Convert Experiences + GDPR + ePrivacy Regulations

GDPR and ePrivacy Regulations Roadmap for A/B Testing Software Convert Experiences

Convert is committed to assisting its customers in their journey to compliance, starting late May 2018 for the GDPR (General Data Protection Regulation) and later for the upcoming ePrivacy Regulation. At Convert, we’re not only dedicated to adhering fully to GDPR prior to its enforcement date (as you can read here) but also to adjusting the analytics application Convert Experiences to assist our customers in complying with GDPR and the upcoming ePrivacy Regulation (current draft).

The following details how:

What is GDPR (and why should I care)?

General Data Protection Regulation (GDPR) was passed by the EU Parliament in April of 2016. Replacing the Data Protection Directive from the 1990s, it’s the biggest overarching legislative change in data privacy regulation to take place in the last 20 years.

In short, GDPR was created to standardize data privacy laws throughout Europe and to put greater protection on the data privacy of EU citizens. The big changes are:

  • A Change in Legislative Scope: Now, all controllers and processors in the EU are subject to GDPR—even if the data they’re accessing is processed outside of the EU. The reverse is also true. If you’re a company processing the data of EU citizens (either to offer goods and services, or to monitor behavior taking place in the EU)—it doesn’t matter where you’re based, or where you’re processing the data. You still have to comply with GDPR.
  • Greater Penalties for noncompliance: The maximum fine for noncompliance with GDPR is up to 4% of annual global turnover, or 20 million euros—depending on which is greater.
  • Strengthened Conditions for Consent: No more legalese. Consent has to be given in an easy, accessible way before processing a person's data. You also have to disclose the purpose of that data processing, and make it as easy to withdraw consent as to give it.

A full list of the key GDPR changes can be found on the EU GDPR website here.

What is the ePrivacy Regulation (and why should I care)?

Directive 2002/58/EC on Privacy and Electronic Communications, otherwise known as the ePrivacy Directive, was passed as a complementary law by the EU Parliament in 2002 and amended by Directive 2009/136 (in 2009). This complementary law to the GDPR is currently being updated; although not yet in effect, the latest drafts, dated October 26, 2017, were prepared by Member of the European Parliament Marju Lauristin. The proposal is in draft under item 15333/17 and involves important changes to the way cookies and traffic data are to be treated.

In short, the ePrivacy Regulation was created to standardize data privacy and communication laws throughout Europe, for example to remove the cookie walls people in Europe are familiar with and replace them with clear guidelines that can be adopted in national EU laws. It introduces several changes, especially concerning cookies, which are now subject to prior consent, but it also covers call centers and other forms of communication.

While GDPR is a law (enforceable national versions might differ slightly from the main guidelines), the ePrivacy Regulation is not yet a law, just a proposal in the late stages of approval. It most likely will not become law until summer 2019, so on May 25, 2018 two laws are in place: the new GDPR and the old ePrivacy Directive 2009/136. Once the ePrivacy Regulation is adopted (expected summer 2019), the GDPR and the ePrivacy Regulation will apply as complementary laws.

Who does GDPR and ePrivacy Regulation affect?

Just about anyone dealing with data. If your business is based in the EU, or you ever process the data of citizens from the EU, you’ll want to make sure you’re doing everything you can to comply with GDPR. In addition, it’s wise to start preparing for the ePrivacy Regulation based on the draft law (approved by the European Parliament on October 26, 2017). Convert is preparing its business, and also its customers' applications, in line with both the GDPR law and the ePrivacy Regulation draft of Member of the European Parliament Marju Lauristin.

What is Convert doing to ensure GDPR and ePrivacy Regulation compliance in its application Convert Experiences?

We’re glad you’ve asked! The chart below breaks down the new GDPR privacy standards as well as the ePrivacy Regulations, and how we’re working to respond to them. We’ll update this article frequently, so you can keep an eye on how far along we are in the process.

Article in GDPR | Summary | Actions to be taken - Progress
Article 5

6 new Data Protection Principles have been introduced:

  1. Lawfulness, fairness and transparency
  2. Purpose limitations
  3. Data minimisation
  4. Accuracy
  5. Storage limitations
  6. Integrity and confidentiality

Convert Experiences will change features and settings; the most important changes are:

  • Purpose limitations: the analytics application will suggest a consent mechanism once audiences involve location data, browser data, or when historical data segments are activated. COMPLETED
  • Purpose limitations: Do Not Track is the first setting that browsers have implemented to signal to analytics tools like ours that tracking is not desired. By default, Convert Experiences will not load its scripts on any customer website worldwide when the browser signals Do Not Track, respecting that setting. COMPLETED
  • Purpose limitations: Convert staff will monitor browser settings that indicate additional privacy preferences. Once implemented, support for these new settings will be added to this roadmap. COMPLETED
  • Data minimisation: Order IDs will be removed from the tracking script and not stored by Convert Experiences. COMPLETED
  • Data minimisation: Automatic anonymization of visitor’s ID by grouping hundreds of website visitors in visitor groups that only count the presence of the visitor. Individual visitors are not stored in Convert Experiences. It will not be possible to reconnect group counts to individual visitors in any way. COMPLETED
  • Data minimisation: Cookie IDs will be removed. COMPLETED
  • Storage limitation: A reduction of the cookie lifetime storage limit from 12 months to 6 months. COMPLETED
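The two browser-side commitments above (not loading the script when Do Not Track is set, and a cookie lifetime capped at 6 months) can be expressed as a small gate in front of the script loader. The following is an added illustration written for this article, not Convert's own tracking code; the consent storage key, the placeholder script URL and the 180-day approximation of "6 months" are assumptions of the example.

```javascript
// Added example (not Convert's code): gate an analytics script behind the
// browser's Do Not Track signal and the visitor's recorded consent, and cap
// the lifetime of any cookie the script sets at six months.

// Assumption: "6 months" is approximated as 180 days.
const SIX_MONTHS_SECONDS = 180 * 24 * 60 * 60;

// Returns true when the user agent signals Do Not Track. The navigator and
// window objects are passed in so the check can be unit-tested outside a
// browser. Covers the values browsers have shipped: "1" (the standard value),
// "yes" (older Firefox) and the legacy IE property names.
function dntEnabled(nav, win) {
  const signals = [
    nav && nav.doNotTrack,
    win && win.doNotTrack,
    nav && nav.msDoNotTrack,
  ];
  return signals.some((v) => v === '1' || v === 'yes');
}

// Decides whether the tracking script may be loaded at all. Policy (an
// assumption of this example): an explicit DNT signal always wins; otherwise
// the script loads only on a recorded "granted" consent. No record, no load.
function shouldLoadTracking(nav, win, consentDecision) {
  if (dntEnabled(nav, win)) return false;
  return consentDecision === 'granted';
}

// Builds a document.cookie assignment string whose Max-Age is clamped to the
// six-month limit, whatever lifetime the caller asked for. Returns the string
// instead of writing it so the clamp is testable.
function buildCookie(name, value, requestedMaxAgeSeconds) {
  const maxAge = Math.min(requestedMaxAgeSeconds, SIX_MONTHS_SECONDS);
  return (
    encodeURIComponent(name) + '=' + encodeURIComponent(value) +
    '; Max-Age=' + maxAge + '; Path=/; SameSite=Lax; Secure'
  );
}

// Inserts the script tag only after the gate allows it. `src` is a placeholder
// URL; a real deployment would use the vendor's snippet.
function loadTrackingScript(doc, src) {
  const s = doc.createElement('script');
  s.async = true;
  s.src = src;
  doc.head.appendChild(s);
  return s;
}

// Browser entry point; skipped when this file runs under Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  // Assumption: the consent banner stores its decision under this key.
  const decision = window.localStorage.getItem('analytics-consent');
  if (shouldLoadTracking(window.navigator, window, decision)) {
    loadTrackingScript(document, 'https://example.invalid/tracking.js');
    // A one-year request is silently clamped to the six-month limit.
    document.cookie = buildCookie('_visitor_bucket', 'B', 365 * 24 * 60 * 60);
  }
}
```

The gate is default-deny: absent a DNT signal and absent a recorded decision, nothing loads, which is the "data protection by default" reading of Article 25 rather than the opt-out reading. The `Max-Age` clamp lives in one place so that no caller can extend the cookie beyond the limit by accident.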
Article 6 Lawfulness of processing: conditions that must be satisfied for the processing of personal data to be lawful.
  1. Consent from individual
  2. Contract with individual
  3. Compliance with a legal obligation
  4. Vital interests
  5. Public task
  6. Legitimate interest

We will increase trust from website visitors. The cross-domain cookie reconnect will be turned off by default for all projects in Convert Experiences. Activating it will trigger a warning that consent from the individual visitor will most likely be needed. COMPLETED

We’ll support customers in transparency. When adding multiple domains in a project, Convert Experiences will give a warning that an individual's consent does not automatically travel between properties, unless the properties are subdomains of the main domain. COMPLETED

Our historical segmentation option is by default turned off. When turned on for an audience by a customer, we will remind them that in our opinion consent from the individual is needed for this.

When additional logging is needed to find problems in the installation or website, the customer, as well as the website visitor within the European Union, will be required to give consent before the debugging tools are loaded (unless the ePrivacy Regulation brings additional clarity on this possible exception). COMPLETED

Universal User IDs used by customers will trigger a warning that a contract with the individual (for example, a paid customer relationship) and the individual's consent are required. This relates to possible cross-device and cross-browser tracking. COMPLETED

Article 7 New legislation around the consent of the individual for the organisation to hold his/her personal data. Several aspects need to be addressed:
  1. Unbundled
  2. Active opt-in
  3. Granular
  4. Named
  5. Easy to withdraw
  6. Documented
  7. No imbalance in the relationship

No personal data will be stored in Convert Experiences. GDPR’s definition of personal data is now broader than under the Data Protection Directive. Article 4 of the GDPR states that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”. It adds that: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. COMPLETED

Convert Experiences will give warnings on all the custom tags (fields) available in the application against the storage of personal data, which is forbidden by the Terms of Use of Convert Experiences. COMPLETED

The opt-out feature will be placed on the app settings page. It will get an input field for the opt-out link on the domain matching the project, with verification and email reminders. COMPLETED

Article 8 Same as Article 7, but for children’s data consent in relation to information society services.

Inform customers of this article in the privacy policy of Convert Experiences. COMPLETED

Article 9 Sensitive Personal Data which includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, health-related information (physical or mental), sexual orientation.

No Sensitive Personal Data is stored in Convert Experiences but we will inform customers of this article in the privacy policy or terms of use of Convert Experiences. COMPLETED

Article 10 Sensitive Personal Data relating to criminal convictions and offences or related security measures.

No Sensitive Personal Data is stored in Convert Experiences but we will inform customers of this article in the privacy policy or terms of use of Convert Experiences services. COMPLETED

Article 11 Processing which does not require identification: A controller that cannot identify the data subject is absolved from having to respond in detail to a data subject’s requests — except to tell the data subject (“if possible” to do so) that it cannot comply due to lack of identification.

Convert Experiences cannot identify the data subjects based on any identifier since they are not stored. Data subject’s rights will be limited to the deletion of cookies. COMPLETED

Articles 12-14 Privacy Notices must be given at the time that the data is obtained from the data subject, or if the data was received from a third party, within a reasonable period after obtaining the data but at the latest within one month.

When third-party data could be used to build audiences, using either JavaScript or cookie conditions in audiences, or in any other location in Convert Experiences, the customer will get a warning. The warning will state that the individual's consent is needed and the privacy policy of that tool must be presented, where consent must be unbundled, obtained with active opt-in, granular, clearly named, easy to withdraw and documented, and no imbalance in the relationship may be present. COMPLETED

Articles 15-23 Expanded Individuals’ Rights:
  1. access their information;
  2. have inaccuracies corrected;
  3. have information erased;
  4. prevent direct marketing;
  5. prevent automated decision making and profiling;
  6. data portability.

Convert Experiences does not store any information about an individual user on the system. Upon deletion of the cookie, the individual user’s history of which buckets he or she fell into is erased; total unique visitor counts per bucket remain available in Convert Experiences but contain no individual user information. COMPLETED

Convert Experiences does not offer direct marketing options. COMPLETED

On the summary pages of the 1:1 Personalization option we will inform our customers of the possible privacy implications. Even though we don’t store individual users in our system, the buckets of users in this option might be smaller than one hundred unique visitors, which we consider reason enough for an additional consent warning to our customers. COMPLETED

No individual user data is stored on Convert Experiences servers, so no data-portability or erasure option for website visitors is available. COMPLETED

Article 24 Definition of a Controller

Convert acts as a controller and will comply with all corresponding regulations. COMPLETED

Article 25 Data Protection by design and by default

Several guidelines will be applied during the software development cycle:

  • Training (developers will be trained on Privacy and Security aspects). COMPLETED
  • Design (all data-oriented and process-oriented design requirements will be driven by GDPR). COMPLETED
  • Coding (developers will use approved tools and frameworks, disable unsafe functions and modules, and regularly carry out static code analysis and code review). COMPLETED
  • Testing (tests of whether data protection and security requirements are implemented properly will be conducted). COMPLETED
  • Before every release, an Incident Response Plan will be established, and a full security review of the software will be carried out. Release will then be approved and all relevant data from the entire development process will be archived. COMPLETED
  • Maintenance (Convert Experiences should be prepared to respond to incidents, personal data breaches, faults and attacks, and be capable of issuing updates, guidelines, and information to users and those affected by the software). COMPLETED
Article 28 Definition of a Processor

Convert Experiences acts as a processor and will comply with all corresponding GDPR regulations. COMPLETED

Article 30 Record keeping: all personal data processing activities shall be recorded.

Article 30 says that these requirements don’t apply to organizations of under 250 employees; in addition, Convert Experiences will not manage personal data once this roadmap is completed. COMPLETED

Articles 33-34 Data breaches

Convert Experiences does not contain any personal information, yet it will ensure that procedures are in place to detect, investigate and report application data breaches within 72 hours of becoming aware of them. COMPLETED

Articles 35-36

Privacy Impact Assessment (PIA): If you are using "new technologies" which process personal data which is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall carry out an assessment of the protection of personal data.

Prior Consultation: Data controllers should consult the supervisory authority every time a PIA identifies an inherently high risk processing activity.

Not strictly necessary, as the type of processing Convert Experiences does is unlikely to result in a high risk, but Convert Experiences will put a simple PIA on the application's settings page anyway. COMPLETED

Articles 40-43 Codes of Conduct and Certifications: GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate that you comply.

Convert will find the appropriate Codes of Conduct and Certifications and comply with them. The most “popular” are:

  1. ISO 27001 (Information Security Management)
  2. ISO 27017 (Cloud Security)
  3. ISO 27018 (Cloud Privacy)
  4. SSAE16 / ISAE 3402 (SOC 2/3)
  5. PCI-DSS
  6. ISO 9001 (Quality Management)
Articles 44-50 Cross-border data transfer: As a general rule, transfers of personal data to countries outside the EEA may take place if these countries are deemed to ensure an “adequate” level of data protection. A current list of “approved countries” is available here.

Convert Experiences performs no cross-border data transfer to or from outside the EEA in its infrastructure. COMPLETED

Articles 51-99 From the articles on Independent Supervisory Authorities to the Final Provisions.

We have read these articles. COMPLETED

Article in ePrivacy Regulations Draft 6543/2020 | Extract | Actions to be taken - Progress
Articles 2 and 14

“These metadata includes the numbers called, the websites visited, geographical location, the time, date and duration when an individual made a call etc.”

When targeting geographical locations at regional or city level, or targeting the time (zones) of user terminals, Convert Experiences will signal a warning that individual consent is needed. COMPLETED

Article 8 "This Regulation should also apply to natural and legal persons who use electronic communications services to send or present direct marketing commercial communications or make use of processing and storage capabilities of terminal equipment or collect information related to processed by or emitted by or stored in end-users’ terminal equipment. Furthermore, this Regulation should apply regardless of whether the processing of electronic communications data or personal data of end-users who are in the Union takes place in the Union or not, or of whether the service provider or person processing such data is established or located in the Union or not."

Convert Insights Inc., an organization incorporated in Delaware, USA, with its datacenter in Frankfurt, Germany, will store and process no personal data of end-users. We have read this article and will respect its content. COMPLETED

Article 17b "Processing of electronic communication metadata for scientific research or statistical purposes should be considered to be permitted processing. This type of processing should be subject to further safeguards to ensure privacy of the end-users by employing appropriate security measures such as encryption and pseudonymisation. In addition, end-users who are natural persons should be given the right to object."

Visitor IDs are automatically anonymized by grouping hundreds of website end-users into visitor groups that count only the total number of end-users present. Individual end-users are not stored in Convert Experiences. It will not be possible to reconnect group counts to individual visitors in any way, and the anonymized groups will be used for statistical purposes only, which is permitted processing. Each customer of Convert Experiences needs to have an opt-out form on the site assisting website visitors to exercise their right to object to this statistical research. COMPLETED
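The group-counting scheme described here (and under Article 5 above, where the same anonymization is listed as a data-minimisation measure) can be illustrated with a small aggregator that keeps only per-group totals and the small-bucket warning mentioned for 1:1 Personalization. This is an added example written for this article, not Convert's implementation; the FNV-1a hash for the group mapping, the group count of 8, the threshold of 100 and the sample visitor IDs are all constructed assumptions.

```javascript
// Added example (not Convert's code): count experiment exposures per visitor
// group so that only group totals are retained, never visitor identifiers.

// FNV-1a 32-bit hash, used only to map a visitor ID onto a group number.
// The ID itself is discarded right after the mapping; nothing below stores it.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// Maps a visitor ID to one of `groupCount` groups (assumed mapping).
function groupOf(visitorId, groupCount) {
  return fnv1a32(visitorId) % groupCount;
}

// Aggregated presence counts: experiment -> variation -> group -> count.
class PresenceCounter {
  constructor(groupCount) {
    this.groupCount = groupCount;
    this.counts = {};
  }

  // Called once per visitor per experiment. Assumption: the client marks the
  // visitor's first exposure in its own cookie, so repeat hits are not sent.
  record(experimentId, variationId, visitorId) {
    const g = groupOf(visitorId, this.groupCount);
    if (!this.counts[experimentId]) this.counts[experimentId] = {};
    const exp = this.counts[experimentId];
    if (!exp[variationId]) exp[variationId] = new Array(this.groupCount).fill(0);
    exp[variationId][g] += 1;
  }

  // Total unique visitors for a variation: the sum over groups.
  totalUnique(experimentId, variationId) {
    const v = (this.counts[experimentId] || {})[variationId];
    return v ? v.reduce((a, b) => a + b, 0) : 0;
  }

  // Variations whose total is below `threshold` (the article uses 100)
  // deserve an additional consent warning: small buckets are easier to
  // link back to individuals than buckets of hundreds.
  smallBuckets(threshold) {
    const out = [];
    for (const [e, variations] of Object.entries(this.counts)) {
      for (const v of Object.keys(variations)) {
        if (this.totalUnique(e, v) < threshold) out.push(e + '/' + v);
      }
    }
    return out;
  }

  // What would be persisted: counts only, no identifiers.
  snapshot() {
    return JSON.stringify(this.counts);
  }
}

// Constructed sample input: three visitor IDs exposed to one experiment.
function demo() {
  const counter = new PresenceCounter(8);
  counter.record('exp-1', 'A', 'visitor-0001');
  counter.record('exp-1', 'A', 'visitor-0002');
  counter.record('exp-1', 'B', 'visitor-0003');
  return counter;
}
```

The point to check in a review of such a design is what `snapshot()` can contain: the persisted structure holds integers indexed by group number only, so a breach of the stored counts exposes no visitor identifier, and the hash is never kept alongside the count. Hashing an ID on its own would only be pseudonymisation; the anonymization comes from discarding the ID and storing nothing finer than the group total.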

Articles 20 and 21 "Furthermore, the so-called spyware, web bugs, hidden identifiers, tracking cookies and other similar unwanted tracking tools can enter end-user’s terminal equipment without their knowledge in order to gain access to information, to store hidden information and to trace the activities. Information related to the end-user’s device may also be collected remotely for the purpose of identification and tracking, using techniques such as the so-called ‘device fingerprinting’, often without the knowledge of the end-user, and may seriously intrude upon the privacy of these end-users. Techniques that surreptitiously monitor the actions of end-users, for example by tracking their activities online or the location of their terminal equipment, or subvert the operation of the end-users’ terminal equipment pose a serious threat to the privacy of end-users. Therefore, any such interference with the end-user’s terminal equipment should be allowed only with the end-user’s consent and for specific and transparent purposes.” as well as “Exceptions to the obligation to obtain consent to make use of the processing and storage capabilities of terminal equipment or to access information stored in terminal equipment should be limited to situations that involve no, or only very limited, intrusion of privacy. For instance, consent should not be requested for authorizing the technical storage or access which is necessary and proportionate for the legitimate purpose of enabling the use of a specific service requested by the end-user. This may include the storing of cookies for the duration of a single established session on a website to keep track of the end user’s input when filling in online forms over several pages, authentication session cookies used to verify the identity of end-users engaged in online transactions or cookies used to remember items selected by the end-user and placed in shopping basket. 
Cookies can also be a legitimate and useful tool, for example, in assessing the effectiveness of a delivered information society service, for example by helping to measure the numbers of end-users visiting a website, certain pages of a website or the number of end-users of an application. This is not the case, however, regarding cookies and similar identifiers used to determine the nature of who is using the site. Information society providers that engage in configuration checking to provide the service in compliance with the end-user’s settings and the mere logging of the fact that the end-user’s device is unable to receive content requested by the end-user should not constitute access to such a device or use of the device processing capabilities. Consent should not be necessary either when the purpose of using the processing storage capabilities of terminal equipment is to fix security vulnerabilities and other bugs, provided that such updates do not in any way change the functionality of the hardware or software or the privacy settings chosen by the end-user and the end-user has the possibility to postpone or turn off the automatic installation of such updates. Software updates that do not exclusively have a security purpose, for example those intended to add new features to an application or improve its performance, should not fall under this exception."

Recital 21 of ePrivacy Regulations draft 1533 says: "Exceptions to the obligation to obtain consent to make use of the processing and storage capabilities of terminal equipment or to access information stored in terminal equipment should be limited to situations that involve no, or only very limited, intrusion of privacy." With the removal of all personal data from Convert Experiences in the default settings, there is very limited to no privacy implication in using the software. We do recommend that customers ask for consent when specific settings are turned on. COMPLETED

CHAPTER II - PROTECTION OF ELECTRONIC COMMUNICATIONS OF END-USERS AND OF THE INTEGRITY OF THEIR TERMINAL EQUIPMENT, Article 8, Protection of information stored in terminal equipment of end-users and related to or processed by or emitted by such equipment. "1. The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds: (d) it is necessary for audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user or by a third party on behalf of the provider of the information society service provided that conditions laid down in Article 28 of Regulation (EU) 2016/679 are met."

Article 28 of Regulation (EU) 2016/679 describes the relationship with the controller, i.e. the contracts between the customers of Convert Experiences and Convert. Customers can request additional contract clauses for European customers; for this reason we have a DPA and a DPIA online. COMPLETED

CHAPTER II - PROTECTION OF ELECTRONIC COMMUNICATIONS OF END-USERS AND OF THE INTEGRITY OF THEIR TERMINAL EQUIPMENT, Article 10, Information and options for privacy settings to be provided, Protection of information stored in terminal equipment of end-users and related to or processed by or emitted by such equipment. "3. In the case of software which has already been installed on [25 May 2018], the requirements under paragraphs 1 and 2 shall be complied with at the time of the first update of the software, but no later than [25 August 2018]."

Inform customers of Convert Experiences that they must share their privacy settings with all end-users before 25 August 2018, using features like opt-out. COMPLETED

Have questions about how Convert’s actions, and GDPR, will affect your business? Contact us at:
