GDPR’s impact on CRO Data Collection: A Quick Recap
November 12, 2019 –
The basis for optimizing the conversion rate on any website is the systematic collection and analysis of the data pertaining to visitors who interact with the website.
The collection of user data is crucial to gauging how visitors use, understand and like the different parts of a website. However, under the General Data Protection Regulation (GDPR) that was introduced by the European parliament in April 2016 and finally enforced in May 2018, the collection and processing of personal data in the European Union became unified and confined.
In layman’s terms, businesses can no longer collect and hoard data without a valid reason. They also can’t process data as they like. And finally, data now comes with an expiration date. There is a need to regularly purge data that’s not being used to improve user and customer experience in tangible ways.
The aim of the GDPR is to harmonize the data privacy laws in the European Union, to strengthen the data privacy rights of the EU citizens and to prevent data breaches. Organizations that do not comply with the GDPR can be fined up to 4% of their annual turnover or up to 20 million Euro (whichever is higher).
Fines have already been imposed. For example, the Information Commissioner’s Office (ICO) announced a fine of £183.39 Million for British Airways due to a data breach that compromised the personal data of 500,000 customers and an infringement of the GDPR.
Thus, the general motto under the GDPR is the less personal user information you gather, the better. But does that mean the collection of user data from EU citizens for the purpose of optimizing the conversion rate is impossible without risking heavy fines under the GDPR?
If you collect personal data of an EU citizen through tracking tools, cookies, processing software or data evaluation programs, you need to know which kind of data is collected, where it will be stored, how it is processed and when will it be eventually deleted. The need for a change in the general mindset of businesses and organizations of owning the personal data of individuals intensified in recent years.
The portability section of personal data in the GDPR states, that no company can own an individual’s data and that the data subject has the right to share their data with another organization. Thus, under the GDPR, businesses and organizations are legally obligated to obtain a consent agreement for collecting and processing data of their website visitors. Furthermore, you need to write the consent form in plain words to clearly explain why you are collecting the data and what you are going to use it for.
At first glance, this sounds overwhelming and difficult to execute on a daily basis. However, this article will help you deal with the GDPR requirements.
Furthermore, the article will give you an overview of what is deemed as personal data under the GDPR, how you can become compliant with GDPR while collecting personal data for the conversion rate optimization (CRO) purposes and how the GDPR affects common CRO tools that are used to optimize websites.
What Constitutes Personal Data?
Article 4 of the GDPR defines what constitutes personal data.
Personal data is any form of information that can directly or indirectly identify a natural person. A natural person is an individual living in the EU. The easiest way to identify a person is generally through the full name. But there can be multiple individuals with the same name living in the EU. However, a combination of different data points can be enough to identify one specific individual. Identifiable data points could, e.g., be the name, location, e-mail address, login information, IP address and unique identifiers such as user IDs or transaction IDs.
While reading the last section, you probably noticed that most of the commonly used conversion rate optimization tools collect and process the mentioned identifiable data points. But are you responsible for ensuring that third party data processing tools are compliant with the EU data protection regulations?
Third Party CRO Tools: How to Work with Them
The GDPR describes that the data collection process is conducted by two different entities: The data “controller” and the data “processor”. The data controller decides the purpose, scope and intent of the collected data. Therefore, data controllers are the website owners in most cases. Data processors, on the other hand, process the collected data to meet a predetermined goal on behalf of the data controller.
Data processors are generally third-party CRO tools such as heatmaps, testing tools, form analytics or A/B testing tools. Before any third-party tool can be used, an agreement of what the third-party tool is allowed to do in the name of the website owner must be approved by the website owner.
That means that a third-party tool as a data processor acts as an extension of the data controller.
The general data protection regulation states that a data controller is legally liable for the actions of the data processor. Thus, if the data processor in form of a third-party CRO tool is not compliant with the GDPR, the data controller in turn is equally noncompliant and can face penalties. Thus, it is recommendable to check up on which kind of data the marketing and tracking tools you use for your website collect for you.
Now you are probably asking yourself: “What are my responsibilities under the GDPR? And which measures should be stated in the agreement between the website owner and the third-party data processing tool to ensure compliance with the GDPR?” The following checklist will give you a quick overview of the most important GDPR requirements for third-party tools as well as your own requirements.
