How to Choose a Privacy Compliant A/B Testing Tool (Our Guide for German Optimizers)
Consumers are gaining more awareness and control around their personal information, as privacy laws come into force worldwide. The EU, for example, passed the landmark General Data Protection Regulation (GDPR) in 2018, to tighten data privacy regulations and California enforced the California Consumer Privacy Act (CCPA) in 2020.
A/B testing companies are now taking extra measures to comply with these new rules. For example, many are asking users for consent before adding them to a mailing list, providing easily accessible privacy statements and disclosures, and giving users the ability to access, modify, or delete their personal information.
Despite the lack of digital privacy in today’s world, Germany remains committed to the protection of its citizens’ personal data, with laws like the former German Federal Data Protection Act (BDSG) being regarded as one of the most stringent in the world.
The following guide will walk you through each of the data privacy laws in Germany, so you can make the most informed decision when selecting an A/B testing tool.
Selection Criteria for Data Privacy
Data protection law, first adopted in Germany in 1970, has since grown into a key human right, supported by the data protection authorities of the 16 German states and federation. It is important to comply with the following laws when selecting an A/B testing platform:
- The EU General Data Protection Regulation (GDPR) (2018)
- Put in place to protect the data of EU citizens.
- The Federal Data Protection Act (BDSG) (2018)
- Modifies the GDPR, allowing for exceptions to individual rights when handling employee personal data.
- The Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) (2021)
- Combines the Telecommunications Act (1996) and the Telemedia Act (2007), which prohibit access to telecommunication data (like business email accounts, business phones, or the history of internet browsers) and establish cookie consent requirements in accordance with Article 5(3) of ePrivacy.
- ePrivacy (Cookie Law) (2002)
- Ensures ”privacy and confidentiality, with respect to the processing of personal data in the electronic communication sector”.
The Following Criteria Will Serve as a Guide when Choosing an A/B Testing Platform that is Compliant within Germany
1. How Did the A/B Testing Company Prepare for Data Compliance?
How did they prepare for the GDPR, BDSG, and TTDSG laws?
Once you narrow down your top choices, make sure they are able to briefly describe the procedure, which areas were involved, and which measures were initiated. If not all planned measures have been fully implemented, they need to be able to explain their implementation status.
This will provide you with an overview of the approaches used, as well as their self-assessment regarding their position on how to implement the various laws.
Common questions to be answered are
- Were all essential company departments involved that work with personal data (e.g. human resources, IT, sales/customer support, marketing)?
- Is there evidence that training on these laws has been conducted?
- Have all the measures planned by the company been implemented?
For example, Convert posted a public roadmap, where we clearly state which actions were taken to become GDPR compliant (per each article required).
A similar roadmap should be present for each A/B testing platform you consider.
2. Does the A/B Testing Tool Have Records of Processing Activities?
It is important that the tool you select has included all of their personal data processing business operations within a register of processing activities.
Ask yourself the following:
- Is it clear that the record of processing activities is regularly reviewed and updated where necessary?
- Does this record correspond to the legal requirements of Article 30 GDPR?
- Do they provide the name and contact details of the person responsible?
- Are the purposes of the processing stated?
- Are the categories of persons concerned (e.g. employees, customers, etc.) and the categories of personal data (e.g. employee master data, applicant data, customer contact data, creditworthiness data, etc.) described?
- Is a statement made about the transfer of personal data to a third country or to an internal organization?
- Are the envisaged deadlines for the deletion of the various categories of data indicated?
Below is an example of the records Convert keeps for each data processing activity.
3. On what Legal Basis Does the A/B Testing Tool Process Personal Data?
According to the GDPR Article 6, there should be lawful bases on which the company relies to process personal data.
Ask the following questions:
- Are the legal bases mentioned in their Privacy Policy?
- Are the declarations of consent easy to understand, (i.e. is the content of the data subject made clear and simple when explaining the granting of consent)?
There are several lawful bases that Convert relies upon, which are published in our privacy policy. They are centered around GDPR and include
- Contract: We fulfill our contractual responsibilities to you (when you register as a customer, buy from us or use our services, for example).
- Consent: Customers must agree before we can use their personal information in a specific way (i.e. when enabling cross-domain tracking, adding multiple domains under a project, turning on audience segmentation, or requesting additional logging).
- Legal obligation: We are legally required to provide certain documents (i.e. copies of invoices and information about payments).
- Legitimate interest: We only use your personal data in ways you would fairly expect, with minimum privacy impact, or where there is a compelling justification.
4. Does the A/B Testing Tool Have a Data Protection Impact Assessment?
DPIAs (data protection impact assessments) assist organizations in identifying, assessing, and mitigating or minimizing privacy risks associated with data processing. They’re especially important when introducing a new data processing technique, system, or technology.
DPIAs also promote the accountability principle because they assist organizations in complying with the GDPR’s standards and demonstrating that sufficient measures were taken to ensure compliance.
As part of Convert’s GDPR Project, Convert developed guidance for staff and a template to be used to carry out DPIAs. This serves to ensure that processing operations with an expected high risk for the rights and freedoms of those affected are identified.
You can find the template with the pre-filled screening questions here.
5. Is a Data Protection Officer Appointed?
The primary responsibility of the Data Protection Officer (DPO) is to ensure that the personal data of her organization’s employees, customers, providers, or other individuals (also known as data subjects) is processed in accordance with the applicable data protection rules. The GDPR requires each EU organization and body to establish a DPO.
To clarify the qualifications of a company’s Data Protection Officer and how they are integrated into the organization, ask yourself:
- Can the current and sufficient specialist knowledge of the DPO be inferred from the documents? (Assess their training and further education in data protection, the extent/duration of their experience in data protection, their professional training (e.g. lawyer, computer scientist), and their participation in established data protection networks.
- Is there a publication of the contact details of the DPO? on the company’s website? Are the contact details of the DPO easy to find there?
Convert’s Data Protection Officer can be emailed anytime at support@convert.com.
6. How Does the A/B Testing Company Ensure that it Reports Data Protection Violations to the Supervisory Authority in a Timely Manner?
Every German organization is obligated, under GDPR Article 33, to keep personal data safe and secure and to respond appropriately, within 72 hours, to data security breaches (which can include reporting breaches to the Data Protection Officer in some cases).
To avoid the danger of injury to individuals, damage to operational business, and severe financial, legal, and reputational costs, it is critical to act quickly in the case of any actual, possible, or suspected breaches of data security or confidentiality.
When looking for a privacy compliant A/B testing tool, ask these questions:
- Has the process for reporting data protection violations been presented in a comprehensible manner?
- Are the responsibilities (who does what) clearly regulated in the reporting process?
- Ιs the 72-hour period noticeably taken into account?
- Is it clear that employees have been made aware of this process?
Convert has its own Personal Data Breach Escalation Policy that can be requested at support@convert.com.
7. Where Does the A/B Testing Tool Store Data?
Austria recently prohibited the use of Google Analytics because their data is stored in the United States, where privacy protection is more limited. Finding an A/B testing platform that stores data legally in the EU is your safest bet.
You should be able to find out where the data is held in the organization’s privacy policy. In general, data storage information is located in the “sub-processors” and “third-party services” sections. If you can’t find this information easily or it’s unclear, contact the organization for clarification.
Convert has stored data in Frankfurt, Germany, since 2016, which we chose because of their strict data protection policy.
8. Does the A/B Testing Tool Respect Do Not Track (DNT) Settings?
For users who are concerned about their privacy, several browsers have a “Do Not Track” feature, which can be turned on to tell websites and analytics tools to stop tracking user behavior.
In principle, this setting should prevent a visitor’s browser from accepting “cookies” that inform marketers and other businesses about their online habits and interests. However, websites are not technically bound by these restrictions. Therefore, it is important to find an A/B testing tool that cares about user privacy and goes the extra mile to ensure their systems comply with these requirements.
This video from Convert’s A/B testing course will teach you everything you need to know about A/B testing and cookies.
Convert supports Do Not Track because we believe it is critical to have a simple method of controlling how end-user information is utilized. We take DNT seriously as a signal from you and your end-users about how we should use data.
Convert provides users with the following options:
- Do Not Track (Opt out of tracking)
- Track (Opt into tracking)
- Null (No preference)
By default, web browsers use “Null”, indicating that the end-user hasn’t expressed whether they want to be tracked or not. When “Do Not Track” is chosen, Convert does not load the scripts/experiences, and instead loads the other two options.
In your Project Configuration, there is a row that says: “Respect Do Not Track Browser Settings”, which is turned OFF by default, but can be changed using the dropdown menu.
Tip: For the EEA country list, please visit this page.
9. Does the A/B Testing Tool Allow for Anonymized Tracking?
Anonymization allows A/B testing tools to comply with GDPR, while still tracking data for reporting. According to GDPR guidelines, A/B testing tools can gather certain data as long as it’s “rendered anonymous in such a way that the data subject is not or no longer identifiable”. This is important for companies who want to keep track of demographic data that isn’t personally identifiable.
The Data Anonymization option in Convert Experiences allows your website to cleanse all incoming and historical data about the names of your visitors’ bucketed experiences/variations, allowing marketing and IT teams to keep essential tracking data without jeopardizing privacy.
10. What Does the A/B Testing Tool Keep in its Server Logs?
According to the GDPR, an IP address is considered personal data. If your A/B testing tool’s server logs contain the IP addresses of your visitors, they contain personal data.
Here are basic guidelines for GDPR-compliant server logs:
- The most straightforward solution to keep GDPR-compliant logs is to keep no logs at all.
- If server logs are required, retain them for as little time as possible. Create a server log rotation policy that deletes older logs automatically.
- If they collect logs without IP addresses or other personal data, they are GDPR-compliant.
- They can collect logs without consent under certain conditions, but they must inform you of this in their privacy policy.
Live Logs in Convert Experiences track how end users are interacting with web pages in real time. They capture information like timestamp when a goal is triggered, the event type that was triggered, variation displayed to the end user and much more. Live logs are considered GDPR-compliant, as they do not store IP addresses or any other PII data.
11. Who Owns the Data?
One of the primary requirements of GDPR is that suitable measurements for processing personal data be in place. Data linked to a consumer transaction in the EU must be physically stored in the EU or a nation with data protection measures that the GDPR deems adequate (unless the user consent to keeping their data elsewhere).
This rule poses some challenges for firms not based in the EU, though some of these issues can be mitigated using an analytics package with a clear data ownership policy.
Convert gives users peace of mind by having a defined ownership statement in placewill. This outlines that we will “not share any data with a third party without the express written approval of the customer”, and will “delete any data relating to customers who unsubscribe from the service upon request”.
12. Can the A/B Testing Tool Integrate with your Current Tech Stack?
You’ll want to make sure a new A/B testing tool works well with the rest of your tech stack, such as your CMS (content management system) and eCommerce platform. Connecting your present tech stack to a new solution could be costly, so be sure to make a list of all the current tools you use and see if you can recreate the same integrations with the new tool, either through integrations or APIs.
When conducting your study, keep the following questions in mind:
- How well and how quickly will your chosen tool integrate with the rest of your system, such as your CRM?
- Are there any authorized integrations to make such connections possible? If not, are you allowed to modify the code to make it work for you?
- Is it possible to effortlessly convert your data to another tool if the necessity arises?
- Is there any evidence of vendor lock-in or problems with shifting data to a different provider?
Convert integrates with 100+ tools, and for each one, we provide specific instructions on how to achieve the integration.
13. Is There an Option to Self Host the A/B Testing Script?
Choosing between Software-as-a-Service (SaaS) and self-hosting can be tough. When considering cost, ease, and convenience, it makes sense to have the majority of software supplied through the cloud. However, SaaS may not be the best choice for some businesses and organizations, like governments and banks.
An on-premise A/B testing solution will be the most favored option for firms that desire full control over their data and storage location. It will also be the simplest, in terms of GDPR compliance.
Ask yourself these clarifying questions:
- Is your A/B testing tool allowed to use a cloud-hosted solution?
- Do you have the resources to host the tool on your infrastructure?
- Do you know what data limits come with your plan?
Did you know that Convert allows you to develop your tests locally?
14. Are International Data Transfers Allowed?
Data transfers are now so common that most people aren’t even aware they are happening. Even still, they can be troublesome to deal with and should be agreed upon in the original data collection agreement (much like data location).
Until recently, corporations used the Privacy Shield framework to transmit data from the EU and Switzerland to the US without requiring prior approval. However, in 2020, European judges ruled that American data protections were insufficient, rendering the framework invalid, though these risky data transfers still occur on other legal grounds.
To avoid potential threats, A/B testing companies might use the strategy of data protection by design, (which we’ll discuss in the next section.) Otherwise, they can simply request consent and specify where the data will be stored and moved.
Convert has taken a proactive approach, keeping active and trial users informed through in-app messages. Luckily, nothing needed to be done for our clients whose EU data transfers were already covered by SCCs (EU standard contractual clauses).
15. Is Data Protection by Design and Default Being Respected?
The concept of privacy by design is at the heart of privacy-friendly A/B testing tools.
We prefer to prevent privacy invasions than to deal with them after the fact, and we use data minimization and purpose limiting to stay proactive.
Data minimization means only processing data that is required to achieve a specific goal, while purpose limitation refers to identifying the goal of processing data, recording it, and informing persons, prior to processing.
Once collected and processed, data should only be maintained for the duration of the task for which it was obtained.
Data protection by design necessitates the use of technical and organizational safeguards during the planning stages of processing. This allows organizations to ensure that privacy and security mechanisms are in place from the beginning. The specific procedures vary depending on the use case, but they could include data anonymization, data monitoring, or the addition of new privacy-protecting features to A/B testing software.
So, which A/B Testing Platforms are Privacy-Friendly?
If you’re searching for a way to collect and analyze data from your website, digital product, or mobile app within Germany, the platform you choose is critical.
Most A/B testing solutions were not built with privacy in mind, and while the major platforms get certain things right (like data anonymization and ownership), they fall short in other areas (like data location).
Luckily, there is high demand these days for A/B testing software that allows you to run experiences on your website while maintaining data privacy. This means there are more privacy-friendly A/B testing tools available today than ever before. For a brief summary, see the table below with the most important metrics.