
Researchers often see compliance as a blocker. But when brought in early, compliance can actually make research faster, safer, and more impactful.
The real challenge is not whether compliance is needed—it always is—but when and how it enters the process.
As researchers, we need to empathize. Interestingly, product teams sometimes see research the same way we see compliance, as a step that slows progress. The difference is that compliance is non-negotiable. That comparison alone tells us something about perception versus necessity.
When researchers talk about compliance, they often do so with a sigh. It feels like the department that slows things down, turning curiosity into checklists. But the reality is that both sides are working toward the same goal: minimizing risk. They’re just on different timelines.
The tension comes from different priorities. Researchers value speed, iteration, and access to users. Compliance and legal teams prioritize risk reduction, defensibility, and regulation. And the stakes are rising.
With laws like Washington’s My Health My Data Act and the rapid tightening of state-level privacy regulations, even seemingly benign research, such as a smartwatch usability test or a well-being survey, can carry legal risk. Remote, distributed research compounds this, as a single study might include participants from California, the UK, and Singapore, each with its own definition of “sensitive data.”
In recent years, a growing number of U.S. states have expanded privacy and health data laws to cover consumer-facing scenarios outside traditional healthcare, redefining “sensitive” data to include biometric signals, wellness data, and location from wearables, among others.
Because of this, compliance often gets treated as the “final gate” instead of just another design constraint, like accessibility, cost, or technical feasibility.
When that happens, usability becomes an afterthought, and the actual experience suffers.
A deeper issue lies in language. Researchers and legal teams use the same terms but mean entirely different things by them. “Anonymous,” “participant,” “health data,” and “usage” each carry a different operational weight depending on who is speaking.
As with any relationship, reframing what it means for a partner to be part of your process is extremely important. Build genuine interest in their work early on. Go sideways: ask how projects failed when compliance was not involved. Ask for examples of projects that succeeded when they were at the forefront. What frustrates them the most? What makes their life easier?
The first conversation should be about understanding their world, not pitching yours.
What shifts the dynamic is treating compliance not as a barrier but as a partner in design. Compliance is part of the service journey, not an afterthought. Involve them in framing discussions rather than only at the sign-off stage. Think of them as another stakeholder group shaping the overall ecosystem.
How do we bring compliance in early in practice, and not only in theory? This is how you can get started.
Think short, focused alignment sessions instead of long review cycles.
Quick tip: Schedule a 15-minute compliance alignment at the start of every project, even if it’s just to confirm that nothing risky is happening. Compliance and legal teams will thank you for it. This doesn’t slow things down; it prevents the rework and friction that occur when compliance enters too late. You avoid the hidden cost of delays and the chain of poor business decisions they produce.
This includes standardized consent forms, data handling templates, survey disclaimers, as well as any internal data-sharing templates.
Bring in legal, compliance, a content designer, and a researcher to frame the building blocks of repeatable documents that you envision using. I would leave contracts and agreements out, as they are more ironclad. As a parallel process, while researchers prepare participants or guides, compliance reviews consent language or storage practices.
Define what counts as low, medium, or high-risk research so that not every study needs the same level of review. This will probably require running a few studies first, but once you define your tiers of risk, you’ll be able to classify studies by approval cycle, approval level, and compliance constraints (if the tiers are numbered, the higher the number, the higher the risk). Devise the framework with compliance and legal together. Once established, auto-assign these risk tiers. This gives both research and compliance teams clarity on the level of engagement and creates an escalation path if required.
Like any team, it pays to know where you can bend. Some compliance areas are rigid; others have room. Surface usability trade-offs early and involve decision-makers who can help negotiate.
Compliance runs smoother when it’s not just about processes but people.
Invite compliance into the creative room early and often. Let their voice influence design in real time so negotiations happen with everyone present.
As one survey of over 370 in-house legal professionals found, 58% believe their team is perceived as “slowing down projects”, and 41% say they’re seen as overly risk-averse. Yet 70% of those same teams said their top priority for the year is “better alignment with other business units.”
Cultivate “friends” within compliance who understand both product and design. These are the bridge-builders, people who can translate between risk and innovation. Over time, they’ll become your internal advocates, countering rigid interpretations and championing design-first approaches.
Translate research needs into compliance terms. What researchers call “participant anonymity,” compliance may call something else entirely.
Quick tip: Document vocabulary decisions and keep them versioned. Compliance can reference them later, which builds mutual trust.
Compliance doesn’t have to be a maze of approvals; it can be designed into the daily rhythm of research.
The key is to make compliance repeatable, not reactive.
Build shared decision trees outlining when and how to involve compliance. These should include triggers for early “red flags” such as studies involving health data, international users, or recording policies. Having a visual decision path helps reduce uncertainty and accelerates reviews.
Invest in tools and infrastructure that align with compliance needs, from secure storage and audit trails to automated PII redaction (Great Question is great for this). At minimum, partner with recruiters or vendors who are GDPR-compliant when running multi-region studies, such as across the U.S., U.K., and France.
When storing user research sessions or recordings, regulated industry or not, scrub sensitive identifiers before archiving. When synthesizing insights, remove details like names, locations, or population data. These are everyday ethical acts that also fall squarely within compliance.
Compliance will also apply to data retention and research repositories after the research is completed.
Many researchers assume compliance belongs only to regulated industries. While that’s partly true, every team collecting participant data operates within a moral and legal framework.
When compliance is involved early:
When compliance walks beside research, the result is stronger trust.
Dhairya Sathvara is currently a Senior Service Designer at Intuit. Previously he has helped startups and mission-driven organizations create products that blend business impact with human-centered design. His work focuses on navigating the messy, ambiguous stages of product development, ensuring teams make informed decisions backed by research. Dhairya holds an MS in Strategic Design & Management from Parsons School of Design and is currently based in San Francisco. Connect with Dhairya on LinkedIn.