Checklist for Third-party tools’ GDPR Requirements
- Updated data processing agreement with an added GDPR section
- Contract should state that they will only act on your documented directions
- The duration, purpose, storage and the process of the method of the data processing
- Records of the website visitors’ consent must be maintained over a short period of time that is predicted by the GDPR requirements
- The data security measures should be stated in the agreement of the third-party tool
- The data processor must assist the data controller in the user’s rights to access the stored data, in the withdrawal of the given consent and in the right to be forgotten and to erase certain information
- The third-party tool should state which type of personal data will be collected and processed
- In the agreement between the data processor and the data controller, a section that describes the rights and obligations of each party should be included
Checklist for Website Owners’ GDPR Requirements
- Information audit: What personal data do you collect/process/store?
- Have a legal justification for collecting personal data (Art. 6, 7-11)
- Do not keep data longer than it is necessary (Art.5)
- Obtain the consent for collecting personal data and store consents for proof of the given consent through an active opt-in option (Art. 4)
- Encrypt and pseudonymize personal data wherever it is possible (Art. 32)
- Make it easy for your customers to withdraw their consent, the collection and the possible deletion of their collected data (Art. 15, 17, 18, 21)
- Name the third-party tools that have access or collect personal data in your name
- Follow the restrictions for personal data transfers to countries outside of the EEA (Art. 44-50)
GDPR Compliance: Possible Impact on Experience & Conversion Rate
Under the GDPR, all data collected should be done so after acquiring the explicit consent of the user. There are two ways in which this can be potentially detrimental to businesses:
- Forms can no longer come with consent baked in (pre-checked boxes) and they need to request consent for each separate kind of data processing. So in short, if a browser has signed up for your lead magnet, do not automatically start visiting their inbox with the newsletter. This not only reduces the number of touchpoints with prospects, if forms are not designed with UX in mind, the consent options can induce frustration and fatigue leading to worse completion/submission rates.
- Cookie consent pop-ups. This post by Convert breaks down the different types of cookies that can be used on a site, and how to gain permission for their use from traffic. In case the cookie you have in mind requires a nod from site browsers, then hideous cookie consent forms are the way to go. Most tools have their own cookie consent banners with very limited customization options. The aggregate tools that allow for the consolidation of cookie consents for different solutions are inadequate and require users to click through or navigate away from the existing page to opt in or opt out.
Though no formal research has been conducted into the decrease in traffic, engagement or goal completion rates, pre and post GDPR, most businesses have suffered.
However, this suffering has given rise to a need to invest in Consent Rate Optimization™techniques and better design and UX – elements that will eventually improve how companies interact with prospects and walk them through the buying/consumption cycle.
The GDPR and the like-minded data privacy laws that are taking shape around the world are steps in the direction towards a more private and free digital future – but it is vital that the technical solutions for the enforcement of these laws are balanced and nuanced, so that they don’t break the economies of the Internet that fund the free and universal parts of it, which we all cherish and wish to protect.Daniel Johannsen, CEO of Cybot, creators of Cookiebot.
Storing, Erasing and Classifying Personal Data
Another GDPR requirement that can impact the collection of data for CRO purposes is the storing and processing of personal data. This can be especially complicated, as many CRO tools store personal data and many parties can be involved in the data analysis process. Thus, it depends on how many CRO-tools you use for your website, but it is mostly possible to restrict the long-term storage of personal data in the CRO tools used.
The necessity of erasing data collected and kept by organizations or businesses has been debated for many years. Under the GDPR, an individual can request to having their personal data erased without further delay. However, it is not entirely clear how organizations should showcase a proof of the data deletion, as this would give rise to questions about data privacy and company policies.
Another point that needs to be addressed is the appropriate classification of personal data. As an organization, you need to know which type of data you must collect to run your business successfully.
The data collection regulations of the GDPR describes the importance for businesses to only collect personal data with a legal justification. In total, there are 6 legal bases for collecting data: Consent, contract, legal obligation, vital interests, public task and legitimate interests. A common legal justification for collecting and processing personal data is a legitimate interest. This could be for example the processing of data for retargeting or direct marketing purposes (Recital 47). This will also restrict the unauthorized use of personal data by third party tools and thereby reducing the risk of data theft.
The mandatory GDPR requirements can partially affect the data collection process for the conversion rate optimization. Especially the volume of the collected data is affected by the “opt-in” consent form on websites. Furthermore, third-party CRO tools that collect data for you need to be checked so you can verify if the most important GDPR requirements are included in the agreement, as you are liable for potential third-party GDPR violations.
Overall though, these are positive changes that will bear fruit in the form of more free interactions between prospects and brands – without the underlying fear of data mis-use. Any dips in conversion rates in the present will be compensated as conscious brands take compliance in their stride and invest in developing practices that focus on making the process of consent acquisition as painless (and even delightful) as possible.