Note: this article explains the fundamentals carefully and with primary sources, but does not replace legal advice. For individual cases — especially involving sensitive data or your own contracts — involve a data protection professional.
Why privacy in user testing is not fine print
A think-aloud test inevitably produces personal data within the meaning of Art. 4(1) GDPR: the tester's voice, often their face, their screen including everything visible on it, and their behaviour. How seriously supervisory authorities treat data flows is shown by the biggest case to date: in 2023, the Irish Data Protection Commission — following a binding decision by the European Data Protection Board — imposed a record fine of €1.2 billion on Meta for unlawful data transfers to the US (violation of Art. 46(1) GDPR).
€1.2 billion — the largest GDPR fine in history — was issued in 2023 not for a hack, but for data transfers to the US without a valid basis.Irish Data Protection Commission (DPC) following an EDPB decision, May 2023
For small and mid-sized companies, the maximum fine (Art. 83(5): up to €20M or 4% of global turnover) is rarely the realistic scenario — complaints by individual testers, warning letters and loss of trust very much are. The good news: GDPR-compliant testing is not rocket science. It is five duties.
Duty 1: obtain consent — before the recording, not after
The legal basis for recordings is practically always informed consent (Art. 6(1)(a) GDPR). Under Art. 7 and the EDPB Guidelines 05/2020, it must be freely given, specific, informed and unambiguous — and demonstrable. Concretely: before starting, the tester learns what is recorded (screen? voice? camera?), for what purpose, how long it is stored and who has access. A checkbox buried in terms is not enough. The clean solution is a recording that technically cannot start until consent has been given — which is exactly how Test it Baby enforces it for every single test.
Duty 2: data minimisation — record only what the test needs
The principle of data minimisation (Art. 5(1)(c) GDPR) translates into three simple questions for user testing: Does the test really need the camera, or are screen + voice enough? Must testers enter real personal data, or can you provide test data? And: is the recording limited to the test task rather than the whole session? Tidying up beforehand reduces both risk and editing work.
Duty 3: regulate processing on your behalf (Art. 28)
As soon as a tool stores or analyses recordings for you, its operator is your processor — and Art. 28 GDPR requires a data processing agreement (DPA) with clear rules on purpose, duration, sub-processors and technical safeguards. Checklist for tool selection: Is there a DPA? Where are the servers? Which sub-processors are listed — and are they located in third countries?
Duty 4: avoid or secure third-country transfers (Chapter V)
This is the biggest pitfall, because many testing tools come from the US: every transfer of personal data to a third country needs a basis under Chapter V GDPR. The Meta case shows how expensive it gets when that basis is missing — and the current mechanism for US transfers (the EU-US Data Privacy Framework) has been under constant legal attack for years, just like “Safe Harbor” and “Privacy Shield” before it, both of which the European Court of Justice struck down. Avoiding transfers altogether — processing exclusively in Germany or the EU, including transcription and AI analysis — makes you independent of that ongoing battle. Our comparison shows how German and US providers differ here.
Duty 5: deletion concept and data subject rights
Testers remain in control of their data: they can request access (Art. 15), withdraw consent (Art. 7(3)) and demand deletion (Art. 17). Practically, you need three things: a fixed, communicated retention period, a defined deletion process (including at your tool provider!), and a contact address named in the consent text.
The checklist for your next test
We built Test it Baby from the ground up so this list stays short: consent is technically enforced before every recording, all data — including transcription and AI summary — is processed on servers in Germany, and testers without an account participate via expiring invitation links. Details on the book testers page and in the comparison with US tools.
Frequently asked questions
Are screen recordings from user tests personal data?
When must tester consent be obtained?
May I use US testing tools?
How long may I keep test recordings?
What penalties apply for violations?
Sources
- Regulation (EU) 2016/679 (GDPR), consolidated text: EUR-Lex — esp. Art. 4, 5, 6, 7, 15, 17, 28, 46, 83.
- European Data Protection Board (EDPB): Guidelines 05/2020 on Consent under Regulation 2016/679.
- Irish Data Protection Commission (DPC): Decision concerning EU/EEA→US data transfers by Meta Platforms Ireland, May 2023 (€1.2B fine).