Regulatory Compliance for Designers

October 19, 2024 · 9 min read

This article originally appeared on Design Flaw.


In this post I’m going to delve into an important topic but one that’s often overlooked by designers. Senior designers and design leaders in particular need to be familiar with regulatory requirements for their industries and how they apply to their work. I’ll do my best to keep the legalese digestible and engaging.

I’ll also clarify that I’m focusing solely on regulatory compliance in this article. I’m not talking about copyrights, trademarks, accessibility, and so on. Those are all very important, but today I’m covering the stuff that can get you into legal hot water with the government, such as healthcare, banking, and food labeling. Government regulators aren’t known for their senses of humor and it’s in your best interest to avoid drawing their attention.

Don’t steal other people’s work, and don’t let your clients do so, either. It’s not OK to just grab some pictures off of Google image search for their website. Everything you provide to your clients needs to be cleared for copyright, and you should check to ensure that content provided to you is as well. Your contract should cover this, and it’s a good idea to talk to a lawyer from time to time.

This article is primarily written for designers based in the United States. Every country has its own laws and regulations, so be sure to understand what applies to your locality.

And finally, I’m not a lawyer and this does not constitute legal advice. It’s a good idea to have your contracts vetted by a lawyer, and of course you should consult one if you have any questions or concerns.

Why Should You Care?

That’s a good question, and in my research I haven’t found any examples of designers or agencies being sued by regulators. But being aware of a client or employer’s regulatory environment shows a higher level of professionalism, especially for design leaders. It shows that you are knowledgeable, engaged, and that you understand the challenges they face. Also, accounting for regulatory needs can speed the client review process while eliminating rework and errors. They like that.

And even if you aren’t directly held responsible for a problem or regulatory finding, you’re better off not even being involved. Yes, you can point at the client’s lawyers and try to blame them, but it’s still a bad look.

Where Does This Apply?

There are myriad ways that your work could be affected by some sort of government regulation. I’m going to hit a few big ones here, but this is by no means comprehensive. I have nearly 20 years’ experience in finance and healthcare, so it’s fair to say I’ve seen my fair share of regulations.

Privacy

[Image: The EU flag with a padlock in the center of it.]

One of the most obvious regulatory entanglements involves privacy. Unless you’ve been living under a rock, you’re undoubtedly aware of the General Data Protection Regulation (GDPR). There are two important points to consider about GDPR:

  1. It applies even if you’re outside the EU. As long as you “process the personal data of EU citizens or residents, or you offer goods or services to such people” then the GDPR may apply to you.
  2. Penalties are HIGH for violations; as in millions of dollars. Meta got smacked with a $1.3 billion fine last year. (Meta is appealing the ruling, of course.)

But several privacy laws also apply within the US. The Children’s Online Privacy Protection Act (COPPA) stipulates what data can be collected from children under 13 years old. I’ve mentioned COPPA previously when describing a friend whose client wanted to build an app for seven-year-olds.

There are also the California Consumer Privacy Act (CCPA) and the newer California Privacy Rights Act (CPRA). Specific rules stipulate when and how CCPA/CPRA apply, and if you’re building products for California companies you should be familiar with them.

For example, what data can you collect during an onboarding flow? Are disclosures required? How does the data collection opt-out process work? These are all questions that could affect your designs.

Medical

[Image: Mobile phone displaying the logo for the Centers for Medicare and Medicaid Services (CMS).]

The medical industry is one of the most highly regulated, and for good reason. Healthcare companies are directly responsible for people’s health and well-being and accountability is good.

For this article I’m mostly focused on healthcare-related software. Medical devices are a whole other topic with their own, very stringent rules. If you’re designing hardware or software for medical devices you definitely need to be aware of the rules relating to your work.

The best-known healthcare regulation is almost certainly the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HIPAA is also quite possibly one of the most misinterpreted and misunderstood laws, and it probably doesn’t work the way you think it does. The law applies only to certain information collected by “covered entities,” which typically includes healthcare providers, health plans, and healthcare clearinghouses. You don’t want to read an article on HIPAA and I’m not qualified to write one anyway, so I’ll leave you with two takeaways.

First, if you’re working on a healthcare product for a covered entity then you need to think about how data is collected, handled, and displayed. In addition, researchers need to take care when working with healthcare applications. Be conscious of what information you collect from research subjects and how you handle and dispose of it. If your research includes protected health information (PHI) then you need to implement protocols and disclosures accordingly. (Also, talk to a lawyer.)

