use of cookies, and all a user had to do to consent was continue to use the website or product.

Privacy legislation is getting better

In contrast to PECR, the upcoming E.U. General Data Protection Regulation (GDPR) advances much stronger legal requirements around collecting data and user privacy. This legislation comes into effect on May 25, 2018.

Of note:

Transparency. Data processors and controllers may only process an individual’s data if they have first informed the individual of the extent of the data processing and the uses to which the individual’s data will be put. (Recital 39) Specifically, data processors and controllers must inform data subjects of:

• The identity of the data controller.

• The specific purposes of the data processing, which must be “explicit and legitimate and determined at the time of the collection of the personal data.”

• The period for which the personal data will be stored or, if that is not possible, the criteria used to determine the retention period.

• The right to withdraw consent at any time.

• Data subjects’ rights to obtain confirmation regarding their personal data that will be processed, including the right to access, correct, or erase personal data.

• The risks, rules, safeguards, and rights in relation to the processing of personal data.

• How they may exercise their rights regarding the processing of their personal data.

Plain language. Any information and communications regarding data processing must be “easily accessible and easy to understand,” and “clear and plain language must be used.” (Recital 39) Similarly, consent provisions cannot be “buried” in another, longer document.

Affirmative act. Consent must be “freely given, specific, informed and unambiguous.” (Recital 32) The data subject must signify his or her consent through an affirmative act, such as by signing a written document, checking a box on a website, or other action that clearly demonstrates the subject’s intent to agree to the data processing. It is not appropriate to set up an “opt-out” system whereby the data subject has consented to the data processing unless he or she takes an affirmative action to show a lack of consent, as “silence, pre-ticked boxes, or inactivity” does not constitute consent. (Source.)

Unfortunately, this legislation doesn’t necessarily affect Canada or the U.S.A., and it’s not all that clear how it’ll affect UX research.

That’s why we have to consider and apply our own ethics around consent in UX research.

Implied consent isn’t good enough for UX research

I don’t believe that implied consent is good enough when it comes to UX research.

When working in UX, one learns that users don’t read. They’ll skim content, jumping from headline to headline. They’ll dismiss modals and messages without reading them, and ignore the blindingly obvious in favour of the task they’re trying to achieve.

This implies that few users will read notices about the use of cookies on a website, let alone dive into lengthy legalese privacy and data use policies — if they even understand the implications of what they’re reading.

PECR’s ineffectiveness is somewhat unavoidable: cookies are essentially required for most products to work at all. If the legislation hadn’t been adjusted at the last moment to allow for implied consent, it would have had massive financial, economic, and social implications. And we can’t legislate that users inform themselves about how tracking affects them.

But while cookies may be required for many apps to work, there’s absolutely nothing that requires real-time recording of user activity. It’s a business decision. Products will still work without it.

Informed consent should be a requirement for UX research

If we choose to track user activity, users should be able to choose whether or not to participate. Informed consent should be a requirement for certain types of tracking for UX research.

I think the tipping point is when we’re capturing interstitials.

Any time a user opts in to tracking, it’s our responsibility to make sure that users, as the CPA guidelines state:

… were provided as much information as reasonable or prudent individuals would want to know before making a decision or consenting to the activity.

In the context of UX research, that means making sure that users understand things like:

Their cursor and scrolling movements can and will be captured while using a product;

When and where data entered into forms and fields is captured;

How data is stored, used, and shared within and outside an organization.

What would informed consent look like for UX research?

I imagine informed consent for UX research will end up similar to how email subscriptions are handled today: granular control over opting in or out of individual types of emails.

There’s too much information users need in order to be informed for it to fit in a modal, and it’s unrealistic to ask anonymous users to provide consent. When our products have user accounts, I believe there’s an opportunity to ask users to be collaborators in our research, and through this, obtain informed consent.

This is a quick exploration of how this might be handled as part of user settings. Note that it’s very incomplete, but it gets the idea across.
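As an added illustration of the granular, account-level settings described above (this is example code written for this edit, not code from the original post or from any product it mentions), the module below models per-category consent for UX research tracking. The category names, the notice version identifier and the `recorder` interface are assumptions. It encodes the two properties the GDPR excerpt calls for: every category starts un-granted (no pre-ticked boxes), and only an explicit affirmative action changes that; consent is tied to the version of the notice the user actually saw, so changing the wording means asking again rather than carrying old consent forward; and withdrawal is a first-class operation. The session recorder is only wired up for categories that are currently allowed.

```javascript
// Added example: per-category, opt-in consent model for UX research tracking.
// Category names, NOTICE_VERSION and the recorder interface are assumptions.

const TRACKING_CATEGORIES = Object.freeze({
  cursor: "Cursor and scrolling movements are captured while using the product",
  forms: "When and where data entered into forms and fields is captured",
  sharing: "Captured data is shared with parties outside the organization",
});

// Assumed identifier for the consent text currently shown to users.
const NOTICE_VERSION = "notice-v1";

// Fresh state: nothing is granted until the user acts. A default of `true`
// would be the "opt-out" pattern the GDPR text rejects.
function createConsentState() {
  const state = {};
  for (const category of Object.keys(TRACKING_CATEGORIES)) {
    state[category] = { granted: false, noticeVersion: null, decidedAt: null };
  }
  return state;
}

// Records consent only when the caller reports an affirmative act (e.g. the
// user ticked an unticked box). Dismissing a modal or merely continuing to use
// the product passes explicitAction=false and leaves the state unchanged.
function grantConsent(state, category, { explicitAction, noticeVersion, now = Date.now() }) {
  if (!(category in state)) throw new Error(`unknown tracking category: ${category}`);
  if (explicitAction !== true) return false;
  state[category] = { granted: true, noticeVersion, decidedAt: now };
  return true;
}

// Withdrawal is always available and takes effect immediately.
function withdrawConsent(state, category, now = Date.now()) {
  if (!(category in state)) throw new Error(`unknown tracking category: ${category}`);
  state[category] = { granted: false, noticeVersion: null, decidedAt: now };
}

// Consent is valid only for the notice the user actually read; a new notice
// version invalidates earlier consent so the user is asked again.
function isAllowed(state, category, currentVersion = NOTICE_VERSION) {
  const entry = state[category];
  return Boolean(entry && entry.granted && entry.noticeVersion === currentVersion);
}

// Gate the recorder: enable only allowed categories, buffer nothing beforehand.
// `recorder` is assumed to expose enable(category); returns what was started.
function startSessionRecorder(state, recorder, currentVersion = NOTICE_VERSION) {
  const started = [];
  for (const category of Object.keys(TRACKING_CATEGORIES)) {
    if (isAllowed(state, category, currentVersion)) {
      recorder.enable(category);
      started.push(category);
    }
  }
  return started;
}

// What a settings page would show: each category, its plain-language
// description, and whether consent is currently in force.
function describeSettings(state, currentVersion = NOTICE_VERSION) {
  return Object.keys(TRACKING_CATEGORIES).map((category) => ({
    category,
    description: TRACKING_CATEGORIES[category],
    allowed: isAllowed(state, category, currentVersion),
  }));
}

// Stand-alone demo with a constructed recorder stub.
if (typeof require !== "undefined" && require.main === module) {
  const state = createConsentState();
  grantConsent(state, "cursor", { explicitAction: true, noticeVersion: NOTICE_VERSION });
  const log = [];
  startSessionRecorder(state, { enable: (c) => log.push(c) });
  console.log(describeSettings(state), "recording:", log);
}
```

Usage: call `grantConsent` only from the handler of a real user action on an unticked control, and call `startSessionRecorder` after that, never on page load. The `now` parameter exists so a test can pin the timestamp.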