11th Apr 2018 – A/B Testers: Time to Fix Your Post-GDPR Privacy Policy
We should all care about our visitors’ privacy and collect only what we need.
New legislation including the GDPR and ePrivacy Regulations puts the control over personal data firmly back in the hands of the individual data subjects. This means businesses need to step back and think about how they have been using personal data and what changes they need to achieve compliance. One option is to collect consent but smart marketers will avoid processing personal data by using intelligent tools. These will automatically anonymize a website visitor’s identity and do not store personal data. My view is it’s about careful selection of tools from suppliers who understand and embrace the new legal requirements and making the available tech work for you in your business.
Under GDPR: this should change. While all this certainly makes compliance a lot easier—ignoring GDPR is still not a good idea. We suggest you update your privacy policy and add a cookie policy.
After the revisions to our software, we asked some privacy experts what they think. If you’re running Convert Experiences—what adjustments should you make?
That means we don’t store: IPs, cookie IDs, country, region or city data, transaction IDs or order IDs (making us the most privacy-oriented testing tool on the market).
To improve user experiences and drive strategic business goals—Convert Experiences does not need to collect much.
But for some settings—you should actively inform users of the tests you’re running. We suggest getting user consent for:
In this article, we’ve detailed some questions you’ll need to ask about your testing software—before GDPR gets instated.
This article details how—using Convert Experiences as an example.

What do the Privacy Experts Say?

If you’re using another A/B testing tool, you should really have a conversation with your provider about compliance.

Right now, most of our customers run experiments on their websites without giving their visitors much notice.
James Chiodo, CEO of DisclaimerTemplate.com

What the software does to determine results is: make a random change for an audience group, and then, en masse, count how many users took an action, and how many did not.
Sue Edwards, MD of www.lawhound.co

When to ask for consent?

Sans jargon—that just means your A/B testing doesn’t require data that could identify the website user.
At Convert—we altered our software to take privacy by design into account. And in our software’s default setting, we eliminated the storage of any personal data point.
The cookies we place are first party cookies, set in the domain name of the customer, and they don’t rely on User ID. The software doesn’t store personal identifiers, and, after doing the statistical research, we’ve found—web activity can’t be connected to a site visitor.

  • Cross domain tracking
  • Universal User IDs
  • Using long term persistent segmentation
  • Regional and City targeting
  • Using cookies and JavaScript for audience information
  • Using very detailed user-agent targeting

The “buckets” visitors are counted in, to perform these actions, are large. Warnings are given when groups are becoming very small, to avoid potential user identification.
We did a lot to make our tool GDPR friendly—and we haven’t seen other tools on the market document these steps. In particular, if you’re testing with a tool that offers post segmentation analysis, adding goals retroactively, 1:1 personalization, account based marketing or zip code targeting—you’re hinting at, or clearly using, personal data. A lot of personal data. And you’ll want to hire a privacy expert for an assessment.
If you are not collecting any personal data at all, including IP addresses, and the data you collect can in no way identify or be used with other information to identify an individual, then I don’t see a problem and the GDPR or ePrivacy Regulation would not apply. However, if the pages you are split testing have any contact information, i.e., email address, opt-in form, or phone number, then I think the pages being tested should have a website privacy notice to comply with global privacy laws. A properly drafted privacy notice or disclosure solves most problems when collecting personal data. Collecting personal data is not a problem if you disclose it properly. Even if you think you are not collecting personal data with the A/B testing, just insert a short provision in your privacy notice covering the information collected from the A/B testing to make sure.