Second, HIPAA has a lot of gaps and there are plenty of products to which it does not apply, so this seems like a good time to encourage ethical design practices. Don’t collect unnecessary data and be careful how you handle it in the product. For example, mental health apps are notorious for leaking or selling user data.

Banking and Fintech

[Image: The front of the Consumer Financial Protection Bureau (CFPB) building.]

I worked in banking and fintech for more than 15 years and spent more time in compliance training than I care to admit. But aside from a few recalcitrant lawyers, I didn’t encounter many issues that affected the user interface. Common examples include accounting for know your customer (KYC) data collection, or masking requirements for things like account numbers, email addresses, and so on. You may also find yourself having to account for specific disclosure placements and formatting. Ever wonder why every credit card and loan offer disclosure looks the same? You guessed it: the Fair Credit Reporting Act (FCRA) has very specific disclosure formatting requirements.

Finance regulations can have a bigger effect on process and interaction design. For example, onboarding flows may need to include specific steps to meet KYC requirements. Loan application flows generally have to include FCRA disclosures or additional steps to allow the applicant to read and accept terms and additional disclosures.

When I was working on credit card products for a big-four bank we had to prevent users from ordering a replacement card online if they had changed their address in the past 30 days. This meant that for those scenarios we had to include an alternate step (and accompanying UI) to direct the customer to call the bank. The processes for handling commercial fleet cards could be fiendishly difficult to solve.

So when designing financial products, you can expect some additional steps and challenges. Plan for extra steps and alternate routes in your journeys and user flows. You can also bank on some subpar-but-legally-required copywriting as well.

Food and Supplement Labels

[Image: A sign for the US Food and Drug Administration outside an FDA building.]

So your friend is working on this awesome supplement and wants you to help out with the website and some product labels. You’d better prepare yourself for some fun with the FDA and/or the USDA. I say this because there are not one but two major food regulation programs in the US. The FDA even has very specific requirements about food identity.

If you’re working on a food or supplement product, be sure to do a little research and ask lots of questions. I can tell you that trying to meet minimum font sizes on nutrition labels for a 30 mL bottle can be a challenge.

Other Possible Compliance Pitfalls

Privacy, healthcare, and finance account for a huge number of compliance hurdles, but they are by no means the only ones. Most industries require some sort of disclosures or disclaimers. Working on a telecom project? Disclosures. A website for a tire company? Yeah, they got some too.

Tips for Avoiding Compliance Issues

The good news is that there are a few simple steps you can take to help keep you and your client out of hot water.

  1. Don’t rely on someone else to know. Yes, the product manager should know what steps the flow needs to include or what data has to be collected, but if you’re not sure it’s a good idea to dig a little deeper or to ask around.
  2. Read up on your industry. This can be a little more difficult for freelancers who work across industries, but government regulations are posted online. Also, there are tons of other resources out there, including trade organizations, legal websites, and industry-specific publications. Check them out, but do be careful to vet your sources to avoid misinformation. (Also, don’t trust AI tools to know – they make shit up all the time.)
  3. Use a contract and have a lawyer review it. You should always, always, always use a contract. I don’t care if you’re redoing your uncle Earl’s junkyard website for a couple 12-packs, get a damn signed contract before you start. Make sure that your contract includes a section about errors and omissions (E & O), and get a lawyer to review your contract. It’s not that expensive; it cost me about $100 to get a LegalZoom lawyer to take a look at mine.
  4. Have business insurance. If you’re doing a fair amount of freelance work then you might want to look into insurance. You’ll typically want liability and E & O insurance, but talk to a professional if you’re unsure. I’m not in the insurance business so don’t ask me. Related: a DBA or LLC isn’t a bad idea either.

Don’t Freak Out

I’m not trying to scare you. I’ve worked on every type of product listed here and have been neither sued nor prosecuted. But I do think designers need to be aware of possible compliance issues in the products we help create. After all, it’s our job to understand the environment in which clients operate and to help them solve problems. Understanding their regulatory hurdles is a great way to show that you’re a serious professional and to better highlight the value you bring to them.

Anyone can design a website (theoretically, anyway). But if you can show a client that you already know about the hundred disclosures they need and have thought about how to handle them? Yeah, that’s showing actual business value for that client. They love that crap and you may have a client who will keep coming back and giving you money.

© 2024 Matthew Rife All rights reserved