A/B Testers: Time to Fix Your Post-GDPR Privacy Policy

Dennis van der Heijden
April 11, 2018

Right now, most of our customers run experiments on their websites without giving their visitors much notice.

Under GDPR, this should change.

This article details how, using Convert Experiences as an example.

Warning: Not All A/B Testing Tools are Equal

At Convert, we altered our software to take privacy by design into account. In our software’s default setting, we eliminated the storage of any personal data point.

That means we don’t store IPs, cookie IDs, country, region or city data, transaction IDs or order IDs (making us the most privacy-oriented testing tool on the market).

Sans jargon, that just means your A/B testing doesn’t require data that could identify the website user.

The cookies we place are first-party cookies, set in the domain name of the customer, and they don’t rely on a User ID. The software doesn’t store personal identifiers and, after doing the statistical research, we’ve found that web activity can’t be connected to a site visitor.

To determine results, the software makes a random change for an audience group and then counts, en masse, how many users took an action and how many did not.

The “buckets” in which visitors are counted are large. Warnings are given when groups become very small, so as to avoid potential user identification.
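The counting model described above, sketched as an added example (not Convert's code): visitors are assigned at random, only per-bucket totals are kept, and buckets under a threshold are flagged. The class name, the segment labels and the threshold of 50 are assumptions; the article gives no number.

```javascript
// Added illustration, not Convert's code. Names and threshold are assumptions.
const MIN_BUCKET_SIZE = 50; // assumed threshold; the article gives no number

class AggregateExperiment {
  constructor(variants, minBucket = MIN_BUCKET_SIZE, rng = Math.random) {
    Object.assign(this, { variants, minBucket, rng });
    this.buckets = new Map(); // one entry of totals per (variant, segment) pair
  }

  bucket(variant, segment) {
    if (!this.variants.includes(variant)) throw new Error(`unknown variant: ${variant}`);
    const key = JSON.stringify([variant, segment]);
    if (!this.buckets.has(key)) {
      this.buckets.set(key, { variant, segment, visitors: 0, conversions: 0 });
    }
    return this.buckets.get(key);
  }

  // Random assignment: no visitor ID, IP or user agent is read or stored.
  // The caller keeps the returned variant name in a first-party cookie.
  assign(segment) {
    const variant = this.variants[Math.floor(this.rng() * this.variants.length)];
    this.bucket(variant, segment).visitors += 1;
    return variant;
  }

  // A conversion only increments the total of the bucket the visitor was in.
  convert(variant, segment) {
    this.bucket(variant, segment).conversions += 1;
  }

  // Per-bucket totals; buckets below the threshold are flagged for review.
  report() {
    return [...this.buckets.values()].map((c) => ({
      ...c,
      rate: c.visitors ? c.conversions / c.visitors : 0,
      tooSmall: c.visitors < this.minBucket,
    }));
  }
}

// Constructed sample traffic: 200 "desktop" visitors and 6 "tablet" visitors.
function demo() {
  let i = 0;
  const alternating = () => (i++ % 2 === 0 ? 0.1 : 0.9); // deterministic stand-in for Math.random
  const exp = new AggregateExperiment(["original", "variation"], 50, alternating);
  for (let n = 0; n < 200; n++) {
    const v = exp.assign("desktop");
    if (n % 10 === 0) exp.convert(v, "desktop");
  }
  for (let n = 0; n < 6; n++) exp.assign("tablet");
  return exp.report();
}
```

In the constructed traffic, the two tablet buckets hold three visitors each and come back with `tooSmall: true`, which is the situation the warning exists for.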

While all this certainly makes compliance a lot easier, ignoring GDPR is still not a good idea. We suggest you update your privacy policy and add a cookie policy.

What do the Privacy Experts Say?

After the revisions to our software, we asked some privacy experts what they think. If you’re running Convert Experiences, what adjustments should you make?

If you are not collecting any personal data at all, including IP addresses, and the data you collect can in no way identify or be used with other information to identify an individual, then I don’t see a problem and the GDPR or ePrivacy Regulation would not apply. However, if the pages you are split testing have any contact information, i.e., email address, opt-in form, or phone number, then I think the pages being tested should have a website privacy notice to comply with global privacy laws. A properly drafted privacy notice or disclosure solves most problems when collecting personal data. Collecting personal data is not a problem if you disclose it properly. Even if you think you are not collecting personal data with the A/B testing, just insert a short provision in your privacy notice covering the information collected from the A/B testing to make sure.

James Chiodo, CEO of DisclaimerTemplate.com

New legislation including the GDPR and ePrivacy Regulations puts the control over personal data firmly back in the hands of the individual data subjects. This means businesses need to step back and think about how they have been using personal data and what changes they need to achieve compliance. One option is to collect consent but smart marketers will avoid processing personal data by using intelligent tools. These will automatically anonymize a website visitor’s identity and do not store personal data. My view is it’s about careful selection of tools from suppliers who understand and embrace the new legal requirements and making the available tech work for you in your business.

Sue Edwards, MD of www.lawhound.co

When to ask for consent?

We should all care about our visitors’ privacy and collect only what we need.

To improve user experiences and drive strategic business goals, Convert Experiences does not need to collect much.

But for some settings, you should actively inform users of the tests you’re running. We suggest getting user consent for:

  • Cross-domain tracking
  • Universal User IDs
  • Using long-term persistent segmentation
  • Regional and city targeting
  • Using cookies and JavaScript for audience information
  • Using very detailed user-agent targeting

Other A/B testing tools?

If you’re using another A/B testing tool, you should really have a conversation with your provider about compliance.

In this article, we’ve detailed some questions you’ll need to ask about your testing software before GDPR gets instated.

We did a lot to make our tool GDPR friendly, and we haven’t seen other tools on the market document these steps. In particular, if you’re testing with a tool that offers post-segmentation analysis, adding goals retroactively, 1:1 personalization, account-based marketing or zip code targeting, you’re hinting at, or clearly using, personal data. A lot of personal data. And you’ll want to hire a privacy expert for an assessment.

Originally published April 11, 2018 - Updated January 06, 2022

Dennis van der Heijden

Co-founder & CEO of Convert, passionate community builder and out-of-the-box thinker. 
